Sejam muito bem-vindos a mais um Domingo Surpresa.

A Microsoft vem trabalhando desde 2014 em uma grande atualização de sua plataforma de desenvolvimento de aplicações. A intenção por trás de todo este esforço foi tornar o .NET Framework compatível com outros ambientes operacionais além do Windows, possibilitando a implementação de aplicações para sistemas como Linux e OS X (Mac).

Os carros-chefes dentro deste foco em interoperabilidade são o .NET Core 5 e o ASP.NET 5. Disponibilizados como projetos open source pela Microsoft, estes frameworks encontram-se atualmente em seus estágios finais de implementação. A previsão é de que a primeira versão estável dos mesmos seja lançada ainda durante os primeiros quatro meses de 2016.

Outra iniciativa que caminha em paralelo ao .NET Core e ao novo ASP.NET é o Entity Framework 7, também contemplando grandes mudanças no mecanismo de acesso a dados dentro da plataforma .NET.

Na última semana (mais precisamente terça-feira, dia 19/01) a Microsoft notificou a comunidade de desenvolvedores sobre a alteração no nome destes projetos. Embora do ponto de vista estrutural tudo siga dentro do planejado e sem nenhuma reviravolta, tal mudança é parte de uma estratégia de negócio que procura enfatizar a completa reformulação pela qual passaram estes produtos:

• O .NET Core 5 será conhecido agora como .NET Core 1.0;
• O ASP.NET 5 passou a se chamar ASP.NET Core 1.0;
• O Entity Framework 7 foi renomeado para Entity Framework Core 1.0 (ou simplesmente EF Core 1.0).

O anúncio oficial pode ser encontrado no link abaixo:

http://www.hanselman.com/blog/ASPNET5IsDeadIntroducingASPNETCore10AndNETCore10.aspx

O TechNet Wiki também conta com artigos abordando as tecnologias aqui mencionadas:

Novidades do ASP.NET 5: utilizando o Helper Json

Novidades do Entity Framework 7: armazenamento de dados em memória

Visual Studio 2015: Implementando uma aplicação Web API

Para acompanhar o andamento destes projetos é possível ainda acessar os repositórios que a Microsoft mantém para os mesmos no GitHub:

ASP.NET

Entity Framework

.NET Core

E por hoje é isso... Até a próxima!

Wiki Ninja Renato Groffe (Wiki, Facebook, LinkedIn, MSDN)

システム準備 (Sysprep) ツールを利用し、展開している皆様、こんにちは。
Windows プラットフォーム サポートの河野 (コウノ) です。

Windows 8 / Windows 8.1 / Windows 10 の環境において、応答ファイルの設定で CopyProfile を有効にした状態でイメージ展開した場合、展開後の端末にて以下の事象が発生する可能性がございます。 

• 一部 WEB ページのコンテンツが空白となる。(DOM Storage という技術が利用できず、これを用いたページが正しく表示できない）
• Web ページの印刷を行う際に、印刷プレビューの画面が表示されない。
• エンタープライズモードが正常に機能しない。

上記事象は Sysprep のプロファイル コピーの処理によって、%userprofile%\AppData\LocalLow フォルダーにLow Mandatory Level のアクセス権が付与されないことに起因しています。
上記事象が発生している場合、以下の状況に応じた回避策をお試しください。


- 回避策

• 既に展開済み、使用中の端末の場合
• 展開中の場合

===========================================
既に展開済み、使用中の端末の場合
===========================================

既に展開済みで使用中の端末においては、icacls コマンドを利用して、以下のように各ユーザー フォルダ配下の対象フォルダーに対してアクセス権を付与することで解消されます。

  icacls %userprofile%\appdata\locallow /setintegritylevel (OI)(CI)L
  icacls %userprofile%\appdata\locallow\microsoft /setintegritylevel (OI)(CI)L
  icacls "%userprofile%\appdata\locallow\microsoft\Internet Explorer" /setintegritylevel (OI)(CI)L


===========================================
・展開中の場合
===========================================

展開直後の端末にて以下のフォルダーを削除します。

  C:\Users\Default\AppData\LocalLow

既定ユーザー プロファイルの配下の LocalLow フォルダーを一度削除することによって、新規ユーザー アカウントでログオンする際に、プロファイルの作成とともに Low Mandatory Level アクセス権が付与された形で自動生成されます。

Xbox One の下位互換機能で動作する Xbox 360 用ゲームが追加されました。

皆さんからいただいたフィードバックにより、1 か月に一度公開していた下位互換機能対応タイトルの追加を、今後は対応タイトルが追加され次第随時公開していきます。

対応タイトルおよび詳細については xbox.com/ja-JP/xbox-one/backward-compatibilityをご参照ください。

新たに追加された対応タイトルは下記となります。

• Aegis Wing
• Counter-Strike: GO
• Jeremy McGrath’s Offroad
• Sam & Max Save the World
• Skullgirls
• Small Arms
• SOULCALIBER
• Space Giraffe

