Everything posted by AWS
-
Today, Microsoft Intune enables organizations to enroll Android devices into Azure Active Directory shared-device mode, so they can provide sharable mobile devices to their frontline workers. With shared-device mode, frontline workers have a simpler authentication experience, because they only need to sign in and sign out once whenever they use a shared device. For organizations using Intune, in addition to Microsoft Teams and Managed Home Screen, we are excited to announce that the ability for administrators to manage the Microsoft Edge and Yammer apps on Android devices is now in public preview in Intune.

At the start of their shifts, after signing into a shared device, frontline workers can use Microsoft Edge to look up answers they need to do their jobs efficiently – whether that is the shipping status of items to be delivered or answers to technical questions to resolve customers' issues. With Yammer, frontline workers can easily receive communications from leadership, get information on company mission and strategic priorities, and connect with communities that fit their interests. When used with Intune's Managed Home Screen, administrators can also create a streamlined sign-in experience for both Microsoft Edge and Yammer, so frontline workers always know how to get started with their day.

At the end of their shifts, frontline workers can easily sign out by selecting the sign-out button in any of their apps. This will remove any personal information from the apps that support the feature, so a worker can return the device for the next person to use. When administrators apply application protection policies from Intune, they can provide additional data protection so other apps do not leave data behind.

For more information on shared device mode, read the Azure Active Directory shared device mode documentation. For steps to set up shared device mode with Intune, read the Intune setup blog. For further guidance on deploying frontline solutions, read the frontline deployment documentation.
-
We are pleased to announce the security review for Microsoft Edge, version 108! We have reviewed the new settings in Microsoft Edge version 108 and determined that there are no additional security settings that require enforcement; however, there is one setting that attention should be given to. The Microsoft Edge version 107 security baseline continues to be our recommended configuration, which can be downloaded from the Microsoft Security Compliance Toolkit.

TLS Encrypted ClientHello Enabled (Consider)

An interesting setting admins may wish to consider, particularly if using Windows Defender Network Protection or similar security software. TLS Encrypted ClientHello (ECH) Enabled is a privacy-improving feature that combats one of the shortcomings of HTTPS – namely, TLS does not hide from a network observer the target hostname to which the browser is connecting. This means that your company or ISP network administrator (or anyone who can spy on network traffic) can see the hostname of the site to which your browser is connecting, which has privacy implications. ECH hides the hostname so that a network observer can only see the target IP address of browser traffic, but not which specific site at that IP is being requested.

The reason that this feature has a security impact is that some security software may be spying upon your network requests and blocking requests to specific sites based on the site’s hostname. As a specific example, the Windows Defender Network Protection feature relies upon looking at the Server Name Indication (SNI) within the ClientHello to decide whether to block traffic to sites on the “known malicious” list or the customer’s custom blocklist. If the ClientHello is encrypted by the browser’s new ECH, this Network Protection feature (and similar features in other security software) will not be able to read the SNI, and thus will not be able to block the traffic.

For Microsoft Edge specifically, there’s a subtlety around the interaction of ECH and Network Protection. Machine-installed channels of Edge (Stable/Beta) are exempted from Network Protection (in favor of Microsoft Defender SmartScreen), so the implications of this policy on Microsoft Edge are really limited to Edge Canary OR users of non-Microsoft Defender security products. But IT departments using Network Protection in Google Chrome really should set the equivalent policy.

Microsoft Edge version 108 introduced 4 new computer settings and 4 new user settings. We have included a spreadsheet listing the new settings in the release to make it easier for you to find them. As a friendly reminder, all available settings for Microsoft Edge are documented here, and all available settings for Microsoft Edge Update are documented here. Please continue to give us feedback through the Security Baselines Discussion site or this post.
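As an added example (not part of the original post, and not Microsoft product code), the Python below builds a minimal TLS ClientHello, extracts the Server Name Indication the way an SNI-based filter such as the Network Protection feature described above would, and shows that once an encrypted_client_hello extension is present the visible SNI is only the outer, client-facing name, so an SNI-only blocklist silently allows the connection while an ECH-aware filter can at least flag it as undetermined. The hostnames, the blocklist and the ECH payload bytes are constructed placeholders.

```python
"""SNI visibility with and without TLS Encrypted ClientHello (ECH).

Added example: the ClientHello bytes are hand-built for the demo, the
blocklist hostname is made up, and the ECH extension body is a dummy blob
standing in for the real HPKE ciphertext that carries the inner ClientHello.
"""
import struct

EXT_SERVER_NAME = 0x0000  # server_name (SNI), RFC 6066
EXT_ECH = 0xFE0D          # encrypted_client_hello codepoint used by the ECH drafts

BLOCKLIST = {"blocked.example"}  # constructed placeholder for a custom blocklist


def build_client_hello(sni: str, ech: bool = False) -> bytes:
    """Return a TLS record holding a minimal ClientHello with an SNI extension.

    With ech=True the hello also carries an encrypted_client_hello extension;
    in a real ECH handshake the outer SNI is then the public_name of the
    client-facing server, and the true target lives inside the ciphertext.
    """
    host = sni.encode()
    sn_list = struct.pack("!BH", 0, len(host)) + host          # name_type=host_name
    sn_body = struct.pack("!H", len(sn_list)) + sn_list
    exts = struct.pack("!HH", EXT_SERVER_NAME, len(sn_body)) + sn_body
    if ech:
        ech_body = b"\x00" * 16                                 # dummy payload
        exts += struct.pack("!HH", EXT_ECH, len(ech_body)) + ech_body
    body = (
        b"\x03\x03"                                 # legacy_version (TLS 1.2)
        + b"\x11" * 32                              # random (constructed)
        + b"\x00"                                   # legacy_session_id: empty
        + b"\x00\x02\x13\x01"                       # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                               # legacy_compression_methods: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # client_hello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Return {'sni': str|None, 'ech': bool} for a ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:]
    pos = 2 + 32                                    # skip legacy_version and random
    pos += 1 + body[pos]                            # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                            # legacy_compression_methods
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    result = {"sni": None, "ech": False}
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype == EXT_SERVER_NAME:
            name_len = struct.unpack("!H", data[3:5])[0]  # skip list len + name_type
            result["sni"] = data[5:5 + name_len].decode()
        elif etype == EXT_ECH:
            result["ech"] = True
    return result


def naive_sni_filter(record: bytes, blocklist=BLOCKLIST) -> str:
    """An SNI-only filter: it reads whatever SNI is visible and never notices ECH."""
    sni = parse_client_hello(record)["sni"]
    return "block" if sni in blocklist else "allow"


def ech_aware_filter(record: bytes, blocklist=BLOCKLIST) -> str:
    """Same decision, but an ECH extension means the visible SNI is not the target."""
    info = parse_client_hello(record)
    if info["ech"]:
        return "undetermined"
    return "block" if info["sni"] in blocklist else "allow"


if __name__ == "__main__":
    plain = build_client_hello("blocked.example")
    # With ECH the outer SNI is the client-facing public_name, not the real site.
    with_ech = build_client_hello("public.cdn.example", ech=True)
    for label, rec in (("plain", plain), ("ech", with_ech)):
        print(label, parse_client_hello(rec), naive_sni_filter(rec), ech_aware_filter(rec))
```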
-
Microsoft 365 Defender Monthly news, November 2022

This is our monthly "What's new" blog post, summarizing product updates and various assets we have across our Defender products.

Microsoft 365 Defender
- Investigate incidents more effectively with the new attack story view in Microsoft 365 Defender.
- Identity Protection alerts are now available in Microsoft 365 Defender.
- (Preview) Microsoft Defender Experts for XDR (Defender Experts for XDR) is now available for preview. Defender Experts for XDR is a managed detection and response service that helps your security operations centers (SOCs) focus and accurately respond to incidents that matter. It provides extended detection and response for customers who use Microsoft 365 Defender workloads: Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Azure Active Directory (Azure AD). For details, refer to Expanded Microsoft Defender Experts for XDR preview.
- DEV-0569 finds new ways to deliver Royal ransomware, various payloads. DEV-0569’s recent activity shows their reliance on malvertising and phishing in delivering malicious payloads. The group’s changes and updates in delivery and payload led to distribution of info stealers and Royal ransomware.
- Vulnerable SDK components lead to supply chain risks in IoT and OT environments. Researchers investigated an electrical grid intrusion that may have used common IoT devices to gain a foothold into the OT network and found a web server component that, although discontinued since 2005, is still implemented and prevalent in many IoT devices.
- Query resource report in advanced hunting (public preview). The query resources report shows your organization's consumption of CPU resources for hunting based on queries that ran in the last 30 days using any of the hunting interfaces. This report is useful in identifying the most resource-intensive queries and understanding how to prevent throttling due to excessive use.
- New advanced hunting table: DeviceTvmHardwareFirmware. The DeviceTvmHardwareFirmware table in the advanced hunting schema contains hardware and firmware information of devices as checked by Microsoft Defender Vulnerability Management. The information includes the system model, processor, and BIOS, among others.

Microsoft Defender for Cloud Apps
- Introducing the Microsoft Defender for Cloud Apps data protection series. In this brand-new blog series focused on information protection in Microsoft Defender for Cloud Apps, various members of the Product Group will walk us through how to protect the data that lives inside your SaaS apps.
- Microsoft Defender for Cloud Apps data protection series: Understand your data types. Our second installment in the Microsoft Defender for Cloud Apps data protection series, where we focus on the different types of data that can be protected.
- App Governance is a Key Part of a Customers' Zero Trust Journey. Watch this webinar now on YouTube. This webinar focused on how App governance helps customers implement Zero Trust in their environments. We walk you through a typical scenario and how it is aligned to Zero Trust pillars.
- Workplace by META API connector is now available in Defender for Cloud Apps. The Workplace by META API connector in Defender for Cloud Apps provides you enhanced visibility and control over user activities in Workplace.

Microsoft Defender for Endpoint
- The new device timeline is now generally available. The device timeline reflects all the events observed on a device in chronological order; it’s mostly used to deepen the investigation and pivot from an alert to learn what happened on a device before/after the suspicious activity. The new view keeps the existing functionality on par, in addition to performance and several UI improvements. The new timeline offers faster loading time, while seamlessly fetching bigger chunks of data (1000 instead of 200), in addition to several UI improvements for a smoother experience:
  - New event side panel, aligned with the alert story process tree experience, for easy orientation
  - Enhanced MITRE data, showing all related techniques and tactics at a single event panel
  - Linking events to the new user side panel, providing more details and context to the investigation without leaving the page
  - Better visibility to the data set shown in the timeline, by reflecting the applied filters on top of the table
- Detecting and remediating command and control attacks at the network layer. Microsoft Defender for Endpoint helps SecOps teams detect network C2 attacks earlier in the attack chain, minimize the spread by rapidly blocking any further attack propagation, and reduce the time it takes to mitigate by easily removing malicious binaries.
- Mobile Network Protection for Defender for Endpoint on Android and iOS now generally available. Microsoft brings network protection features in Defender for Endpoint to Android and iOS, providing more ways to help organizations identify, assess, and remediate endpoint weaknesses with the help of threat intelligence.
- Use the new Microsoft 365 Defender API for all your alerts. The new Microsoft 365 Defender alerts API, currently in public preview, enables customers to work with alerts across all products within Microsoft 365 Defender using a single integration.
- Announcing new removable storage management features on Windows. Over the last several months, Microsoft Defender for Endpoint has rolled out a handful of device control capabilities to help secure removable storage scenarios on Windows.
- Microsoft Defender for Endpoint now integrated with Zeek. The integration of Zeek into Microsoft Defender for Endpoint provides new levels of network analysis capabilities based on deep inspection of network traffic powered by Zeek, a powerful open-source network analysis engine that allows researchers to tackle sophisticated network-based attacks in ways that weren't possible before.
- Built-in protection is now generally available. Built-in protection helps protect your organization from ransomware and other threats with default settings that help ensure your devices are protected. Built-in protection is a set of default settings that are rolling out to help ensure your devices are protected. These default settings are designed to protect devices from ransomware and other threats.
- Check out the Library API to upload/delete/update files in your tenant's library.
- Stopping C2 communications in human-operated ransomware through network protection. Providing advanced protection against increasingly sophisticated human-operated ransomware, Microsoft Defender for Endpoint’s network protection leverages threat intelligence and machine learning to block command-and-control (C2) communications.

Microsoft Defender for Identity
- Deprecation of the Defender for Endpoint Defender for Identity Integration. At the end of November, integration with Microsoft Defender for Endpoint will no longer be supported. We highly recommend using the Microsoft 365 Defender portal (Sign in to your account), which has the integration built in.
- New option for running the remediation actions by using the sensor's server LocalSystem account. Defender for Identity can now use the LocalSystem account on the domain controller to perform remediation actions (enable/disable user, force user reset password), in addition to the gMSA option that was available before. This enables out-of-the-box support for remediation actions.
- New health alert for verifying that Directory Services Advanced Auditing is configured correctly. New health alert for alerting customers that their Directory Services Advanced Auditing does not include all the categories and subcategories as required.
- New health alert for verifying that NTLM Auditing is enabled. New health alert for alerting customers that their NTLM Auditing (for eventId 8004) is not enabled.

Microsoft Defender for Office 365
- Build custom email security reporting with Microsoft Defender for Office 365 and Power BI. In this blog, we will showcase an example on how you can leverage Power BI and the Microsoft 365 Defender Advanced Hunting APIs to build a custom dashboard and share a template that you can customize and extend.
- Microsoft announces partnership with SANS Institute to deliver a new series of computer-based training (CBT) modules in the Attack Simulation Training service. The modules will focus on IT systems and network administrators. Microsoft is excited to collaborate with a recognized market leader in cyber security training to bring our customers training that can help our customers address a critical challenge in the modern threat landscape: educating and upskilling security professionals.
- Why Microsoft is the right choice for healthcare. First in an industry series focusing on why Microsoft is the right choice for your security needs in healthcare.

Microsoft Defender Vulnerability Management
- Reduce OpenSSL 3.0 vulnerabilities risks with Microsoft Defender Vulnerability Management. The OpenSSL team published two high severity vulnerabilities: CVE-2022-3602 and CVE-2022-3786. Any OpenSSL versions between 3.0.0 and 3.0.6 are affected, and the guidance is that OpenSSL 3.0 users should expedite upgrade to OpenSSL v3.0.7 to reduce the impact of this threat.
- Announcing Software Usage Insights in public preview. Organizations can view the number of devices using specific Windows software and the median usage for the past 30 days to better inform organizations of the user impact if they want to block software or any vulnerable versions.
- Firmware assessments support now in public preview in Microsoft Defender Vulnerability Management. This new firmware assessments feature provides customers with full visibility into device manufacturer, processor and BIOS information.
-
Heya folks, Ned here again. The latest Windows Server Summit is coming December 6th, 2022. Join us for demos, sessions, and live Q & A on Windows Server and:
- Securing your infrastructure
- Getting the most from new Windows Server 2022 capabilities
- Efficiently managing hybrid workloads
- Seeing my dogs in demos

Free registration: Windows Server Summit | Microsoft Event

Agenda (session: speakers; products / topics included)
- Opening: Rick Claus, Sonia Cuff
- Executive “fireside chat”: Roanne Sones, Rick Claus; High-level hybrid & migration themes, Azure Arc, AHB for Azure Stack HCI and AKS, with Windows Server Azure Edition
- What’s new with Windows Server / Key announcements: Jeff Woolsey (and Ned Pyle, briefly); Secured-core Server, 5-year container support, AHB for Azure Stack HCI and AKS, Hotpatch, WSL2 for Linux containers
- Optimize your Windows Server: Orin Thomas, Sonia Cuff; File server, security (including how to harden Active Directory), WS2012 end of support
- Secure and manage infrastructure everywhere: Aurnov Chattopadhyay, Trung Tran; Azure Arc, WAC, Automanage
- Modernize where and how you need to: Vinicius Apolinario and Thomas Maurer; Containers, app modernization, AKS
- Enhance security and save time with Windows Server 2022 and Windows 11: Ned Pyle; SMB compression and SMB over QUIC; security pieces that require Win11 and WS2022 together; HCI and Azure Edition as Windows 11 target
- What’s new in System Center 2022 (on-demand): Bhavna Appayya, Sujay Jagadish Desai; System Center 2022
- Navigating technical change for Windows Server professionals (on-demand): Sonia Cuff, Orin Thomas, Jeff Woolsey; Windows Server professionals moving skills to cloud, Hybrid certification

That's a lot to pack in. There are several on-demand sessions as well, plus that live Q & A where you can talk to me and dozens of other MS experts and technology owners. Remember that registration! Windows Server Summit | Microsoft

See you December 6th!

- Ned Pyle and his demo dogs
-
Windows 365 makes it easy to configure and deploy a PC in the cloud. Once configured, you may ask yourself, “How are Cloud PCs different from a system management perspective? Should I do anything different for these endpoints?” The fact is you can manage your Windows 365 environment the same way you have been managing your physical fleet of Windows endpoints. But there are a few configurations that can improve the experience for you and your users. This blog will provide guidance on each of the features below to help you get the most out of your investment in Windows 365.
- Cloud PC Dynamic Groups and Filters
- Conditional Access policies specifically for Cloud PCs
- Endpoint Analytics
- Multimedia Redirection
- RDP Shortpath

Targeting Windows 365 Devices

As you create more Cloud PCs, you may want to target specific subsets of your devices for specific applications or configurations. This can be done with either dynamic groups or device filters. Below are the most common groups and filters used by Cloud PC administrators. See these articles if you are looking for step-by-step instructions on how to create a dynamic group or filter.

Target Devices: Windows 365 Devices
  Dynamic Group Query: (device.deviceModel -contains "Cloud PC")
  Filter: (device.model -contains "Cloud PC")

Target Devices: All Windows 365 Devices of Model 2vCPU/8GB/128GB or other model
  Dynamic Group Query: (device.deviceModel -contains "Cloud PC Enterprise 2vCPU/8GB/128GB")
  Filter: (device.model -contains "Cloud PC Enterprise 2vCPU/8GB/128GB")

Target Devices: All Windows 365 Devices with Provisioning Policy “Microsoft Hosted Network - US East 2” (modify this to your Provisioning Policy name)
  Dynamic Group Query: (device.enrollmentProfileName -eq "Microsoft Hosted Network - US East 2")
  Filter: (device.enrollmentProfileName -eq "Microsoft Hosted Network - US East 2")

If you’re unsure when to use a Dynamic Group vs a Filter, see the Intune Support Team’s blog Intune grouping, targeting, and filtering: recommendations for best performance.

Conditional Access

You’re likely comfortable with using Conditional Access to enforce MFA to protect your information in Office 365. You can also configure Azure Active Directory (Azure AD) Conditional Access to tighten your Windows 365 security posture in a multi-step approach:
- Control access methods
- Enforce session limits on the local device
- Require Intune compliance for organization access

Control Access to Cloud PCs

Windows 365 can be accessed by using the Windows 365 app, navigating to the web portal, or using the Remote Desktop client. Access via all three is controlled via Conditional Access policies targeted at the Windows 365 Azure AD application. However, because Windows 365 is built on the same technology as Azure Virtual Desktop, Conditional Access policies targeting Azure (or Windows) Virtual Desktop will still apply to connections initiated from the Windows 365 app and the Remote Desktop client.

Enforce Session Limits

The Sign-in frequency Session Control can be used to force reauthentication after a specific amount of time. For example, configuring this to 24 hours can ensure that your users are prompted to reauthenticate to the Windows 365 service at least once per day. If a user’s authentication token expires while they are using their Cloud PC, the user will be allowed to continue their active session and will only be prompted for re-authentication the next time they connect to their Cloud PC. See the Set conditional access policies for Windows 365 docs page for step-by-step instructions on creating a basic Windows 365 Conditional Access policy.

Enforce Intune Compliance

Once connected to a Cloud PC, the same Conditional Access rules targeted at the rest of your client environment apply. However, if you are using the Require device to be marked as compliant configuration in your Conditional Access Grant Rules, there are a few Compliance policy settings that may report inaccurately on Cloud PCs. To avoid these issues, consider excluding this requirement for both the Azure Virtual Desktop (AVD) and Windows 365 apps. Reference the Known Issues page for specific details.

Enable Endpoint Analytics

Endpoint Analytics provides you with insights into the quality of the endpoint experience in your environment. The information the reports provide can help you optimize the end user experience across your physical and virtual endpoint platforms. The resource performance report provides insights into CPU and RAM usage to help identify devices that may need more resources. In addition to the core reports available in Endpoint Analytics, there are reports specifically targeted for usage with Windows 365. The Remoting Connection report provides insights into both Round-Trip Time and Sign-in Time. And the Cloud PC Performance & Utilization report helps you ensure your Cloud PCs are being used efficiently. The Endpoint Analytics enrollment process is different depending on whether your devices are managed by Intune or Co-Managed with Configuration Manager. Once enrolled, device information can take several days to start to populate into reports.

Multimedia Redirection

Multimedia redirection allows for smooth playback of video in Teams live events and streaming video platforms in both Microsoft Edge and Google Chrome. Smooth playback is enabled by offloading the video processing to the local machine for faster rendering. This feature is in preview on Azure Virtual Desktop and supported on Windows 365 endpoints. It is enabled by installing an extension for Edge or Chrome and configuring a few additional policies. Once configured, you’ll see the extension appear in the upper right of your Edge and Chrome browser. For specific details on how to configure multimedia redirection, see Multimedia redirection on Azure Virtual Desktop on the Microsoft Docs site.

RDP Shortpath

RDP Shortpath is a feature that changes how users connect to their Cloud PC from a TCP connection to a secure UDP connection. Enabling RDP Shortpath has several key benefits that can improve end user experience and allow for added control at the network layer. These include:
- Changing the connection protocol from TCP to Universal Rate Control Protocol (URCP). This is a low delay and low loss protocol that dynamically adapts to network parameters.
- Reduces network hops between RDP Clients and Cloud PCs to improve connection reliability and bandwidth.
- Improves performance of latency dependent applications by reducing connection round-trip time.
- Enables support for QoS on RDP connections (Azure Network Connection only).
- Enables support for bandwidth throttling on outbound network traffic (Azure Network Connection only).

Because Windows 365 is built on the same technology as Azure Virtual Desktop, the configuration of RDP Shortpath is the same for both technologies. Be sure you review the correct requirements and configuration steps depending on whether you use an Azure Network Connection or a Microsoft Hosted Network for your Windows 365 environment.

Summary

After configuring each of these features, you’ll be well on your way to delivering the best Cloud PC experience to your end users. Keep an eye on the What's new in Windows 365 and Windows 365 In Development pages for upcoming service enhancements and features. There are a lot of exciting capabilities coming soon!
-
We are excited to announce the general availability of Azure IoT Edge for Linux on Windows (EFLOW) 1.4 LTS, a new long-term servicing branch which includes the 1.4 version of Azure IoT Edge. With this release, you will be able to take advantage of the latest features of Azure IoT Edge on Windows devices. EFLOW 1.4 LTS is recommended for all new production deployments and will be supported until November 12, 2024, according to the Azure IoT Edge product lifecycle. Customers currently on EFLOW 1.1 LTS will be able to upgrade to EFLOW 1.4 LTS without needing to reinstall. The EFLOW CR branch will still be available in preview for customers who require the latest non-LTS stable release of Azure IoT Edge. Note that customers can only have one version of EFLOW installed at a time.

We are continuously listening to customer feedback and bringing the latest Azure IoT Edge features to EFLOW. EFLOW 1.4 LTS includes the following features:
- Latest features in Azure IoT Edge 1.4 release.
- CBL Mariner 2.0
- Support for additional networking configurations and control including: Static IP & DHCP, Multiple NICs, Static MAC address, DNS configurations
- Support for exposing host hardware capabilities to the Linux workloads including: TPM for DPS provisioning, Camera over RTSP, Serial Passthrough, and USB over IP
- Shared storage for sharing files and folders across Windows & Linux.
- GPU passthrough, including support for a broader set of GPUs.
- Support for deploying EFLOW on virtualized infrastructure including VMware Windows virtual machines

See full details of the update here: Release 1.4.1.13112 LTS · Azure/iotedge-eflow

If you are new to EFLOW and want to learn more about it, we recommend starting with reading the EFLOW 1.1 LTS GA announcement blog and visiting the EFLOW documentation.
-
Newsworthy Highlights

Microsoft Priva is generally available to GCC, GCC High and DoD
As the privacy landscape continues to evolve, the way that government organizations respond to privacy regulations will be critical to maintaining their privacy posture and responding to constituent requests. Microsoft’s newest security brand category, Microsoft Priva, was first announced at Ignite in 2021—today, we are excited to announce the general availability of Microsoft Priva for the Government Community Cloud (GCC), GCC High, and Department of Defense (DoD) customers.

Announcing New Teams Developer Portal for GCC
Teams Developer Portal for GCC will allow developers to configure, distribute, and manage Microsoft Teams apps. Formerly App Studio, the Developer Portal can help wherever you are in your Microsoft Teams app development journey.

What’s New in Microsoft Teams | October 2022
These features currently available to Microsoft’s commercial customers in multi-tenant cloud environments are now rolling out to our customers in US Government Community Cloud (GCC), US Government Community Cloud High (GCC-High), and/or United States Department of Defense (DoD).

Windows 365 brings Cloud PCs to government
Built to meet the enhanced security and compliance requirements of the US government, Windows 365 Government is a full Windows 365 experience—combining the power and security of the cloud with the familiarity of the PC to empower flexibility and innovation. With Windows 365 Government, US government agencies, contractors, partners (State, Local, Federal Civilian, Defense), and native Indian tribes (US only) can securely stream their Windows apps, data, content, and settings from the Microsoft cloud to any supported device at any time. It’s a complete Windows experience that is:

FedMake
Microsoft Federal's FedMake program delivers hackathon style events, exclusively for Federal (Civilian / DoD / Intel) organizations, where conditions are created, and facilitated, by Microsoft experts, for cross-organization teams to leverage Microsoft expertise and develop solutions that achieve their mission.

Where to Start with Microsoft Teams Apps in Gov Clouds
Customers in our Office 365 government clouds, GCC, GCCH, and DoD, are continuing to evolve how they do business in the hybrid workplace. As Microsoft Teams is the primary tool for communication and collaboration, customers are looking to improve productivity by integrating their business processes directly into Microsoft Teams via third-party (3P) applications or line-of-business (LOB)/homegrown application integrations.

Microsoft 365 Government Adoption Resources
Empowering US public sector organizations to transition to Microsoft 365

Release News

Exchange Online
- Exchange Online support for Windows PowerShell 2.0 connections is ending

SharePoint / OneDrive for Business
- We are updating the e-mails that are sent when users share SharePoint sites to match the behavior of our other sharing e-mails
- The Stream web app will provide an enriched playback experience for videos stored in SharePoint or OneDrive

Teams
- Users will now be able to open the Teams calendar scheduling form in a new window – GCC December, GCCH January, DoD February
- Additional logs in Teams Call History – GCC October, GCCH and DoD November
- Human Interface Devices (HID) for Teams on VDI environments – GCC October, GCCH & DoD November
- Contact Group management is now available in the Calls App pane – GCC October, GCCH & DoD November
- View users and groups assigned to a policy - GCC
- Companion mode updates provide a differentiated meeting experience on mobile that complements the overall meetings experience across devices or in hybrid environments – Android – GCC September, GCCH & DoD October
- When accepting a PSTN call, an automatic browser launch can pop out alongside Teams, displaying relevant information to the user – GCC November, GCCH & DoD December

Microsoft Purview
- eDiscovery (Premium): Usability enhancements for list pages in compliance portal

Security/Identity
- Data loss prevention (DLP) support for trainable classifiers
- AIP Scanner admin experience moving to Microsoft Purview compliance portal
- Safe Documents is now Generally Available - GCC August, GCCH & DoD November
- New service plan: Data classification in Microsoft 365
- Deep link to Content Viewer from DLP alert
- Announcing the retirement of ‘Office 365 Security and Compliance Center’ (protection.office.com) - GCC

Intune
- Microsoft Endpoint Manager branding change

Microsoft 365
- The Office app for web (Office.Com), Windows, iOS, and Android is becoming the Microsoft 365 app

References and Information Resources

Microsoft 365 Public Roadmap
This link is filtered to show GCC, GCC High and DOD specific items. For more general information uncheck these boxes under “Cloud Instance”.

Stay on top of Microsoft 365 changes
Here are a few ways that you can stay on top of the Office 365 updates in your organization.

Microsoft Tech Community for Public Sector
Your community for discussion surrounding the public sector, local and state governments.

Microsoft 365 for US Government Service Descriptions
· Office 365 Platform (GCC, GCCH, DoD)
· Office 365 U.S. Government GCC High endpoints
· Office 365 U.S. Government DoD endpoints
· Microsoft Purview (GCC, GCCH, DoD)
· Enterprise Mobility & Security (GCC, GCCH, DoD)
· Microsoft Defender for Endpoint (GCC, GCCH, DoD)
· Microsoft Defender for Cloud Apps Security (GCC, GCCH, DoD)
· Microsoft Defender for Identity Security (GCC, GCCH, DoD)
· Azure Information Protection Premium
· Exchange Online (GCC, GCCH, DoD)
· SharePoint (GCC, GCCH, DoD)
· OneDrive (GCC, GCCH, DoD)
· Teams (GCC, GCCH, DoD)
· Office 365 Government (GCC, GCCH, DoD)
· Power Apps (GCC, GCCH, DoD)
· Power Automate US Government (GCC, GCCH, DoD)
· Power BI (GCC, GCCH, DoD)
· Planner (GCC, GCCH, DoD)
· Outlook Mobile (GCC, GCCH, DoD)
· Viva Insights (GCC)
· Dynamics 365 US Government

Be a Learn-it-All

Public Sector Center of Expertise
We bring together thought leadership and research relating to digital transformation and innovation in the public sector. We highlight the stories of public servants around the globe, while fostering a community of decision makers. Join us as we discover and share the learnings and achievements of public sector communities.

Microsoft Teams for US Government Adoption Guide

Message Center Posts and Updates for Microsoft Teams in GCC
Looking for what’s on the map for Microsoft Teams and only Teams in GCC? Go right to the GCC Teams Feature Communications Guide

Message Center Highlights

SharePoint Online / OneDrive for Business

MC454797 — SharePoint and OneDrive deploying hard block for IE11 in January 2023
As communicated in MC278815 (August '21), Microsoft 365 apps and services ended providing support for Internet Explorer 11 in August 2021. Beginning mid-January 2023, access to SharePoint Online and OneDrive from Internet Explorer 11 will be hard blocked for all users. Users should access these services through a modern browser, and we recommend Microsoft Edge as a faster, more innovative browser than IE11.
When this will happen: Mid-January 2023
How this will affect your organization: Once the hard block is deployed, the connection requests will fail and users will no longer be able to access these services through IE11. These users would need to use a modern browser, such as Microsoft Edge, to continue accessing SharePoint Online and OneDrive.
Current soft block experience:
Future hard block experience:
What you need to do to prepare: If you still use IE11 to access SharePoint or OneDrive content, we strongly recommend you review the following guidelines to help avoid service disruption for users:
1. Deploy a modern browser such as Microsoft Edge
2. Prepare your SharePoint environment for the retirement of Internet Explorer 11 for Microsoft 365 apps and services - SharePoint in Microsoft 365 | Microsoft Docs
Note: If your organization has already finished upgrading to Microsoft Edge, no further actions are needed. Please click Additional Information to learn more.

MC445742 — OneDrive: Folder Backup for macOS
Microsoft 365 Roadmap ID 82032
Folder Backup enables an admin and/or end-user to redirect the local macOS Desktop and Documents folder to OneDrive. This allows the end user to keep using those folders to save their content while delivering the protection and access anywhere promise that OneDrive offers. The feature and relative list entries are very similar to the Folder Backup experience that has been on Windows for a while.
Note: If your organization does not use macOS you can safely disregard this message.
When this will happen: Standard Release: We will begin rolling out mid-October and expect to complete by mid-November.
How this will affect your organization: As the feature is rolled out, end users will be able to access this feature via OneDrive Sync Settings. As end-users enroll in this feature all of their files within Desktop and Documents will be uploaded to their OneDrive for Business root folder.
What you need to do to prepare:
· Ensure that the standalone OneDrive Sync client version 22.191 is rolled out within your workplace
· Ensure that macOS 12.1 Monterey or a later version of macOS is rolled out within your workplace
· Configure the plist entries that fit your workplace once the feature has rolled out (KFMOptInWithWizard, KFMSilentOptIn, KFMBlockOptIn, KFMBlockOptOut)

MC445418 — Retiring Turn On File Synchronization Via SOAP Over HTTP
We are removing the “Turn on file synchronization via SOAP Over HTTP” policy from Group Policy. This policy allows IT admins to turn file synchronization via SOAP over HTTP on or off for Office.
When is this change taking effect? This change is rolling out in the Monthly Enterprise Channel (MEC) in mid-October, and it will be in the Semi-Annual Enterprise Channel (Preview) in January 2023.
How will this affect you? This policy was originally introduced when Office switched to using the SOAP protocol to connect and exchange information with newer versions of SharePoint. It was implemented to give admins better control of this transition, particularly for older SharePoint 2013 on-premises deployments. Now that this transition is complete, we have found that some users turn this policy off in an attempt to troubleshoot "Sorry we can't open https://" or "Upload failed." error messages when trying to open documents on a SharePoint website. Setting the policy to Disabled writes the FSSHTTPOff registry value, which prevents Office from using its preferred protocol to open documents on SharePoint. It also prevents features such as co-authoring, checking documents in and out, reverting to earlier versions of documents, filling out required file properties, and so on, from functioning properly. As a result, we are retiring this policy in favor of always using SOAP as the Office preferred protocol to open documents on SharePoint.
What do you need to do to prepare for this change?
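To locate machines where this policy was set to Disabled before the retirement removes it, the script below (added here as an example; it is not part of the message and not Microsoft's code) reads the FSSHTTPOff value from the locations a Group Policy setting and a manual edit write to. The registry paths, the Office version segment 16.0 and the reading of value 1 as "SOAP off" are assumptions drawn from the message and the related support articles, so check them against your own build before running the cleanup.

```powershell
# Added example (not Microsoft's code): find and optionally clear the FSSHTTPOff
# value that the retired "Turn on file synchronization via SOAP Over HTTP" policy
# writes when it is set to Disabled.
# Assumptions: the value sits under Office\16.0\Common\Internet, in a Policies key
# when written by Group Policy and in the plain per-user key when set by hand.
# Change the 16.0 segment for older Office builds.
$FsshttpPaths = @(
    'HKCU:\Software\Policies\Microsoft\Office\16.0\Common\Internet',   # per-user GPO
    'HKLM:\Software\Policies\Microsoft\Office\16.0\Common\Internet',   # machine GPO
    'HKCU:\Software\Microsoft\Office\16.0\Common\Internet'             # manual edit
)

function Get-FsshttpOffState {
    # One object per location. Blocking is $true when FSSHTTPOff = 1, i.e. SOAP is
    # off and co-authoring, check-in/out and version history stop working.
    foreach ($path in $FsshttpPaths) {
        $value = $null
        if (Test-Path -Path $path) {
            $item = Get-ItemProperty -Path $path -Name FSSHTTPOff -ErrorAction SilentlyContinue
            if ($item) { $value = $item.FSSHTTPOff }
        }
        [pscustomobject]@{
            Path     = $path
            Present  = ($null -ne $value)
            Value    = $value
            Blocking = ($value -eq 1)
        }
    }
}

function Remove-FsshttpOff {
    # Clears only the manually set value. Values under a Policies key are re-applied
    # by Group Policy at the next refresh, so fix those in the GPO instead.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $hits = Get-FsshttpOffState | Where-Object { $_.Present -and $_.Path -notlike '*\Policies\*' }
    foreach ($hit in $hits) {
        if ($PSCmdlet.ShouldProcess($hit.Path, 'Remove FSSHTTPOff')) {
            Remove-ItemProperty -Path $hit.Path -Name FSSHTTPOff
        }
    }
}

Get-FsshttpOffState | Format-Table -AutoSize
Remove-FsshttpOff -WhatIf    # drop -WhatIf to actually delete the manual override
```

Run it in the affected user's session (the HKCU keys belong to that user); the HKLM path is read so a machine-wide policy shows up in the same report. Only the non-policy value is removed, because a value that Group Policy wrote comes straight back at the next refresh and has to be corrected at the source.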
If you or your organization is affected by this retirement, please let us know about your scenario by emailing FileSyncViaSOAP@microsoft.com.

MC444990 — Update to sharing e-mails
Microsoft 365 Roadmap ID 98197
We are updating the e-mails that are sent when users share SharePoint sites to match the behavior of our other sharing e-mails.
When this will happen: This feature is now rolling out and will complete by late October.
How this will affect your organization: Going forward, if the user who is sharing a SharePoint site has an Exchange mailbox, the mail will come from their e-mail account instead of no-reply@sharepointonline.com. This change will make it easier for users to spot important sharing e-mails and improve delivery reliability.
What you need to do to prepare: You may want to update your internal documentation, along with any mail flow rules, safe-sender lists or phishing-awareness guidance that single out no-reply@sharepointonline.com as the sender of site invitations.

MC408994 — (Updated) Private drafts for SharePoint pages and news
Microsoft 365 Roadmap ID 85629
Updated October 6, 2022: We have updated the rollout timeline below. Thank you for your patience.
We’re adding the ability to create private drafts for pages and news posts. A private draft is visible only to the page author, the people the author chooses to share it with, and site admins. It's great for creating and editing content that’s not ready for others to see except the people you want to collaborate with.
When this will happen: This update will roll out to Targeted Release customers starting early August and to all customers by mid-November (previously mid-September).
How this will affect your organization: Authors of SharePoint pages and news will be able to create private drafts. When a private draft is created, only the creator and site admins can see the page (including from within the Pages library). The creator can then share the private draft with other people to allow them to access and edit the page. They will also have access to the assets associated with the page, which are stored in the site’s assets library.
Like all pages and news posts, only one person at a time can edit the draft. When the draft is published, its permissions are reset and everyone in your organization who has access to the site will be able to view it.
What you need to do to prepare: You do not need to do anything to prepare for this update, but you may want to let your users know about these improvements. More information available here: Create a private SharePoint page or news post

MC408694 — (Updated) New 'Activity' Column in OneDrive 'My Files' list view
Microsoft 365 Roadmap ID 88913
Updated October 27, 2022: We have updated this message with a link to additional information. Thank you for your patience.
We are introducing a new Activity column in the OneDrive My Files list view. The goal of this feature is to help users stay up to date on the files that they are working on with others by surfacing relevant activity information. We will show file activity related to actions such as user comments, edits, shares, and @mentions.
When this will happen: We will begin rolling out this feature in mid-October (previously mid-September) and expect to complete rollout by late October.
How this will affect your organization: There is no impact to your organization. This feature will be delivered as a user interface update in the form of an additional column in the My Files list view with activity information related to files (e.g., file shared, user comment, @mentions).
What you need to do to prepare: There is nothing you need to do to prepare for this change. You may want to notify your users about this change and update your training and documentation as appropriate.

MC405984 — (Updated) Site Limits for SharePoint Lists, Libraries, and Subsites
Updated October 11, 2022: We are providing updates to provide you with additional information. Thank you for your patience.
We would like to provide clarification on the enforcement of the maximum count of lists and libraries per site.
As described in the SharePoint limits service description, the service limit is 2,000 lists and libraries combined per site collection (including the main site and any subsites). Beginning February 2023, we will enforce the limit of 2,000 lists and libraries independently at the main (root) site and at the subsite level. For instance, a site collection can have 2,000 subsites (including the main site), and each subsite (including the main site) can have 2,000 lists and libraries (including the hidden and default out-of-the-box libraries). These limits may be further re-aligned with the service description in the future, but the timeline is TBD. In the meantime, we still recommend that customers follow the limits defined in the service description to achieve the best performance and service reliability.
SharePoint recommends a maximum of 2,000 lists and libraries per site, and 2,000 subsites per site. These have been long-standing limits for SharePoint but have not been formally enforced. There have been cases where some sites exceeded these limits, resulting in poor site performance and a low-quality viewing experience. One of the most impacted areas is API performance, which degrades significantly when users access data on sites that exceed the recommended limits. API calls may time out or get throttled, blocking users from opening the site or resulting in unexpected failures. In some extreme cases, the issue can impact functionality beyond these sites. To ensure site performance and help customers have the best possible experience, Microsoft will implement a safeguard to prevent customers from exceeding these limits.
When will this happen: The change will only impact the creation of new lists, libraries or subsites outside the approved limits, starting in February 2023 (previously early November), and will be completely enforced by late April (previously late December).
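To see where a site collection stands before enforcement begins, here is an added example (not part of the message and not Microsoft's code) using PnP PowerShell that counts lists and libraries per web, hidden and out-of-the-box ones included, and webs per site collection, and flags anything at or near the 2,000 limit. It assumes the PnP.PowerShell module with the cmdlet parameters as documented at the time of writing, an account that can read every subweb, and a 90% warning threshold that is my own choice.

```powershell
# Added example (not Microsoft's code): report every web in a site collection
# against the limits above (2,000 lists and libraries per web, 2,000 subsites
# per site collection) before the block is enforced.
# Assumptions: PnP.PowerShell is installed; the account can read every subweb;
# recent module versions require an Entra app registration passed via -ClientId
# on Connect-PnPOnline (add it to both Connect calls below if yours does).
param(
    [Parameter(Mandatory)] [string] $SiteUrl,
    [ValidateSet('Production', 'USGovernment', 'USGovernmentHigh', 'USGovernmentDoD')]
    [string] $AzureEnvironment = 'Production',   # USGovernmentHigh for GCC High, USGovernmentDoD for DoD
    [int]    $Limit  = 2000,
    [double] $WarnAt = 0.9                       # flag webs at 90% of the limit (my own threshold)
)

Import-Module PnP.PowerShell

function Get-LimitStatus([int] $Count, [int] $Limit, [double] $WarnAt) {
    if ($Count -ge $Limit)           { return 'BLOCKED' }   # new items will be refused
    if ($Count -ge $Limit * $WarnAt) { return 'WARN' }
    return 'OK'
}

$root = Connect-PnPOnline -Url $SiteUrl -Interactive -AzureEnvironment $AzureEnvironment -ReturnConnection
$webs = @(Get-PnPWeb -Connection $root) + @(Get-PnPSubWeb -Recurse -Connection $root)

# The subsite limit is per site collection; per the message the root web counts too.
$subsiteStatus = Get-LimitStatus -Count $webs.Count -Limit $Limit -WarnAt $WarnAt
"Site collection $SiteUrl : $($webs.Count) webs including root -> $subsiteStatus"

foreach ($web in $webs) {
    # Each web needs its own context; the token cached by the first sign-in is reused.
    $conn  = Connect-PnPOnline -Url $web.Url -Interactive -AzureEnvironment $AzureEnvironment -ReturnConnection
    # Get-PnPList returns hidden and out-of-the-box lists as well, and they count toward the limit.
    $lists = @(Get-PnPList -Connection $conn)
    [pscustomobject]@{
        Web      = $web.Url
        Lists    = $lists.Count
        Hidden   = @($lists | Where-Object Hidden).Count
        Headroom = $Limit - $lists.Count
        Status   = Get-LimitStatus -Count $lists.Count -Limit $Limit -WarnAt $WarnAt
    }
}
```

A web reported as BLOCKED is one where, once enforcement reaches the tenant, a create call will come back with the ERROR_SHARING_BUFFER_EXCEEDED code described below; WARN webs are the ones to check for custom solutions that mint lists automatically.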
How this will affect your organization: Once these limits are enforced, sites that exceed the limit of 2,000 lists and libraries will no longer be able to have new libraries or lists added. Similarly, any site that exceeds the limit of 2,000 subsites will no longer be able to have new subsites added. When a site reaches these limits, users will see the following message on SharePoint web: [screenshot]
On an API request to create a new list or document library, SharePoint will return the error code ERROR_SHARING_BUFFER_EXCEEDED. Libraries, lists, and subsites that were created before the enforcement rollout and exceed the corresponding limit will continue to function and their access will not be blocked. The change will only impact the creation of new lists, libraries or subsites outside the approved limits once enforcement starts (February 2023, previously November). These new additions will be blocked at the time of creation once the site reaches the corresponding limit.
What you need to do to prepare: Share these limits with the people who manage SharePoint sites in your organization. If the sites in your tenant are below the limits, this change will not impact you. It is uncommon for the organic growth of a site to reach these limits. However, custom solutions can generate a high volume of lists and libraries. In that situation, our recommendation is to work with your solution providers to prepare an alternative solution in order to stay within these limits.
Additional Information:
· SharePoint limits - Service Descriptions | Microsoft Docs

MC394844 — (Updated) Stream on SharePoint: Inline playback of videos in Hero web part
Microsoft 365 Roadmap ID 93351
Updated October 13, 2022: We have updated the rollout timeline below. Thank you for your patience.
When users click to play a video in the Hero web part section of a SharePoint site, the video will play inline.
This feature allows users to watch a video without being taken off the SharePoint page and lets them browse or scroll through the other contents of the page while the video plays.
When this will happen: We will begin rolling out by mid-July and expect to complete by early November 2022 (previously early October 2022). Note: Some users may see this feature before other users within your organization.
How this affects your organization: Video consumers on the Hero web part will now be able to watch the video on the same site page where they encountered it. That allows them to browse through other site content while watching/listening to the video, thus saving their browsing time.
What you can do to prepare: You may consider updating your training and documentation as appropriate.

Microsoft Teams

MC455193 — Delete or rename files in a channel and in your OneDrive folder in Teams
Microsoft 365 Roadmap ID 98073, 98074
To rename or delete a file in a channel, go to the Files tab and find the file you want. Then select More options (the three dots) on the file. To rename or delete a file from your OneDrive, select More at the bottom of the app, then select Files. Once you find the file you want, select the three dots and choose to rename or delete it.
When this will happen: Standard Release: We will begin rolling out early November 2022 and expect to complete by late November 2022.
How this will affect your organization: No impact to admins, no process required by admins. Users will be able to rename or delete their files from the Teams mobile app.
What you need to do to prepare: You may consider updating training and documentation as appropriate.

MC455187 — 2x2 Video in Gallery View for Web Meetings in Firefox
Microsoft 365 Roadmap ID 100983
Gallery view can now show up to 4 participant videos during a meeting in the Firefox browser. Users can also start streaming their own video for the rest of the meeting participants.
When this will happen: We will begin rolling out early December and expect to complete by mid-December.
How this will affect your organization: Users joining meetings from Firefox browsers will have a richer video experience.
What you need to do to prepare: You may need to update the documentation for your Firefox users to mention this feature.

MC454501 — Introducing Call Quality Dashboard v3 for GCC-High and DoD Tenants
Call Quality Dashboard v3 (CQD) will be available to GCC-High and DoD tenants using Microsoft Teams.
When will this happen: GCC-High and DoD tenants will be onboarded to Microsoft Teams Call Quality Dashboard v3 in mid-November. A notice announcing this change was sent on May 5th, 2022 (MC376244).
How this will affect your organization: Accessing CQD v3 is the same as you previously accessed CQD v2.
· GCCH: https://cqd.gov.teams.microsoft.us
· DoD: https://cqd.dod.teams.microsoft.us
Any building data files or custom reports previously uploaded to or created in CQD v2 are no longer available and must be uploaded into CQD v3 again. Microsoft support staff will not be able to assist in retrieving these files from the decommissioned CQD v2.
What you need to do now that the change is complete: Now that the cutover to CQD v3 has completed, we recommend that administrators:
· Upload your building data files to CQD v3 using an administrator account with the 'Upload building data' permission. Only one administrator needs to perform this step. Verify that the correct date ranges are applied to each data file to ensure your building mapping is accurate in your reports.
· Import any custom reports back into CQD v3, if desired. This is a per-user step, so User A can upload their own custom reports, but User B cannot do this on behalf of User A.

MC454491 — Customizable dashboard in Teams admin center
We apologize for not communicating about this change prior to it rolling out.
Teams admin center has added support for customization of the widgets in the dashboard. Administrators can now personalize the dashboard widgets to their preference: they can reorder widgets and pin them at the position they would like to see them. For widgets that are not used frequently, Teams admin center now gives the flexibility to hide them from the dashboard. The widgets are now optimized for smaller screens too.
When this will happen: This feature is available now.
How this will affect your organization: Administrators will now see a ‘re-order’ icon and a ‘more’ icon on every widget in the dashboard. By clicking and holding the re-order icon, the placement of the widget can be changed by dragging it to the position the administrator prefers. Using the ‘Remove’ option under the dropdown menu of the more icon, administrators can hide the widget from the dashboard. To add widgets to the dashboard, administrators can click the ‘Edit’ icon in the top-right corner of the page and click the thumbnails of the widgets.
What you need to do to prepare: You might want to notify your Teams administrators about this new capability and update your training and documentation as appropriate.

MC450498 — Sign Language View
Microsoft 365 Roadmap ID 99452
We are introducing a new Sign Language experience in Teams Meetings to help meeting participants who use sign language to prioritize interpreters and other sign language users so that they remain visible in a static, central location on the meeting stage, with higher video quality. Specific sign language users inside the organization that you work with regularly – such as regular interpreters – can be prioritized across all meetings by adding them to a prioritized signer list under Settings > Accessibility in the Teams app. Sign language view is a personal, user-level setting, and is visible only to those who have turned it on. It will not be shown to the rest of the meeting participants.
The feature is presently available only on Teams Desktop. Sign Language View addresses three key concerns raised by Deaf/hard of hearing users:
· It keeps interpreters and other signers in a static location, unaffected by the dynamic placement of other videos as people enter and exit a meeting.
· It simplifies the meeting join process by providing settings for sign language and captioning that persist across all meetings.
· It keeps interpreters and other signers visible and prioritized even when content is shared.
When this will happen:
Preview: We will begin rolling out early November.
Production, GCC: We will begin rolling out early December and expect to complete by mid-December.
GCC-H, DoD: We will begin rolling out in January.
How this will affect your organization: Here are the changes your end users will see as Sign Language View rolls out:
· They will see a new option, “Sign Language”, in the More menu accessed under the three dots in the top menu bar.
· A new Accessibility pane will appear in the main Settings menu that will include toggles for turning on Sign Language View and setting captions to appear across all meetings.
· Within the Accessibility settings pane, users can also create a list of people internal to their organization to always prioritize for sign language – for example, the regular interpreters they work with in meetings. If more than two individuals are prioritized for sign language, the first two to join a meeting and turn on video will be prioritized.
· Within a meeting, Sign Language View will show the participants you designate as signers (people who use sign language) at a larger size, in a static location, with a fit-to-frame aspect ratio and higher quality video with low-bandwidth scenario support.
· When no content is shared, prioritized signers appear on the lower part of center stage; when content is shared, prioritized signers shift location, still with prioritized, larger video for up to two signers.
What you need to do to prepare: You may need to update documentation for your users interested in using this feature. You may provide documentation and support for the scenarios below.
Enable the user-level setting and add signers: Go to Settings > Accessibility and turn on the switch for Sign language. Add the sign language users whose videos you would like to prioritize across your meetings.
In a meeting, add and remove signers: Via the context menu on another person, try adding them as a signer. You should see a maximum of two signers prioritized for sign language in the center of the meeting. The rest of the signers will overflow to the side or top gallery.
Change views and come back to Sign Language view: Use the overflow menu with view options to change among views: Main Gallery, Large Gallery and Together Mode. Only Sign Language view supports prioritizing sign language users.
In a meeting, go to the “More” context menu on the toolbar and select Accessibility. Manage the list here or make captions on by default. Live Captions will then be turned on for the next meeting you join.

MC450203 — My Activity retirement in Teams desktop and web clients
As announced in MC411679 (August '22), we are retiring the "My Activity" feature within the Activity app from Microsoft Teams desktop and web clients. Activity will now support only activities directed to you (the option to view activities initiated by you will be retired), where we will continue to invest our development resources.
When this will happen: We will begin rolling this out mid-November and expect to complete by early December.
How this affects your organization: Once this change is implemented, Teams desktop and web client users will no longer see the "My activity" dropdown.
What you can do to prepare: You may consider updating your training and documentation accordingly.
MC450186 — Support PSTN attendees in meetings to join Breakout Rooms
Microsoft 365 Roadmap ID 100297
This Breakout Rooms feature enables PSTN participants to be assigned to and join breakout rooms. PSTN participants include dial-in users, dial-out users, and call-me users. Scenarios supported in this version:
· PSTN participants can be assigned to breakout rooms (manually or automatically)
· PSTN participants can join breakout rooms and hear an announcement.
· PSTN participants can join back to the main room and hear an announcement after breakout rooms are closed (manually closed or timer ends).
When this will happen:
Preview: We will begin rolling out late October and expect to complete by early November.
Standard Release: We will begin rolling out mid-November and expect to complete by late November.
How this will affect your organization: Dial-in, dial-out and call-me PSTN participants will be able to join breakout rooms and come back to the main room when breakout rooms end.
What you need to do to prepare: No preparation is needed. You may want to update your training materials to indicate that PSTN users are now supported.

MC449930 — (Updated) Microsoft Teams: Additional Filters in Approvals
Microsoft 365 Roadmap ID 92486
Updated October 26, 2022: We have updated the rollout timeline below. Thank you for your patience.
The Microsoft Teams approval list within the personal app will include additional filters for your approval list, such as keyword search and other options such as Approved.
When this will happen:
Preview: We will begin rolling out early October and expect to complete by mid-November 2022 (previously mid-October 2022).
Standard Release: We will begin rolling out mid-November (previously mid-October) and expect to complete by late November 2022 (previously late October 2022).
What you need to do to prepare: There is no action needed to prepare for this change.
You may want to notify your users about this change and update any relevant documentation as appropriate.

MC448362 — Changes Coming to the Call Routing behavior for the On-Behalf-Of PSTN Delegate Calling Experience
Based on customer feedback, we will be changing the call routing behavior for the on-behalf-of PSTN calling delegate experience.
When this will happen: We are planning to start rolling out mid-December and complete rollout by late December.
How this will affect your organization: If your organization is not using call delegation in Microsoft Teams, please disregard this message.
Today, when a Microsoft Teams user (the delegate) makes an outbound PSTN call on behalf of a delegator, the check for appropriate licensing, call restrictions, and the call routing are based on the settings of the delegate. For example, today if a delegate with a Microsoft Teams Calling Plan phone number makes an outbound PSTN call on behalf of a delegator with a Direct Routing phone number, we will check that the delegate has the appropriate license, check dial-out restrictions on the delegate, and route the call based on the delegate's Teams Calling Plan and the called number.
We will be changing this so that the check for appropriate licensing, any dial-out restrictions, and the call routing are based on the settings of the delegator. After the change, if a delegate with a Teams Calling Plan phone number makes an outbound PSTN call on behalf of a delegator with a Direct Routing phone number, we will check that the delegator has the appropriate license, check dial-out restrictions on the delegator, and route the call based on the delegator's Online Voice Routing Policy. The change will cover all the different PSTN connectivity options in Microsoft Teams (Teams Calling Plan, Operator Connect and Direct Routing PSTN connectivity).
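Because the delegator's settings will decide whether a delegated call is allowed and how it routes, it helps to list each delegator's PSTN settings next to the delegates who can call on their behalf. The script below is an added example (not part of the message and not Microsoft's code); the cmdlet and property names it relies on (Get-CsUserCallingSettings returning a Delegates collection with Id and MakeCalls, and Get-CsOnlineUser exposing EnterpriseVoiceEnabled, LineUri, OnlineVoiceRoutingPolicy and OnlineDialOutPolicy) are assumptions to verify against your Teams PowerShell module version.

```powershell
# Added example (not Microsoft's code): for each delegator, show the PSTN settings
# that will govern delegated calls after the change, next to the delegates who
# are allowed to place calls on their behalf.
# Assumptions: MicrosoftTeams module; Get-CsUserCallingSettings returns a Delegates
# collection whose members carry Id and MakeCalls; Get-CsOnlineUser exposes
# EnterpriseVoiceEnabled, LineUri, OnlineVoiceRoutingPolicy and OnlineDialOutPolicy.
param(
    [Parameter(Mandatory)] [string[]] $Delegator,                          # delegator UPNs
    [ValidateSet('TeamsGCCH', 'TeamsDOD')] [string] $TeamsEnvironmentName   # omit for commercial or GCC
)

Import-Module MicrosoftTeams
if ($TeamsEnvironmentName) { Connect-MicrosoftTeams -TeamsEnvironmentName $TeamsEnvironmentName | Out-Null }
else                       { Connect-MicrosoftTeams | Out-Null }

function Get-PstnProfile([string] $Upn) {
    $u = Get-CsOnlineUser -Identity $Upn
    [pscustomobject]@{
        User            = $Upn
        EnterpriseVoice = $u.EnterpriseVoiceEnabled
        LineUri         = $u.LineUri
        VoiceRouting    = $u.OnlineVoiceRoutingPolicy   # $null = Global; Direct Routing needs an explicit policy
        DialOutPolicy   = $u.OnlineDialOutPolicy        # $null = Global
    }
}

foreach ($upn in $Delegator) {
    $owner     = Get-PstnProfile -Upn $upn
    $delegates = @((Get-CsUserCallingSettings -Identity $upn).Delegates | Where-Object { $_.MakeCalls })

    $gaps = @()
    if (-not $owner.EnterpriseVoice) { $gaps += 'delegator is not Enterprise Voice enabled' }
    if (-not $owner.LineUri)         { $gaps += 'delegator has no phone number' }
    if ($delegates.Count -eq 0)      { $gaps += 'no delegates with MakeCalls' }
    $summary = if ($gaps) { $gaps -join '; ' } else { 'ready' }

    "== Delegator $upn : $summary"
    $owner | Format-List

    foreach ($d in $delegates) {
        # After the change the delegator's dial-out policy is enforced, so a delegate
        # with a tighter policy can reach destinations their own policy would refuse.
        $dp = Get-PstnProfile -Upn $d.Id
        [pscustomobject]@{
            Delegate               = $d.Id
            DelegateDialOutPolicy  = $dp.DialOutPolicy
            DelegatorDialOutPolicy = $owner.DialOutPolicy
            PolicyDiffers          = ("$($dp.DialOutPolicy)" -ne "$($owner.DialOutPolicy)")
        }
    }
}
```

Rows with PolicyDiffers set are the ones to look at: where the delegator's dial-out policy is looser than the delegate's, the delegate gains reach they did not have before the change, and where it is tighter, calls that worked before will start failing.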
There will be no change to the personal outbound PSTN call experience for Microsoft Teams users, i.e., when a user makes an outbound PSTN call without calling on behalf of someone else. There will be no change in behavior for Location-Based Routing enabled delegates; it will continue to be based on the settings of the delegate. There will be no user interface changes in Microsoft Teams related to this change. There will be no licensing changes for delegate/delegator scenarios.
What you need to do to prepare: You should ensure that every delegator has the necessary PSTN calling license, dial-out restrictions and PSTN call routing settings to enable their delegates to make outbound PSTN calls on their behalf. Because the delegator's dial-out policy will now decide which destinations a delegate can reach on their behalf, also review delegators whose restrictions are looser than those of their delegates. The change will not be configurable by administrators. Please click Additional Information to learn more.
· Outbound calling restriction policies for Audio Conferencing and user PSTN calls
· Share a phone line with a delegate
· Shared line appearance in Microsoft Teams

MC448356 — New praise compose experience in Teams and praise trends in Viva Insights
Microsoft 365 Roadmap ID 101161
Praise in Microsoft Teams is designed to appreciate the effort that goes into the wide-ranging, collaborative work that Teams users do. Users can send praise to their colleagues through the messaging extension pinned to the Teams messaging bar or through the Microsoft Viva Insights app in Teams. For both, admins can use the Microsoft Teams admin center to enable/disable Praise. The praise composer and praise card design will be updated for all Teams users. The praise composer – accessible through the messaging extension pinned to the Teams messaging bar or through the Viva Insights app in Teams – is being refreshed to replace praise badges with emojis and to introduce the ability to select gradient backgrounds.
Additionally, in the Viva Insights app in Teams, praise trends are being introduced, privately surfacing analytics such as counts of praise sent and received, your top fans and top praises received.
When this will happen: Standard Release: We will begin rolling out in early November and expect to complete by early December.
How this will affect your organization: The new composer, which loads through the messaging extension and the Viva Insights app, creates a more delightful composing experience when sending praise. Praise badges will be replaced with emoji pairings and the user can select from multiple gradient backgrounds to customize the praise card for a more celebratory feel. The praise page in the Viva Insights Teams app will also be updated. The praise feed will show the 6 most recent praises and users can use the dropdown to filter between recently sent and received praises. For more praises, users can still go to their praise history page to see up to 6 months of their complete history, ordered by the latest month. All EXO users will continue to see recommendations on the right panel. Users with Viva Insights subscriptions will have access to the Trends tab. Praise trends shares analytics visible only to them, including praise sent and received counts, their top fans and top praises received.
What you need to do to prepare: Refer to Praise with Viva Insights | Microsoft Docs, which will be updated in sync with this roll out.

MC446130 — Transcription for Calls on Microsoft Teams for Android
Microsoft 365 Roadmap ID 98510
Transcription for 1:1 calls and group calls will be available on the Microsoft Teams app for Android.
When this will happen: Standard Release: We will begin rolling out in late October and expect to complete rollout by early November.
How this will affect your organization: Users in your tenant can now start transcription for Teams calls and view transcripts after calls have ended, including both 1:1 calls and group calls.
What you need to do to prepare: You can configure the availability of transcription for calls via the Transcription setting of the meeting policy in the Teams admin center.

MC445744 — Teams admin center: View users and groups assigned to a policy
Microsoft 365 Roadmap ID 97253
The Microsoft Teams admin center gives admins the ability to view the list of users and groups that are assigned to a policy. This capability will help admins better manage policies and understand which policies are in use and to whom they are assigned.
When this will happen: This feature will be available in October 2022 for all Microsoft Teams licensees. Standard Release: We will begin rolling out mid-October 2022 and expect to complete by late October 2022.
How this will affect your organization: Admins can now see two columns, “Assigned to users” and “Assigned to groups”, on policy pages such as Meeting policies, Messaging policies, etc. As the names suggest, “Assigned to users” lists the users assigned to a particular policy via direct assignment and “Assigned to groups” lists the groups assigned to it via group policy assignment. Both columns have a clickable View link, which takes you to the Users > Manage users page to view directly assigned users, or to the corresponding Group policy assignment page to view groups that are assigned to the policy via group assignment.
What you need to do to prepare: Review how policy assignment for users and groups works. You can then go to any policy type, such as Meeting policies, and review the custom policies that are applied to users via direct assignment and to groups via group policy assignment. After clicking the View link, you can review the list of users and groups and verify that the assignments are correct. If a policy has no assignments, clicking the View link will return zero results. Such custom policies can be deleted as the organization sees fit.
MC445406 — Announcing Microsoft Teams Premium

Today, we are excited to announce Microsoft Teams Premium. Built on the familiar, all-in-one collaboration experience of Microsoft Teams, this new offering makes every meeting, from 1:1s to large meetings, virtual appointments and webinars, more personalized, intelligent, and secure. Unlike the disconnected experience and costs of multiple point products or add-ons, with Teams Premium you get the advanced meeting solutions you need for one low price.

As part of the Teams Premium announcement, these existing features will move to Teams Premium when it becomes available in February:
· Live Translated captions
· Custom Together mode scenes
· Timeline markers in Teams meeting recordings (join/leave meetings)
· Virtual Appointments:
  o SMS notifications
  o Organizational analytics in Admin Center
  o Scheduled queue view

These features will continue to be usable in Teams until Teams Premium becomes generally available in February. We will share more details prior to the Teams Premium public preview in December. Learn more about Teams Premium here: Introducing Microsoft Teams Premium, the better way to meet.

MC443385 — Microsoft Teams: Music on Hold for Call Transfer for GCCH and DoD
Microsoft 365 Roadmap ID 98431

Microsoft Teams users can now play music to callers on hold when a call transfer is initiated. This feature ensures that music is played to the caller on hold when a call transfer is initiated; it applies to 1:1 VoIP and PSTN calls.

When this will happen: We will begin rolling out in mid-October and expect to complete rollout by late October.

How this will affect your organization: There is no change for users, as this feature will take effect automatically. It will apply to transferred 1:1 VoIP and PSTN calls.

What you need to do to prepare: There is no action required to prepare for this change. You may want to notify your users and update training documentation as appropriate.
MC437263 — (Updated) Unread Toggle in Activity Feed
Microsoft 365 Roadmap ID 88389

Updated November 1, 2022: We have updated the content below to show as intended. Thank you for your feedback.

The Unread toggle will help users quickly view all the unread activities in their activity feed.

When this will happen: Preview: We will begin rolling out late September and expect to complete by early October. Standard Release: We will begin rolling out early November and expect to complete by late November.

How this will affect your organization: There are no tenant-level settings. Defaults will not change.

What you need to do to prepare: There is no action needed to prepare for this change. You may want to notify your users about this change and update any relevant documentation as appropriate.

MC430094 — (Updated) Microsoft Teams: Build and Deploy Connectors
Microsoft 365 Roadmap ID 96290

Updated October 28, 2022: We have updated the content below for clarity. Thank you for your patience.

GCC customers are able to build and deploy Connectors in their Microsoft Teams environment. Previously, Connectors were disabled by default; with this change we will be enabling Connectors by default.

When this will happen: We will begin rolling out in early October and expect rollout to be completed by the end of October (previously mid-October).

How this will affect your organization: GCC customers will now have access to Connectors.

What you need to do to prepare: There is nothing you need to do to prepare for this change. You may want to notify your users about this change and update your training and documentation as appropriate.

MC423128 — (Updated) Dynamic caller ID in Voice-enabled channels for government clouds: GCCH, DOD

Updated October 6, 2022: We have updated the rollout timeline below. Thank you for your patience.

Last year we enabled the capability for agents to use Dynamic Caller ID to call on behalf of a Call Queue or Auto Attendant from within Voice Enabled Channels.
We are now bringing this capability to government clouds including GCCH and DOD. We apologize for not meeting our commitment of providing notification prior to implementation and for any inconvenience.

When this will happen: This has begun rolling out and will be complete by the end of November (previously end of September).

How this affects your organization: You can assign outbound caller ID numbers for the agents by specifying one or more resource accounts with a phone number. Agents can select which outbound caller ID number to use with each outbound call they make.

What you can do to prepare: Review the Additional Information and consider updating your training and documentation as appropriate.

MC420060 — (Updated) Microsoft Teams: Leave a Meeting From All of Your Devices
Microsoft 365 Roadmap ID 97397

Updated October 31, 2022: We have updated the rollout timeline below. Thank you for your patience.

We will be rolling out a new feature in Microsoft Teams that will allow multi-device users to leave a meeting from all of their devices at once.

When this will happen: Rollout began in early August and is expected to be completed by late November (previously early October).

How this will affect your organization: When a Teams user attempts to leave a meeting or call from multiple personal devices, it has been challenging to fully disconnect from the meeting or call on all devices. With this new feature, multi-device users in a call will see an option that, when selected, prompts the user to leave the meeting or call from all devices. This feature will be enabled for desktop, iOS, and Android clients.

What you need to do to prepare: There is nothing you need to do to prepare for this change. You may want to notify your users about this change and update your training and documentation as appropriate.
MC400206 — (Updated) Microsoft Teams: Usability Improvements to In-Meeting Notifications
Microsoft 365 Roadmap ID 96283

Updated October 31, 2022: We have updated the rollout timeline below. Thank you for your patience.

Microsoft Teams is updating the user experience for how in-meeting notifications are displayed. With this update, there will be fewer distractions during meetings and it will be easier to understand important information (e.g. that a meeting is being recorded).

When this will happen: We will begin rolling out in mid-September (previously early August) and expect rollout to be completed by early November (previously mid-October).

How this will affect your organization: Notifications will now be consistent in design and displayed in a consistent position (top center of the meeting stage) as bubbles stacked on top of each other. This avoids overlaps and gives the user a cleaner visual experience. In addition, users can snooze repeat notifications, such as chat bubbles.

What you need to do to prepare: There is nothing you need to do to prepare for this change. You may want to notify your users about this change and update your training and documentation as appropriate.

MC392295 — (Updated) Disable chat write access for anonymous or unauthenticated users
Microsoft 365 Roadmap ID 91142

Updated October 12, 2022: We have updated the rollout timeline below. Thank you for your patience.

Financial institutions consider chat messages a form of data exfiltration, so it is imperative for IT admins to have flexibility and control over chat access for anonymous or unauthenticated users. The latter may be expected to join Teams meetings, but they should be restricted from seeing and accessing any type of electronic communication in chat.
This feature provides additional security by disabling chat write access only for non-federated users and unauthenticated users who join Teams meetings through a link, so it must be used in conjunction with a disabled meeting chat policy applied to financial advisors to remain compliant.

When this will happen:
· Standard: early June through mid-July
· GCC: late July through mid-August
· GCC High: late August through late November (previously early September)
· DoD: mid-September through early December (previously late September)

How this affects your organization: With this change, IT admins can now disable chat write access at the policy level for non-federated users and unauthenticated users who join Teams meetings through a link.

What you can do to prepare: There are two ways IT admins can disable chat write access for non-federated users and unauthenticated users who join Teams meetings through a link:
· PowerShell: Admins can set the meeting policy parameter [-MeetingChatEnabledType ] with the currently supported values Enabled, Disabled, or EnabledExceptAnonymous.
· Teams Admin Portal: Admins can select the option "Turn it on for everyone but anonymous users" in the "Chat in meetings" dropdown and apply this meeting policy to a subset of or all tenant users.

Note: the scope of EnabledExceptAnonymous or "Turn it on for everyone but anonymous users" is limited to disabling write access. Once this meeting chat policy is applied to users, an organizer cannot override it through meeting options.

MC391950 — (Updated) Viva Topics in Teams
Microsoft 365 Roadmap ID 72189

Updated November 2, 2022: We have updated the rollout timeline below. Thank you for your patience.

Viva Topics in Teams allows users to mention topics in their chat conversations so that others in the conversation can easily learn more about a topic by hovering over the topic name and viewing the topic card. This feature requires users to have a Viva Topics license.
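The PowerShell route described above for MC392295, worked through as an added example (this is not code from the message center post): it first audits which meeting policies still let anonymous joiners write to meeting chat, then creates and assigns a policy that uses EnabledExceptAnonymous. The policy name, the user UPN, and the assumption that the Teams PowerShell module is installed and Connect-MicrosoftTeams has already been run are mine.

```powershell
# Added example, not Microsoft's code. Assumes the MicrosoftTeams module is installed
# and Connect-MicrosoftTeams has already been run with a Teams admin account.
# 'Anon-NoChatWrite' and 'user@contoso.com' are constructed placeholders.

# 1. Audit: find every meeting policy whose chat setting is still 'Enabled', i.e. one
#    that does not restrict anonymous/unauthenticated meeting joiners from writing.
#    Disabled and EnabledExceptAnonymous are the two restrictive values.
$openPolicies = Get-CsTeamsMeetingPolicy |
    Where-Object { $_.MeetingChatEnabledType -eq 'Enabled' }
$openPolicies | Select-Object Identity, MeetingChatEnabledType | Format-Table -AutoSize

# 2. Mitigate: create a custom policy that keeps chat on for authenticated attendees
#    but removes write access for anonymous joiners. As the message notes, this value
#    only removes *write* access; users who must not read meeting chat at all (e.g.
#    financial advisors) still need a policy with MeetingChatEnabledType 'Disabled'.
New-CsTeamsMeetingPolicy -Identity 'Anon-NoChatWrite' `
    -MeetingChatEnabledType 'EnabledExceptAnonymous'

# Alternatively, tighten the tenant-wide Global policy instead of a custom one:
# Set-CsTeamsMeetingPolicy -Identity Global -MeetingChatEnabledType EnabledExceptAnonymous

# 3. Assign the custom policy to a user by direct assignment, then verify the setting.
Grant-CsTeamsMeetingPolicy -Identity 'user@contoso.com' -PolicyName 'Anon-NoChatWrite'
Get-CsTeamsMeetingPolicy -Identity 'Anon-NoChatWrite' |
    Select-Object Identity, MeetingChatEnabledType
```

Re-run step 1 after the change; any policy still listed is one where anonymous joiners retain chat write access.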
When this will happen:
· Public Preview: We began rolling out in April, will continue rolling out through June, and expect complete rollout by late June.
· General Availability: We will continue rolling out through late June and expect complete rollout by early November (previously mid-October).
· GCC: We will continue rolling out in early July and expect complete rollout by mid-November (previously late October).

How this will affect your organization: If your organization has users with Viva Topics licenses, those users will be able to mention topics by typing the # character and choosing a topic from the topic picker. The topic picker narrows selections based on what the user types. Once a topic is selected, users can post the message. Recipients with Viva Topics licenses will see the selected topic's name as highlighted text and will be able to hover over the highlight to see details of the topic in the topic card, such as alternate names for the topic, descriptions, and associated people and resources.

What you need to do to prepare: There is nothing you need to do to prepare for this change. The topics displayed will be the same topics shown in Outlook Web and SharePoint.

MC383876 — (Updated) Collaborative Annotations on Presenter Shared Screen
Microsoft 365 Roadmap ID 86732

Updated October 11, 2022: We have updated the content below for clarity. Thank you for your patience.

Collaborative Annotation helps you collaborate with others while screen sharing in Teams meetings. For example, if you want to ask for feedback on a design or if you're working with a group on a project, Collaborative Annotation helps you get work done faster and with more voices included.

When this will happen:
· Standard: begin rollout in mid-June and expect to complete rollout by late June. - Complete
· GCC: begin rollout in early August (previously late July) and expect to complete rollout in late August (previously early August).
· GCC-High: begin rollout in late September (previously late August) and expect to complete rollout by late October (previously early October).
· DoD: begin rollout in late January (previously late October) and expect to complete rollout in late February (previously early November).

How this will affect your organization: During screen share, meeting attendees with the Presenter role will see the Annotation button in meeting controls at the top center of their screen. To turn on Collaborative Annotation while you're sharing your screen in a meeting, select the pen icon to Start annotation in meeting controls at the top center of your screen, as shown below:

Note: You must have the Presenter role in a meeting to turn on Collaborative Annotation.

The red outline around the screen share will turn blue, indicating Collaborative Annotation mode is on. All participants will see the Microsoft Whiteboard toolset at the top of the shared screen, as shown below. Everyone in the meeting can begin annotating right away in real time.

Collaborative Cursors show the name of every attendee as they annotate and are turned on by default. Collaborative Cursors can be turned off by anyone attending the meeting from the Settings menu in the Collaborative Annotation toolbar.

To control who can annotate, the main Presenter can select Only I can annotate and unselect Everyone can annotate from the Settings menu in the Collaborative Annotation toolbar, as shown below:

To begin annotating, select one of the tools in the Whiteboard toolset, such as text, Sticky notes, Reaction tags, or digital ink, and begin typing or drawing on the screen. To end the annotation session for everyone, select Stop annotation in meeting controls at the top center area of your screen.

Collaborative Annotation is only available for full-screen sharing, not individual window sharing, at this time.

Note: Mobile users cannot start Collaborative Annotation while sharing content.
However, if a desktop user shares the screen and starts Collaborative Annotation mode, mobile users are able to participate in annotating as well. Annotations for Teams web users are not supported at this time. Exporting annotations is not supported at this time, but you can take screenshots during the meeting to save annotated content for later if necessary. Meeting rooms using Android-based devices are not supported.

What you need to do to prepare: This feature is enabled by default, so there is no action needed.

Note: Annotation is powered by Microsoft Whiteboard. If Microsoft Whiteboard is disabled, Annotations will also be disabled.

Learn More:
· Enable Microsoft Whiteboard for your Organization

MC333941 — (Updated) New Fluent Emoji style coming to Teams emojis and reactions
Microsoft 365 Roadmap ID 88277

Updated October 17, 2022: We have updated the rollout timeline below. Thank you for your patience.

With this update, Teams joins Microsoft 365 and Windows in updating all emojis and reactions to the new Microsoft Fluent emoji style, bringing users a more vibrant and expressive emoji experience.

When this will happen: We will begin rolling this out in late February and expect to complete rollout by mid-November (previously late September).

How this will affect your organization: This update only changes the styling of the emojis and reactions in Teams. There is no functional change to the features.

What you need to do to prepare: You might want to notify your users about this change and update your training and documentation as appropriate.

Learn More:
· An Emoji For Your Thoughts

Microsoft Viva

MC448361 — Microsoft Viva: MyAnalytics dashboard redirects to Viva Insights web app

MyAnalytics dashboard users will be automatically redirected to the Viva Insights web app as a central place to explore work-pattern insights alongside actionable experiences to improve productivity and wellbeing.
Select MyAnalytics functionality (focus time booking and insights, quiet time settings and insights, meeting habits, and settings) will continue to be available as part of the Viva Insights apps in Teams and on the web. Additional functionality from MyAnalytics (including some personal network and collaboration insights) will be included in the Viva Insights web app with future updates.

When this will happen: We'll begin redirecting users from the digest email in mid-November, and from the MyAnalytics dashboard by mid-December.

How this will affect your organization: The MyAnalytics dashboard, in its current form, will no longer be accessible after mid-December 2022, and users will be redirected to the Viva Insights web app to discover key work-pattern insights. Since the Viva Insights Teams and web apps are becoming the central place for personal insights, we are streamlining the user experience.
· Currently, users access the MyAnalytics web dashboard via https://myanalytics.microsoft.com/ or https://myanalytics-gcc.microsoft.com/, or via links in the Viva digest email and Outlook add-in.
· After this change, users will be automatically redirected to the corresponding Viva Insights web app. Users will also be able to find the Viva Insights web app in the Microsoft 365 app launcher on office.com.

Select MyAnalytics functionality (focus time booking and insights, quiet time settings and insights, meeting habits) will continue to be available as part of the Viva Insights apps in Teams and on the web. In the future, additional work-pattern insights from MyAnalytics will be highlighted alongside productivity and wellbeing experiences in the Viva Insights apps in Teams and on the web to support building better work habits.

A unified settings experience will be available in the Viva Insights Teams and web apps moving forward. These unified settings will let users modify Digest email settings, Briefing email settings, some MyAnalytics settings and Viva Insights Outlook add-in settings.
· Users of the semi-monthly Digest and daily Briefing emails will now be redirected to the relevant email setting in the Viva Insights web app when they click the settings modification link within one of the emails. Currently, users are directed to the email settings on the MyAnalytics web dashboard.
· Users will also be able to use a new Briefing email setting on the Microsoft Viva Insights dashboard (previously known as the MyAnalytics dashboard), and in the Viva Insights app in Teams and on the web, to personalize their favorite and snooze preferences.
· Viva Insights Outlook add-in settings that currently exist only in the add-in experience (Productivity inline suggestions, Set lunch hours and Schedule send suggestions) will now also be available on the settings page of the Viva Insights Teams app and web app.
· Currently, the ability to opt out of the Digest email and the Outlook add-in exists in the MyAnalytics web dashboard. After this change, these two settings will be available in the Viva Insights app in Teams and on the web.

Please click Additional Information to learn more.

MC448014 — Viva Connections is available for GCC
Microsoft 365 Roadmap ID 101152

Microsoft Viva Connections is your gateway to a modern employee experience designed to keep everyone engaged and informed. Viva Connections is a customizable app in Microsoft Teams that gives everyone a personalized destination to discover relevant news, conversations, and the tools they need to succeed. Some experiences in Viva Connections that are powered by other services and/or other Viva apps are not yet ready for GCC.

When this will happen: Viva Connections 1st party app experiences for desktop and mobile will be available for GCC starting November 2022.

How this will affect your organization: This update allows organizations using GCC to deploy and use Viva Connections 1st party app experiences.

What you need to do to prepare: Admins wanting this update will need to enable Viva Connections in the Teams Admin Center.
GCC is a government cloud that provides certain security, compliance, and administrative capabilities tailored for government entities. Learn more here: Office 365 Government

MC445412 — Microsoft Viva: Viva Insights web app in Government Community Cloud (GCC)
Microsoft 365 Roadmap ID 100496

Updated October 19, 2022 to show the rollout dates correctly.

A new web interface for the Microsoft Viva Insights app is being released in GCC, providing GCC users an additional way to access the Viva Insights app in Microsoft Teams. The new web app will be discoverable via Viva Insights and the Microsoft 365 app launcher on Office.com. Like the Viva Insights app in Teams, the Viva Insights web app will provide personal insights to improve productivity and wellbeing, and data-driven recommendations to help users build better work habits.
· The Home page provides timely suggestions and access to personal wellbeing experiences, such as:
  o A curated set of guided meditations and focus music from Headspace, to help users start the day grounded, relax their mind before a big meeting, or find focus before starting an important project
  o Praise: users can schedule reminders to send praise to their top collaborators and build a habit of sharing gratitude
  o Reflect: users can schedule reminders to check in on how they are feeling and privately reference their personal reflection history
  o Virtual commute: users can schedule a virtual commute to help them wrap up their tasks for today, prepare for tomorrow's activities, and mindfully disconnect from work
· The Stay connected tab makes it seamless to pin an important collaborator to see communications from emails, chats and shared documents that might require follow-up in one place, and to schedule regular 1:1s to maintain strong relationships.
· The Protect time tab makes it seamless to schedule time in the week, before it fills up with meetings, for focused, uninterrupted work. Notifications from Teams chats and calls are silenced while focusing. The tab also offers quiet time settings to silence after-hours mobile notifications from Teams and Outlook.
· Inspiration Library: Users can use the Inspiration library in Viva Insights to learn more about the things that matter most to them. This library brings together thought leadership from industry experts, designed to inspire users in life and at work to get the most out of both. The Inspiration library article sources include Microsoft, Harvard Business Review, and Thrive.

Updated documentation will continue to be available here.

The opt-in/opt-out privacy setting already available in the Viva Insights Teams app will also be available in the Viva Insights web application, allowing end users to opt out of receiving personal insights in both the web and Teams apps with a single click. Users can also opt out using the existing Viva Insights toggle on the Viva Insights dashboard.

The insights in the Viva Insights web and Teams apps will remain completely personal and private; no administrator or manager can see another individual's insights. All data is stored inside the user's mailbox. The Viva Insights app complies with GDPR requirements. Learn more about how Microsoft protects your privacy.

When this will happen: In GCC, the new Microsoft Viva Insights web app will be rolled out to users between late November and mid-January 2023.

How this will affect your organization: Users with provisioned Exchange Online mailboxes and access to Microsoft Teams can access features within the Viva Insights app in Teams and on the web. There are no installation requirements to access the Viva Insights web app. The Viva Insights web app will be discoverable via Viva Insights and the Microsoft 365 app launcher on Office.com.
Microsoft Purview

MC447330 — Microsoft Purview | eDiscovery (Premium): New role for review set tag management
Microsoft 365 Roadmap ID 100498

We are introducing a new role in Microsoft Purview eDiscovery (Premium) for review set tag management.

When this will happen: Rollout will begin in mid-October and is expected to be complete by late November.

How this will affect your organization: In eDiscovery (Premium), reviewers can apply tags to items in a review set to better organize and refine the content included within a case. This update introduces a new role called "manage review set tags", which enables granular permissions for creating, editing, and deleting review set tags in eDiscovery (Premium) cases.

What you need to do to prepare: No action is needed to enable this update. You can assign users to the new role via the Permissions page in the Microsoft Purview compliance portal:
· Microsoft Purview compliance portal for WW and GCC cloud environments
· Microsoft Purview compliance portal for GCC-High cloud environments
· Microsoft Purview compliance portal for DoD cloud environments

Learn More:
· Tag documents in a review set
· Set up eDiscovery (Premium) in Microsoft Purview

MC447310 — Important Azure Information Protection (AIP) Portal updates
Microsoft 365 Roadmap ID 100505

We are moving the admin configuration of the Azure Information Protection (AIP) Scanner from the Azure portal to the Microsoft Purview compliance portal, and with the migration we will be deprecating the Azure Information Protection (AIP) portal on 1/15/2023.

When this will happen: The migration of the AIP Scanner admin configuration is currently rolling out to public preview (as of 10/15/2022) and will be available within your environment shortly. The new admin experience will be generally available by mid-November. On 1/15/2023, the AIP portal will be deprecated, and all subsequent admin actions will need to be completed through the Microsoft Purview compliance portal.
How this will affect your organization: Within the Microsoft Purview compliance portal, the admin configuration will be available under Settings as "Information protection scanner". The pages that will be moved are clusters, nodes, and content scan jobs. As previously communicated, the network scan jobs functionality has been removed. The AIP PowerShell cmdlets used to configure the AIP Scanner on-premises will remain unchanged. AIP Scanner configurations on existing content scan jobs will remain unchanged, and this portal change will not affect any scanners already deployed. Please ensure that your organization transitions to using the functionality within the Microsoft Purview compliance portal before 1/15/2023 so as not to be impacted by the AIP portal deprecation.

What you need to do to prepare: We encourage you to begin using the admin experiences for the Information Protection scanner within the Microsoft Purview compliance portal as soon as the public preview begins in mid-October. Until the end of the year, you can use either admin portal for your scanner configuration, and relevant changes will appear in both portals. Starting 1/15/2023, the admin configuration will only be available from the Microsoft Purview compliance portal. The AIP portal will be deprecated on that date, as all functionality will have either been deprecated or moved to the Microsoft Purview compliance portal.
Configure the Information Protection scanner in the Microsoft Purview compliance portal:
· Microsoft Purview compliance portal for WW and GCC cloud environments
· Microsoft Purview compliance portal for GCC-High cloud environments
· Microsoft Purview compliance portal for DoD cloud environments

Refer to the documentation for guidance on how to perform admin actions for the Information Protection scanner in the Microsoft Purview compliance portal:
· Configuring and installing the Azure Information Protection (AIP) unified labeling scanner
· Running the Azure Information Protection scanner

MC443391 — Microsoft Purview | eDiscovery API for Microsoft Graph now generally available for U.S. Government clouds
Microsoft 365 Roadmap ID 93348

We are excited to announce the general availability of the Microsoft Graph API for Microsoft Purview eDiscovery (Premium), to help you automate common eDiscovery workflows and integrate 3rd party applications into eDiscovery (Premium).

When this will happen: Rollout will begin in early October and is expected to be complete by early November.

How this will affect your organization: In many organizations, eDiscovery workflows are frequent, critical, and high volume. Where there are common repeated tasks or a high volume of activities, the API provides a scalable way to repeat processes consistently and effectively. Tenants can use the Graph API to integrate with 3rd party or in-house legal systems, holds databases, or review tools to automate workflows. Partners can use the Graph API to build applications that enhance the Microsoft Purview eDiscovery (Premium) capabilities. For more details, refer to the Graph API reference documentation: Use the Microsoft Graph eDiscovery API

Note: The following eDiscovery endpoints (preview) are currently only available in beta.
· Search > Purge data (preview)
· Hold policy (preview)
· eDiscovery export operation (preview)
· eDiscovery export operation > Get download URL (preview)
· Review set > Export (preview)
· Review set > Query > Export (preview)
· Review set > Query > Run (preview)
· eDiscoveryFile (preview)

What you need to do to prepare: The following licenses provide the rights to the APIs for eDiscovery (Premium) capabilities:
· Microsoft 365 G5
· Microsoft 365 G5/F5 Compliance and F5 Security & Compliance
· Microsoft 365 G5 eDiscovery and Audit
· Office 365 E5/G5/Advanced Compliance

Note: Use of the 'addToReviewSet' API requires a premium license (listed above), which provides a seeded capacity without consumption cost until the seeded capacity is reached. Seeded capacity is how much volume an app can consume before having to pay usage fees. Capacity is pooled at the tenant level: the seeded capacity for all users in the tenant is added up and compared against the app's usage in the tenant. Once seeded capacity is exceeded, consumption meters will kick in. Consumption meter charges for 'addToReviewSet' API usage beyond available seeded capacity are planned to commence in CY2023. A 90-day notice will be provided before these charges go into effect.

Get started with eDiscovery (Premium) in the Microsoft Purview compliance portal:
· Microsoft Purview compliance portal for GCC cloud environments
· Microsoft Purview compliance portal for GCC-High cloud environments
· Microsoft Purview compliance portal for DoD cloud environments

Learn More:
· Manage your eDiscovery workflows
· Use the Microsoft Graph eDiscovery API

MC442111 — (Updated) Microsoft Purview Information Protection: User-defined permissions support domain name restrictions
Microsoft 365 Roadmap ID 98131

Updated October 21, 2022: We have updated the rollout timeline below. Thank you for your patience.
Coming soon to public preview and general availability, we're updating the options for custom permissions, also referred to as user-defined permissions, to support domain name restrictions.

When this will happen: Rollout to public preview will begin in mid-November (previously mid-October) and is expected to be complete by late November (previously late October). Rollout to general availability will begin in early December (previously early November) and is expected to be complete by the end of December (previously end of November).

How this will affect your organization: Within Microsoft Office files (Word, Excel, PowerPoint), when you choose a sensitivity label configured for user-defined permissions, you can now use domain names to restrict file access to specific individuals or to all individuals from that domain. For example, you can specify "someone@example.com" or "@example.com", and permissions will be restricted based on those parameters.

What you need to do to prepare: If you have previously configured user-defined permissions for your organization, no further action is needed to enable this feature. Configure and manage sensitivity labels in the Microsoft Purview compliance portal.

Learn More:
· Let users assign permissions
· Support for organization-wide custom permissions

MC301684 — (Updated) General availability of AIP client and scanner audit logs in Microsoft 365 Audit and Activity explorer
Microsoft 365 Roadmap ID 89777

Updated October 19, 2022: We have updated the rollout timeline below. Thank you for your patience.

Azure Information Protection (AIP) administrators will soon be able to access data in the Microsoft 365 compliance center Audit logs and Activity explorer, in addition to the AIP Analytics (Preview) portal.

When this will happen: Rollout will begin in early December 2021 and is expected to be complete by mid-November 2022 (previously late September 2022).
How this will affect your organization: As part of our unified labeling and analytics experience across the Microsoft Information Protection (MIP) solution, we are expanding your ability to access and review data logged by AIP client, scanner, and MIP SDK beyond the existing AIP Analytics (Preview) portal. · With this update, audit logs reported by the AIP client, the AIP scanner, and MIP SDK flowing today into the Log Analytics workspace will also be available in Microsoft 365 Audit logs. · Additionally, you can use the Activity explorer screen for additional insights into labeling activity and history. What you need to do to prepare: Your data will be available in Activity Explorer, and you will be able to explore your AIP audit logs in Microsoft 365 portal. No action is needed as audit log data will flow into Activity Explorer by default. If you wish to opt-out, please follow the procedure explained here. Administrators will be able to continue exploring AIP Audit logs in the Log analytics workspace in the AIP Analytics (Preview) portal. This is a supplemental access point. You might want to notify your administrators about this new capability and update your training and documentation as appropriate. Get started with Activity explorer in the Microsoft 365 compliance center: · Microsoft 365 compliance center for GCC · Microsoft 365 compliance center for GCC-H · Microsoft 365 compliance center for DoD Learn More: · Azure Information Protection unified labeling client - Version release history and support policy · Get started with Activity explorer · Search the Audit log in the Microsoft 365 compliance center Microsoft Defender MC447340 — Microsoft Defender for Endpoint on Mac is Retiring Support of MacOS Catalina A newer version of macOS will be released later this year. 
With Apple's release of macOS Ventura (13), macOS Catalina (10.15) will become the third oldest version and will cease to be supported at that time. As a result, Microsoft Defender for Endpoint will no longer support macOS version Catalina (10.15).

Note: this message applies only to organizations with macOS devices in their environments.

When this will happen:
Microsoft Defender for Endpoint will no longer support macOS version Catalina (10.15) after mid-December.

How this will affect your organization:
After mid-December, any macOS Catalina (10.15) machine in your environment that is still running Microsoft Defender for Endpoint (Mac) will remain protected until the agent expiration; however, it will fail to update (an error will be logged in /Library/Logs/Microsoft/autoupdate.log).

What you need to do to prepare:
To eliminate the risk of losing protection, review the version of macOS devices in your environment and ensure macOS devices that are still running macOS version Catalina (10.15) are updated to a more recent macOS version. We will send another announcement soon as a reminder.

Microsoft Defender for Endpoint (MDE) on Mac currently supports macOS versions Ventura (13), Monterey (12) and Big Sur (11).
· Refer to the MDE (Mac) public documentation for the list of system requirements: Microsoft Defender for Endpoint on Mac
· Monitor the "what's new on Mac" page for incremental changes across versions of MDE (Mac): What's new in Microsoft Defender for Endpoint on Mac

MC447684 — Retirement of Legacy Microsoft Defender Online Alerts
Based on customer feedback and their tendency to surface false positives in investigations, Microsoft 365 Defender is retiring a number of default alert policies. These legacy alerts are past their intended usage.

When this will happen:
We plan to retire these alert policies by mid-November.

How this affects your organization:
The following default alert policies will be retired:
1. Malware campaign detected after delivery
2. Malware campaign detected in SharePoint and OneDrive
3. Unusual increase in email reported as phish
4. Malware campaign detected and blocked
5. Users targeted by malware campaigns
6. Users targeted by phish campaigns
7. Unusual volume of file deletion
8. Unusual external user file activity
9. Unusual volume of external file sharing

As part of the retirement, the following changes will happen: These policies will no longer be available in 'Default alert policies' in the Microsoft 365 Defender portal or the Microsoft Purview compliance portal. Existing alerts that have already been generated from these alert policies will remain in the system (as part of Alerts) until data retention policies (refer to Data retention information for Microsoft Defender for Office 365) are applied and the alerts expire.

What you should do to prepare:
Review your existing policies to see if you are utilizing any of the default policies outlined above. As a workaround, customers can recreate these retired alert policies as custom alert policies to continue generating these alerts. Note that there are a couple of ways that you can replace these alerts:
1. If you want a literal replacement of what is being retired, use Anomaly or Threshold to build the custom alert.
2. If you want specific users, groups, or activities to fire with entity information, we suggest creating scoped single event alerts.

MC362283 — (Updated) Updates to the Zero-hour auto purge (ZAP) alerts
Microsoft 365 Roadmap ID 93206

Updated October 31, 2022: We have updated the rollout timeline below. Thank you for your patience.

We will be updating the current zero-hour auto purge (ZAP) alerts and introducing a new ZAP alert that will notify you if a message has not been removed by ZAP. Updates to the ZAP alerts will include:
· Scoping the success ZAP alerts to only ZAP-related scenarios. You will no longer be alerted as part of the ZAP alert for Dynamic Delivery scenarios.
· A new failure ZAP alert is being introduced. You will receive an alert when a message was not successfully removed from the mailbox. Manual action will be required to remediate the message. The alert will be correlated and linked to both Automated Investigation and Response (AIR) and Incidents. The alert will be on by default and can be configured in alert policies.

When this will happen:
We expect these updates to roll out in early November (previously mid-October) and expect to be complete by early December (previously mid-November).

How this will affect your organization:
Due to these new changes, you can expect a change in the volume of the successful ZAP alerts. The new ZAP failure alert will be on by default and can be configured in the alert policy settings. You can review both default alerts in the portal. However, if you're exporting these alerts into external systems, you will need to include the new alert generated by the new policy.

What you can do to prepare:
Review the following resources to learn more:
· Microsoft 365 alert policies
· Zero-hour auto purge in Microsoft Defender for Office 365

Exchange Online

MC454500 — Office for the web: Suggested Replies Expansion to GCC High
Microsoft 365 Roadmap ID 101160

GCC High users will now receive suggestions for short replies on received messages in Office for the web.

When this will happen:
Rollout for this feature will begin in late November and should be fully completed by early December.

How this will affect your organization:
A user may choose to click on a suggestion, which will generate a draft reply with the suggested response pasted into the draft. If a user does not wish to take this suggestion, they may simply ignore it.

What you need to do to prepare:
This feature will be enabled automatically and there is no action required from you at this time. To turn off this setting, select Settings > Mail > Suggested Replies. Swipe the toggle for Show suggested replies to turn this feature off.
For more information, please visit this page.

MC454497 — Announcing Retirement of Legacy Exchange Data Loss Prevention
As communicated previously, we will be retiring the Data Loss Prevention experience from the classic Exchange Admin Center. Instead, we recommend using Data Loss Prevention (DLP) in the Microsoft 365 compliance center, which enables you to extend your protection to locations such as SharePoint Online, OneDrive for Business, Teams chats, Devices, and more. The Microsoft 365 compliance center provides access to advanced classification capabilities like EDM and ML, along with rich alerts, incident management features, and more.

When this will happen:
Starting December 1, 2022, the policy management experience in the Exchange Admin Center will be retired. Administrators will still be able to view rules that are associated with a policy using the mail flow rules experience.

How this will affect your organization:
To use the Migration Wizard for moving DLP policies, please follow the steps below:
1. Launch the Microsoft 365 Compliance Center DLP console.
2. A banner will appear if there are Exchange DLP policies that can be migrated.
3. Click on the Migrate policies button in the banner to open the migration wizard.
4. Select the Exchange DLP policies to be migrated individually or in groups and click on Next.
5. Resolve any issues with regard to warnings or messages that may appear on the flyout pane.
6. Select between Active, Test, or Disabled modes for migrating the policies to the Microsoft 365 compliance center.
7. Click on Complete import after reviewing the migration wizard session settings and the migration report for warnings and errors.
8. The selected Exchange DLP policies will appear in the compliance center DLP console.

What you need to do to prepare:
If you currently have DLP policies being maintained in the classic Exchange admin center, you can use the migration wizard, which will help you migrate policies to the Microsoft 365 compliance center in just a few clicks, and then you can disable/delete policies from the classic Exchange Admin center. Please click Additional Information to learn more.

MC450188 — Changes to navigation in Outlook for Android
Microsoft 365 Roadmap ID 100570

Outlook for Android is making it easier to find all your contacts, files, and more. See our blog post at Navigating Outlook for Android and iOS - Microsoft Community Hub. Users will see changes to the tab bar at the bottom of Outlook for Android, a new Floating Action button, Search will be renamed Feed with a new icon, and Contacts and Files will be found under the "More" button.

When this will happen:
These changes are available now in Android Beta. We will begin rolling out to production in late October and plan to complete rollout by mid-November.

How this will affect your organization:
There is no admin-level control of this change. Admins can learn more about these changes and why they are happening in our blog post at Navigating Outlook for Android and iOS - Microsoft Community Hub.

MC447339 — Quarantine Admin Role Required for Exchange Admins for Quarantine Operations
Tenant Exchange Administrators who visit the Quarantine Security Portal (Sign in to your account) need to be a Quarantine Administrator to perform Quarantine operations in the portal.

When this will happen:
Starting early February 2023, we will stop honoring the execution of Quarantine operations by Exchange Administrators who are not Quarantine Administrators, Security Administrators or Global Administrators in the security portal. We will first provision a Quarantine Admin role for all Exchange Administrators who have performed Quarantine operations in the past on the security portal. This will allow those Exchange Admins to continue executing Quarantine operations successfully in the security portal in early to late January 2023.

How this will affect your organization:
Exchange Admins were able to perform Quarantine operations (such as release, delete, download, and preview of quarantined messages) in the security portal on behalf of users in their organization without being in the Quarantine Administrator role. With this change, Exchange Administrators will also need to be assigned the Quarantine Administrator role to perform these Quarantine operations.

What you need to do to prepare:
Admins should update their organization roles as they see fit and update any relevant training documentation.

Learn More:
· Manage Quarantined Messages and Files as an Admin in EOP
· Permissions in the Microsoft 365 Defender Portal

MC445411 — (Updated) Exchange: Message Recall Option to Disable the Recalling of Read Messages
Microsoft 365 Roadmap ID 59438

Updated October 14, 2022: We have updated the content below to show as intended. Thank you for your patience.

We are releasing a new Message Recall for Exchange Online feature that will recall messages that are flagged as "read"; the classic Message Recall in Outlook doesn't recall read messages. Before we release the new feature, we want to let you know that tenant admins now have the option to disable the recalling of read messages for your organization.

When this will happen:
The new Message Recall feature will begin rolling out in mid-November. The ability to disable the recalling of read messages for your organization is available now.

How this will affect your organization:
Once the new Message Recall is rolled out, by default the feature will recall read messages, which is different from how the classic Message Recall feature in Outlook behaves. This change in behavior will be welcomed by many, but it could be confusing for recipients who read a message only to have it disappear from their mailbox shortly thereafter. While recalling read messages can significantly increase the success rate of recalls, tenant admins concerned about potential user confusion or frustration can disable the ability to recall read messages for their entire organization.

What you need to do to prepare:
If you want to accept the default behavior for the new Message Recall to recall read messages, there's nothing you need to do to prepare. If you want to disable the recalling of read messages for your organization, you can do it either via the EAC or via Remote PowerShell:
1) Via the EAC, uncheck the following setting: EAC > Settings > Mail Flow > Message Recall > Allow users to recall messages read by the recipient
2) Via Remote PowerShell: Set-OrganizationConfig -RecallReadMessagesEnabled $false

MC406647 — (Updated) General availability of Advanced Message Encryption - Office 365 Message Encryption portal access logs
Microsoft 365 Roadmap ID 93372

Updated October 28, 2022: We have made the decision to make additional changes prior to proceeding with this feature rollout. We will communicate via Message center when we are ready to proceed. Thank you for your patience.

With this update, admins will be able to enable logging of external user activities accessing the Office 365 Message Encryption Portal to retrieve encrypted mail.

When this will happen:
We will communicate via Message center when we are ready to proceed.

How this will affect your organization:
This feature will enable logging of external user activities accessing the Office 365 Message Encryption Portal to retrieve encrypted mail. These logs can be retrieved using the Audit Logs functionality in the Microsoft Purview compliance portal. You can also access these audit logs through the management API.
What you need to do to prepare:
This feature is not available by default unless you have enabled auditing. To enable the feature, go to Microsoft Purview compliance portal > Audit log search page and select Turn on auditing.
· Microsoft Purview compliance portal for GCC cloud environments
· Microsoft Purview compliance portal for GCC-High cloud environments
· Microsoft Purview compliance portal for DoD cloud environments

You can enable the portal logs using Exchange PowerShell:
· Set-IrmConfiguration -EnablePortalTrackingLogs $true

Learn More:
· Search the audit log in the Microsoft Purview compliance portal
· Advanced Message Encryption

MC383901 — (Updated) Microsoft Defender for Office 365: Hourly option for notifications
Microsoft 365 Roadmap ID 93304

Updated November 1, 2022: We have updated the rollout timeline below. Thank you for your patience.

We are adding a new hourly option to end user quarantine notifications, which will allow users to rely on receiving prompt notifications about quarantined items when appropriate. With this feature, users will be updated frequently once new items land in their quarantine folder.

When this will happen:
Standard: will begin rolling out in late November (previously early October) and be completed by late February 2023 (previously early November).
Government: will begin rolling out in early July 2023 (previously early March 2023) and be completed by late July 2023 (previously late March 2023).

How this will affect your organization:
Using the quarantine policy, admins will be able to configure an hourly notification frequency for users in their organization.

What you need to do to prepare:
You might want to notify your users about this change and update your training and documentation as appropriate.

MC382821 — (Updated) Custom organization branding for quarantine notification (custom sender address and custom subject)
Microsoft 365 Roadmap ID 93301

Updated October 13, 2022: We have updated the rollout timeline below. Thank you for your patience.

We will be adding capabilities to make it possible for Security Operations (SecOps) to customize end user quarantine notifications with their respective organization sender address and a custom subject.

When this will happen:
Standard: will begin rolling out in late August (previously late July) and is expected to be complete by early November (previously early October).
Government: will begin rolling out in early November (previously early October) and is expected to be complete by late November (previously late October).

How this will affect your organization:
This change will enable admins to customize the sender address of the quarantine notification as well as the subject of the notification.

What you need to do to prepare:
You might want to notify your users about this change and update your training and documentation as appropriate.

MC373880 — (Updated) Migrating the Safe Links Block List to Tenant Allow Block List
Updated October 06, 2022: As a reminder, tenants will have until January 2023 to review and take action on any entries in the Safe Links Block List that were unable to be migrated. Any entries that are unable to be migrated will be marked as such and organizations will have the ability to resolve that entry and run the migration again. In January 2023 the Safe Links Global Block List will be retired.

We have stopped the automated migration efforts to migrate all entries from your Safe Links Block List to the Tenant Allow Block List. Organizations will have the ability to review and take action on the entries that were unable to be migrated. Any entries that are unable to be migrated will be marked as such and organizations will have the ability to resolve that entry and run the migration again. Tenants will have until January 2023 to complete this activity, at which point the Safe Links Global Block List will be retired.

Note: Any entry migrated from the Safe Links Block List to the Tenant Allow/Block List will adopt the behavior of TABL. This means that any message with the URL present will be moved to Quarantine. If deleting an already migrated entry from TABL, it needs to be removed from BlockURLS to avoid migration.

As a reminder, beginning in June tenants will no longer have the ability to add to the Safe Links Block List in the Global Setting menu. Then we will attempt to migrate the Safe Links Block List to the Tenant Allow Block List (TABL) on behalf of the organization. Any entries that are unable to be successfully migrated will be marked as such in the Block List and organizations will have the ability to take action as needed beginning in July. Another update will be sent closer to July as a reminder for tenants to review the migration status of the Block List.

Beginning in June, organizations will no longer have the ability to add to the Safe Links Block List in the Global Setting menu. Following this, we will attempt to migrate the Safe Links Block List to the Tenant Allow Block List (TABL) on behalf of the organization. Any entries that we are unable to migrate will be marked as such in the Block List and organizations will have the ability to take action as needed.

When this will happen:
· Early June: Organizations will no longer have the ability to add URL/Domain entries to the Safe Links Block List in the Global Settings flyout, and we will attempt to migrate all the entries in an organization's Safe Links Block List to TABL on their behalf
· Mid-June through December: Organizations will have the ability to review entries that were not able to be migrated and resolve the issue(s)
· January: The Safe Links Block List will be retired

How this will affect your organization:
Organizations who are utilizing the Safe Links Block List will need to review the list to ensure all entries were migrated successfully. Any entries that are unable to be migrated will be marked as such and organizations will have the ability to resolve that entry, at which point migration will run again. Organizations will use the Tenant Allow Block List to manage URL/Domain blocks moving forward.

What you need to do to prepare:
In June an update to this Message center post will be sent notifying organizations that the first migration has been completed and that they will need to review their Safe Links Block Lists for potential actions.

Power Platform

MC443282 — Important - Canvas apps in Dataverse environments associated with a security group
On October 24, 2022, we will begin releasing an update for canvas apps in Dataverse environments associated with a security group. The update will be fully completed in all regions by November 11, 2022.

How does this affect me?
Currently, in environments associated with a group, group membership doesn't influence users' ability to access canvas apps. Users who have a sufficient license and have had canvas apps shared with them can run those apps. After October 24, 2022, users will not be able to run canvas apps, regardless of app share status, unless they are in a security group associated with Dataverse. Instead, they will see an error page that informs them that they must contact their governance admin to continue using canvas app resources within the environment.

How do I prepare for this change?
There is no required action. It is recommended that you review any security group associated with Dataverse environments in the Power Platform admin center and the memberships within those groups to ensure that all users have the correct access.

For additional information see the following:
· How to add users to a security group
· Move apps between environments by exporting and importing solutions

Microsoft 365

MC455190 — Graph connectors available with index capacity
Microsoft Graph connectors for Microsoft Search are now available with index capacity for G5.
Microsoft Graph connectors for Microsoft Search provide a set of out-of-the-box search connectors and search & indexing APIs that enable Microsoft 365 customers to connect Microsoft Search to data sources outside of Microsoft 365. This release of Microsoft Graph connectors includes several connectors available within the Microsoft 365 Admin Center such as ServiceNow, Enterprise websites, MediaWiki, Azure Data Lake Storage Gen2, Azure SQL, and more. For a detailed list of available connectors, see also the Microsoft Graph connectors gallery. Upon rollout completion, index quota utilization from connector content will become subject to billing. For more information on licensing and pricing details, see also License requirements and pricing.

When this will happen:
We will begin rolling out in early November and expect to complete by late December.

How this will affect your organization:
There is no change to the user experience for users and/or administrators.

What you need to do to prepare:
Review the following material to learn more about Graph connectors:
· Microsoft Graph connectors overview for Microsoft Search

MC452253 — Announcing the New Look of Office for the Web
Microsoft 365 Roadmap ID 87307

We are excited to announce a new look in Office for the Web. We've changed the visuals to give you a clean, modern look to help you focus, but nothing has moved. We will start flighting at this date.

When this will happen:
Targeted Release: We will begin rolling out in mid-November and expect to complete rollout by mid-December.
Standard Release: We will begin rolling out in mid-December and expect to complete rollout by late February.

How this will affect your organization:
People will notice the look and feel changes and might have questions about whether commands moved. We have not moved the location of commands nor changed any icons. Functionality and how you use things will not be affected.

What you need to do to prepare:
There is no action required from you at this time. We recommend sending this link to your organization for more information and updating any relevant training materials as necessary.

MC450856 — IE11 desktop app will be permanently disabled as part of the February 2023 Windows security update ("B") release
As previously announced, the Internet Explorer 11 (IE11) desktop app has been retired as of June 15, 2022. IE11 retirement is occurring through two phases:
1. A redirection phase, currently in progress, with devices progressively redirected from IE11 to Microsoft Edge
2. An upcoming Windows Update phase that includes IE11 being permanently disabled.

The Windows security update ("B") release that will permanently disable IE11 is scheduled to be available for rollout on February 14, 2023.

When this will happen:
The Windows Update containing the permanent disablement of IE11 is scheduled to be available in the following releases:
· January non-security preview release, also known as 1C, scheduled for January 17, 2023
· February security release, also known as 2B, scheduled for February 14, 2023
The permanent disablement of IE11 will be included in all subsequent Windows Updates after the January non-security preview release and February security release.

How this will affect your organization:
· All IE11 activity, including shortcuts using IE11 and invoking iexplore.exe, will be redirected to Microsoft Edge
· Opening shortcuts or file associations that use IE11 will be redirected to open the same file/URL in Microsoft Edge
· The IE11 icons on the Start Menu and the taskbar will be removed
· This Windows Update will only affect in-scope SKUs (see our FAQ for in-scope SKUs)
At this time, IE11 has been retired, but if your organization has not yet completed your transition away from IE11, continued reliance on IE11 when the Windows Update becomes available may cause business disruption.

What you need to do to prepare:
For organizations that are ready to remove IE11, it is strongly recommended to use the Disable IE policy to remove IE11 on your organization's devices, so that you control the timing of permanent IE11 disablement on your own schedule before the Windows Update. Please see this blog for information on how and when to configure the Disable IE policy to replicate the effects of the Windows Update. If you need help moving off IE11, please reach out to the App Assure team for help with app compatibility and open a support ticket for help with technical issues. Microsoft Edge brings you a faster, more secure, and more modern web experience than Internet Explorer and is the only browser with built-in compatibility for legacy IE-based sites and apps with IE mode.

Learn More:
· For cost-free help with web app and site compatibility, especially if you have legacy site concerns after configuring IE mode, learn more about the App Assure program.
· Read our June 15 retirement blog here.
· Read our FAQ to help answer your questions.
We always value feedback and questions from our customers. Please feel free to submit either feedback or questions via Message center (where available).

MC446132 — The Office app is becoming the Microsoft 365 app
Microsoft 365 Roadmap ID 98173

On October 12, 2022 at Microsoft Ignite we announced that the Office app for web (office.com), Windows, iOS, and Android will be rebranded to become the Microsoft 365 app. In the coming months, these apps will automatically update to the Microsoft 365 app, which will include a new icon, styling, and features.

When this will happen:
Changes will begin rolling out to customers of the Office web app (Office.com) in November 2022. This will be part of a phased rollout, so not every customer will receive the update at the same time. Users will be able to experience the new Microsoft 365 app at microsoft365.com or office.com. In mid-2023, office.com will begin automatically redirecting to microsoft365.com.

The Office mobile apps for iOS and Android and the Office app for Windows will update to become the Microsoft 365 app at a later time. In November 2022, users of these Office apps will begin seeing in-product messaging notifying them of the upcoming change. In January 2023, these apps will automatically update to become the Microsoft 365 app. When that update occurs, users will see the new Microsoft 365 icon on their device home screens instead of the current Office icon.

How this will affect your organization:
Users in your organization should understand that the Office app is changing to the Microsoft 365 app. The web app will be accessed at a new URL (www.microsoft365.com), although the experience can also be used at the existing URL (www.office.com) for a limited time. Users of the Windows and mobile versions of the app will use the Microsoft 365 app represented by a new icon instead of the Office app represented by the Office icon.

The Microsoft 365 app is an evolution of the current Office app. Existing users will be familiar with many of the core experiences. The app provides a single destination for users to find all their content across multiple file types and storage locations, start new files in the Create module from a wide variety of apps and templates, and find all the applications entitled to them through their Microsoft 365 plan. Additionally, mobile-centric capabilities, such as scanning documents and using voice to create content, will continue to be part of the mobile application. The apps will also include some new features:
• Feed – a new page that uses intelligence from the Microsoft Graph to surface relevant content based on who users work with and what they do.
• Tagging (web and Windows only) – a new feature that helps users individually group content with "tags" that they determine, regardless of where the content is stored.
• Apps module – a new apps module connects users to Microsoft 365 apps beyond Word, Excel, and PowerPoint, including third-party apps that have integrated with Microsoft 365.

What you need to do to prepare:
• Ensure that the microsoft365.com domain is added to the Allow list for your organization's firewall to ensure the new domain is not blocked. Additional security configuration details are in the Microsoft 365 endpoints documentation.
• Update any internal documentation that references office.com or the Office app to refer to microsoft365.com or the Microsoft 365 app.
• Review the blog announcement from Microsoft Ignite for more information about the Microsoft 365 app.

MC428511 — (Updated) Grid view for Planner "Assigned to me" and plan drill-down views in Planner Web
Microsoft 365 Roadmap ID 98104

Updated November 2, 2022: We have updated the rollout timeline below. Thank you for your patience.

In addition to the existing board, chart, and schedule views, customers can now view their tasks in a grid/list format.

When this will happen:
The grid view will be available in Planner web in the mid-December timeframe (previously late October).

How this will affect your organization:
Once available, users can view more tasks on screen at once and more easily compare task metadata like "Priority" with one another. This applies to the Web version of Planner and is available for both the "Assigned to me" and the plan drill-down views.

What you need to do to prepare:
You may consider updating your training and documentation as appropriate.

Microsoft 365 IP and URL Endpoint Updates
Documentation - Office 365 IP Address and URL web service
· October 31, 2022 - GCC
· September 29, 2022 - GCC High
· September 29, 2022 - DOD
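The domain-name restriction syntax described in MC442111 above ("someone@example.com" for one person, "@example.com" for everyone in that domain), worked through as an added Python illustration. This is not Microsoft's code; the exact-domain matching rule, the rejection of malformed entries and the helper names are my assumptions drawn from the announcement text.

```python
"""
Evaluates user-defined permission entries of the two forms named in the
announcement against a signed-in user's address. Added illustration,
not the product's implementation; matching details are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    entry: str   # entry as typed by the label author
    kind: str    # "user" (one address) or "domain" (whole domain)
    value: str   # normalized comparison key (lower-cased)


def parse_entry(entry: str) -> Grant:
    """Classify one entry; reject anything that is not one of the two forms."""
    e = entry.strip().lower()
    if e.count("@") != 1:
        raise ValueError(f"entry must contain exactly one '@': {entry!r}")
    local, _, domain = e.partition("@")
    if not domain or "." not in domain:
        raise ValueError(f"entry has no usable domain part: {entry!r}")
    if local == "":
        return Grant(entry, "domain", domain)   # "@example.com"
    return Grant(entry, "user", e)              # "someone@example.com"


def entry_allows(grant: Grant, user: str) -> bool:
    """True when the user's address satisfies this single grant.

    Domain grants compare the whole domain label (assumption), so
    "@example.com" matches neither "bob@notexample.com" nor
    "bob@example.com.evil.test"; a substring test would accept both.
    """
    u = user.strip().lower()
    if u.count("@") != 1:
        return False
    _, _, udomain = u.partition("@")
    if grant.kind == "user":
        return u == grant.value
    return udomain == grant.value


def access_allowed(entries: list[str], user: str) -> bool:
    """Evaluate a label's whole entry list; any matching grant allows access."""
    grants = [parse_entry(e) for e in entries]
    return any(entry_allows(g, user) for g in grants)


# Constructed sample policy and users; not taken from any real tenant.
SAMPLE_ENTRIES = ["alice@example.com", "@partner.example"]
SAMPLE_USERS = [
    "alice@example.com",            # named individual -> allowed
    "Bob@Partner.Example",          # whole-domain grant, case-insensitive
    "carol@example.com",            # same domain as alice, but no domain grant
    "mallory@partner.example.evil", # look-alike domain -> denied
]

if __name__ == "__main__":
    for who in SAMPLE_USERS:
        print(f"{who:32} -> {access_allowed(SAMPLE_ENTRIES, who)}")
```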
-
Introduction

An edge deployment model commonly constitutes many smaller, independently managed environments where the total cost of ownership needs to be optimized. In today's configurations, infrastructure runs on the same servers and CPUs that host customer workloads. Infrastructure overhead (for example, processing network traffic) places a significant drain on resources, which necessitates larger cluster deployments and increased cost.

SmartNICs or Data Processing Units (DPUs) bring an opportunity to double down on the benefits of a software-defined infrastructure without sacrificing the host resources needed by your line-of-business apps in your virtual machines (VMs) or containers. With a DPU, we can enable SR-IOV usage, removing the host CPU consumption incurred by the synthetic datapath, alongside the SDN benefits. Over time, we expect that DPUs will provide even larger benefits and redefine the host architecture for our flagship edge products, like Azure Stack HCI.

Recently, we demonstrated how to build and run CBL-Mariner on an NVIDIA BlueField-2 DPU. DPUs enable the use of Software-defined networking (SDN) policies alongside traditional kernel-bypass technologies like SR-IOV. This is a powerful combination that yields the security and agility benefits only possible through hardware accelerators in a software-defined network. In this blog, we’ll demonstrate a prototype running the Azure Stack HCI SDN Network Controller integrated with the NVIDIA BlueField-2 DPU.

Topology

There are several components to this demonstration:

• Two hosts with:
  • An NVIDIA BlueField-2 DPU running CBL-Mariner on its system-on-chip (SoC)
  • A host agent that communicates with the NVIDIA BlueField-2 DPU
• The Microsoft SDN Network Controller
• Two tenant virtual machines in an SDN virtual network, one on each host
• One virtual machine using Windows Admin Center for remote management

Prototype Description

In a traditional (non-DPU) SDN environment, Virtual Filtering Platform (VFP) is loaded as an extension in the Hyper-V virtual switch. Since policy is enforced in the Hyper-V virtual switch, and SR-IOV bypasses this component on the data path, Access Control Lists (ACL) and Quality of Service (QoS) cannot be enforced. In this prototype, we move VFP to the DPU so that policies can be applied to the SR-IOV data path as well.

In this prototype, the policy application now works in the following way:

• We use Windows Admin Center to set ACLs for an SR-IOV enabled virtual machine on the Microsoft SDN Network Controller.
• The Network Controller communicates with the host agents running on each host.
• The host agent uses a gRPC communication channel to program the policy to the VFP component on the DPU.

Prototype

Configuring SDN Policies

In the image below you can see the hosts have a virtual network, tenant1, configured in Windows Admin Center.

In this image, there is a Network Security Group with a Network security rule (ACL) named NTTTCP_Allow_All that allows NTTTCP to receive inbound traffic for all virtual machines in the tenant1 virtual network.

Comparing Synthetic and SR-IOV Network Performance

The image below shows the workload VMs running traffic over the synthetic network stack, which must be processed by the host CPU cores. Looking at the _Total report you can see that 42% of the host's CPU cores (on this system, 8 cores) were spent processing (in this case 60 Gbps) network traffic over the synthetic data path. This host CPU consumption will continue to grow as bandwidth consumption by VMs and containers increases.

Now we enable an SR-IOV VF on the guest VMs, offloading the data path while still enforcing the SDN policies. This image shows NTTTCP output from within the guest reaching line rate of 96 Gbps.

In this image, the host CPU remains nearly untouched. This returns the 8 cores previously used by the synthetic data path (42% of the host CPU for 60 Gbps) to be used by customer workloads (VMs or Containers). This means more VMs on the same servers, or fewer servers needed for your workloads.

Conclusion

In a common edge deployment model, there are many smaller, independently managed environments where the total cost of ownership needs to be optimized. In today's configurations, infrastructure runs on the same server and CPUs that host customer workloads, placing a significant drain on resources, which necessitates larger cluster deployments and increased cost. In this prototype we demonstrated the host CPU reduction with SR-IOV alongside the Microsoft SDN stack, enabled by an NVIDIA BlueField-2 DPU. Stay tuned for more prototypes!

Thanks for reading,
Alan Jowett

Continue reading...
-
On December 13, 2022, all editions of Windows 10, version 21H1 will reach end of servicing. The December 2022 security update, to be released on December 13, is the last update available for this version. After that date, devices running this version will no longer receive monthly security and quality updates containing protections from the latest security threats. This article serves as a reminder of this upcoming change and as a guide to help you with the next steps.

Staying protected and productive

To help keep devices protected and productive, Windows Update will automatically initiate a feature update for devices running Home and Pro (non-domain joined) editions of Windows 10, version 21H1 that are reaching end of servicing. This keeps devices supported and receiving monthly updates that are critical to security and ecosystem health. Remember that you and your users can choose a convenient time for devices to restart and complete the update while remaining productive.

We will automatically update devices nearing end of servicing to the latest version of Windows 10, but you can opt to upgrade eligible devices to Windows 11. For information about servicing timelines and lifecycle, see:

• Windows 10 release information
• Windows 11 release information
• Windows lifecycle FAQ

Upgrading to Windows 11

Windows 11, version 22H2 – also known as the Windows 11 2022 Update – is available to you on eligible Windows devices. Just check for updates as explained on the Update Windows support page. Please note, if we detect that your devices might have an issue, such as an application incompatibility, we might put a safeguard hold in place and not offer the update until that issue is resolved. Find information regarding safeguard holds on the Windows 11, version 22H2 known issues and notifications page, which is part of the Windows release health experience.

If you are interested in experiencing the latest feature update, follow three easy steps:

1. Open Windows Update Settings.
2. Select Check for updates.
3. Click the option to Download and install.

Note: You’ll only see this option if your device is ready.

If you are using Windows 10, you can check if your device is eligible for the upgrade to Windows 11 by using the PC Health Check app or checking Windows 11 specs, features, and computer requirements. In the meantime, enjoy IT tools to support Windows 10, version 22H2.

For more information on the Windows 11 upgrade experience for Windows 10 devices, watch How to get the Windows 11 2022 Update or read the blog article What’s new for IT pros in Windows 11, version 22H2. Windows 11 was designed to empower productivity and inspire creativity, and we hope you take advantage of the best experiences Windows can offer you.

Continue the conversation. Find best practices. Visit the Windows Tech Community.

Stay informed. For the latest updates on new releases, tools, and resources, stay tuned to this blog and follow us @MSWindowsITPro on Twitter.

Continue reading...
-
What’s new in Windows Autopatch: November 2022
AWS posted a topic in Microsoft Support & Discussions
What's new this month? We're recapping recent events, launching an episode of our video series "Behind the screens with Windows Autopatch" about device registration (and more), and highlighting updates to the service, including the new tenant management blade, regional data centers, Azure Virtual Desktops support, and expanded SKU availability.

Recap: Microsoft Ignite and Technical Takeoff

We're grateful to everyone who participated in Microsoft Ignite and Technical Takeoff events: thanks to your feedback and enthusiasm for the service, the Windows Autopatch team is on a roll. Autopatch was a big story at Microsoft Ignite this year! Satya Nadella's keynote, the session Windows: Building what matters most for your business, and the breakout Secure your workforce with Windows + Intune all highlighted the ways in which Autopatch helps improve security and productivity. Our "Ask Microsoft Anything" session at Microsoft Technical Takeoff was full of great questions and answers – catch up on everything we covered in this recording. If you missed our Microsoft Ignite sessions, don't worry – we created a to help you find all the news about Autopatch in one place.

New episode: Behind the screens with Windows Autopatch

We're also pleased to announce that a new episode that takes a deep dive into the device registration flow is now live:

Our "Behind the screens" series will continue to introduce you to our product team and provide insights into how the service works – and if there are any topics that interest you, be sure to let us know about them, or any other questions you have about Autopatch, on our Tech Community.

New resource: click-through demos

We're also launching our interactive demos for IT admins who want to get a detailed look at the service before adding a single device. Visit aka.ms/AutopatchDemo to experience tenant enrollment, device management, release management and support, and reporting.

Screenshot from the interactive demo series that can guide you through common Autopatch tasks

New feature: Tenant management blade

You'll notice a new selection available in the Windows Autopatch Tenant Administration area of Intune: Tenant management.

Screenshot of where to find tenant management in the Endpoint Manager admin center

This new feature will centralize any actions customers may be required to take at the tenant level. For those who enrolled in Windows Autopatch before July 11, 2022, the blade will display an action 'Tenant access' that will remove the conditional access policy, service accounts, and groups that were required before Autopatch went to an "app-only" authorization model. (There's more on that in the new "Behind The Screens" episode, and you can read about the specific changes for those early adopters here: What's New in Windows Autopatch - New Feature: Tenant Management Blade - Microsoft Community Hub.) Important announcements regarding Tenant management actions will also be displayed as a banner on the Device Management > Windows Autopatch > Devices blade.

New feature: global data storage

As of October 31, 2022, the Autopatch data of customers located in the European Union (EU) will be stored in an EU data center. Plans to regionalize more data are in the works, so subscribe to this newsletter if this is a topic of interest, and for more information regarding Windows Autopatch data storage, check out Privacy - Windows Deployment | Microsoft Learn.

New feature: Azure Virtual Desktop support

The versatility and power of Azure Virtual Desktop make them a favorite of IT pros – and, as of next month, the ability to update Azure Virtual Desktops with Autopatch will be generally available. Adding Azure Virtual Desktops to Autopatch is as simple as nesting your devices' Azure AD group into the Windows Autopatch device registration group.

New update: SKU list

The list of products that include Windows Autopatch will be expanded in mid-November to include additional Windows E3/5 SKUs. The complete list of qualifying licenses for the Windows Autopatch product can be found here: Prerequisites - Windows Deployment | Microsoft Learn. Whether or when Autopatch may be available to Education (A), Frontline worker (F), or Government SKUs is still under consideration.

That's what's new for November. Look for the next installment of "What's new" to drop in January, when we'll have some exciting new capabilities to announce. Until then, continue the conversation and send your feedback by participating in the Autopatch Tech Community.

Stay informed. For the latest updates on new releases, tools, and resources, stay tuned to this blog and follow us @MSWindowsITPro on Twitter. For more frequent updates, please make sure to connect with me on LinkedIn and @Bela Lior on Twitter.

Continue reading...

-
Following the release of the 2022 Microsoft Digital Defense Report, Microsoft Defender for IoT is proud to share our contributions and insights with our Tech Community readers. The annual cybersecurity and threat intelligence report analyzes over 43 trillion daily security signals and includes contributions from research teams and security groups from 77 countries, including Microsoft Defender for IoT’s research team, Section 52.

The convergence of IoT and OT devices presents new challenges for organizations as the economy of malicious actors and cyber threats has shifted to target critical assets. Microsoft’s new report contains insights about the constantly evolving threat landscape, cyber-security trends and mitigation guidelines to manage risks and improve security posture.

The State of Cyber-Crime

Microsoft’s security teams actively track global threats, from ransomware and phishing to cybercrime-as-a-service. Section 52 has shared insights on how threat actors abuse infrastructure in the State of Cyber-Crime section of the Digital Defense Report. Cyber-attacks are increasingly becoming more complex as cybercriminals are building sophisticated enterprises out of their activities. With the inclusion of our research on how unpatched routers are abused by malware operators for their operations, our researchers shared new insights on how devices are actively compromised for crypto-mining resources. We have shared strong indications that popular IoT devices such as routers are becoming active components of coordinated attacks and a popular target for inclusion in criminal operations.

Devices and Infrastructure

As more organizations are adopting internet-connected devices and solutions across a broad range of industries including critical infrastructure, Section 52 has worked closely with Microsoft’s global security groups to track the threats that are most relevant to your IoT and OT (operational technology) assets. The opportunity for organizations adopting these solutions is closely related to that of threat actors, with the business of cybercrime targeting these assets becoming a multi-billion-dollar business. This year, we have released insights on trends and attacks, supply chain risks, firmware hacking, and OT reconnaissance.

IoT devices pose unique security risks as entry and pivot points in networks. Millions of IoT devices are unpatched or exposed. This year we have observed how IoT malware operators have updated modular botnets with new capabilities to increase attacks on architectures like ARM, and the abuse of non-IoT specific vulnerabilities to deliver malicious payloads to vulnerable IoT devices.

As organizations are increasingly adopting security solutions like Microsoft Defender for IoT to protect their devices and networks, we have observed threat actors using creative methods and reconnaissance to target valuable assets. This year we have included information on supply chain risks, firmware hacking, and how threat actors can use sensitive design files, the files which are used to map environments and their assets, to gain new footholds into increasingly secure networks.

Actionable insights

Microsoft Defender for IoT encourages customers to take proactive action against potential security risks:

• Ensure devices are robust by applying patches, changing default passwords, and changing default SSH ports.
• Reduce the attack surface by eliminating unnecessary internet connections and open ports, restricting remote access by blocking ports, denying remote access, and using VPN services.
• Use an IoT/OT-aware network detection and response (NDR) solution and a security information and event management (SIEM)/security orchestration and response (SOAR) solution to monitor devices for anomalous or unauthorized behaviors, such as communication with unfamiliar hosts.
• Segment networks to limit an attacker’s ability to move laterally and compromise assets after initial intrusion. IoT devices and OT networks should be isolated from corporate IT networks through firewalls.
• Ensure ICS devices are not exposed directly to the internet.

We hope you will read about these areas and more, in the 2022 report.

Continue reading...
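As an added illustration of the monitoring, segmentation and exposure guidance in the list above (example code written for this page, not code from Microsoft Defender for IoT or from the Digital Defense Report), the following Python turns three of those recommendations into checks that run over connection (flow) records, the kind of data an NDR or SIEM would ingest. The network segments, device addresses, learned baseline and flow lines are all constructed assumptions for the example; RFC 5737 documentation ranges stand in for internet hosts.

```python
"""Flag anomalous IoT/OT network behaviour in flow records.

Added example, not part of the Microsoft post or the Digital Defense Report.
Three of the report's recommendations become checks over flow records:

  1. a monitored device talking to a host outside its learned baseline
     ("communication with unfamiliar hosts")
  2. an IoT/OT device initiating a connection into the corporate IT segment
     (a segmentation violation)
  3. an ICS device reached directly from an address outside the organisation
     (direct internet exposure)

Segments, device addresses, baselines and flow lines are constructed for this
example; RFC 5737 documentation ranges stand in for internet hosts.
"""
import ipaddress
from collections import Counter

# --- Constructed environment description (assumptions for the example) ------
IOT_OT_SEGMENT = ipaddress.ip_network("10.20.0.0/16")   # plant / IoT network
CORP_IT_SEGMENT = ipaddress.ip_network("10.10.0.0/16")  # corporate IT network
INTERNAL_SEGMENTS = (IOT_OT_SEGMENT, CORP_IT_SEGMENT)

# Addresses of ICS equipment (PLC and HMI) that must never be internet-reachable.
ICS_DEVICES = {"10.20.5.10", "10.20.5.11"}

# Learned baseline: the peers each monitored device normally communicates with.
# In practice this would be built from a learning period of known-good traffic.
BASELINE = {
    "10.20.5.10": {"10.20.1.2", "10.20.5.11"},   # PLC -> historian, HMI
    "10.20.5.11": {"10.20.5.10", "10.20.1.2"},   # HMI -> PLC, historian
    "10.20.9.40": {"10.20.1.2", "192.0.2.10"},   # camera -> NVR, vendor cloud
}

# Constructed flow records: "<timestamp> <src> <dst> <dst_port> <proto>"
SAMPLE_FLOWS = """\
2022-11-10T08:00:01Z 10.20.5.10 10.20.1.2 502 tcp
2022-11-10T08:00:05Z 10.20.9.40 192.0.2.10 443 tcp
2022-11-10T08:01:12Z 10.20.9.40 198.51.100.77 8443 tcp
2022-11-10T08:02:30Z 10.20.5.11 10.10.3.15 445 tcp
2022-11-10T08:03:00Z 203.0.113.9 10.20.5.10 502 tcp
2022-11-10T08:03:20Z 10.20.5.10 10.20.5.11 44818 tcp
"""


def parse_flow(line):
    """Split one whitespace-separated flow record into a dict."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def is_external(addr):
    """True when an address belongs to none of the organisation's segments."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in seg for seg in INTERNAL_SEGMENTS)


def analyse_flows(text, baseline=BASELINE):
    """Return (finding_type, src, dst, dport) tuples for each suspicious flow."""
    findings = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        flow = parse_flow(raw)
        src_ip = ipaddress.ip_address(flow["src"])
        dst_ip = ipaddress.ip_address(flow["dst"])
        key = (flow["src"], flow["dst"], flow["dport"])

        # 1. Baseline drift: a monitored device reaches a peer it has never used.
        if flow["src"] in baseline and flow["dst"] not in baseline[flow["src"]]:
            findings.append(("unfamiliar_host",) + key)

        # 2. Segmentation: traffic originating in IoT/OT aimed at corporate IT.
        if src_ip in IOT_OT_SEGMENT and dst_ip in CORP_IT_SEGMENT:
            findings.append(("segmentation_violation",) + key)

        # 3. Exposure: an external source reaching an ICS device directly.
        if flow["dst"] in ICS_DEVICES and is_external(flow["src"]):
            findings.append(("ics_internet_exposed",) + key)
    return findings


def summarize(findings):
    """Count findings by type, e.g. for a dashboard tile or an alert digest."""
    return dict(Counter(kind for kind, *_ in findings))


if __name__ == "__main__":
    results = analyse_flows(SAMPLE_FLOWS)
    for kind, src, dst, dport in results:
        print(f"{kind:24s} {src} -> {dst}:{dport}")
    print(summarize(results))
```

Each recommendation maps to one concrete, testable condition on observed connections: the camera reaching an unknown public host and the HMI opening SMB to a corporate workstation trip the baseline check, the HMI-to-IT flow additionally trips the segmentation check, and the inbound Modbus connection from outside the organisation trips the exposure check. In a real deployment the baseline would be learned from a period of known-good traffic and the segment definitions would come from the network inventory.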
-
Ignite was here and gone before we could blink! The cool thing: Ignite shared so many of our incredible investments, announcements and new fun features we are all extremely excited about. Please take a read, learn about new integrations for PDFs, ways to collaborate using Video and the enhancements for Frontline Workers. Take a read, leave your comments and we thank you for being as enthusiastic about the October features as we are!

• Meetings
• Calling
• Devices
• Chat and Collaboration
• Power Platform and custom development
• Management
• Teams for Education
• Frontline Workers
• Government

Meetings

Assign seats in Together Mode
Together mode makes meeting participants feel more like they’re in the same room during virtual meetings. With this latest innovation, meeting organizers and presenters can now assign seats to participants in Together mode.

Pop out shared content into a separate window
Previously, you could pop out individual Teams chat conversation, meeting, and calling experiences into a separate window to help streamline the workflow. We are now bringing the ability for users to also pop out shared meeting content in a separate window so you can see both shared content and meeting participants with ease.

Live Translated Captions in Teams Premium
Live translated captions for Microsoft Teams delivers AI-powered, real-time translations from 40 spoken languages so meeting participants can read captions in their own language. This helps break down language barriers for your global meetings and calls to be productive and effortless. Live translated captions is temporarily available for all customers. Once Teams Premium is available, each user will need a Microsoft Teams Premium license. If an organizer has Teams Premium, all meeting attendees can enjoy live translated captions. For more information, see Teams Premium add-on for Microsoft Teams.

Updated companion mode for Android users
For a better hybrid meeting experience, we have updated companion mode in Teams mobile to give in-room attendees quick access to engagement features like chat, live reactions, and Microsoft Whiteboard. We are making it easier to access meeting and device controls, like the ability to join a meeting, cast a PowerPoint, mute the room, turn room cameras on and off, and more. Here are some areas companion mode in Teams mobile makes hybrid meetings better:
• Users can use a single tap to join a meeting on both their device and Microsoft Teams Room.
• Users can easily access chat, participant list (see who's in the meeting), live reactions, and raise hands to easily participate from the room.
• Audio on the mobile device will automatically turn off to ensure echo doesn’t happen.
This updated companion mode was previously available in iOS and is now available in Android. Learn more.

Calling

Detailed call history
Get a more comprehensive view of your call history to see how calls arrived, whether calls were transferred or forwarded, and how they were controlled once received. This detailed call history, combined with the ability to access call recordings and transcriptions from within call details, gives you the context you need to be efficient and productive.

Creation of Contact Groups in Calls App
Creation of Contact Groups is now available in the right rail pane of the Calls App. Users can now create new groups, and edit the membership of existing groups via the Calls App.

Certified Devices

Crestron Flex
Crestron Flex Displays for Microsoft Teams provide a dedicated conferencing companion for Microsoft Teams-based collaboration that gives quick access to channels, chats, files, calendars, and all other Microsoft Teams features. The ideal desktop solution for both in-office hot desks and remote home offices, the Crestron Flex Display for Microsoft Teams was designed to facilitate cleaner management of daily workflow and activity while freeing up other devices for more specialized work.

Sony YY2969 Earbuds
Sony’s new LinkBuds headphones improve convenience of participating in online meetings with a truly wireless audio experience. The newly developed ring driver unit features an open central diaphragm for audio transparency, enabling users to tune in to their call and direct surroundings, which is ideal for multi-tasking and on-the-go work. Calls can be easily operated by tapping the headphones. For instance, to mute the microphone, tap the right earbud three times, a useful feature when you step away from your PC during a meeting and want to speak up in a hurry. These Microsoft Teams certified headphones also boast Teams specific features like joining a meeting, receiving calls, and raising hands for meetings in Microsoft Teams. By connecting to your PC through the included USB transceiver and mobile phone via Bluetooth, you can seamlessly switch between your PC and phone to ensure you don’t miss anything said. For instance, users can switch their Microsoft Teams meeting from their phone to their PC without having to reconnect their LinkBuds.

Neat Frame
Neat Frame is a portable, portrait-oriented personal video device that pairs well with laptops and desktop computers. This device caters to flexible hybrid work scenarios because it can be used in various environments: at home, in the office, in focus pods, or for hot desking. Users can sign into Microsoft Teams on Neat Frame and sync their calendar, files, and chats.

Chat & Collaboration

Microsoft 365 connected templates
We are combining the best of Microsoft Teams templates with SharePoint site templates – into the same flow of creation. When you create a new team using a default template – for example the Manage a Project template – the project management channels and apps, and the connected SharePoint template, get applied automatically.

Adobe PDF experience
Tenant admins can set Adobe Acrobat as the default app in Teams admin center to view and edit PDF files in Microsoft Teams. End-users can view, search, comment and annotate PDF files without an Adobe Acrobat subscription or an Adobe ID. This feature is in public preview. Learn how to set up Adobe Acrobat as the default app.

Suggested Replies in Group Chat
Instead of spending time typing a routine response to an incoming message, simply reply with one click by choosing a suggested response to your group chat. Suggested replies use machine learning to generate responses that are most relevant to the conversation.

Video clip
You can now create short, lightweight, rich video clips that allow you to express yourself, deliver a more personal touch and strengthen your connections. Simply record, send and view a video clip in chat. The recipient of the video clip can easily reply with a chat message or a video clip of their own. Generally available in desktop and will be in public preview in mobile by end of the year.

Delete or rename files in a channel and in your OneDrive folder in Teams
To rename or delete a file in a channel, go to the files tab and find the file you want. Then select More options (the three dots) on the file. To rename or delete a file from your OneDrive, select More at the bottom of the app, then select Files. Once you find the file you want, select the three dots and choose to rename or delete it.

Teams calendar now includes scheduling form pop-outs
In a Teams calendar, users will now be able to pop out an existing meeting using the pop-up icon in a Teams calendar scheduling form. Users will be able to pop out the meeting and have it visible while creating a new meeting. This feature will allow users to view multiple meetings in separate windows while also being able to check their chats or edit their files without the need to switch apps.

Power Platform and custom development

ISV App Subscriptions instead of 3P app subscriptions in Teams Admin Center
Ability for Admins to view and manage in a single place all third-party app subscriptions they’ve purchased from Teams Admin Center, easily adding more licenses for the purchased subscriptions, cancelling, upgrading and downgrading subscriptions, and accessing invoices.

Simplified app update experience
Users will have a clear and transparent app update experience. Users will only need to approve an update once per app, and the new version will take effect seamlessly in all their chats, channels and meetings.

Teams Platform Apps in One-on-One VOIP Calls
All the familiar functionalities of meeting apps - tabs, bots, in-meeting dialogue, and meeting stage - will be supported in Teams VOIP Calls. Users of your apps will enjoy the same familiar app experience as seen in Teams Meetings, in their Teams VOIP Calls.

Teams Platform Apps in Group VOIP Calls
All the familiar functionalities of meeting apps - tabs, bots, in-meeting dialogue, and meeting stage - will be supported in Teams VOIP Calls. Users of your apps will enjoy the same familiar app experience as seen in Teams Meetings, in their Teams VOIP Calls.

Zero install link unfurling
Users can now see a preview card when a pasted link unfurls even when they don't have the app installed.

Management

Upgraded usage analytics for Teams administrators and users
Updates and improvements were made to Teams-related usage reports in the Microsoft 365 admin center (and corresponding Graph APIs) to be more accurate and upgraded. We are bringing consistency across different reporting surfaces: we are updating the Teams admin center usage reports and end user analytics in Teams with the same underlying data source as the Microsoft 365 admin center Teams usage reports. Individual usage metrics reported in different reports and in the end user analytics in Teams, as well as the Graph APIs for the usage data, will have data consistency across Teams and M365 admin center usage reports. In addition to 7/30/90 days of aggregated metrics, Teams admin center usage reports and end user analytics for teams will have additional 180 days aggregated metrics. Thus, historical usage data up to 180 days will be available for reporting. The Teams app usage report is updated to include more reporting metrics, data quality fixes for reported metrics and usage for Line of business applications as well. (Available only for Public/worldwide cloud customers.) The Teams app usage and Teams team usage reports will be available in both Teams admin center as well as M365 admin center. The Teams user activity report and Team usage report are updated to include shared channel related usage metrics.

To learn more: Microsoft 365 admin center activity reports - Microsoft 365 admin | Microsoft Learn, Microsoft Teams analytics and reporting - Microsoft Teams | Microsoft Learn, View analytics for your teams (microsoft.com), Microsoft 365 usage reports in Microsoft Graph | Microsoft Learn

Enhancement to app usage report - support for Line of Business apps
An updated version of the Teams app usage report with support for Line of business apps in alignment with Teams app usage in M365 admin center. The new enhancements include support for usage of line of business (LoB) apps, tenant level install trend, enhanced quality of metrics reported, tenant-wide usage of Microsoft, 3P and LoB apps, etc. These enhancements will help admins measure the usage of Teams apps across their organization and categorize them.

Teams for Education

We're showcasing one of this month's Teams for Education features here, but be sure to take a look at the monthly Teams for Education blog for a look at the great new updates.

Education Insights - Student Support Card
New AI-based Student Support spotlight in Education Insights helps educators better support students before they fall behind.

Frontline Workers

Approvals as PDFs can be saved, printed and transferred
Approval creators will be able to save a completed approval request to a PDF file and have the option to print it. This feature will also allow customers to easily transfer their proof of approval as a PDF to another system or store it as a file.

Approvals in integrated SharePoint Lists
List users will now be able to create and manage simple approval requests directly within integrated SharePoint Lists.

Assign Approvals to a Tag in Teams
For an approval assigned to a tag, the tag will expand and send to the correct members when the approval requestor hits submit.

Rich notes in Tasks field
Tasks will also support rich text in the notes field, so you can include more detailed instructions with the help of rich formatting such as bold, italic, and underlined text, bulleted and numbered lists, and hyperlinks. Learn more about how to get started with Tasks in Teams.

Government

These features currently available to Microsoft’s commercial customers in multi-tenant cloud environments are now rolling out to our customers in US Government Community Cloud (GCC), US Government Community Cloud High (GCC-High), and/or United States Department of Defense (DoD).

Enhancement to app usage report - support for Line of Business apps
An updated version of the Teams app usage report with support for Line of business apps in alignment with Teams app usage in M365 admin center. This will help admins track all app usage metrics over time.

Music on hold for Voice over IP calls, consultative transfer, and call transfer for GCCH and DOD
Music on hold is available for VoIP calls placed on hold, as well as VoIP and PSTN calls placed on hold for a call transfer and consultative transfer.

Live Share SDK support for meeting extensions
Live Share is a new developer capability designed to transform Teams meeting apps into collaborative multi-user experiences without writing any dedicated back-end code. Live Share SDK support for meeting extensions enables general-purpose collaboration features, turn-key media synchronization to co-watch videos in meetings, and inking, cursors & annotations.

Text prediction for Teams mobile in GCC-High and DoD
When you compose or reply to a message in Teams, Editor Text Predictions anticipates your writing and suggests a suitable word or phrase inline. This saves time and helps you reduce typos.

Connectors in GCC
Teams Connectors, which support webhook integrations, will be made available in GCC.

Firefox Meeting Support for Outgoing Screen Sharing
Extend outgoing screen sharing capabilities for Teams Meetings from the Firefox browser.

Updated companion mode for Android users for GCC, GCC-High and DoD
For a better hybrid meeting experience, we have updated companion mode in Teams mobile to give in-room attendees quick access to engagement features like chat, live reactions, and Microsoft Whiteboard. We are making it easier to access meeting and device controls, like the ability to join a meeting, cast a PowerPoint, mute the room, turn room cameras on and off, and more. Here are some areas companion mode in Teams mobile makes hybrid meetings better:
• Users can use a single tap to join a meeting on both their device and Microsoft Teams Room.
• Users can easily access chat, participant list (see who's in the meeting), live reactions, and raise hands to easily participate from the room.
• Audio on the mobile device will automatically turn off to ensure echo doesn’t happen.
This updated companion mode was previously available in iOS and is now available in Android.

Continue reading...
-
With the announcement of Microsoft Store for Business retiring in early 2023, organizations that use Windows Autopilot to register devices and create and manage Windows Autopilot profiles will need to use a different platform. Microsoft Intune and the Microsoft 365 admin center are two available options. Microsoft Intune If you don't already use Intune, you can use an Intune tenant to register devices and create and manage Windows Autopilot profiles. To access a free Intune tenant, refer to Microsoft Intune Licensing for more information. Using Intune to register devices and create and manage Autopilot profiles doesn't require a paid subscription. Once you have access to Intune, set up and manage Autopilot profiles at Home > Devices > Windows > Windows enrollment > Deployment profiles. A screenshot of the Windows Autopilot deployment profiles screen in Microsoft Intune Microsoft 365 admin center The Microsoft 365 admin center can also be used to register devices and to create and manage Windows Autopilot profiles. Access the Microsoft 365 admin center at www.admin.microsoft.com and select Devices > Autopilot > Create profile. A screenshot of the Autopilot devices and profiles options in Microsoft 365 admin center Other considerations What happens to profiles I have created in the Microsoft Store for Business? Profiles created within the Microsoft Store for Business will still exist in Windows Autopilot. However, you may not be able to edit or access the profile once the changes take effect. We recommend reviewing whether any of the profiles you created are available in either Microsoft Intune or Microsoft 365 admin center prior to the Microsoft Store for Business retirement in early 2023. If they're not available, the Autopilot profiles will need to be recreated and re-targeted to devices within one of the two platforms as they may not be migrated. Learn more at Configure Autopilot profiles. 
What permissions do I need to access the Autopilot devices menu in the Microsoft 365 admin center?
Global administrator rights are currently required to make changes in the Microsoft 365 admin center.

When will the original equipment manufacturer (OEM) consent form move from the Microsoft Store for Business?
The consent form for OEMs to register devices to your tenant is available in the Microsoft 365 admin center and will coexist with the Microsoft Store for Business link until March 2023. Contact your OEM to provide the updated link.

If I have already consented to my OEM, do I need to do it again?
All existing relationships will remain. There is no need to re-establish consent with an OEM.

Continue reading...
-
Welcome to Microsoft Ninja training! This blog post will walk you through Microsoft Defender Threat Intelligence (Defender TI) level 400 training and help you become a Defender TI master.

Curriculum
This program consists of six training modules that will enable users to get to know and get the most out of their Defender TI instance. Throughout this training, you'll get familiar with Defender TI, how it collects and analyzes threat intelligence, and how to use it to unmask adversaries and their tools and infrastructure. Once complete, you'll be ready to leverage the advanced intelligence in Defender TI to up-level your threat hunting and incident response. The modules listed below are split into four groups:

Part 1: Overview
- Module 0: Other Learning and Support Options
- Module 1: Use Cases, Users, and How to Get Started

Part 2: Data Collection, Threat Analysis, and Defender TI's Dataset Overview
- Module 2: Data Collection and Threat Analysis
- Module 3: Understanding Internet Datasets and their Investigative Use

Part 3: Integrated Use Cases
- Module 4: Microsoft Defender Threat Intelligence Detections in Microsoft Sentinel

Part 4: Using Defender TI for Cyber Threat Investigations
- Module 5: Making Use of Projects
- Module 6: Understanding & Utilizing Finished Threat Intelligence

Part 1: Overview

Module 0: Other Learning and Support Options
The Ninja training is a level 400 training. If you don't want to go as deep or have a great feature request to share, other resources might be more suitable:
- Already a Ninja? Join our Private Preview program to be informed of new features. We will update this Ninja training as new features or integrated use cases are introduced.
- Have a good feature idea you want to share with us? Let us know on the MS Defender Threat Intelligence channel of the Cloud Security Private Community [EXTERNAL] Teams site.
- Think you're a true Microsoft Defender Threat Intelligence Ninja? Take the knowledge check and find out.
If you pass the knowledge check with a score of over 80%, you can request a certificate to prove your ninja skills! Disclaimer: This is not an official Microsoft certification and only acts as a way of recognizing your participation in this training content.
- Take the knowledge check here.
- If you score 80% or more in the knowledge check, request your participation certificate here.
- If you achieved less than 80%, please review the questions that you got wrong, study more, and take the assessment again.

Module 1: Use Cases, Users, and How to Get Started
Defender TI is an analyst workbench aggregating many intelligence data sources in a way that is searchable and pivotable. Data sources include both raw data ingested via a world-wide collection engine as well as finished intelligence in the form of articles. The workbench allows for correlating data and aggregating identified attributes or entities by grouping them into projects or assigning tags, which can be shared within an organization. The intent of the platform is to enable organizations to derive insights, which will be utilized to defend themselves against threat actors in cyberspace (read more).

Defender TI aids the following target user functions:
- Security Operations
- Incident Response
- Threat Hunting
- Cyber Threat Intelligence Analysis
- Cybersecurity Research

Common tactical use cases include:
- Identify Existing Threat Intelligence
- Data Enrichment
- Infrastructure Chaining
- Monitoring Internet Infrastructure Changes
- Collaborating on Investigations

For more information regarding Defender TI's target user functions and use cases, see "Microsoft Defender Threat Intelligence's Target User Functions and Use Cases".
If you want to get an initial overview of Microsoft Defender Threat Intelligence's technical capabilities, the Microsoft Security Public Community webinar, "Special Report: Ukraine | A Microsoft Overview of Russia's Cyberattack Activity in Ukraine", and our Microsoft Security Digital Event "Stop Ransomware with Microsoft Security" are good starting points. You might also find the article What is Microsoft Defender Threat Intelligence (Defender TI)? useful.

Lastly, want to try it yourself? Defender TI 30-day Premium trials are available to start in the M365 Admin Center (read more). If your organization is not ready to trial the Premium Defender TI experience, you can also register for Community Defender TI access with your standard Microsoft authentication when accessing the Defender TI standalone portal. Community access presents users with limited datasets and data history as well as limited access to articles (read more).

Part 2: Data Collection, Threat Analysis, and Defender TI's Dataset Overview
While the previous section provides an overview of our Defender TI platform, the use cases it supports, and how to get started, this section provides thorough information regarding Defender TI's data collection processes, threat analysis, and data sets. It also provides dataset investigative examples to show the value Defender TI's datasets can bring to analysts.

Module 2: Data Collection and Threat Analysis
It is oftentimes difficult to determine whether a security alert identified truly malicious activity without the ability to conduct additional research into the entities associated with the alert. Entities could include IP addresses, domain names, host names, URLs, file names or hashes, and more. Analysts have to turn to outside sources in order to gather the context needed on these entities to properly triage the activity that has been identified.
Defender TI is built on top of well over a decade's worth of collection against Internet datasets. The technologies in place enable the collection, processing, and storage of data at a scale unmatched by most in the industry. Improvements to the ability to search across and pivot through datasets occur on an ongoing basis, in conjunction with improving the ability for analysts to collaborate across research and investigations. This module will provide an overview of the primary methods by which Internet data is collected.

Defender TI collects internet telemetry data via its Passive DNS sensor network, web crawling with virtual users, a global proxy network, internet scanning, and select third parties. As a result, the following datasets are available in the Defender TI platform:
- Resolutions
- Whois
- Certificates
- Subdomains
- Trackers
- Host pairs
- Components
- Cookies
- Reverse DNS
- DNS
- Services

For more information, see "How Does Microsoft Defender Threat Intelligence Collect Internet Telemetry Data?".

Note: As mentioned previously in Module 1, Community users will have access to limited datasets and history of those datasets (read more).

By collecting these internet datasets, Defender TI leverages an ML algorithm to produce real-time reputation scores for IP addresses, domains, and hosts. In addition, analysts can gain more context into these IP addresses, domains, and hosts by leveraging Defender TI's Analyst Insights feature (read more).

Module 3: Understanding Internet Datasets and their Investigative Use
Microsoft collects, analyzes, and indexes internet data to assist users in detecting and responding to threats, prioritizing incidents, and proactively identifying adversaries' infrastructure associated with actor groups targeting their organization. We learned how Defender TI provides raw and finished threat intelligence in Module 2. The focus of this module is to dive into the raw intelligence, in the form of internet datasets, that Defender TI includes.
Defender TI's internet data is categorized into two distinct groups: core and derived. Core datasets include Resolutions, Whois, SSL Certificates, Subdomains, DNS, Reverse DNS, and Services. Derived datasets include Trackers, Components, Host Pairs, and Cookies. The Trackers, Components, Host Pairs, and Cookies datasets are collected by observing the Document Object Model (DOM) of crawled web pages. Additionally, Components and Trackers are also observed from detection rules that are triggered based on the banner responses from port scans or SSL Certificate details. To learn more and practice working with Defender TI's datasets, see "Microsoft Defender Threat Intelligence's Datasets and How to Use Them During Investigations."

Part 3: Integrated Use Cases
Now that we have a foundational understanding of Defender TI's use cases, features, and raw and finished intelligence, let's learn how Defender TI's threat intelligence can be used to drive more detections within Microsoft Sentinel. As Defender TI evolves, more integrated use cases will come to speed up security operations, incident response, threat hunting, and threat intelligence workflows. Be on the lookout for new content in this section as new integrated use cases present themselves natively across the Microsoft Security ecosystem or through configuration. In addition, if you have ideas for new integrated use cases, feel free to email mdti-pm@microsoft.com, add a comment in Module 4's blog, or join our Cloud Security Private Community and start a discussion in the MS Defender Threat Intelligence channel.

Module 4: Defender TI Detections in Microsoft Sentinel
Defender TI provides free threat intelligence indicators to Microsoft Sentinel customers. These indicators come from Defender TI's malware and phishing indicator feeds as well as indicators from Defender TI's articles. While users cannot export the indicators and ingest them into their TIP or SIEM, they can enable the "TI map*" Analytic rules in Sentinel.
These rules run every hour and correlate these indicators against logs stored in the Log Analytics workspace to generate more high-confidence detections. Once a detection happens, users will be able to view the associated entities (threat intelligence indicators from Defender TI) in their Microsoft Sentinel Threat Intelligence blade (read more).

Part 4: Using Defender TI for Cyber Threat Investigations
At this point, you've learned a great deal about how Defender TI can be used within its user interface and how it can integrate with Microsoft Sentinel to generate more detections. These next modules will focus on how you can apply what you've learned from the previous modules by putting those teachings into practice.

Note: For those of you with Defender TI Community access, your dataset, dataset history, and feature access will be limited compared to our Defender TI Premium experience. As such, many of the exercises below in Module 6 may be difficult to execute without a Defender TI Premium license. Module 1 covers how you can work with your team to start a Defender TI Premium Trial if you'd like to practice the following exercises and evaluate full access to our Defender TI solution.

Module 5: Making Use of Projects
The Microsoft Defender Threat Intelligence (Defender TI) platform allows users to develop private personal or team project types for organizing indicators of interest and indicators of compromise from an investigation (read more).

Module 6: Understanding and Utilizing Finished Threat Intelligence
Threat intelligence is the data that organizations need in order to map threats to the enterprise and enable the best possible decision making related to risk. Defender TI serves as a valuable source of attack surface threat intelligence on global, industry, and local threats, with content from hundreds of OSINT sources complementing original research shared from Microsoft's own Defender, MSTIC, and Section52 research groups.
As an analyst working with threat intelligence, it's easy to become overwhelmed by the volume of data out there, but within the Defender TI portal, the ability to quickly find data relevant to your needs is kept top of mind. For more information regarding Defender TI's articles, vulnerability articles, and exercises to practice gathering raw intelligence, see "Understanding and Utilizing Finished Threat Intelligence with Microsoft Defender Threat Intelligence".

Continue reading...
-
Want to simplify your on-premises management of updates? Try the public preview of the Unified Update Platform (UUP)! Following a successful limited private preview, UUP on premises is available for commercial organizations now. UUP on premises is an integration with Windows Server Update Services (WSUS) and Microsoft Configuration Manager. This new capability simplifies Windows content management and streamlines the process for upgrading to Windows 11 for those who manage Windows devices with these update management platforms. Prepare yourself and your organization for the complete transition of servicing to UUP by early 2023. Let's see how UUP on premises simplifies quality and feature update deployment, and act now to enroll in our public preview!

What is the Unified Update Platform?
The Unified Update Platform (UUP) is the next iteration of our system for delivering Windows OS quality and feature updates. It offers improved delivery technologies in response to IT admin requests for more seamless updates, more control over installation time, more battery life, and lighter download size. After five productive years, UUP is becoming even better through seamless integration with Configuration Manager and WSUS. UUP on premises is stepping up to the growing demand for Windows 11 security and productivity standards across leading enterprises. In fact, starting in early 2023, all new releases of Windows will be serviced with UUP updates. Here's the timeline that has led to the currently available public preview of UUP on premises, as the last stage in preparation for UUP servicing.

[Image: Estimated timeline for the preview and general availability of UUP on premises]

Let's look at the key benefits, version requirements, and the process to sign up for the public preview of UUP on premises today.

Simplifying the upgrade from Windows 10 to Windows 11
The UUP makes OS upgrades easier for you to manage.
You no longer need to create your own custom images or complicated task sequences to retain installed optional features or language packs. New capabilities include:
- Simplified content management via servicing, instead of media-based task sequences
- Upgrading the OS to the latest security compliance level with one reboot
- Installed optional features on demand (FODs) and language packs (LPs) are retained during upgrades
- If desired, the ability to implement well-known task sequences for other custom actions needed in your environment

If your organization has already moved to the Software Updates model for feature updates, you'll automatically get UUP updates. You'll want to remove any feature update steps you are performing today to work around previous gaps. For example, remove Setup custom actions to migrate FODs, since the UUP feature update will now do this automatically. If you are using a Task Sequence with OS media to perform feature updates, this is a great opportunity for you to consider switching to the Software Updates model. You can continue to use a Task Sequence, but integrated with the Software Update instead of needing to build a custom OS image.

Note: When UUP launches early next year, customers will get UUP updates automatically. Quality and feature updates delivered for Windows 11, version 22H2 and later releases will be UUP updates. To upgrade to Windows 11 from Windows 10, the minimum required version of Windows 10 is 21H1 or later.

Quality updates for Windows 11
Quality updates with the UUP continue to be cumulative and include all released Windows quality and security fixes. New capabilities are:
- Ability for end users to acquire FODs and LPs in WSUS or Configuration Manager environments
- Automatic corruption repair
- Minimized quality update client download sizes

Note: To receive quality updates on Windows 11, we recommend that the latest security updates be installed on your devices. Minimally, devices should be updated through April 2022.
Participate in the UUP on premises public preview
Aside from the Windows version and update requirements listed above, make sure you are managing your PCs with a supported platform, then follow the simple process outlined below to sign up for the public preview.

Supported platforms
To take advantage of UUP on premises, you must be using a supported platform:
- Configuration Manager, version 2203 or later
- All supported versions of Windows Server Update Services (WSUS)

How do I sign up for the public preview?
To sign up for the UUP on premises public preview, complete this short form, which gives us the information necessary to provide access to UUP updates in your environment: Microsoft Forms. After we've received your information, we'll let you know when you can expect to be added to the preview. Find complete onboarding instructions at Onboarding guide: Preview of Unified Update Platform (UUP) on premises update management, which include the following steps.

Once you've been added to the preview, enable UUP and sync updates:
1. Synchronize software updates to allow the new products to populate.
2. In the Configuration Manager console, navigate to Administration\Site Configuration\Sites.
3. Select your top-level site (CAS or standalone primary).
4. Open Configure Site Components\Software Update Point.
5. On the Products tab, a new product should appear once your WSUS server is added to the preview. This product will contain the UUP preview content. Select "Windows 11 UUP Preview" in order to see Windows workstation UUP updates.
6. On the Classifications tab, ensure you have selected:
   - Security Updates, in order to see the UUP cumulative updates.
   - Upgrades, in order to see the UUP feature updates.
7. Synchronize software updates to see the new UUP updates.

Finally, find the synced UUP updates in WSUS or Configuration Manager and test them! You can find more information about what and how to test at Onboarding guide: Preview of Unified Update Platform (UUP) on premises update management.
Looking ahead
We love learning from our preview participants and helping you get ready for upcoming improvements. Be a part of this journey and apply today at Microsoft Forms! During preview, all Windows 11 quality updates and feature updates, starting with the July 2022 security update, will be available as UUP updates. Stay tuned for upcoming blog posts and Demo Bytes on the Windows IT Pro YouTube channel (subscribe here!) to learn about the behind-the-scenes magic that is improving your update experience on the latest versions of Windows.

For more information, refer to the following resources:
- Get started with Windows Update
- Migrating and acquiring Windows optional content
- Preview Unified Update Platform for on-premises update management
- Introducing the Unified Update Platform (UUP)

Continue the conversation. Find best practices. Visit the Windows Tech Community. Stay informed. For the latest updates on new releases, tools, and resources, stay tuned to this blog and follow us @MSWindowsITPro on Twitter.

Continue reading...
-
Take advantage of expedited quality updates in Intune and Windows Update for Business to address zero-day security vulnerabilities and fast-track installation of security updates. It works seamlessly if you are managing a mix of Windows 10 and 11 devices, ensuring quick deployment even in complex environments. This feature is available to those enrolled in the Windows Update for Business deployment service. Working closely with Intune users, we have invested in improving the experience by adding new and more intuitive alerts and notifications. To help you get the very best out of the expedite capability, this blog explores:
- Prerequisites for expedited updates
- Monitoring and reporting
- Common alerts and resolutions
- Best practices

Prerequisites for expediting updates
To expedite quality updates, make sure you meet the following requirements for eligibility, joining your devices to Azure Active Directory (Azure AD), connecting them to Windows Update services, and equipping your devices with the necessary tools. See the Common alerts and resolutions section for how to make sure you meet these prerequisites!

Prerequisite category / Description
- Licensing: one of
  - Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
  - Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
  - Windows 10/11 Virtual Desktop Access (VDA) per user
  - Microsoft 365 Business Premium
- Azure Active Directory (Azure AD): Joined or Hybrid joined. Note: Workplace joined devices are not supported for expedited updates. For details, see What is an Azure AD joined device?
- Windows Update services: Devices must be configured to scan the Windows Update service and be receiving updates from it.
- Update Health Tools Client: Update Health Tools KB4023057 must be installed on all relevant devices. Note: If the devices are configured to scan the Windows Update service, then the client should automatically be installed on the device.
- Recommended: Client/device data processing in Intune: Devices are configured to send diagnostic data for a better experience.

Please refer to the full and current list of prerequisites to qualify for installing expedited quality updates. Most needs in troubleshooting arise from not fully meeting these prerequisites. Thankfully, this post is here to help you!

Monitor and report on expedited updates in Intune
Have you asked yourself where you can monitor and see any errors triggered for an expedite policy that you've created? After an expedite policy has been created, you can monitor the update status and view any errors using intuitive reports available in Intune: the summary report and the Windows expedited update failures report.

Access the summary report from Intune's Reports > Windows updates. View the status of deployment by checking the Update Aggregated State column of the device-by-device portion of the report (see image below).

[Screenshot: A summary report view of Windows expedited updates in Intune. The bottom portion lists device by device, with its respective identifiers, update aggregate state, and other details.]

Review some important update states and substates that indicate successful progression of the policy below. For more information on all update states and substates, see the Update states section of the Microsoft Intune documentation.

Update state / Update substate / Workflow state
- Pending / Validation: Device has been added to the expedited update policy and is being validated. Note: Devices that do not meet the prerequisites will show this state. Resolve this by checking the Common alerts and resolutions tips below.
- Pending / Scheduled: Device has passed validation and will be expedited soon.
- Offering / OfferReady: The expedite instructions are ready for the device. The next time the expedite client on the device scans for updates, these will be offered to the device.
- Installed / UpdateInstalled: Device has received the update successfully.
- Needs Attention / Needs Attention: Device has encountered an error. Please check the Windows Expedited update failures report in Intune, as shown next.

The Windows Expedited update failures report provides a view of all devices within a policy that have encountered an error. Access the Windows Expedited update failures report from Intune (Home > Devices > Monitor) to troubleshoot expedite deployments.

[Screenshot: Windows expedited update failures in Intune show error devices, along with full details]

Upon selecting the Alert message, you can view the details of each error and the steps needed to remediate it. The report also gives the capability to filter by a specific error type and see all impacted devices. About 57 alert types are included with detailed explanations and recommended remediation for each issue.

Common alerts and resolutions
If the devices are active and meet the eligibility criteria for expedited updates, then you shouldn't encounter any issues while using the service. Devices are considered active when they are connected to the internet and are operational for more than 6 hours a month in total, with continuous activity of at least 1 hour. Let's review some common error messages you can find in our reporting and how to remediate them.

Why do I not see detailed status and alert information for my devices?
Alert: Windows Health Monitoring not enabled
Description: Windows Health Monitoring is not enabled for the Windows Update scope for this device. Update status from the device will not be available.

This issue is often related to the prerequisite of Windows health monitoring and will cause all your devices to only show the OfferReady status. Please make sure you have enabled the required Windows data processing settings in Intune. From Home, go to Devices > Windows 10 and later > Windows health monitoring. Enable Health monitoring for Windows updates (see image below).
For detailed guidance on how to do this, refer to Use Update Compliance reports for Windows Updates in Microsoft Intune.

[Screenshot: Windows health monitoring configuration settings in Intune, with Health monitoring set to Enable. Scope allows selecting items like Windows updates and Endpoint analytics.]

The other possible reason for the devices to remain in this update substate is if they are not active or are experiencing issues while connecting to Windows Update.

How do I check if the tenant has the appropriate license required to use the Windows Update for Business deployment service?
Alert: Missing E3 license (Not eligible to be updated)
Description: This device does not meet the licensing requirements and is not able to be updated.

The easiest way to check if your tenant has the required license to use the service is to use Microsoft Graph.
1. Go to Microsoft Graph Explorer and log in to your tenant.
2. Run the API https://graph.microsoft.com/v1.0/subscribedSkus?$select=servicePlans
3. Check the response to see if there is "WINDOWSUPDATEFORBUSINESS_DEPLOYMENTSERVICE" as a service plan name. If yes, then your tenant meets the licensing eligibility criteria.

[Screenshot: Microsoft Graph API shows that your tenant meets the licensing eligibility criteria under Service Plan Name.]

How can I verify if the Update Health Tools client is installed on my device(s)?
Alert: Expedite client missing
Description: The device does not have the expedite client needed to expedite.

Another prerequisite is verifying that Update Health Tools are running on the device correctly:
- Look for the installation files at this location: C:\Program Files\Microsoft Update Health Tools.
- Check if the Microsoft Update Health service is running on the device (illustrated below).

[Screenshot: Microsoft Update Health Tools shows a list of services running on the device. Microsoft Update Health Service is highlighted.]
- As an admin, run the following PowerShell script, which searches the Windows Update history for the KB4023057 package:

    $Session = New-Object -ComObject Microsoft.Update.Session
    $Searcher = $Session.CreateUpdateSearcher()
    $historyCount = $Searcher.GetTotalHistoryCount()
    $list = $Searcher.QueryHistory(0, $historyCount) | Select-Object -Property "Title"
    foreach ($update in $list) {
        if ($update.Title.Contains("4023057")) {
            return 1
        }
    }
    return 0

Interpret the results as follows:
- If it returns a 1, the device has the UHS client.
- If it returns a 0, the device does not have the UHS client. In this case, you can manually download and install Update Health Tools from the Microsoft Download Center.

How can I verify that my devices are configured to connect to Windows Update?
Alert: Not connected to Windows Update
Description: This device is not connected to Windows Update and therefore cannot download the update.

Windows Update must be configured as the scan source for quality updates. Most common policies, if configured differently from the default settings, could lead to devices not scanning Windows Update correctly. If your devices are receiving regular updates from Windows Update, then your devices have the correct configurations. Learn more at Use Windows Update for Business and Windows Server Update Services (WSUS) together.

On Windows 10:
- Configure scan source for quality updates from Windows Update.
- Ensure Disable Dual Scan is Not Configured or is configured to Disabled.
Note: If you don't have a WSUS URL configured, ALL updates will come by default from Windows Update without you needing to configure scan source.

On Windows 11:
- Configure scan source for quality updates from Windows Update.
Note: If no scan source policy is configured, ALL updates will come by default from Windows Update.

If using Microsoft Intune co-management, ensure the Windows Update for Business workload slider is set to Intune or Pilot with the desired devices.

How do I ensure that devices in my organization are Azure AD joined?
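The three Update Health Tools checks above (install folder present, Microsoft Update Health Service running, KB4023057 in Windows Update history) can be run together and reported as one object per device. This is an added example, not code from the original post; the function name is hypothetical, and it assumes only the folder path, service display name, and KB number the post gives, reusing the same Microsoft.Update.Session COM object as the post's script.

```powershell
# Added example (not from the original post): consolidate the Update Health
# Tools (UHS) prerequisite checks for expedited updates into one report.
# Run in an elevated PowerShell session on the device being checked.
function Test-UpdateHealthToolsPrerequisites {
    [CmdletBinding()]
    param(
        # Install location given in the post
        [string]$InstallPath = 'C:\Program Files\Microsoft Update Health Tools',
        # Service display name given in the post
        [string]$ServiceDisplayName = 'Microsoft Update Health Service',
        # KB number of the Update Health Tools package given in the post
        [string]$KbNumber = '4023057'
    )

    # Check 1: the installation folder exists
    $installed = Test-Path -LiteralPath $InstallPath

    # Check 2: the service exists and is currently running
    $service = Get-Service -DisplayName $ServiceDisplayName -ErrorAction SilentlyContinue
    $serviceRunning = ($null -ne $service) -and ($service.Status -eq 'Running')

    # Check 3: the KB appears in Windows Update history (same COM query the post uses);
    # wrapped in try/catch because the COM call fails on systems where the
    # Windows Update service is disabled.
    $inHistory = $false
    try {
        $session  = New-Object -ComObject Microsoft.Update.Session
        $searcher = $session.CreateUpdateSearcher()
        $count    = $searcher.GetTotalHistoryCount()
        if ($count -gt 0) {
            $match = $searcher.QueryHistory(0, $count) |
                Where-Object { $_.Title -like "*$KbNumber*" } |
                Select-Object -First 1
            $inHistory = ($null -ne $match)
        }
    } catch {
        Write-Warning "Could not query Windows Update history: $($_.Exception.Message)"
    }

    # One record per device, suitable for Export-Csv across a fleet
    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        InstallFolderPresent = $installed
        ServiceStatus        = if ($service) { $service.Status.ToString() } else { 'NotFound' }
        ServiceRunning       = $serviceRunning
        KbInUpdateHistory    = $inHistory
        # Mirrors the post: the expedite client is present only when all checks pass
        Ready                = $installed -and $serviceRunning -and $inHistory
    }
}

Test-UpdateHealthToolsPrerequisites | Format-List
```

Windows Update history only lists packages installed through Windows Update, so a device where Update Health Tools was installed manually from the Download Center may show the folder and service present but KbInUpdateHistory as False; the separate columns let you tell that case apart from a genuinely missing client.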
Alert: Device Registration Invalid Azure AD Device ID
Description: Device is not able to register or authenticate properly with the Deployment Service due to having an invalid Azure AD Device ID.

Leverage another API to help you assess whether the devices are Azure AD joined or not.
1. Go to Microsoft Graph Explorer and log in to your tenant.
2. Run the API https://graph.microsoft.com/beta/admin/windows/updates/updatableAssets/?$filter=isof('microsoft.graph.windowsUpdates.azureADDevice')
3. Review all devices that are Azure AD joined in the returned list.
Note: If a new device is added to the tenant, then it could take up to 24 hours to be reflected in the response list.

[Screenshot: Microsoft Graph API shows a list of three device IDs that are Azure AD joined.]

Additional alerts to explain why devices are not expedited

Alert: Workplace joined devices not supported
Description: Workplace joined devices are not supported. Register your device to be Azure Active Directory joined or hybrid joined to update this device.

Alert: In multiple Expedite profiles
Description: A device should only be in one expedite policy at once. When a device is in more than one expedite policy with different settings, it can lead to potential conflicts that the service can't resolve automatically. As a result, the device will not be expedited.

Review the policies that the device is assigned to and remove the device from all but the desired policy. Otherwise, change the policy settings to match. This can be done by reviewing the policies created in Intune via Devices > Windows > Quality updates for Windows 10 and later.

Alert: Past end of servicing (Applying latest update)
Description: This device is on a Windows 10 or later build that is past the End of Servicing date. As a result, the specified update is not available for this device. This device does not have the latest update available for that build, so the latest update available is being expedited.
This is a security measure to ensure that the device is as secure as possible. Update the device to a supported version of Windows to ensure the highest security of the device and your organization.

Best practices
If you are not yet familiar with the Expedite feature of Windows quality updates in Intune, consider trying it out! Create and configure an Expedite policy in the Microsoft Intune admin center. If you select the August 2022 security updates for Windows in the policy, devices without the corresponding August quality update will get an expedited update. If a newer update is available, then that update gets installed on your device with all the added benefits of the intended update. To fully understand the behavior, please review Example of installing an expedited update.

To receive the best experience when expediting quality updates, we have these recommendations:
- If you are using the expedite capability for the first time, then prior to reaching a zero-day vulnerability scenario, identify whether your devices are eligible to receive expedited updates. If your devices are up to date and active, do a test run and expedite them to an older security update. For example, if your devices have the August security update, then you could test the expedite capability by using June as the target release. The Summary and Device reports in Intune will notify you if there are devices that could not be expedited, along with reasons and mitigations. Note: We are exploring a future capability to test the expedite capability without having to create an expedite policy for a quality update.
- Since the objective of expedited updates is to handle zero-day vulnerabilities, expedite to the latest security release.
- Unless immediacy is absolutely required, we recommend setting the Days to Reboot to 1 or 2 days (see image below). This setting will avoid an immediate forced reboot of devices and minimize disruption in work for the employees in your organization.
It gives you 1 or 2 days to choose when to reboot the device, before the reboot requirement is enforced, possibly during working hours. Expedite settings in Microsoft Intune admin center. The options for the number of days to wait before forced reboot include 0, 1, and 2 days. To be continued In summary, most issues that might prevent you from enjoying the expedite capability arise from a set of prerequisites. Thankfully, our reporting tools are here to help! While this feature is focused on security updates, we are additionally working on a future functionality to expedite non-security quality updates and will soon be releasing the capability through both Graph APIs and Intune. Keep an eye on the Windows IT Pro Blog for updates! For example, check out Expediting updates in the real world to learn how the expedite capability is used in general IT services, education, and banking, as well as ways to get informed and engaged. To learn about how to use expedite capability, please review Expedite Windows quality updates and Deploy an expedited security update using the Windows Update for Business deployment service. Continue the conversation. Find best practices. Visit the Windows Tech Community. Stay informed. For the latest updates on new releases, tools, and resources, stay tuned to this blog and follow us @MSWindowsITPro on Twitter. Continue reading...
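For the Invalid Azure AD Device ID alert above, here is an added PowerShell example (not from the original post) that runs the same updatableAssets query through the Microsoft Graph PowerShell SDK, follows paging, and flags device IDs from the Intune expedite Device report that the deployment service does not list as Azure AD joined. It assumes the Microsoft.Graph module is installed and that WindowsUpdates.ReadWrite.All is the permission this endpoint requires.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph PowerShell SDK;
# the WindowsUpdates.ReadWrite.All scope is assumed to be the permission this endpoint needs.
Connect-MgGraph -Scopes 'WindowsUpdates.ReadWrite.All' | Out-Null

function Get-DeploymentServiceAadDevices {
    # Returns a hashtable keyed by Azure AD device ID with every updatable asset the
    # deployment service knows as an azureADDevice, following @odata.nextLink paging
    # so tenants with more than one page of devices are fully covered.
    $uri = "https://graph.microsoft.com/beta/admin/windows/updates/updatableAssets?`$filter=isof('microsoft.graph.windowsUpdates.azureADDevice')"
    $known = @{}
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        foreach ($asset in $page.value) {
            # For azureADDevice assets the asset id is the Azure AD device ID.
            $known[$asset.id] = $asset
        }
        $uri = $page.'@odata.nextLink'
    }
    return $known
}

function Test-ExpediteDeviceRegistration {
    param(
        # Azure AD device IDs copied from the Intune expedite Device report.
        [Parameter(Mandatory)] [string[]] $DeviceIds
    )
    $known = Get-DeploymentServiceAadDevices
    Write-Host ("Deployment service lists {0} Azure AD joined device(s)." -f $known.Count)
    foreach ($id in $DeviceIds) {
        if ($known.ContainsKey($id)) {
            [pscustomobject]@{ DeviceId = $id; Status = 'Registered as azureADDevice' }
        } else {
            # Not listed: confirm the device is Azure AD joined or hybrid joined (workplace
            # joined is not supported) and allow up to 24 hours after it was added to the tenant.
            [pscustomobject]@{ DeviceId = $id; Status = 'Not found; verify Azure AD join state' }
        }
    }
}

# Usage: paste the device IDs reported as not expedited (placeholders shown here).
# Test-ExpediteDeviceRegistration -DeviceIds '<device-id-from-report>', '<another-device-id>'
```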
-
Microsoft has released Security Updates (SUs) for vulnerabilities found in:
- Exchange Server 2013
- Exchange Server 2016
- Exchange Server 2019

SUs are available in a self-extracting auto-elevating .exe package, as well as the original update packages (.msp files), which can be downloaded from the Microsoft Update Catalog.

The October 2022 SUs are available for the following specific versions of Exchange Server:
- Exchange Server 2013 CU23
- Exchange Server 2016 CU22 and CU23
- Exchange Server 2019 CU11 and CU12

The SUs address vulnerabilities responsibly reported to Microsoft by security partners and found through Microsoft's internal processes. Our recommendation is to immediately install these updates to protect your environment. These vulnerabilities affect Exchange Server. Exchange Online customers are already protected from the vulnerabilities addressed in these SUs and do not need to take any action other than updating any Exchange servers in their environment.

NOTE: The October 2022 SUs do not contain fixes for the zero-day vulnerabilities reported publicly on September 29, 2022 (CVE-2022-41040 and CVE-2022-41082). Please see this blog post to apply mitigations for those vulnerabilities. We will release updates for CVE-2022-41040 and CVE-2022-41082 when they are ready.

Also note that in this update we have re-released fixes for some CVEs published in August 2022, to highlight the resolution of a known issue. More details about specific CVEs can be found in the Security Update Guide (filter on Exchange Server under Product Family).

Enable Windows Extended Protection

Starting with the August 2022 SUs, Exchange Server supports the Windows Extended Protection (EP) feature, which can help you protect your environments from authentication relay or "man in the middle" (MitM) attacks. If you have not yet enabled EP in your environment, please install the October SUs, which address a known issue in Exchange EP support (see below). Then, review the information in the Manual Enablement of Extended Protection section of our August announcement for more details. Customers who have already installed the August 2022 SUs and have enabled EP do not need to re-run the EP script after installing the October SUs.

Update installation

The following update paths are available:
- Inventory your Exchange Servers to determine which updates are needed, using the latest release of the Exchange Server Health Checker script. Running this script will tell you if any of your Exchange Servers are behind on updates (CUs, SUs, or manual actions).
- Install the latest CU. Go to Microsoft 365 Deployment Guides and Setup Wizards | Microsoft 365 Apps and choose your currently running CU and your target CU to get directions.
- If you encounter errors during or after installation of Exchange Server, see the SetupAssist script. If something does not work properly after updates, see Repair failed installations of Exchange Cumulative and Security updates.

Known issues with this release
We are not aware of any known issues with this release.

Issues resolved by this release
In Exchange 2013, Exchange 2016, and Exchange 2019, various Outlook and compliance-related monitoring probes show as Failed once EP is enabled.

FAQs

My organization is in Hybrid mode with Exchange Online. Do I need to do anything?
Exchange Online is already protected, but the October 2022 SUs need to be installed on your Exchange servers, even if they are used only for management purposes. You do not need to re-run the Hybrid Configuration Wizard after installing these updates.

Do I need to install the updates on 'Exchange Management Tools only' workstations?
Servers and workstations running only the Management tools role (no Exchange services) do not need these updates.

This post might receive future updates; they will be listed here (if available).

The Exchange Server Team
-
Continuing with our release cadence, we are pleased to announce the release of SQL Server 2022 Release Candidate 1 (RC 1) for Linux.

To download the latest RC 1 container images, use the '2022-latest' tags for both RHEL and Ubuntu based container images, or use the following tags:
- For RHEL-based SQL Server containers: "2022-RC1-rhel-8.5"
- For Ubuntu-based SQL Server containers: "2022-RC1-ubuntu-20.04"
Please see the SQL Server 2022 public preview blog for detailed instructions on how to get started with the container images.

To install the SQL Server 2022 RC 1 packages, follow these steps:
- For RHEL-based installations, see RHEL: Install SQL Server on Linux
- For SLES-based installations, see SLES: Install SQL Server on Linux
- For Ubuntu-based installations, see Ubuntu: Install SQL Server on Linux

In addition to the new features added in RC 1, this Linux release includes a preview of SQL Server 2022 packages for SLES 15 distributions. Also, configuration of PMEM for SQL Server on Linux has been supported since SQL Server 2019; see Configure persistent memory (PMEM) - Linux - SQL Server for further details.

For information on the features supported, see Editions and supported features of SQL Server 2022 Preview - Linux - SQL Server, and for release notes, see Release notes for SQL Server 2022 Preview on Linux - SQL Server.
-
Microsoft 365 Defender Monthly news
September 2022

This is our monthly "What's new" blog post, summarizing product updates and various assets we have across our Defender products.

Microsoft 365 Defender
- Discover XDR integrations and services in the new Microsoft 365 Defender Partner Catalog. We're excited to introduce the new Microsoft 365 Defender Partner Catalog, which enables you to easily discover technology and services partners that work with the Microsoft Defender suite of products, all from a central place.

Microsoft Defender for Cloud Apps
- If you could not join the webinar "Manage your SaaS Security Posture with Microsoft", it's available on YouTube for you to watch.
- Top Threat Protection Use Cases in Microsoft Defender for Cloud Apps.
- Egnyte API connector is generally available. The Egnyte API connector is generally available, providing you with deeper visibility and control over your organization's usage of the Egnyte app. For more information, see How Defender for Cloud Apps helps protect your Egnyte environment.
- Log Collector version update. We've released a new log collector version with the latest vulnerability fixes. More details here.
- Onboarding application to session controls (Preview). The process of onboarding an application to be used for session controls has been improved and should increase the success rate of the onboarding process. More details here.

Microsoft Defender for Endpoint
- New Device Health Reporting for Microsoft Defender for Endpoint is now generally available. We've redesigned the dashboard so that you can view sensor health and antivirus protection status across platforms and easily access detailed Microsoft Defender for Endpoint information.
- Attack Surface Reduction (ASR) Rules Report 2.0 in Microsoft 365 Defender. We are excited to bring the new ASR Rules report 2.0 to you. Try out the report and let us know what you think. Email: ASR_Report_Support@microsoft.com
- New features available for Mobile Threat Defense on Android & iOS: Privacy Controls, Optional Permissions and Disable Web protection. As of 9/20/22, privacy controls and web protection configuration for Android MAM are now generally available.
- Tamper protection will be turned on for all enterprise customers. To further protect our customers, we are announcing that tamper protection will be turned on for all existing customers, unless it has been explicitly turned off in the Microsoft 365 Defender portal.
- Microsoft Defender for Endpoint is now available on Android Enterprise (AE) company-owned personally enabled (COPE) devices. This release adds to the existing support for installation on enrolled devices in AE bring your own device (BYOD) and AE fully managed modes, the legacy Device Administrator mode, and unenrolled mobile application management (MAM) devices.
- Improving device discoverability and classification within Defender for Endpoint using Defender for Identity. Leveraging Microsoft Defender for Identity as a data source for Microsoft Defender for Endpoint device discovery can help improve discovery coverage and fine-tune classification accuracy. In this blog post, we show how deploying Microsoft Defender for Identity alongside Microsoft Defender for Endpoint can increase your discovery of devices by ~11% as well as enrich findings by another 33%.
- Device health reporting is now available for US Government customers using Defender for Endpoint, covering GCC, GCC High and DoD.
- Troubleshooting mode is now available for more Windows operating systems, including Windows Server 2012 R2 and above.
- Check out the "What's new in Microsoft Defender for Endpoint on Windows" page on docs.

Microsoft Defender for Identity
- If you could not join the webinar "Microsoft Defender for Identity | Identity Targeted Attacks - A Researcher's Point of View", it's available on YouTube for you to watch.
- More activities to trigger honeytoken alerts. New for this version, any LDAP or SAMR query against honeytoken accounts will trigger an alert. In addition, if event 5136 is audited, an alert will be triggered when one of the attributes of the honeytoken is changed or if the group membership of the honeytoken is changed.
- New health alert for verifying that NTLM auditing is enabled, as described in the health alerts page.
- Updated assessment: Unsecure domain configurations. The unsecure domain configuration assessment available through Microsoft Secure Score now assesses the domain controller LDAP signing policy configuration and alerts if it finds an unsecure configuration. For more information, see Security assessment: Unsecure domain configurations.

Microsoft Defender for IoT
- If you missed the webinar "The Last Piece of the XDR Puzzle - Augmenting IT SecOps with IoT Security", it's now available on YouTube for you to watch.

Microsoft Defender for Office 365
- Step-by-step guides v2 has been released! These guides help you with common tasks across the product in a flash, with the minimum information and clicks needed, reducing the time your admins need to secure your enterprise.
- Introducing the Microsoft Defender for Office 365 Security Operations Guide. When Defender for Office 365 is used, SecOps need to onboard the new tools and tasks into their existing playbooks and workflows. That might come with challenges and questions, such as: "Where do I start? What actions/tasks should I take? How do I integrate with my existing tools and processes?" The Microsoft Defender for Office 365 Security Operations Guide provides useful information to answer these questions. (Security Operations Guide for Defender for Office 365 - Office 365)
- Email Protection Basics in Microsoft 365: Spoof and Impersonation. The blog series continues to demystify how Microsoft 365 email protection works.
- Automatic redirection from Office 365 Security and Compliance Center to the Microsoft 365 Defender portal for Government environments. Users accessing the security solutions in the Office 365 Security and Compliance center (protection.office.com) are automatically redirected to the appropriate solutions in the Microsoft 365 Defender portal (security.microsoft.com). This impacts the following Gov environments: GCC, GCC-High and DoD.
- Defense in Depth guidance has been published. Guidance designed to get the best security value from Microsoft Defender for Office 365 when you have third party email filtering.

Microsoft Defender Vulnerability Management
- As of 9/26/22, vulnerability assessment of apps on iOS devices is now in Public Preview. To configure the feature, read the documentation.
-
These are the best practices and tips to set yourself up for success with Windows Autopilot. Windows Autopilot is a feature within Intune that allows you to send devices directly from hardware providers to end users. New device provisioning is foundational to cloud attach and cloud-based update management. During initial Windows setup, Autopilot enables users to enroll their device through Intune device management, so PCs get to a managed and productive state without reimaging.

Principal GPM for Microsoft Windows, Jason Githens, compares the benefits and tradeoffs of Azure AD Join versus Windows Autopilot and shows how to enable Windows Autopilot for easy device enrollment. No pre-prep. Direct delivery to end users. Get automatic policy and app implementation. Configure profile and security baselines that scope to all devices. Set up enrollment to be co-managed when installing dozens of apps for new device provisioning. Watch our video here.

QUICK LINKS:
- Introduction
- Options to enroll devices into Intune
- Benefits and tradeoffs of Windows Autopilot
- Admin setup
- Autopilot settings
- Tips for success
- Wrap up

Link References:
- Get started at Windows Autopilot documentation
- Check out our playlist for Windows cloud-based management at https://aka.ms/ManagementMechanics

Unfamiliar with Microsoft Mechanics? As Microsoft's official video series for IT, you can watch and share valuable content and demos of current and upcoming tech from the people who build it at Microsoft.
- Subscribe to our YouTube: https://www.youtube.com/c/MicrosoftMechanicsSeries?sub_confirmation=1
- Talk with other IT Pros, join us on the Microsoft Tech Community: Microsoft Mechanics Blog
- Watch or listen from anywhere, subscribe to our podcast: Microsoft Mechanics Podcast
- To get the newest tech for IT in your inbox, subscribe to our newsletter: Why, How & When to use New Microsoft Tech - Revue

Keep getting this insider knowledge, join us on social:
- Follow us on Twitter
- Share knowledge on LinkedIn: https://www.linkedin.com/company/microsoft-mechanics/
- Enjoy us on Instagram
- Loosen up with us on TikTok

Video Transcript:

-Coming up, we'll go inside Windows Autopilot with the mechanics of how the service works, best practices for configuring it, as well as a few tips to set yourself up for success. Continuing on in our series on cloud-based Windows management, where we've demonstrated the importance of cloud attach and cloud-based update management, new device provisioning is foundational to the experience. And Windows Autopilot is a feature in Intune that allows you to send new devices directly from your hardware providers to end users. Then, during initial Windows setup, Autopilot enables the user to enroll their device into Intune device management, so that the PC gets to a managed and productive state without needing to reimage it.

-Windows Autopilot is actually one of four primary options to enroll Windows devices into Intune. I'll start with the options using a device that has already been set up and is running Windows 10 or Windows 11. Here, users can self-enroll their personally owned devices by installing the Company Portal app, then register the device using a Microsoft 365 work or school account. If you have set up auto enrollment in Azure AD and Intune, the user will only need to enter their credentials once.

-The second option that you're probably familiar with is Workplace Join: enrolling from Windows settings and the access work or school menu, then choosing connect and signing in with your org account. Both of these options are intended for personally owned devices. The option from the Windows settings is called MDM only enrollment and isn't recommended. That's because it does not register the device with Azure Active Directory and can prevent access to things like your organization's email or security capabilities like conditional access. So those are the options for enrolling a running PC, but for a new corporate owned PC, you have a few additional options.

-First, you can sign into Windows using the same Microsoft 365 work or school account during Windows setup. This is called Azure Active Directory Join. And again, if auto enrollment is enabled for your Azure AD and Intune environment, the device will get automatically enrolled in one step. Then, Windows Autopilot is another option, where the user is offered the option to sign into their work or school account with a streamlined experience during setup. With these two options during Windows setup, devices will be marked as corporate-owned devices in Intune. And using any of these four options, after the device is enrolled with Intune, and based on what you've set up as required configurations, Intune will install your apps and apply the policies required to connect your organization's data and services.

-The advantage of the first user self-enrollment and Azure AD join options is primarily flexibility, in that any Windows 10 or Windows 11 Pro or Enterprise device can use this approach without any pre-prep or coordination with your hardware providers. And as long as your users are aware of Intune enrollment options and procedures, those devices can also be directly delivered from hardware providers to end users. And after device enrollment, devices will have your required policies and apps applied automatically. This option works well for unregistered devices, also referred to as commercial OOBE.

-Windows Autopilot, on the other hand, is used when you want to register devices to your tenant and establish organizational ownership of devices in advance. Now let's go deeper on the benefits of Autopilot compared to the other options. To display a few benefits versus Azure AD join, I'll walk through the screens for Windows 11 setup with and without Autopilot enabled. On the left, we're using Azure AD join and on the right we're using Autopilot. As we go through the experience, you'll see that with Autopilot, the big advantage for the user is in its streamlined setup, removing the keyboard config screens and Microsoft license terms, and after the enrollment status page, the privacy settings screen is also taken care of. Then importantly, Autopilot can also enforce that the user account setting up the device is set up as a standard user account for security reasons, not a local device administrator.

-Another capability worth noting that applies to both the Azure AD join and Autopilot methods you just saw is the enrollment status page, which is a screen that displays installation progress to the user during setup. And as an admin, you can optionally block device usage until all apps and profiles are installed, ensuring the device is fully business-ready before a user can interact with it.

-So now that I've shown the options for device enrollment and the Windows Autopilot experience versus Azure AD join, let's switch gears to the admin options for setting up your Intune environment, so that any Intune enrolled device receives your required apps and policies; then I'll show you how to set up Windows Autopilot. First, you can use configuration profiles to configure all of your required policy settings, as well as default Wi-Fi settings and more. You'll see that I have several created here, and many of these are targeted to all devices. To save time, in endpoint security, security baselines, you can easily create policies with Microsoft security recommendations enabled by default, that you can scope to all devices. Here, you can see all of the categories. I'll expand this one for application management, and you'll see a few important settings to block unwanted app installation. Finally, if I navigate to my Windows apps, the ones marked "all" are installed on all enrolled devices, and the ones without the "all" prefix are optional apps that users can self-install.

-Again, regardless of how a device enrolls into Intune management, it will automatically get the settings applied for my configuration profiles and security baseline, as well as the apps I just showed, by default for all devices. Now with my foundational configuration set, let's move on to Windows Autopilot settings. I've navigated to device enrollment; under Windows Autopilot deployment program, you'll see the deployment profiles as well as devices. Now to give you an idea of how the devices and deployment profiles apply in this scenario, here's how the Autopilot workflow works. Windows Autopilot works by using unique hardware IDs that get assigned to your organization.

-When a device with a hardware ID that you own connects to the internet and the Autopilot service during setup, it applies a set of policies that you configure using an Autopilot deployment profile, which I'll show in a minute. Then after the user signs in, it's just the standard Intune device enrollment with the option to display the enrollment status page, or go straight to an active desktop. Let me show you how this works. In my case, my hardware provider registered hardware details for each machine on my behalf. And in the admin center, I can optionally assign a user to a device so that once they connect to the internet, it will automatically show their username for initial sign-in like we saw before. And by the way, you have the option to block unregistered devices, so that only devices you trust can enroll.

-Now, the Autopilot service knows that those devices belong to my organization, so I just need to provide the service a few instructions so it can streamline the setup experience. To do that, I'll create the deployment profile and give it a name, Mechanics. I'll select the mode; the most common mode is user-driven, and in my case, I'll stick with that. I'll also keep Azure AD joined, but hybrid Azure AD joined is another option. For the rest, I'll keep the defaults to skip the licensing, privacy, and keyboard configuration screens. And before I move on, this option here for pre-provision deployment allows IT to take initial delivery of the device to set it up with apps and policies, then forward it on to its user.

-Next, in assignments, I can add the groups I want to scope for this profile, and now I just need to review and create the profile. To complete the experience, I'll show you how to set up the enrollment status page. This configuration isn't in the Autopilot section for device enrollment, because it applies to both Azure AD join and Autopilot, as I mentioned earlier. I'll go ahead and create a new instance and name it Mechanics. This is where you enable it, so I'll set "show app and profile configuration progress" to yes, and here I can define a timeout period and whether to show a custom message. Below that is where I can block device usage, if I want, until provisioning is complete. And I'll keep the rest of the defaults. Now I just need to assign, add optional tags, and review. That's it, and I have everything set up for my hardware partner to start delivering devices to my users.

-Next, with everything running, let me give you a few tips that will help ensure success with your Autopilot, Azure AD join or self-enroll based deployments. First, if you're currently using tools like task sequences in Configuration Manager for image based deployment or app sequences, Windows Autopilot should not be thought of as a direct replacement for that. And even if you're amazing at scripting complex multi-app installs, it won't be as reliable as a task sequence. If you need to install dozens of apps for new device provisioning, you'll probably want to set up Azure AD join or Autopilot device enrollment to be co-managed. Then let Configuration Manager take over once the device is under management, so it can run an app-only task sequence.

-Another option to look into is just installing a small core set of apps like Office, a VPN client, and a few other must-have apps. If you recall, those are the ones I had marked as "all" before in my apps list. Then, let the users self-select additional apps they might need using the Company Portal, like the ones we saw before without the "all" naming prefix. If users are okay installing apps from Google Play on Android or the App Store on iOS, they are probably happy to self-select a few apps they need from the Company Portal on Windows too.

-So now you know how Windows Autopilot works and how it compares with other enrollment and provisioning options using Intune. To learn more, check out aka.ms/WindowsAutopilotDocs. Check out our complete list for Windows cloud-based management at aka.ms/ManagementMechanics. And keep checking back to Microsoft Mechanics for all the latest tech updates. Subscribe if you haven't already, and thanks for watching.
-
Apple Business Manager (ABM) is a program combining Automated Device Enrollment (ADE, formerly called DEP) and the Volume Purchase Program (VPP). It is a web-based application that helps organizations seamlessly onboard and manage devices starting with initial device setup. We recently implemented Apple Business Manager internally for managing corporate procured devices (before this implementation, these devices used to enroll as BYOD). In this blog, I will be sharing our observations and learning.

As most of us are curious about what benefits and challenges we will have by adding this service, here are some of the immediate benefits we observed during the implementation:
- The Apple Business Manager service can be used for any Apple device procured by organizations, such as Mac devices, iPhones and iPads.
- Simplifies the device lifecycle, for both IT and end users, from initial deployment to end of life.
- Devices can be managed and configured with corporate policies from the initial device setup.
- Automated enrollment increases the security of the device and decreases the time for devices to be ready for productive use.
- Users no longer have to configure their device manually; a few simple operations from the user make the device ready to use.
- IT professionals can control the behavior of the device setup and user experience based on the organization's requirements.
- You can have multiple enrollment profiles based on group/division requirements to control the user experience.

Similarly, we observed some challenges during the implementation of the ABM service:
- If the Company Portal app is installed manually before Intune deploys it (with the required intent), then device registration will not work, and the user sees the error "Couldn't add your device".
- If your organization has conditional access (CA) enforced, then CA requires the device to be registered in Azure AD. When a device is enrolled to Intune using the ABM approach, by default the device does not get registered. To get the device to register without any problem, the Company Portal application must be deployed from Intune and requires the user to sign in to the app (currently there is a user experience difference between iOS and Mac devices).
- If the required Company Portal app (deployed from Intune) is not the latest or is no longer supported, then users get a notification saying "Version is not supported" during the device registration action. This notification can cause user confusion or delay the device registration until the app updates. It will be a challenge for IT professionals to keep the required application at the latest version.
- It is possible to have multiple ABM instances tied to a single MDM instance, but there are some limitations: there will be a challenge in verifying the device assignments for all the devices in one location, as you need to toggle between them; and Apps and Books tokens (VPP) can't be shared between two instances.
- There is a potential issue if users try to migrate data from an old device to a new device during device setup. You can avoid this by hiding the "Restore" setting in the enrollment profile. If your organization allows users to do the migration, you should allow users to unenroll the device by configuring the enrollment profile setting "Locked enrollment" to "No", and ensure that users do not perform a backup while the device is enrolled.

Now you might be wondering about the requirements to implement Apple Business Manager:
- Setting up a new Apple Business Manager account is required to establish a process for getting devices added to the service whenever the organization procures an Apple device. Sign up for Apple Business Manager - Apple Support
- To control permissions and provide access to operate the service, managed Apple IDs are required; these can be created in the ABM portal. (These accounts are not end user accounts; they are specific to ABM.)
- An Apple MDM push certificate (APNs) is required to manage Apple devices, and the certificate is valid for one year. Failure to renew the certificate before expiry interrupts device management and requires re-enrolling all Apple devices. Get an Apple MDM Push certificate for Intune
- An Apple device enrollment program token is required to establish communication between Intune and the Apple Business Manager service. With this token, new device details and enrollment profile settings can sync between both services (once a device is added to ABM, it shows up in Intune within 12 hours automatically, but you can do a manual sync once every 15 minutes). This certificate is valid for one year and requires renewing before expiry to avoid any synchronization issues between Intune and ABM. Tutorial - Use Apple Business Manager to enroll iOS/iPadOS devices in Intune - Microsoft Intune
- Configuring a Volume Purchasing Program token is required to sync content between the services and to purchase apps, manage licenses for the organization and deploy them using Intune. Manage Apple volume-purchased apps - Microsoft Intune
- Once you have completed the enrollment token configuration, it is time to create enrollment profiles to apply the defined settings and control the behavior on the device. Based on your organization's requirements you can configure multiple profiles (the limit is 1000 enrollment profiles per token).

I hope this blog has helped in understanding the implementation of the Apple Business Manager service and its integration with Intune.
-
In the digital era, contacts have become increasingly important. They help users create new relationships and nurture existing ones, which are the building blocks of lasting relationships that enable users to do more. We often hear from our users that their contacts get stale over time, and they would like them to update automatically. Our users also find organizing contacts challenging: they want an easy way to organize contacts into relevant categories of people from mail, calendar, and the People hub.

You asked and we delivered

We understand and appreciate this need and have some exciting news to share with you! Today, we're pleased to announce a new set of intelligent experiences to help you better access and manage your contacts:
- Self-updating contacts (for enterprise users only) to always keep contacts up to date.
- Contact categories to easily organize, find, and connect with contacts.
- A new contact editor to add, update, and manage contacts.
- An upgraded People hub to view, manage, and collaborate with contacts.

Self-updating contacts (for enterprise users only)

All new contacts you add from the people card of a person belonging to your organization will be self-updating contacts. These contacts automatically stay up to date based on the organization directory: any changes to contact details, such as phone number or department designation, are automatically applied to the contact. Users can also choose what information to persist in their contacts without losing any data: they can keep their personal edits or override them with the suggested update. No more stale contacts!

An image of the People card demonstrating the new self-updating contact feature (for enterprise users only) in OWA.
Organize contacts using Categories

Moving away from the traditional way of organizing contacts, we're introducing Categories: a new, easy, modern, and flexible way of managing contacts that replaces the existing folders. Categories work like tags; you can apply them to contacts to group contacts into the categories you want. Categorizing lets you selectively view the contacts associated with a category for faster retrieval and collaboration. You can add categories to a contact from their people card in mail, calendar, or the People hub.

Your existing folders are migrated to categories, and you'll see them as categories in the left navigation pane. Contacts that were in a particular folder (or folders) are stamped with categories that share the same name as the folder. These can be accessed by clicking the category in the left navigation pane.

An image of a screenshot demonstrating how contacts are migrated to Categories in the People hub.

New contact editor

Introducing our new contact editor, which brings a new and better visual experience. The new contact editor lets you create, update, and categorize contacts, and manage them from email, calendar, and the People hub, so you can focus on your core job while managing your contacts.

People hub

The new experiences above and the Outlook Web App (OWA) People hub are powered by the new, rich, and intelligent contacts schema. What can you do in the People hub?
- View, manage, and organize your contacts
- Create and manage personal contact lists
- Access important contacts by favoriting them
- Quickly call, message, and email contacts and contact lists
- All of this and more!

How can you access the new contacts features?

Sign in to OWA and select the People icon in the left navigation pane, which shows a list of apps within Outlook.

An image of a screenshot demonstrating how to access the People hub when signed into OWA.
We're listening!

Our goal is to make it easier for you to manage contacts with our latest technology in the People hub. With this update, we hope you'll find it easier to access and manage your contacts. Let us know how you feel about these features. If you have any questions, feedback, suggestions, or issues to report, please post them in the blog's comment section below or email us at contactMgmtFeedback@microsoft.com. We'll use this feedback to improve our offerings.

Gargy Shekhar
Senior Product Manager

Continue reading...
-
For our latest MVP Feature Focus, Sharon Sumner takes us step by step through setting up and managing approvals in Teams, and Vesa Nopanen talks through a great way to get real-time feedback from your audience with Teams Polls. We hope you enjoy this new show and, as always, welcome your feedback at IMT@microsoft.com on what we can continue to do to make the show a key resource in your deployment, adoption, management, and securing of Microsoft Teams.

Approvals in Teams with MVP Sharon Sumner (Sharon Sumner [MVP] | LinkedIn)

SharePoint Sharon, as she is affectionately known, has been an Office 365 and SharePoint Online advocate since inception. She is a Microsoft Business Applications and Microsoft 365 Apps & Services MVP who is passionate about community events and runs the Cambridge Power Platform User Group, as well as speaking at worldwide community events. Sharon is the CEO of Business Cloud Integration Ltd, a Microsoft Gold ISV partner, a Charter Partner of Microsoft's SharePoint Business Applications Program and an Associate Partner in the Content Services Program.

Microsoft Teams is setting the standard in cloud service development, and the team is delivering new or improved features as fast as the adoption curve is growing. One of the areas of Teams that is continuing to evolve is the use of approvals, so I picked approvals as the "what's new" topic to discuss with Stephen Rose on his "Inside Microsoft Teams" show.

Approvals – what are they?

As a Business Applications MVP, I've been playing with approvals since they first appeared in Microsoft 365. The principle is simple: something needs approval. That something can be a document, as in the old days with SharePoint workflows, or a list item, or now anything you can describe in a form. Behind every approval is a flow, running the rules of who to ask for approval and how. This is something you can leave simple or customize to be as complex as you like.
Figure 1 - Approvals in Teams pinned to the left rail.

The process then advanced to allow you to display adaptive cards (actionable approve/reject within a Teams channel) and then to summarize all your approvals in one view inside Teams. While it feels like we've had the functionality forever, this is literally just over a year old. The Approvals app has been created by Microsoft, so most organizations allow the app to be installed and, if you use it as often as I do, you'll pin it to the left rail for speedy access. As you can see from the image, Adobe Sign and DocuSign integration are also now available. Stephen did a great video on Adobe Sign already in the series – you simply log in and all your approvals are in one place. Genius!

So, what's new?

Well, the part that is new is the ability to export your approvals... but before we get to the good stuff, a little more functionality needs to be explored to show you why I like it. :smiling_face_with_smiling_eyes:

Custom approvals

The ability to create an approval in SharePoint is pretty old now; you can create a simple or super complex flow off the back of a SharePoint list directly or via a Power App, etc. They can do cool stuff, like in the image below where we are clicking a button to start an approval process that adds a watermark to your document (created using the document name and version number) and then waits for approval before either sending it out to the customer or back to the requestor with feedback for improvement.

Figure 2 - Approvals in Power Automate

In true Microsoft style though, they have worked on the most common use case of a simple approval and made it so that there is now a way to make your own approval, your way, with NO CODE. As the functionality is in Teams, it is also able to target a specific team or the whole org. This means you can now create your own custom approvals just for your own small or large group to approve, well, anything!
Figure 3 - Approvals templates in Teams

In the interview with Stephen, I showed the Microsoft templates again, covering the most common use cases and the scenarios that will likely be close to what you need; or you can start from scratch and use the wizard to create your form and approval process. Each approval flow has a form creation/edit experience just like that of Microsoft Forms, where you can add text, choice, or date fields to your form. As an advocate of getting to business value faster, I think this is something that needs to be added to any organization's standard Teams training agenda. The days of hooking up a form to some back-end functionality and/or writing coded solutions for simple, everyday business requirements are simply gone.

And the new bit...

Well, hopefully you saw in the recording the part that I think adds to the whole value of the process: the ability to export your approvals. You can decide to export a date range of either the approval requests sent to you or those that you have sent for approval. Why do I like this? Well, I see this as a great way to evaluate the effectiveness of the process, because the data has the date it was requested and approved and by whom. This means we can take the Excel output, which is conveniently saved to your OneDrive, and point Power BI directly at it. Any business process that has the built-in ability to review and create insight is something that can improve and affect performance. The outputs of the export process are split into one file for the standard approvals and another one for each custom approval process – again, this is a bit more thought from Microsoft on how we are likely to use the data. We can now easily combine into a single report a single targeted process for audit/compliance/confidential processes, and more importantly, this is directly in the hands of the teams that need to create and report on that data.
I do love a tool that gives the business control of creation all the way through to reporting, and the Approvals app in Teams now has this end-to-end feature set delivered directly to the users. I hope you found this summary useful; please let us know if you'd like more content like this by using the thumbs up or comments below. :smiling_face_with_smiling_eyes:

Here are some reference materials for those that want to go and play:
- Create an approval from a chat or channel - Power Automate | Microsoft Docs
- Create an approval from the Approvals app - Power Automate | Microsoft Docs
- Get started with Power Automate approvals - Power Automate | Microsoft Docs
- Manage your approvals in Microsoft Teams - Power Automate | Microsoft Docs

Using Polls in Teams with MVP Vesa Nopanen

Vesa Nopanen is a Principal Consultant and Microsoft MVP (Microsoft 365 Apps & Services), working on Metaverse and Future Work on the Microsoft Cloud. As a trusted advisor, he helps organizations with future technology, collaboration, and productivity. The Metaverse enables businesses to innovate new models and processes with the help of AI, while enabling new ways to meet, work, collaborate, and share experiences together. He is guiding organizations on the road into the Metaverse. Vesa is extremely passionate about the Metaverse and how it – with Microsoft Teams – can change how people work together now and in the future. Vesa has 25+ years of experience in IT in various industries, domains, and roles. He is also a futurist, active speaker, blogger, evangelist, and technology community member.

Thank you, Stephen Rose, for inviting me to make a guest appearance on this excellent show that highlights recently added features and capabilities for Microsoft Teams. There are several new features that have been added to Microsoft Teams Polls recently that everyone should be aware of.
Rating and Ranking polls make it easy to get feedback from your audience, Suggestions gives you ideas on what to poll your attendees about, and finally you have the option to reuse polls you have used in earlier meetings. Before going to these new features, I have found that many people are not aware that you can add applications to Teams meetings. Polls is one of those applications you can add to meetings, so I want to start by telling you how to do that.

Adding the Polls application to your meeting

When you have created your meeting in the Teams calendar, open the meeting to edit it. On the top tabs, you can see Chat, Files, Details and so on. The last one is a plus (+) sign. When you click it, you can add a new application to the meeting. After clicking +, you can either select Polls directly or search for it and select it. It is good to note that applications you have recently added are displayed first, so in many cases you don't even have to search for Polls. When you click on Polls, the adding process begins. The next step is to confirm adding it, which you do by clicking Save. And that's it: you have just added an application to your meeting! You can see the application with options to add new polls, use recent ones, or use suggested polls.

As best practice, create polls before the meeting begins. This means you have been thinking about the meeting, the audience, and the results and goals you want from the meeting. You can even activate polls for attendees before the meeting if you want to collect feedback or ideas in advance to make the actual meeting better and more efficient. You don't have to use Suggestions or reuse recent polls – you can always go ahead and create a new one from scratch. Quiz is an excellent poll type that can be used to test knowledge or keep your audience on their toes, knowing you will be testing whether they have been listening to you.
Word Cloud lets you get feedback from attendees on things you didn't think of ahead of time; getting open-text responses helps with innovation and collecting ideas, or with setting the goals you want to address in the workshop. Polls are an extremely important and flexible way to boost engagement and an easy way to collect feedback.

Suggestions

The new Suggestions area gives you ideas on what polls you could use to engage your audience. It can be a warm-up, set the tone of the meeting (what's the attendees' knowledge level) or collect audience insights. There are a number of use cases for using Polls to engage your attendees. In fact, one purpose of polls is to make sure the meeting is more interactive and people are engaged. Suggestions help this by lowering the threshold for posting new polls. Generic and warm-up questions are easily added to the meeting using polls.

In the Suggestions pane on the right side, you get a selection of polls to pick from. For example, the image above suggests polls that give you insights about the product, to collect feedback from attendees easily. What Suggestions also does is give you an idea of what kind of polls you could create. There are options to use different symbols and graphics for Rating (numbers 1-5 and stars in the image) and different types of polls (Rating and Ranking). When you click on a suggested poll you feel would work for the meeting, it opens.

Rating

We selected one of the suggested Rating polls. This means we want to collect feedback about something, and people can answer very simply by clicking the number that resonates best with them. In the view above, you can edit the shown options. Suggested polls are a kind of automated template: you choose the one that you feel would work and then edit it to suit your needs. Everything is editable in this screen: you can change the title, how many rating levels you want to have, what symbol you want to use, and what the bottom and top levels mean.
As the above image shows, there are lots of fun options for Rating symbols. You can also change the option to record the names of people who answer the poll, share aggregated results with everyone in the meeting, and of course allow your co-presenters to edit your poll before it is launched. Co-presenters are important in workshops, webinars, town halls, and other events that have more than one presenter. When you click Save as draft, it will appear in the Polls application where you can edit it further or delete it.

Ranking

The second suggested poll is a Ranking type. As before, you are able to edit all options in this view. Ranking lets people select the order of answers from preferred (on top) to least preferred (bottom). This way you can rank different ideas, prioritize tasks, vote on options, or even find the most preferred restaurant or swag. We have three options in this example, but it is easy to add more by clicking + Add option. What I especially like is the Shuffle options switch. This means that all attendees will get a shuffled list instead of the options being displayed in the order you chose, which might affect their own opinions. After saving the poll as a draft, it will appear in the Polls application.

Using Polls in meetings

When you have a Teams meeting open, you can see Polls at the top of the meeting screen. When you click on Polls, the application opens in the right pane and lets you use pre-created polls easily. You can open the poll to attendees by choosing Launch. The audience can then select their answer and submit their responses. In the right pane, we can see the aggregated results of how attendees are answering. In the right pane, you can also use the dropdown menu to access other options for the poll: you can close the poll (no more answers), view detailed responses, export results to a CSV file, and delete the poll.
Response details is a very good way to see individual responses. When you close the poll, attendees can no longer answer it. But you can re-open the poll in case you come across a situation where you need more feedback, or closed the poll by accident.

When you launch a rating poll into the meeting, attendees have a similar dialogue. They get the choices shuffled, because we switched that on during creation of the poll. Attendees can then drag and drop options to their liking, the best one on top. They can also use the arrows on the right to move options up or down. This is how easy it is to use Polls in meetings, especially when you have created polls in advance. But we don't always remember to do that.

Adding the Polls application ad hoc to a meeting

Sometimes we have meetings where we didn't think we would need or use polls. And when you suddenly have the need, you think "How can I add polls to this meeting?" Don't worry – it's easy! First, you open the application-adding dialogue in the meeting by clicking the big + (Apps) icon.

After submitting results, we can see the results in the Polls application in the right pane.

In that dialogue you can search for Polls – or, as we have in this case, select it by clicking when you see it – and confirm adding it to the meeting. After you have added Polls, just click on Polls on the top meeting bar and you can add a + New poll, reuse a poll you have used before, or use suggested polls. New poll lets you create a new one from scratch. Reuse and suggested polls can save you time in a meeting, especially if you often use similar polls like "How are you feeling" during meetings.

After you close the meeting, you can see all polls and results in the Polls application/tab. On each poll you can use the dropdown to reopen polls, export results to a CSV file, or delete the poll. You can also create new polls even when the meeting is closed. Perhaps you want to use polls to collect feedback from your attendees after the meeting too.
For example, to vote on decisions. Why schedule a meeting again, when you can use polls to collect feedback?

You can also use Polls in channels or chats. There it is under the name Forms and has only the multiple-choice question option available.

As a small detail, Polls are part of the Forms application in Microsoft 365. When a person creates a new poll, that poll ends up in that person's Forms. To access these you need to go to the Forms application in Office 365 (or directly to Forms.Office.Com) and select All Forms (top right; at the bottom in this picture). Then you can access all the Polls you have used in Teams. However, all Polls are read-only in the Forms application, so the purpose of using the Forms application to manage them would most often be finding an old poll and re-exporting the results, or removing old ones.

What if you don't have the Polls application available?

This is something you need to contact your IT administrators about. They need to enable the Polls application in Microsoft Teams meetings, and also make sure that Forms is available to users. They need to make sure that the application is allowed in the Teams Admin Center. Admins can also allow or restrict access to applications (such as Polls) with permission policies, controlling the use of the app for groups of people. For example, Polls could be available to Product Development but disabled for everyone else. IT admins can also control the Microsoft Forms application through licensing. If Forms has not been licensed to the person, they cannot use Polls either.

You can also refer to the Microsoft Support article on how to add and use Polls in meetings.

Continue reading...
-
Today, Microsoft Viva unveiled a new service designed to help people find solutions and save time. Answers in Microsoft Viva connects employees to the answers they need by crowdsourcing knowledge from across the organization. Answers is a conversational experience for asking questions and connecting with experts for answers. Natural language processing helps match those questions with any existing answers, and the experience rewards experts who contribute back to the knowledge base. Answers works across the suite to connect employees based on their subject matter expertise captured in Viva Topics, so they can get their questions answered, connect with new experts, and increase their learning. Initially it will come to Viva Engage, and then to Topic Pages in early 2023.

Answers within Viva Engage

A new Answers tab in Viva Engage will serve as a hub for employees to ask questions, find solutions, discover knowledge, and help coworkers. The Answers tab will be available within Engage to Viva Suite customers. Answers in Viva brings knowledge to you across the Viva Engage web, client, and mobile experiences. Answers helps organize questions and solutions by connecting them to existing knowledge and experts.

A look at the Answers hub in Viva Engage

Users can ask questions, see recommendations, and contribute their own answers to open questions.

Add a Topic to see recommended similar questions

Users can also follow individual topics and get notifications when new questions are available. Targeted feeds and rewards help encourage experts to share their knowledge and help coworkers.

Get rewarded for participating and answering questions

And analytics provide a view into both individual contributions to the organizational knowledge base and the value of the overall solution to the organization. Watch this Microsoft Mechanics video for a demo of how Answers shows up in Viva Engage.

Answers within Viva Topics

How many times have you faced a question but were unsure who to ask?
Viva Topics can help. Since Viva Topics already lists suggested experts for a given subject, it's a natural place to connect questions with experts who can answer them. In time, Answers will come to Topic Pages.

More resources

In case you missed it, watch the Empowering Your Workforce in Economic Uncertainty event and hear from Satya Nadella, Chairman and CEO of Microsoft, Ryan Roslansky, CEO of LinkedIn, and Jared Spataro, Microsoft's CVP of Modern Work, for urgent insights every leader needs to know in a rapidly changing economic environment. To learn more about other Microsoft Viva innovations announced today, read the Microsoft 365 blog by Seth Patton, check out the Microsoft Viva website, and explore the Viva Innovation Brochure. Stay tuned, as we'll have more to share about Microsoft Viva soon!

Continue reading...
-
Browsers are becoming a place for people to get a lot of focused work done. And we all know that when you multitask there is a high chance of losing focus and context. For instance, you might be reading an interesting article in the browser and suddenly receive an email notification, and your browser tab is left open and never attended to again. Additionally, you often toggle between different tabs to refer to some web content while composing an email.

The teams at Microsoft Edge and Outlook want to help people achieve more without losing their flow and focus. Microsoft Outlook is now integrated with the Microsoft Edge sidebar and helps you access your emails, calendar, contacts, and tasks side by side within the browser, even when you navigate between tabs. Let's say you want to sign in to a website and it asks for your email address so it can send you a verification code. You can easily open Outlook in the sidebar, find the mail, and copy/paste the code into the prompt without switching tabs. It's that simple! You can also open Outlook in full screen using the expand button at the top right if you feel the side pane is too small for composing mails or reading a long mail thread.

The sidebar is available for users in English markets with the latest version of Microsoft Edge, for personal accounts only. Check out the other features you can access in the sidebar here.

What's Next?

This is just the beginning; we are continually updating Outlook and will be adding more capabilities in future. You will be able to access your work/school accounts very soon. Additionally, we are working to make the Outlook experience more interactive, with notifications. Support for multiple accounts and dark mode is also in the future plan.

Continue reading...