 ※対応時期および対応タイトルについては国や地域によって異なる場合があります。

下位互換機能について

ファンの皆さんからのフィードバックのなかでも搭載して欲しい機能として要望の高かった本機能は、すでに本機能に対応した Xbox 360 タイトルを所有していれば、ダウンロード版、パッケージ版にかかわらず無料で Xbox 360 のゲームを Xbox One でプレイすることができます。また、Xbox Live ゴールド メンバーシップに加入していれば、Xbox 360 のセーブ データをクラウド上に保存することにより、Xbox One でプレイした際にセーブ データを引き継ぐことができます。

さらに、Xbox 360 のゲームを Xbox One でプレイすることにより、Xbox One の Game DVR によるゲーム画面の録画やスクリーンショットの撮影、Windows 10 搭載 PC に標準搭載されている Xbox アプリによるストリーミング プレイなどの機能を使ってゲームをさらに楽しめます。またXbox One で Xbox 360 のゲームをプレイしている際も Xbox 360 でプレイしているフレンドとのオンライン マルチプレイを楽しめます。*

※オンライン マルチプレイには Xbox Live ゴールド メンバーシップ (別売り) が必要です。

When software malfunctions, product support teams attempt to narrow the issue down to user error, configuration, or code. If the software attempts to perform a function where a specific result is expected and the actual results are different, we classify that as a bug. Of course, there is great debate on what is perceived as a bug, or is simply “by design” meaning the software was doing exactly what it was programmed to do – it just may be completely different from what the end user expected.

Let’s assume we are not having the “by design” vs. “bug” debate. When a bug confirmed, the next common item that is measured is the impact of that bug - impact within the specific customer’s environment, the frequency and likelihood of the bug occurrence. Bugs that have only occurred one or two times where the impact is minimal is usually referred to as an “outlier bug.”

Outlier bugs can be tricky – especially if there is not a known workaround. Software vendors have to weigh the risk and cost of implementing bug fixes via current version patches (as opposed to correcting the code for the next release.)

A while back I encountered one of those outlier bugs in which this bug only affected one customer (at the time) and it only revolved around one specific App-V package. It involved the App-V Client Reporting Agent failing to upload reporting XML data. The following issue was occurring.

Client machines were failing to upload reporting data. Upon a manual test using the Send-AppVClientReport cmdlet, it would yield the following error:

PS C:\Windows\system32> Send-AppvClientReport

Send-AppvClientReport : No reporting data has been sent to the specified URL. Verify the URL and try again.

Operation attempted: Send reporting data to reporting server.

AppV Error Code: 1300000013.

Please consult AppV Client Event Log for more details.

At line:1 char:1

+ Send-AppvClientReport

+ ~~~~~~~~~~~~~~~~~~~~~

    + CategoryInfo          : InvalidResult: (:) [Send-AppvClientReport], ClientException

    + FullyQualifiedErrorId : SendReportError,Microsoft.AppV.AppvClientPowerShell.SendAppvClientReport

==============

This issue was NOT occurring on all of the clients, so the first major step was to find the common denominator. Eventually we found the common denominator was a specific package. In addition, we actually got quite lucky. In many cases, the machines getting this issue only had one specific package deployed to them.

So we grabbed the XML file (C:\ProgramData\Microsoft\AppV\Client\Reporting\0dd6c24e-be93-48f7-b531-4eaa007128ec.xml) to view the Reporting cache and eventually narrowed it down to only occurring when the specific application was published.

What makes this issue an outlier is that the element that was causing the issue involved a package where the primary application had a version field that was greater than 16 characters. On a lark, we started modifying the XML data manually and found that if the reporting XML file was manually edited, and enough digits were removed from the version field, the upload worked. For some reason, only 16 characters were allowed in the version field. All of the fields were supposed to allow for 32.

Once root cause was narrowed down, the time came to assess the impact of the bug. It was definitely viewed as an outlier bug due to the fact there was only one known occurrence (again – at the time.) The assessment of how likely this would reoccur soon became a moot point as the good news here as the issue was within the database itself. The App-V 5 reporting service is stateless and writes directly to the temporary tables in the AppVReporting database. So we were able to fix the issue for the customer without cracking open binaries for patching.

If you are interested in the database script, it was published out on the TechNet Gallery here:

https://gallery.technet.microsoft.com/App-V-5-Fix-for-App-V-f8c1ac29

This fix was included in the App-V 5.1 release.

Создание нового экземпляра PWA (Project Web App)в Project Server 2016 выполняется иначе, чем в Project Server 2013. Рассмотрим этот процесс сначала, с установки SharePoint.

• Nahrávání a práce se soubory pomocí metody drag & drop a to např. z Průzkumníka systému Windows. Stejně tak je možné ale pracovat i se soubory v rámci této aplikace.
• Rychlé vyhledávání – stačí jen zadat první znaky vyhledávaného souboru, není potřeba klikat na vyhledávací pole
• Interaktivní notifikace, díky kterým je možné přijmou pozvání ke sdílení složky bez nutnosti otevření aplikace
• Přihlašování do aplikace pomocí Windows Hello – využijte svůj prst, obličej nebo oční duhovku pro přihlášení
• Rychlé přidávání komentářů k souborům
• Rychlý přístup k posledním souborům pomocí funkce Jump List – stačí kliknout pravým tlačítkem myši na ikonu aplikace a máte ihned přístup k naposledy otevřeným souborům

В этой статье я рассматриваю последовательность создания комфортных условий для пользователей в среде Office 365 в процессе обучения.

In der zwischenzeit haben sich bei mir schon einige WIM Files angesammelt. Testing, Piolotierung und Rollouts tragen dazu bei. Wenn man die Build Nummer nicht direkt im Dateinamen mit integriert hat, kann das wirklich gelegentlich zum Problem werden.

Jedoch ist die Lösung einfach. Hier hilft das Microsoft MDT. Genauer gesagt, der DISM Befehl.

Sollten sie eine ISO prüfen wollen, müssen sie diese zuerst mounten.

Nun kann mit dem folgenden Befehl festgestellt werden, welche Version sich im WIM File verbirgt:
dism /Get-WimInfo /WimFile:G:\sources\install.wim /index:1

Am 03.03.2016 heißt es in Unterschleißheim zum dritten Mal #meetmicrosoft– und diesmal erwarten wir sogar einen ganz besonderen Gast. Was hinter dem Hashtag und dem Format steckt, was die Teilnehmer erwartet und wer der Special Guest ist, erzählen Euch heute @pina_me und @froileinmueller– ohne aber zu viel vorwegnehmen zu wollen.

Das erste #meetmicrosoft  fand vor fast genau einem Jahr in der Microsoft Deutschlandzentrale in Unterschleißheim statt. Höchste Zeit also mal wieder junge und junggebliebene interessierte Was-mit-Medienmenschen zu uns einzuladen.

Nach einem Zwischenstopp in Köln, findet das nächste #meetmicrosoft am 03.03.2016 wieder in Uschl, wie der Unternehmenssitz in Microsoft-Sprech liebevoll genannt wird, statt. Neben Eindrücken von lokalen Microsoft-Mitarbeitern zum Standort, zu smarten Geräten und Spielen, begrüßen wir Kevin Turner, Chief Operating Officer der Microsoft Corporation. Wir freuen uns über spannende Einblicke aus Redmond und ein spannendes #meetmicrosoft.

Eine detaillierte Agenda folgt mit der persönlichen Einladung. Seid gespannt!

Bei Interesse meldet Euch gerne bei uns oder unserem Kollegen Tim Lenke (t-Tilenk@microsoft.com).

Wir sehen uns in Uschl oder diesem netten Internet! :)

Pina und Anna-Lena

Ein Beitrag von Pina Kehren (@pina_me) und Anna-Lena Müller (@froileinmueller)       
Beide Communications Manager bei Microsoft Deutschland

 - - - -

Über die Autoren

Pina Kehren ist bei Microsoft Deutschland für die Kommunikation unter anderem rund um die Themen Lumia, Nokia Devices und Wearables verantwortlich. Nicht nur beruflich gilt ihr Interesse neuen Technologien und Entwicklungen, insbesondere dem Bereich Fotografie.

In der Freizeit findet sie im Sport (Skaterhockey, Fitness, Laufen) den perfekten Ausgleich zur digitalen Welt.

Als Communications Manager Digital Transformation and Cloud beschäftigt sich Anna-Lena Müller (Link auf unseren PR Twitter Blogpost) mit den digitalen Chancen und Auswirkungen aus dem #Neuland für die Wirtschaft sowie die gesamte Gesellschaft. Bevor sie zu Microsoft kam, war sie bei dem BizSpark Startup Testbirds für PR und Marketing verantwortlich. Unter @froileinmueller zwitschert sie unsortiert über Digitales gleichwie Analoges, Sonniges und Wolkiges.

- - - -

#meetmicrosoft

Unter #meetmicrosoft laden wir künftig regelmäßig junge Journalisten, Blogger und Interessierte an unsere Microsoft Standorte in Deutschland ein und informieren über Microsoft als Unternehmen, allgemeine und aktuelle IT-Themen und Trends, bieten einen Blick hinter die Kulissen und eine Dialogplattform mit unterschiedlichen Sprechern und Mitarbeitern. Bei Interesse an eine Teilnahme könnt ihr Euch gerne an Anna-Lena wenden.

Summary: Use Windows PowerShell to find running services.

 How can I use Windows PowerShell to quickly produce a sortable list of running services on my computer?

 Use the Get-Service cmdlet to return the services, and the Out-GridView to produce a sortable list:

gsv | ogv

Note   gsv is an alias for Get-Service, and ogv is an alias for Out-GridView.

Объявлено о доступности релиз-кандидата (RC) SharePoint Server 2016. SharePoint Server 2016 RC – это практически полнофункциональная версия, выход которой является важным этапом для заказчиков и партнеров, планирующих развернуть и оценить SharePoint Server 2016 до выхода общедоступной версии весной 2016.

К настоящему моменту более 5000 заказчиков скачали предварительную версию SharePoint Server 2016, и их отзывы положительным образом сказались на качестве версии RC.

SharePoint Server 2016 на данный момент является самым надежным, масштабируемым, безопасным и высокопроизводительным выпуском сервера. Встроенные возможности Hybrid Cloud делают его наиболее предпочтительным для организаций, которые хотят воспользоваться преимуществами последних инноваций Microsoft Cloud, в то же время сохраняя критически важный контент или локальные пользовательские приложения. SharePoint Server 2016 поможет организациям добиться рекордной производительности и отказоустойчивости, а также быстро создавать решения и распространять данные локально и в Office 365 с должной степенью безопасности для их защиты.

SharePoint Server 2016 RC представляет значительную ценность для ИТ-администраторов, разработчиков и конечных пользователей благодаря:

Расширенной ИТ-поддержке — SharePoint Server 2016 обеспечивает беспрецедентную гибкость развертывания локально, в облаке, или в гибридном сценарии. Потребности бизнеса и технологические достижения совпадают, и поэтому ИТ-профессионалы получают уникальную возможность воспользоваться преимуществами последних инноваций в своих организациях локально и в Office 365.  Чтобы узнать больше посетите hybrid.office.com.

Кроме того, SharePoint Server 2016 помогает обеспечить повышенную безопасность и соблюдение требований к данным, предлагая упрощенную настройку и администрирование регулирующих политик. SharePoint Server 2016 помогает ИТ-профессионалам еще лучше контролировать доступ к конфиденциальным данным клиентов и организации, обеспечивая гибкую и централизованную авторизацию и управление аудитом.

Непрерывному совершенствованию — Оптимизируйте труд разработчиков при помощи унифицированной разработки для сервера и облака с современными API. SharePoint Server 2016 предоставляет доступ к широкой экосистеме разработки посредством стандартизированного набора API локально и в облаке.

У разработчиков появились новые способы создавать контекстуальные решения, охватывающие SharePoint Server 2016 и Office 365 в интернете, мобильные решения и Office. Упрощенные и более надежные API и улучшенные инструменты позволят создавать приложения проще, чем когда-либо. И у всех ваших решений будет возможность охватить огромное число клиентов среди бизнес-пользователей, государственных организаций и школ, которые каждый день пользуются Office или Office 365.

Улучшенной продуктивности пользователей — SharePoint Server 2016 предоставляет улучшенный мобильный доступ к контенту, контактам и приложениям вместе с сенсорным управлением на различных устройствах с разными размерами экранов. SharePoint Server 2016 также предоставляет более простое и легкое использование файловых хранилищ и совместной работы над документами. А интеграция Hybrid Cloud с Office 365 позволяет воспользоваться всеми преимуществами новых и улучшенных средств для повышения продуктивности, таких как Delve, SharePoint Online и OneDrive для бизнеса.

Основа для будущего — В современной быстро меняющейся технологической и бизнес среде может быть сложно быстро отреагировать на изменения потребностей бизнеса и пользователей. Мы разработали SharePoint Server 2016, чтобы наши заказчики могли быстрее воспользоваться преимуществами инноваций локально, в облаке, или где-то посередине.

В дополнение к этим обновлениям, SharePoint Server 2016 RC также включает Project Server 2016 RC.

Скачайте SharePoint Server 2016 RC прямо сейчас из Центра Загрузки Майкрософт и поделитесь своим отзывом непосредственно с инженерной командой на форуме SharePoint Server 2016. Кроме того, мы можете предложить функцию или оставить отзыв на сайте SharePoint Server Suggestion Box или на портале UserVoice, @SharePoint в Twitter и в комментариях ниже.

Узнайте больше SharePoint Server 2016 на technet.microsoft.com.

Вопросы и ответы

В. Могу ли я обновить мою версию SharePoint Server 2016 Beta 2 до RC?

О. Да. Релиз-кандидат – это обновление к SharePoint Server 2016 Beta 2 и он может быть установлен поверх Beta 2.

В. Когда вышел SharePoint 2013 RC, с ним появились и новые версии InfoPath и SharePointDesigner. Будет ли SharePoint Server 2016 RC включать новые версии этих продуктов?

О. На протяжении последних десяти лет InfoPath и SharePoint Designer являлись передовыми решениями Майкрософт для профессиональных разработчиков и информационных работников, которые создавали легкие корпоративные бизнес-приложения. По мере нашего развития, мы дополняем наши существующие бизнес приложения новыми инструментами и возможностями и обновляем сроки поддержки вместе с SharePoint Server 2016, а именно:

• SharePoint Server 2016 будет включать постоянную возможность размещения служб форм InfoPath. Службы форм InfoPath Forms на SharePoint 2016 будут поддерживаться на протяжении жизненного цикла поддержки SharePoint 2016.
• Службы форм InfoPath в Office 365 продолжат поддерживаться.
• InfoPath 2013 и SharePoint Designer 2013 будут последними версиями этих продуктов. SharePoint Designer не будет перевыпущен в SharePoint Server 2016, хотя мы продолжим поддерживать пользовательские рабочие процессы, построенные с помощью  SharePoint Designer и размещенные на SharePoint Server 2016 и в Office 365. Поддержка InfoPath 2013 и SharePoint Designer 2013 будет соответствовать жизненному циклу поддержки SharePoint Server 2016, которая продлится до 2026.

Hi, The Captain here from Microsoft Enterprise Cybersecurity Group's Global Incident Response and Recovery team.  The kind curators of the Platforms PFE blog invited me to share some thoughts about building a strong security foundation in your enterprise.

It takes a lot of time, effort, expertise and money to protect an enterprise network against today’s cybersecurity threats. The security market thrives, and businesses have many products and consulting services to choose from. So how do you invest your security dollars most efficiently? Cybersecurity spending requires a plan, whether building IT infrastructure from scratch or improving an existing enterprise network. Consider the following Hierarchy of Cyber Needs, built from the experiences of an Incident Response team that has seen it all. This chart will help you identify and prioritize which layers of security need investment within your enterprise. Use this as a road map to improve your enterprise security as quickly and cost-effectively as possible.

^{Captain’s Hierarchy of Cyber Needs}

The foundation of your enterprise security rests with your device management capabilities. Only machines that can be inventoried and centrally managed can reasonably be secured against advanced attackers. An accurate inventory is a critical first step to protecting a network. Any action to protect those assets will involve pushing tools to and pulling data from those devices. While device management software such as System Center Configuration Manager (SCCM) is not traditionally seen as security software, a company’s information security capabilities are only as good as their core device management capabilities allow.

From time to time our team gets called to respond to targeted attacks against enterprise networks that lack any central management. In such cases it invariably takes much longer to identify their critical infrastructure. Frequently the customer sends employees from computer to computer to run tools and collect data necessary for the investigation. In all such cases our primary advice for the customer is to invest in deploying SCCM, which most customers already have licenses to use. Third party alternatives also exist that are also up to the task of managing global corporate networks. Whichever solution you use, make sure you invest in your device management capabilities before you invest further in your cybersecurity infrastructure.

If you already have a central management solution, I encourage you to test your capabilities. While most customers have SCCM or a third party equivalent deployed, many of them do not use it regularly. Deploy a package such as the Microsoft Safety Scanner to all machines. Pull a small amount of data – such as the last patch time – from all computers and measure the time it takes. Slower package deployment times indicate slower response times during a breach, and slower response times limit response effectiveness. The slowest time recorded by one of our customers to deploy a scanner company-wide was seven months. Can your IT staff do better?

The second layer of corporate cybersecurity is all about the software lifecycle. The Microsoft Security Intelligence Report (SIR) shows an industry-wide trend of a thousand high-severity vulnerability disclosures per year. Published vulnerabilities, especially those with proof of concept code, quickly become weaponized. To better understand the risk that users face with unpatched systems, go read about the Rolodex of Evil. Your ability to protect credentials and critical assets are limited if a large portion of your computers are vulnerable to exploits easily downloaded from the Internet. The risk is even greater with unsupported software such as Windows XP. Unsupported software no longer receives security patches but vulnerabilities are probably still being discovered. Consider the use of such software the same as implementing a corporate policy of never installing security patches.

There’s no such thing as a free lunch. Beware using pirated software or running license cracking tools, for they come with a hidden cost. The sites that distribute free software often come with unexpected extra software. One APT group in particular specializes in releasing cracked tools as a means of establishing a foothold in corporate networks, and the group is exceptionally successful.

How do you enforce software patching in your enterprise? Best practices call for an accelerated patch cycle for critical assets such as domain controllers and servers, and a regular patch cycle for all other devices. Also be sure to have a plan for emergency patching – for situations where very severe vulnerabilities require faster than normal patching. If your company delays security updates to perform tests and avoid business disruption, remember to balance that delay with the risks caused by unpatched software.

Enterprises with solid device and software management infrastructure spend most of their attention in the Identity Management layer of the hierarchy. Identity Management gets a lot of press due to the proliferation of powerful credential theft tools such as Mimikatz and Windows Credential Editor (WCE). Everything we do in business – with or without computers – is based on identity. Running an enterprise without robust Identity Management is like running a bank that doesn’t ask customers for identification when making withdrawals.

Identity management starts with several basic concerns about user accounts and passwords. Do not use shared accounts – make sure that your employees and customers are uniquely identified. Minimize or eliminate all guest and anonymous accounts. Verify your password policy for best practices regarding complexity, length, and expiration. Make sure that your service account passwords meet these requirements as well.

The local administrator account is an often overlooked weakness. If every computer shares a common local admin password, then the account is practically a Domain Administrator. Disable the local administrator account and rely on domain accounts instead, or better yet deploy the free Local Administrator Password Solution (LAPS), available from Microsoft here.

After the basic identity management steps comes the infamous Pass the Hash Whitepaper. Once steps have been taken to ensure credentials can reasonably identify users, the next step is to prevent credential theft and lateral account movement through your enterprise. This is part of the “Assume Breach” philosophy: assume that one or more user accounts will be compromised, and take steps to prevent one compromised account from compromising all accounts. Read more about the best practices for Securing Lateral Account Movement here.

Once you are able to inventory and manage your computers, keep systems up to date with security patches, and establish a reasonable measure of confidence with identity and account management, your next tier of security is the need for Access Control. The principle of least privilege is easily understood: the fewer people who know KFC’s secret blend of herbs and spices, the lower the risk of theft. Implementing least privilege in an enterprise is time-consuming and inconvenient but greatly reduces the risk and damages from a breach. Here are the top Access Control projects to invest in.

Make your users non-admin. Many enterprises make all users local administrators on their computers, and in doing so they make it easier for tools like WCE and Mimikatz to harvest credentials. Service accounts and third-party software frequently run as Domain Admin, when they very rarely need to. These service accounts widely expose DA credentials for theft. LUA Buglight is a fantastic tool that can help you lower the privileges of both your line of business software and third party software. And if you need assistance, Aaron Margosis lurks always in the shadows, waiting for an opportunity to remove another elevated application from the world.

Critical resources – the “crown jewels” of the company – are frequently not segmented away from the majority of the user accounts. In such an environment, compromising any account allows relatively unimpeded access to the corporate crown jewels. Compartmentalize your network and access to resources wherever possible. If your domain admins for the New York office are only tasked with administration of that one location, do not automatically grant them unlimited power over the London office. Users collaborating on highly sensitive documents such as upcoming SEC filings should store them on servers with limited access, not on your company’s general-purpose file server.

Your domain controllers, domain admin credentials, and trusted certificates are all part of your crown jewels and should be protected accordingly. Remember – and this really happened to a Fortune 500 company – you lower the risk of DA-level breach if you do not surf the web from your domain controllers. A best practice is to use dedicated workstations (PAW) to perform sensitive tasks such as administering domain controllers. Use a tiered containment model to protect critical credentials and resources as described in the PTH whitepaper.

The apex of cyber needs is Detection. This layer is the most sophisticated to implement successfully and has the greatest number of prerequisites. I have seen companies invest in network intrusion detection systems that report threats that could not be mitigated with their limited device management capabilities. I have assisted customers who subscribed to expensive threat intelligence feeds for IOCs that their companies lacked the ability to leverage. The detection layer becomes more valuable and relevant once your IT staff has the capability to exert control over your enterprise network, your software is up to date, and access to network resources has been restricted and segmented where possible. Focus additional resources here once you are ready and able to respond to threats to your network.

Build your detection strategy with two thoughts in mind: passive versus active detection and on-site versus managed detection. Passive detection contains elements such as logging, which exists to facilitate everything from forensic investigations to IT debugging. The greatest challenges for passive detection involve the ability to collect all the data you need while filtering out enough of the data you don’t to make storage possible. Anyone who has tried event log forwarding at an enterprise scale has discovered the need to reduce the amount of logging. Learn from the experience of others and monitor what matters most.   Active detection contains elements that send alerts and require action, such as intrusion detection systems and antivirus software. On-site detection capabilities cover investments such as a Network Operations Center and a SIEM, capabilities that require dedicated and trained personnel to operate effectively. Managed detection capabilities, on the other hand, are like home security monitoring services: they leverage remote experts to provide 24/7 protection for your enterprise. In theory, on-site detection has the ability to out-perform third-party managed detection due to greater knowledge of your network and better integration with your business. In practice, very few companies can retain the sort of specialists who hunt targeted attackers the way that dedicated cybersecurity companies can. Where possible, consider investing in managed detection services such as Microsoft Threat Detection Services (MTDS) and Advanced Threat Analytics (ATA).

Conclusion

Whether you are building your corporate security infrastructure from scratch or enhancing what you already have, it helps to have a plan. Companies that do not understand the implicit prerequisites that come with certain security products find themselves spending money on technology they cannot fully utilize. Using the Hierarchy of Cyber Needs to make security investment decisions helps you achieve the most with your time and money as well as build a multi-year plan of continuous security investment.

Jeff Stoffel

Enterprise Mobility Suite provides a large opportunity for us to help our SMB customers with mobile device management and security.  Hopefully you have all seen Tim’s blog on the Online Technical Training for Deploying Enterprise Mobility Suite.  Expanding on this we have some terrific additional sales and tech-ready resources.

Microsoft’s Enterprise Mobility Suite (EMS) offers you a great opportunity to upsell your existing Office 365 customers by offering mobile device management and security at a very reasonable cost. Partners selling EMS are seeing incredible profit increases per Office 365 customer. I wanted to make sure you were able to learn more about EMS and how to start building it into your practice so have outlined upcoming free training to help you get started.

Get Sales and Tech-ready to drive up cloud revenue with Enterprise Mobility Suite-  in just 4 steps:

1. Learn how to Grow a More Profitable Cloud Practice With EMS: On Demand Webinar

2. Get engineering technically trained:

• February 9-11: Enterprise Mobility Suite Red Carpet: This training focuses on Enterprise Mobility proof of concept (POC), technical deep dive on Hybrid Identity with Azure AD Premium, Service Setup and Scenarios ◦Information Protection with Azure RMS Service Setup and scenarios, Unified Device Management with Windows Intune Service Setup and Scenarios and an overview of the Enterprise Mobility PoC.
• February 16: Enterprise Mobility Suite Internal Use Rights Workshop: Take this remote workshop to learn about your internal usage licenses benefit for Microsoft’s Enterprise Mobility Suite, comprising identity, mobile management and information protection. Understand what your MPN benefits give you today; how to best enable Enterprise Mobility Suite for your business and watch some interactive real-world scenarios that will quickly make your IUR benefit invaluable to your business.

3. Start Using EMS Internally with Internal Use Rights (MAPS members get 5 EMS license as part of IUR benefits)

4. Leverage the EMS demos https://www.microsoftofficedemos.com for customer conversations.  Using this in conjunction with the Enterprise Mobility Getting Started Guideallows for a 90 day demo environment of Office 365 with EMS.

Today’s (Cloud) Tip…

You can now get read-only boot diagnostics for your v2 virtual machines without needing to engage support. 

For Linux Virtual Machines, you can easily view the output of your console log from the Portal:

However, for both Windows and Linux Virtual Machines, Azure also enables you to see a screenshot of the VM from the hypervisor:

For all the details, and to learn how to set up the diagnostics check out the announcement on the Azure Blog.

Teaching our students to search safely has never been more important Find resources to help your students become proficient at searching safely from Bing.

Microsoft official and Community tech events coming your way this February and beyond.
Which event are you going to? Let us know via @TechNetUK.  

Upcoming Events

	17th February, 08:30-17:00, London: What’s new in Windows Server 2016 - Gain a deeper understanding of the main technical pillars around what is and how to build a Software-Defined Datacenter solution that is based on the Microsoft Cloud Platform.	Register here
	18th February, 08:30-17:00, London: What’s new in Windows 10 Enterprise - Experience the most innovative and reliable Windows yet! Windows 10 brings increased stability and predictability to your organization, while minimizing risk. Attend this free one-day technical training event to explore new servicing, security, and management features that enable corporate data access across devices and platforms while allowing you to maintain control over those devices.	Register here
	24th February, 08:30-17:00, Birmingham: What’s new in Windows Server 2016 – Gain a deeper understanding of the main technical pillars around what is and how to build a Software-Defined Datacenter solution that is based on the Microsoft Cloud Platform.	Register here
	25th February, 08:30-17:00, Birmingham: What’s new in Windows Server 2016 - Can't make the Wednesday event? Never fear because we will be doing it all over again in Birmingham on the Thursday!	Register here
	29th February-1st March, ExCel London: Cloud Roadshow - Join us for a free two-day technical training event for IT Pros that provides best practices and insight directly from the experts who build and run the cloud services across Office 365, Microsoft Azure, Windows 10 and more.	Register here
	9th March, 08:30-17:00, Cambridge: What’s new in Windows Server 2016 – Gain a deeper understanding of the main technical pillars around what is and how to build a Software-Defined Datacenter solution that is based on the Microsoft Cloud Platform.	Register here
	10th March, 08:30-17:00, Cambridge: What’s new in Windows Server 2016 - Can't make the Wednesday event? Never fear because we will be doing it all over again in Cambridge on the Thursday!	Register here
	11th-12th March, Exeter: SQL Saturday- SQL Saturday is a training event for SQL Server professionals and those wanting to learn about SQL Server. Approximately 30 training sessions, over 4 tracks, covering all areas of working with SQL Server. Speakers will include MVPs and international presenters.	Register here

 

 

Be sure to keep up to date on TechNet social for more regular event updates. Why not tweet us and let us know which event you’re going to!

Talking about cloud services to IT Professionals can seem like explaining Christmas to turkeys, but the knowledge and attitude we have learned actually put us in a great position as these services are more widely adopted. In this article I want to focus on the world of the Internet of Things (IoT).

IoT reminds me of my days in a small systems group at the Ministry of Defence (actually at Horse Guards).  The Colonel had told my manager that not only would we be looking after all of the servers, desktops, and those new fangled laptops, we’d also be responsible for the phone system. Furthermore, we weren’t going to be getting anymore staff and we’d also be learning ISDN as that was part of the plan. The colonel had a sword and so we couldn’t really argue, but if we roll that forward to today, any IT guy is going to be managing mobile phones, as well as unified communications. It’s important because the next thing we might be looking after, if we aren’t already, is the building, the vehicle fleet and even the staff.

Why IoT Matters?

Simply because it matters to the businesses we work for, and we are best placed to integrate these solutions with existing infrastructure:

Retail

The business want to know about where stock is, where customers are spending most of their time in store and possibly even want the same monitoring for staff (ethics aside). Sensors can do all of this automatically, as well as monitor the environment. 

Manufacturing

IoT is already well established in manufacturing; robots are controlled and monitored, as are modern milking machines. At the tip of the spear, F1 teams have used 3D printers, autoclaves for baking Carbon fibre components and sensors to attain accurate and reliable data from the cars trackside.

Public Sector

We might want to monitor what the police are doing to ensure their safety and safe convictions based on their actions and movements (again I’ll leave the ethics to you). Patient monitoring, especially for chronic illnesses like dementia and diabetes, would result in better outcomes and better analysis of these major drains on the NHS. 

Maintaining safety and quality

The reason we need to get involved in IoT as IT Professionals is safety and quality. The ‘thing’ might well be a high powered intelligent device like a car with over 200 computers and actuators in it and cost thousands to make, or it might be a 50p temperature sensor attached to a freezer. Some of these ‘things’ are in a fixed location and some move (and move a lot). So how do you manage all of these to ensure that personal data from wearables is properly protected, cars can’t be unlocked remotely without the right authorisation and data quality is maintained?

There isn’t a right answer to any of this anymore than there is with laptop or mobile security. Added to this, the sheer number of assets that an enterprise will have connected will far exceed what we have to manage today, so how do we begin?

Breaking the problem down

The answer? Break the problem down, use standards where they exist and be proactive – so not like my boss waiting for the Colonel to come to us and tell us what to do.

Breaking the problem down, many sensors and devices aren’t directly connected to the internet.  If you’ve seen the Connected Cows demo at Build or Future Decoded, then the cow wasn’t actually connected, it was a gateway at the farm that was. That could be a server, with cached data (as connectivity is not always good) that can be managed. If it’s wearable then it’s probably paired to a mobile phone, like my Band is as I write this. In that case, we know how to manage that too.

That leaves things like cars and older devices which might not originally be internet aware, but are being adapted to be.  If these are on the end of a good connection then connecting them to a cloud service rather than directly to the corporate LAN might be a better way to go as the cloud service will trap the data. This is already protected by the provider and all we have to do is go and get the data or interface with the device via that service.

Manufacturing

Manufacturing has well defined standards for protecting and detecting problems in connected systems, e.g. the aviation and nuclear power industries, and these can be applied to smarter building in our organisations (e.g. door entry systems).

Cloud Services

Even if you aren’t a fan of Azure you’ll need something like the Azure and Windows services to make your own successful IoT solution reliable and secure. At one end the Windows IoT suite has built in master data management and data on devices is protected via a trusted platform module (TPM). On the Azure end, there are IoT Hubs and Stream Analytics to make reliable analysis and decisions on well connected solutions.

A new hotfix is available that enables Windows Server Update Services (WSUS) on a Windows Server 2012 or Windows Server 2012 R2 to sync and distribute feature upgrades for Windows 10. Note that this hotfix is not required to enable WSUS to sync and distribute servicing updates for Windows 10. This hotfix also addresses an issue where Windows 10 computers are displayed as Windows Vista. For complete details and a download link, please see the following:

3095113 - Update to enable WSUS support for Windows 10 feature upgrades (https://support.microsoft.com/en-us/kb/3095113)

For more information about Windows 10 servicing and how feature upgrades and servicing updates differ, please see the following TechNet topic:

Introduction to Windows 10 servicing

J.C. Hornbeck | Solution Asset PM | Microsoft

Our Blogs

• Configuration Manager: http://blogs.technet.com/configurationmgr/
• Data Protection Manager: http://blogs.technet.com/dpm/
• Orchestrator: http://blogs.technet.com/b/orchestrator/
• Operations Manager: http://blogs.technet.com/momteam/
• Operations Management Suite: https://blogs.technet.microsoft.com/omsblog/
• Service Manager: http://blogs.technet.com/b/servicemanager
• Virtual Machine Manager: http://blogs.technet.com/scvmm
• Microsoft Intune: https://blogs.technet.microsoft.com/intunesupport/
• WSUS: http://blogs.technet.com/sus/
• AD and Azure RMS: http://blogs.technet.com/b/rms/
• Application Virtualization: http://blogs.technet.com/appv/
• MED-V: http://blogs.technet.com/medv/
• Application Proxy: http://blogs.technet.com/b/applicationproxyblog/
• Forefront Endpoint Protection: http://blogs.technet.com/b/clientsecurity/
• Forefront Identity Manager: http://blogs.msdn.com/b/ms-identity-support/
• Forefront TMG: http://blogs.technet.com/b/isablog/
• Forefront UAG: http://blogs.technet.com/b/edgeaccessblog/

ConfigMgr 2012 R2