Tech news for the week of October 21st, 2024
Topics in this week’s Tech Newsletter
Enterprise Impacting
What’s New Updates
Training
Copilot and AI
Microsoft 365
Windows 365 and Azure Virtual Desktop
Microsoft Defender
Azure
Server
Identity Protection and Management
Information Protection and Management
Intune
Device Management
Scripting and Automation
Security Tools and Guides
Microsoft News
Security News
Industry Specific News
Enterprise Impacting
Enterprise Impacting: Azure Marketplace media images for Windows Server 2022 currently include .NET 6, but going forward will not include a .NET version with the image (.NET 8 and later are not included with the image). Therefore, if you previously relied on the Azure Marketplace image to include the .NET 6 runtime, going forward you will need to handle the .NET deployment yourself. On November 12th 2024, .NET 6 will reach end of support. However, based on customer feedback we have decided to provide customers with more time to handle the .NET 8 runtime deployment and upgrade to .NET 8. Microsoft will provide security updates for .NET 6 in the Azure Marketplace media images beyond the official end of support date, with an additional 6 months through May 13, 2025. Note this only applies to Azure marketplace media of Windows Server 2022. .NET 6 will be removed from all Azure marketplace Windows Server 2022 media on May 13th, 2025. If you are impacted, and have not migrated to .NET 8, you need to take action to complete the change before May 2025.
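One check worth running on any server built from these images, as an added example that is not part of the Microsoft notice above: it reads the runtime list from the dotnet host and reports whether the box still depends on the 6.x line and whether an 8.x runtime is already present. It assumes the dotnet host is on PATH or in its default install folder, which is the case on the Marketplace image while .NET 6 ships with it.

```powershell
# Added example, not from the Azure Marketplace notice: inventory the shared .NET
# runtimes on a Windows Server 2022 VM and flag .NET 6 dependence before the
# May 13, 2025 removal date. Assumes the dotnet host is on PATH or in its default path.
$removalDate = Get-Date '2025-05-13'

function Get-DotnetRuntimeInventory {
    $dotnet = Get-Command dotnet -ErrorAction SilentlyContinue
    $hostPath = if ($dotnet) { $dotnet.Source } else { Join-Path $env:ProgramFiles 'dotnet\dotnet.exe' }
    if (-not (Test-Path $hostPath)) { return @() }   # no host at all: nothing depends on the bundled runtime
    # Each line looks like:
    #   Microsoft.NETCore.App 6.0.33 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
    & $hostPath --list-runtimes | ForEach-Object {
        if ($_ -match '^(?<name>\S+)\s+(?<version>\S+)\s+\[(?<path>.+)\]$') {
            [pscustomobject]@{
                Runtime = $Matches.name
                Version = $Matches.version
                Major   = [int]($Matches.version.Split('.')[0])   # tolerates preview suffixes
                Path    = $Matches.path
            }
        }
    }
}

function Test-DotnetSixExposure {
    $runtimes = @(Get-DotnetRuntimeInventory)
    $six   = @($runtimes | Where-Object Major -eq 6)
    $eight = @($runtimes | Where-Object Major -ge 8)
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        DotnetSixRuntimes  = ($six.Version -join ', ')
        DotnetEightPresent = $eight.Count -gt 0
        DaysUntilRemoval   = [int]($removalDate - (Get-Date)).TotalDays
        # Action is needed when 6.x is the only runtime line on the box. If 8.x is
        # already installed you still have to confirm your apps actually target it.
        ActionRequired     = ($six.Count -gt 0 -and $eight.Count -eq 0)
    }
}

Test-DotnetSixExposure | Format-List
```

Run it across your fleet with Invoke-Command and collect the ActionRequired column; servers that show .NET 6 only need the .NET 8 runtime deployed and their applications retargeted before the May 2025 cut-off.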
What’s New Updates
What's new in Microsoft Entra - September 2024 (1st party)
We’re excited to announce the general availability of Microsoft Entra Suite—one of the industry’s most comprehensive secure access solutions for the workforce. With 66% of digital attack paths involving insecure credentials, Microsoft Entra Suite helps prevent security breaches by enabling secure access to cloud and on-premises apps with least privilege, inside and outside the corporate perimeter. It unifies network access, identity protection, governance, and verification to streamline onboarding, modernize remote access, and ensure secure access to apps and resources. Get started with a Microsoft Entra Suite trial. Last November, we launched the Secure Future Initiative (SFI) at Microsoft to combat the increasing scale of cyberattacks. Security now drives every decision we make, as detailed in the September 2024 SFI Progress Report. Today, we’re sharing new security improvements and innovations across Microsoft Entra from July to September 2024, organized by product to help you quickly find what’s relevant to your deployment.
We are excited to announce recent enhancements to the Viva Connections Resources section that allow operators to personalize the experience even further. Here are some of the updates we have made to the Resources. You will now be able to add custom images for resource links, preview the editing experience and import links from Global/Home site navigation, gain consistency across desktop and mobile, and more!
In development for Microsoft Intune (1st party)
To help in your readiness and planning, this article lists Intune UI updates and features that are in development but not yet released. If we anticipate that you'll need to take action before a change, we'll publish a complementary post in the Office message center. When a feature enters production, whether it's in preview or generally available, the feature description will move from this article to What's new. Refer to the Microsoft 365 roadmap for strategic deliverables and timelines.
What's new in Windows 365 Enterprise (1st party)
Among the changes released on October 14th: core TCP-based RDP traffic for Cloud PC connections uses the *.wvd.microsoft.com wildcard fully qualified domain name (FQDN). The FQDN remains unchanged, but the underlying IP addresses associated with it will shortly be consolidated into a single subnet, which simplifies optimization of this traffic and reduces the need for future change management. Windows 365 now also supports call redirection as part of multimedia redirection.
What's new in Microsoft Entra ID? (1st party)
Microsoft Entra ID (previously known as Azure Active Directory) receives improvements on an ongoing basis. A new Conditional Access template that requires device compliance is now available in public preview. The template restricts access to company resources to devices that are enrolled in mobile device management (MDM) and compliant with company policy. Requiring device compliance improves data security and reduces the risk of data breaches, malware infections, and unauthorized access. It is a recommended best practice for users and devices that are targeted by a compliance policy through MDM.
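The same control expressed with Microsoft Graph PowerShell, as an added example and not the template or code from the Entra post: it creates the policy in report-only mode so you can watch the sign-in logs before enforcing it, and it excludes an emergency-access group so a compliance failure can never lock out the break-glass accounts. The group object id is a placeholder you must replace; the exact exclusions in Microsoft's built-in template may differ.

```powershell
# Added example, not from the Entra what's-new post: a report-only Conditional Access
# policy that requires a compliant device for all users and all cloud apps.
# Assumption: $breakGlassGroupId is the object id of your emergency-access group.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder, replace before running

function New-CompliantDeviceReportOnlyPolicy {
    param([Parameter(Mandatory)][string]$ExcludedGroupId)

    $policy = @{
        displayName = 'Require compliant device - all users (report-only)'
        # Report-only records what the policy WOULD do in the sign-in log without blocking anyone.
        state       = 'enabledForReportingButNotEnforced'
        conditions  = @{
            users          = @{
                includeUsers  = @('All')
                excludeGroups = @($ExcludedGroupId)
            }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('all')
        }
        grantControls = @{
            operator        = 'OR'
            builtInControls = @('compliantDevice')   # Intune compliance state via the device record
        }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
}

New-CompliantDeviceReportOnlyPolicy -ExcludedGroupId $breakGlassGroupId |
    Select-Object Id, DisplayName, State
```

Review the "Report-only" results in the sign-in logs for a week or two, fix the devices that would have failed, then flip state to enabled with Update-MgIdentityConditionalAccessPolicy.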
Training
Generative AI for Beginners (Version 3) - A Course (1st party) [FREE]
Learn the fundamentals of building Generative AI applications with our 21-lesson comprehensive course by Microsoft Cloud Advocates. Each lesson covers its own topic so start wherever you like! Lessons are labeled either "Learn" lessons explaining a Generative AI concept or "Build" lessons that explain a concept and code examples in both Python and TypeScript when possible. Each lesson also includes a "Keep Learning" section with additional learning tools.
Copilot and AI
AI Innovations for a New Era of Work and Home (1st party) [VIDEO]
OneDrive is your gateway to seamlessly managing files, photos, and memories across work, home, and everywhere in between. Trusted by 94% of Fortune 500 companies, millions of small businesses, and countless individuals, OneDrive is transforming how the world collaborates, stores, and connects. At today’s OneDrive event, we unveiled a powerful lineup of new features designed to help you work smarter, stay organized, and relive life’s best moments – all through the magic of AI. Whether you’re an IT Pro managing enterprise-grade compliance or a parent organizing family memories, OneDrive has you covered. Let’s take a closer look at what’s new.
Code AI apps on Azure - Python, Prompty & Visual Studio (1st party) [VIDEO]
Build your own custom applications with Azure AI right from your code. With Azure AI, leverage over 1,700 models, seamlessly integrating them into your coding environment to create tailored app experiences. Utilize features like Retrieval Augmented Generation and vector search to enrich responses with contextual information, as well as prebuilt Azure AI services to incorporate cognitive skills such as language, vision, and safety detection. Dan Taylor, Principal Product Architect for Microsoft Azure AI, also shares how to streamline your development process with tools for orchestration and monitoring. Use templates to simplify resource deployment and run evaluations against large datasets to optimize performance. With Application Insights, gain visibility into your app's metrics, enabling data-driven decisions for continuous improvement.
People have always looked for patterns to explain the universe and to predict the future. “Red sky at night, sailor’s delight. Red sky in morning, sailor’s warning” is an adage predicting the weather. AI is very good at seeing patterns and making predictions. Now, Microsoft researchers are working to apply “foundation models” – large-scale models that take advantage of recent AI advances – to scientific disciplines. These models are trained on a wide variety of data and can excel at many tasks, in contrast to more specialized models. They have the potential to generate answers in a fraction of the time traditionally required and help solve more sophisticated problems. Some of the wildly different scientific disciplines that are promising for advancement through AI include materials science, climate science and healthcare and life sciences. Experts say foundation models tailored to these disciplines will speed up the process of scientific discovery, allowing them to more quickly create practical things like medications, new materials or more accurate weather forecasts but also to better understand atoms, the human body or the Earth. Currently, many of these models are still under development at Microsoft Research, and the first, a weather model called Aurora, is already available.
Microsoft Edge begins testing Copilot Vision (3rd party)
Microsoft Edge Canary has been updated with an interesting feature called Copilot Vision, but it's still in testing. The current implementation of Copilot in Microsoft Edge is quite helpful as it allows you to quickly send content to the Copilot sidebar. However, it still has certain limitations. For example, it's not good at understanding what you're doing on a webpage or what you're looking at inside the browser.
Microsoft 365
Create and share Copilot agents in SharePoint in a few clicks (1st party) [VIDEO]
It's time to go behind the scenes to learn more about Copilot agents in SharePoint, powered by your content. What could be better? Copilot agents are built in Copilot Studio via our new, built-in lightweight agent builder experience in SharePoint. CJ and Karuana will discuss the broader vision of Copilot agents and show you how to put this new capability to work within your SharePoint site.
Introduction to Resource Links in Microsoft Viva Connections (1st party) [VIDEO]
Viva Connections Resources section allows dashboard operators to create a list of relevant company or team wide resources for end users. Resources can be customized to have a custom icon or image. They can be also targeted using audience targeting, providing a personalized experience targeted to specific roles or organizations. In this video, we'll focus on covering the new features within the Resources section directly from Microsoft. Leslie Thomas worked as one of the Product Managers for these features which are rolling out to all customers during autumn 2024.
SharePoint Roadmap Pitstop: September 2024 (1st party)
If you’re into the whole fiscal thing, know that the SharePoint and partner teams are kicking off FY25-Q2 with feature enhancements, AI milestones, and roadmap announcements. That’s what is called, “Being tech-fiscally responsible.” September 2024 brought a few nice updates and some key disclosures—SharePoint: Brand center, Copilot in OneDrive (GA), Copilot in SharePoint: Text web part, Microsoft 365 Copilot: Wave 2 news, Bing Generative Search news, Microsoft Delve retirement, Microsoft AI Tour Live updates, completion of the Microsoft Loop Learning Series, and more. Details and screenshots below, including our audible companion: The Intrazone Roadmap Pitstop: Month 2024 podcast episode – all to help answer, "What's rolling out now for SharePoint and related technologies into Microsoft 365?"
Millions of hours saved, 50% faster app development, and 206% ROI achieved with Microsoft Power Apps Premium (1st party)
Every month, 25 million users benefit from the solutions built with Microsoft Power Apps, a leading platform to build modern, intelligent, and high-performance applications. To help customers better understand the overall business value of Power Apps Premium, Microsoft commissioned an independent study by Forrester Consulting, titled the Total Economic Impact of Power Apps. Forrester interviewed 13 representatives of organizations that have invested in Power Apps Premium as well as other components of the Power Platform and aggregated their experiences into a composite organization with 30,000 employees, $10 billion in annual revenue, 200 professional developers, and 1,800 citizen developers. They modeled gradual adoption of Power Apps Premium, beginning with 22% licensed employees in the first year and expanding to 66% by the third year.
SharePoint Tips: Setting Up Your HR Hub Site (3rd party) [VIDEO]
Learn about the HR hub communication site template versus the PNP HR Hub solution that is installed via PowerShell. The Human Resources site template is a communication site that’s designed to be a central hub where employees in your organization can access key information regarding their benefits, career, compensation, and organization policies. Welcome and onboard new employees, post announcements, showcase upcoming events and holidays, highlight your organization’s mission and programs, and introduce your staff. Provide quick and easy access to benefits, compensation, and other sites.
Windows 365 and Azure Virtual Desktop
October 24th - On this episode of Windows in the Cloud, we have an exciting interview with Senior Director of Windows Marketing, Melissa Grant. Gain unique insights on the evolution of Windows moving to the cloud. Get a peek at what to expect at Microsoft Ignite 2024. Don’t miss an engaging and informative discussion that might change the way you think about the future of Windows in the cloud and AI. Part of Windows in the Cloud, our leadership spotlights feature product, engineering, and marketing leaders at Microsoft, offering unique insights and perspectives on current trends and future innovations in the wide world of Windows. Each episode delves into the minds of these influential thought leaders, exploring their journeys, challenges, and thoughts on where the industry has been and where it’s headed next.
November 20th - Join our Windows Cloud product leaders for an exciting, demo-heavy episode where we will showcase the latest Windows 365 and Azure Virtual Desktop capabilities announced at Microsoft Ignite 2024. You’ll walk away with the insight you need to keep your organization moving forward with the right Windows in the Cloud solution for your workforce.
Microsoft Defender
Defender for Cloud not only transcends traditional security silos and extends end-to-end security across multicloud and hybrid infrastructure, it also delivers advanced security posture management and threat remediation capabilities. To quantify the solution’s business benefits, Microsoft commissioned Forrester Consulting to conduct a Total Economic Impact (TEI) study. The study aims to give business leaders and decision-makers a framework with which to evaluate the benefits and potential financial impact of Defender for Cloud on their organizations. Interviewees reported a wide variety of benefits from Defender for Cloud, including reduced operational risk, a shorter and more secure development lifecycle, and less time spent investigating and remediating threats.
Microsoft Sentinel comes with Content Hub, which you can use out-of-the-box to get content value and start on Microsoft Sentinel quickly. Solutions in Microsoft Sentinel Content Hub provide a consolidated way to acquire Microsoft Sentinel content, like data connectors, playbooks, workbooks, analytics rules, hunting, and automation in your workspace with a single deployment step. Updating workbooks in Microsoft Sentinel can be tedious, especially if many Content Hub solutions are installed, including workbooks. This can be particularly challenging for managed security service providers (MSSPs) who serve multiple tenants from different customers and have many workbooks to maintain and update. Updating these workbooks every week or month can be time-consuming and boring, right? In this article, we will show you how to update Microsoft Sentinel Workbooks at scale automatically using PowerShell and REST API.
Microsoft Defender now automatically detects and notifies users with a Microsoft 365 Personal or Family subscription when they're connected to unsecured Wi-Fi networks. The Defender privacy protection feature (also known as Defender VPN) protects your privacy and security when connected to public Wi-Fi or an untrusted network, where your data and identity could be exposed or stolen. To do that, it encrypts and routes your internet traffic through Microsoft's servers and hides your internet address (IP address) using a VPN (Virtual Private Network).
Microsoft Defender Vulnerability Management (MDVM) has come a long way and has become an indispensable part of Microsoft Defender for Endpoint (MDE) and the whole Microsoft Defender XDR ecosystem, one that deserves your attention and daily operationalization. MDVM's capabilities fall into three areas: continuous asset discovery and monitoring, risk-based intelligent prioritization, and remediation and tracking.
Azure
Running tightly coupled HPC/AI workloads with InfiniBand using NVIDIA Network Operator on AKS (1st party)
We increasingly see AKS gaining share as an orchestration solution for HPC/AI workloads. The drivers behind this trend are multiple: the progressive move toward containerization of HPC/AI software stacks, the ease of management, and the universal nature of Kubernetes APIs. The focus of this blog post is to provide a guide for getting an AKS cluster InfiniBand enabled, with the possibility of having HCAs or IPoIB available inside Kubernetes Pods as cluster resources. Several methodologies and articles have provided insights on the topic, as has the official documentation of NVIDIA Network Operator. The purpose of this article is to organize and harmonize those different experiences while proposing a deployment model that is closer to the most maintained and standard way of enabling an InfiniBand cluster: using NVIDIA Network Operator. Of course, this is only the first step toward having an AKS cluster that is HPC/AI ready.
ExpressRoute Metro is now generally available! (1st party)
We are excited to announce general availability of ExpressRoute Metro, a new private connectivity architecture designed to enhance network resiliency for our customers. ExpressRoute Metro provides a highly resilient circuit that enables diverse connections to two separate edge sites within a city, ensuring increased redundancy and reliability. With Metro Provider and Metro Direct, customers can benefit from enhanced redundancy across the circuit and port infrastructure, while also gaining an additional layer of resiliency at the edge site level. This solution is engineered to maintain robust connectivity in case of site-wide disruptions, ensuring uninterrupted service and business continuity.
Power Automate hosted robotic process automation (RPA) capability provides a simple way for automation center of excellence (CoE) to set up and scale based on RPA workloads. Using Microsoft hosted infrastructure running in Azure, hosted RPA empowers you to manage your RPA workload effectively with two solutions: individual hosted machines enable developers to build, test automation and business users to run automation and hosted machine groups automatically scale workloads to optimize unattended automation in production, delivering improved business process continuity and governance at scale.
Tutorial: Create and manage budgets (1st party)
Budgets in Cost Management help you plan for and drive organizational accountability. They help you proactively inform others about their spending to manage costs and monitor how spending progresses over time. You can configure alerts based on your actual cost or forecasted cost to ensure that your spending is within your organizational spending limit. Notifications are triggered when the budget thresholds are exceeded. Resources aren't affected, and your consumption isn't stopped. You can use budgets to compare and track spending as you analyze costs. Cost and usage data is typically available within 8-24 hours and budgets are evaluated against these costs every 24 hours. Be sure to get familiar with the specifics of cost and usage data updates. When a budget threshold is met, email notifications are normally sent within an hour of the evaluation.
Use cost alerts to monitor usage and spending (1st party)
This article helps you understand and use Cost Management alerts to monitor your Azure usage and spending. Cost alerts are generated automatically when Azure resources are consumed. Alerts show all active cost management and billing alerts together in one place. When your consumption reaches a given threshold, alerts are generated by Cost Management. There are three main types of cost alerts: budget alerts, credit alerts, and department spending quota alerts. You can also create a cost anomaly alert to be notified automatically when an anomaly is detected.
In the Bicep language, just as in an ARM template, variables and parameters have a data type: string, int, array, object, Boolean, secure string, and secure object. Each data type has properties you can use in your Bicep files. But did you know that you can build your own data type? Creating a user-defined data type has some advantages: better control over parameters and user input, fewer parameters and variables for the same resources, and more readable code. Let's dive deep into user-defined data types.
Server
Hi everyone! Jerry Devore here to continue the Active Directory Hardening series by addressing SMB signing. Many of my Microsoft colleagues have already written some great content on SMB signing so I was not going to cover it. However, it is just too critical a security control to skip and a series on Active Directory hardening would not be complete without it. As usual, my goal is to help clear up any confusion so you can enable this setting if you have not already. Why does SMB signing matter? The two most recognized benefits of SMB signing are ensuring message integrity and preventing an NTLM relay attack. Exploiting both of those typically involves an adversary-in-the-middle (AiTM). Before we move on let’s clarify how attackers can place themselves between a victim and a resource.
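A way to see where you stand before reading further, as an added example that is not code from the post: it reads the effective SMB signing state on the local host and on every domain controller, and offers a function that requires signing on both the server and client side. It assumes the RSAT ActiveDirectory module, an elevated session, and PowerShell remoting to the DCs.

```powershell
# Added example, not from the Active Directory Hardening post: audit SMB signing on the
# local host and on every DC, and optionally require it. Assumes RSAT ActiveDirectory,
# an elevated session, and WinRM access to the domain controllers.
function Get-SmbSigningState {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $sb = {
        $srv = Get-SmbServerConfiguration
        $cli = Get-SmbClientConfiguration
        [pscustomobject]@{
            ComputerName          = $env:COMPUTERNAME
            ServerSigningRequired = $srv.RequireSecuritySignature   # the setting that stops relay TO this host
            ServerSigningEnabled  = $srv.EnableSecuritySignature    # "enabled" alone only offers signing
            ClientSigningRequired = $cli.RequireSecuritySignature   # protects sessions this host opens
            Smb1Enabled           = $srv.EnableSMB1Protocol          # SMB1 should be off regardless
        }
    }
    if ($ComputerName -eq $env:COMPUTERNAME) { & $sb }
    else {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $sb |
            Select-Object * -ExcludeProperty PSComputerName, RunspaceId
    }
}

function Get-DcSmbSigningReport {
    Import-Module ActiveDirectory
    Get-ADDomainController -Filter * | ForEach-Object { Get-SmbSigningState -ComputerName $_.HostName }
}

function Enable-SmbSigning {
    # Require, not merely enable: a relayed NTLM session is useless to an attacker who
    # cannot compute the session signature, so "always" is the control that matters.
    Set-SmbServerConfiguration -EnableSecuritySignature $true -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -EnableSecuritySignature $true -RequireSecuritySignature $true -Force
}

Get-SmbSigningState
Get-DcSmbSigningReport | Format-Table -AutoSize
# Enable-SmbSigning   # uncomment to require signing on the host you run this on
```

On domain controllers the server-side value is governed by "Microsoft network server: Digitally sign communications (always)" in the Default Domain Controllers Policy, which the report reads as the effective state; member servers and clients are where you will usually find it enabled but not required.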
Functional levels determine the available Active Directory Domain Services (AD DS) domain or forest capabilities. They also determine which Windows Server operating systems you can run on domain controllers in the domain or forest. You can raise the domain or forest functional level once every domain controller runs a later version of Windows Server. This article describes how to raise Active Directory domain and forest functional levels. We recommend you upgrade Active Directory Domain Services servers to the latest release. To enable the latest domain features, all domain controllers in the domain must run a version of Windows Server that matches or is newer than the desired functional level. If they don't meet this requirement, the administrator can't raise the domain functional level.
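The readiness check that precedes the raise, as an added example and not code from the documentation article: it maps each DC's reported OS build to the target level, lists any DC that would block the change, and previews the raise with -WhatIf. The build-number table is an assumption based on the version strings AD reports (for example "10.0 (20348)" for Windows Server 2022); adjust the target level to what you intend to reach.

```powershell
# Added example, not from the documentation: confirm every DC in the domain runs an OS
# at or above the target functional level, then preview Set-ADDomainMode with -WhatIf.
# Assumption: the minimum-build table below (OS build as AD reports it in OperatingSystemVersion).
Import-Module ActiveDirectory

$minimumBuildForLevel = @{
    Windows2012Domain   = 9200    # Windows Server 2012
    Windows2012R2Domain = 9600    # Windows Server 2012 R2
    Windows2016Domain   = 14393   # Windows Server 2016
    Windows2025Domain   = 26100   # Windows Server 2025
}

function Get-OsBuild {
    param([string]$OperatingSystemVersion)   # e.g. "10.0 (20348)"
    if ($OperatingSystemVersion -match '\((\d+)\)') { [int]$Matches[1] } else { 0 }
}

function Test-DomainFunctionalLevelReadiness {
    param([Parameter(Mandatory)][string]$TargetLevel)
    $required = $minimumBuildForLevel[$TargetLevel]
    if (-not $required) { throw "No build mapping for $TargetLevel" }
    $domain = Get-ADDomain
    $dcs = Get-ADDomainController -Filter * |
        Select-Object HostName, OperatingSystem, OperatingSystemVersion,
            @{ n = 'Build'; e = { Get-OsBuild $_.OperatingSystemVersion } }
    $blocking = @($dcs | Where-Object Build -lt $required)
    [pscustomobject]@{
        Domain       = $domain.DNSRoot
        CurrentLevel = $domain.DomainMode
        TargetLevel  = $TargetLevel
        Ready        = $blocking.Count -eq 0
        BlockingDCs  = $blocking.HostName -join ', '
    }
}

$check = Test-DomainFunctionalLevelReadiness -TargetLevel 'Windows2016Domain'
$check | Format-List
if ($check.Ready) {
    # Remove -WhatIf to raise the level. Lowering is possible only in limited cases,
    # so treat this as a one-way change and take a system-state backup of a DC first.
    Set-ADDomainMode -Identity (Get-ADDomain).DistinguishedName -DomainMode Windows2016Domain -WhatIf
    # The forest level can follow once every domain in the forest has been raised:
    # Set-ADForestMode -Identity (Get-ADForest).Name -ForestMode Windows2016Forest -WhatIf
}
```

Run the check in each domain of the forest; the forest level can only be raised when every domain already meets it, and the BlockingDCs column tells you which decommissions or in-place upgrades still stand in the way.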
Microsoft Deprecates Legacy VPN Protocols (3rd party)
It’s long overdue, but Microsoft has finally announced the formal deprecation of the Point-to-Point Tunneling Protocol (PPTP) and the Layer 2 Tunneling Protocol (L2TP) in Windows Server Routing and Remote Access (RRAS) servers. Both protocols have long since been replaced with more secure alternatives such as the Secure Socket Tunneling Protocol (SSTP) and Internet Key Exchange version 2 (IKEv2). However, many organizations still have RRAS servers configured with these legacy protocols to support ad-hoc, on-demand access for non-managed users and devices.
Limiting Domain Controller Attack Surface: Why less services, less software, less agents = less exposure (3rd party)
Each organization’s needs and risk appetite will be different, but it is important to highlight that having less “stuff” on Domain Controllers (DCs) can lower the security risk to these critical systems by minimizing their attack surface. At Trimarc, we have assessed hundreds upon hundreds of AD forests over the years while performing our Active Directory Security Assessment. Too often we discover questionable software running on DCs or the reluctance to acknowledge that the patch management team is effectively Tier 0 with their elevated rights through the patching agent. This article is intended to be a guide to making the best-informed decisions through awareness of the potential issues and ensuring companies are asking the right questions.
Identity Protection and Management
This article provides the information you need to synchronize your user passwords from an on-premises Active Directory instance to a cloud-based Microsoft Entra instance. Active Directory Domain Services stores passwords as a hash value representation of the actual user password. A hash value is the result of a one-way mathematical function (the hashing algorithm). There's no method to revert the result of a one-way function to the plain text version of a password. To synchronize your password, Microsoft Entra Connect Sync extracts your password hash from the on-premises Active Directory instance. Extra security processing is applied to the password hash before it's synchronized to the Microsoft Entra authentication service. Passwords are synchronized on a per-user basis and in chronological order.
How to migrate MFA and SSPR policy settings to the Authentication methods policy for Microsoft Entra ID (1st party)
You can migrate Microsoft Entra ID legacy policy settings that separately control multifactor authentication (MFA) and self-service password reset (SSPR) to unified management with the Authentication methods policy. You can use the authentication methods migration guide (preview) in the Microsoft Entra admin center to automate the migration. The guide provides a wizard to help audit your current policy settings for MFA and SSPR. Then it consolidates those settings in the Authentication methods policy, where they can be managed together more easily. You can also migrate policy settings manually on your own schedule. The migration process is fully reversible. You can continue to use tenant-wide MFA and SSPR policies while you configure authentication methods more precisely for users and groups in the Authentication methods policy.
This article describes known limitations for working with Conditional Access app control in Microsoft Defender for Cloud Apps. To learn more about security limitations, contact our support team.
Kusto has introduced a new feature that allows users to access information about the country of a user and their tenant region or country as provided by Microsoft Entra ID through the current_principal_details() function. This addition provides enhanced granularity and control in data security and accessibility. For the function to provide this information, it is essential to understand the authentication (AuthN) and authorization (AuthZ) flow for a query in Kusto.
Microsoft recommends that in addition to deploying Credential Guard, organizations move away from passwords to other authentication methods, such as Windows Hello for Business, FIDO 2 security keys, or smart cards. As Credential Guard evolves and enhances its security features, newer versions of Windows running Credential Guard might affect previously functional scenarios. For instance, Credential Guard could restrict the use of certain credentials or components to thwart malware exploiting vulnerabilities. It's advisable to thoroughly test operational scenarios within an organization before updating devices that utilize Credential Guard.
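Before you update devices that run Credential Guard, it helps to know exactly which state each one is in. As an added example (not code from the Credential Guard article), this reads the Device Guard WMI class and the LSA configuration flag to report whether Credential Guard is configured, actually running, and UEFI-locked, which is what decides how easily it can be turned off or changed later.

```powershell
# Added example, not from the Credential Guard article: report the VBS / Credential Guard
# state of this device. Service ids in Win32_DeviceGuard: 1 = Credential Guard, 2 = HVCI.
function Get-CredentialGuardState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # LsaCfgFlags under the LSA key: 1 = enabled with UEFI lock, 2 = enabled without lock,
    # 0 = disabled, absent = not explicitly set.
    $lsaCfg = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LsaCfgFlags `
               -ErrorAction SilentlyContinue).LsaCfgFlags
    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        VbsStatus                 = $dg.VirtualizationBasedSecurityStatus   # 2 = running
        CredentialGuardConfigured = 1 -in $dg.SecurityServicesConfigured
        CredentialGuardRunning    = 1 -in $dg.SecurityServicesRunning
        HvciRunning               = 2 -in $dg.SecurityServicesRunning
        LsaCfgFlags               = $lsaCfg
        UefiLocked                = ($lsaCfg -eq 1)
    }
}

Get-CredentialGuardState
```

A device that reports configured but not running usually has a virtualization or Secure Boot prerequisite missing; a device that reports UefiLocked cannot be switched off by policy alone and needs the documented unlock procedure with physical presence, so plan those separately before any feature update that changes Credential Guard behaviour.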
Microsoft Entra ID: Emergency Access Accounts (3rd party) [VIDEO]
With Microsoft’s mandatory MFA set to begin roll out in October, many organizations are focusing on end user impact and may lose sight on changes in store for other user identities, namely break-glass accounts. These emergency accounts were likely setup years ago in your tenant and have gone unchanged and untested. When it comes time to use these accounts, will you be praising your past-self or standing on shards of glass wondering where to turn next?
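The audit that answers the question the video poses, as an added example and not code from it: it collects every account excluded from a Conditional Access policy, directly or through an excluded group, then reports whether each is enabled, when it last signed in, which authentication methods it has registered, and whether it is excluded from every policy, which is the pattern a true break-glass account should show. It assumes Microsoft Graph PowerShell, an Entra ID P1 or P2 licence for signInActivity, and the scopes requested below.

```powershell
# Added example, not from the video: report on accounts excluded from Conditional Access,
# the usual home of emergency-access (break-glass) accounts. Assumes Microsoft Graph
# PowerShell, Entra ID P1/P2 (for signInActivity) and the scopes below.
Connect-MgGraph -Scopes 'Policy.Read.All', 'User.Read.All', 'GroupMember.Read.All',
                        'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All'

function Get-ConditionalAccessExclusionReport {
    $policies = Get-MgIdentityConditionalAccessPolicy -All
    $guid = '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'   # skips keywords such as GuestsOrExternalUsers
    $exclusions = @{}                                        # user id -> policy names excluding it

    foreach ($p in $policies) {
        $ids = @($p.Conditions.Users.ExcludeUsers | Where-Object { $_ -match $guid })
        foreach ($g in $p.Conditions.Users.ExcludeGroups) {
            $ids += Get-MgGroupMember -GroupId $g -All | Select-Object -ExpandProperty Id
        }
        foreach ($id in ($ids | Select-Object -Unique)) {
            if (-not $exclusions.ContainsKey($id)) {
                $exclusions[$id] = [System.Collections.Generic.List[string]]::new()
            }
            $exclusions[$id].Add($p.DisplayName)
        }
    }

    foreach ($id in $exclusions.Keys) {
        $u = Get-MgUser -UserId $id -Property 'id,userPrincipalName,accountEnabled,signInActivity' `
                        -ErrorAction SilentlyContinue
        if (-not $u) { continue }   # excluded group member that is not a user
        $methods = Get-MgUserAuthenticationMethod -UserId $id |
            ForEach-Object { $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '' }
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            Enabled           = $u.AccountEnabled
            LastSignIn        = $u.SignInActivity.LastSignInDateTime
            AuthMethods       = ($methods | Sort-Object -Unique) -join ','
            ExcludedFrom      = $exclusions[$id].Count
            AllPolicies       = $exclusions[$id].Count -eq $policies.Count   # break-glass pattern
        }
    }
}

Get-ConditionalAccessExclusionReport | Sort-Object AllPolicies -Descending | Format-Table -AutoSize
```

Read the output against the three properties an emergency-access account should have: excluded from every policy, a recent LastSignIn that proves it was tested, and a phishing-resistant method in AuthMethods (a FIDO2 security key or certificate) so the mandatory MFA rollout cannot strand it. Anything else that appears in the list is an exclusion you should be able to justify.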
One of my latest projects has been to develop a tier model based on known attack paths to categorize Entra roles and Microsoft Graph application permissions. The project led me to researching specific application permissions potentially classified as Tier-0, but with no public resource documenting their abuse. In my mind (or at least in the tier model I am developing), “Tier-0” contains application permissions with at least one scenario where they can be abused to escalate to Global Admin. During my research, I have discovered a large number of Tier-0 permissions related to Privileged Identity Management (PIM), which I thought should be better known by the public.
Information Protection and Management
IT Governance Controls for Your Copilot agents (1st party)
In today’s rapidly evolving digital landscape, organizations are constantly seeking innovative ways to enhance productivity and streamline operations. Microsoft 365 Copilot is at the forefront of this transformation, offering a suite of governance capabilities that empower organizations to harness the full potential of generative AI. With Microsoft 365 Copilot, makers can develop powerful agents directly within Teams. These agents can be tailored to meet specific organizational needs, providing seamless integration and enhanced functionality. But the innovation doesn’t stop there. Now, through Microsoft Copilot Studio now included in Microsoft 365 Copilot, makers can extend the capabilities of these agents, creating robust solutions that drive efficiency and effectiveness.
Data Factory data pipelines in Microsoft Fabric have rich support for building complex workflows and orchestration of data activities. With the latest feature announcements, we’ve taken things a step further based on our community’s feedback. We’ve been working hard to make the very popular data pipeline activity known as “Invoke Pipeline” better and more powerful. Based on customer feedback, we continue to iterate on the possibilities and have now added the exciting ability to call pipelines from Azure Data Factory (ADF) or Synapse Analytics pipelines as a public preview!
Announcement: Microsoft Purview Data Loss Prevention policies have been extended to Fabric lakehouses (1st party)
Extending Microsoft Purview’s Data Loss Prevention (DLP) policies into Fabric lakehouses is now in public preview! This follows the success of DLP for Power BI and the GA of Microsoft Fabric last year. DLP policies help you automatically detect sensitive information as it is uploaded into lakehouses in your Fabric tenant and take risk remediation actions, to help you with governmental or industry regulations, such as the European Union’s General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA).
Update to Direct Lake documentation (1st party)
Power BI is standardizing on open-data formats by adopting Delta Lake and Parquet to help you avoid vendor lock-in and reduce data duplication. This minimizes data silos and fragmentation, offering a single source of truth across the enterprise. Direct Lake accelerates time to data-driven decisions by unlocking incredible performance directly against OneLake, without the need to manage costly, time-consuming data refreshes for large volumes of data in OneLake. We recently made a significant update to the Direct Lake documentation, which goes into detail on topics.
Earlier this year, Microsoft finally retired the Search-Mailbox cmdlet and removed the ability to remove large numbers of messages from mailboxes. The replacement, compliance search actions, can only remove 10 items per mailbox. Microsoft is now revamping Purview eDiscovery, and as part of that effort, they promise to increase the limit to 100 items per mailbox. The increased purge item limit hasn’t reached my tenant yet, but the change now happening around eDiscovery makes it appropriate to consider the current state of compliance search actions and what might happen when Microsoft transitions to the new eDiscovery over the coming months.
Intune
Recast Software Unveils Right Click Tools for Intune and Copilot Capabilities in Partnership with Microsoft (3rd party)
We are excited to announce the launch of Right Click Tools for Intune, as well as the Recast Copilot for Security Plugin. These innovations will make endpoint management more seamless and efficient for IT teams, supporting the modern workplace vision and advancing Unified Endpoint Management. Recast Software’s commitment to being a premier partner in the Microsoft ecosystem ensures that IT administrators have the tools they need to maintain secure, compliant, and efficient environments, whether managing devices on-premises or in the cloud.
Ready For Attestation: A True Underdog Story (3rd party)
Some time ago “someone” reached out to me asking me the question about what was required to get the EK Certificate working. He asked me that question because some of his Lenovo L480s were failing on TPM Attestation when using Autopilot Pre-provisioning. Those devices were throwing 0x81039001 errors at him! I decided to help out as much as possible, with only Twitter PMs. Please note that I didn’t have a TeamViewer session or something else, so it was sometimes hard to get to the bottom of the issue. Luckily, I already wrote a huge amount of articles about TPM attestation stuff so I guess this is going to be a piece of cake?
Device Management
Passkeys on Windows just got easier! As part of Microsoft’s vision for a passwordless future, we are working to make passkeys on Windows simple and intuitive. Passkeys are safer and easier to use than passwords, which are vulnerable to phishing and data breaches. That is why, in support of a passwordless future, we partnered with other platforms in the FIDO Alliance to support passkeys. As part of our cross-industry commitment, we launched native support for cross-device authentication and an updated experience to help users along the journey from website to platform. Continuing that journey at Authenticate 2024, we are introducing the following, which will be available in our Windows Insider channels in the coming months: a plug-in model for third-party passkey providers, enhanced native UX for passkeys, and a Microsoft synced passkey provider.
As Microsoft continues to innovate across the Windows ecosystem, the latest updates bring powerful AI-driven experiences and enhanced security features to Copilot+ PCs, including Surface Pro (11th Edition) for Business and Surface Laptop (7th Edition) for Business. In this post, we’ll highlight key announcements that are now available or coming soon, offering IT pros the tools they need to stay ahead of the curve.
Today, Microsoft announced the general availability of Windows 11 version 24H2, also known as the Windows 11 2024 Update. This is the release that Copilot+ PCs have been running since the summer, and it's now beginning to roll out to the rest of the Windows 11 user base. The Windows 11 2024 Update is a major Windows platform release that includes a number of under-the-hood performance and security improvements in addition to new surface-level features and quality-of-life updates. Such improvements include a new emulation layer for x86 apps on Arm PCs, better gaming performance on certain GPUs and CPUs, and more. The 2024 Update also includes a newly redesigned context menu in File Explorer that places the most common actions in labeled boxes along the top of the menu. This update also introduces the ability to create 7z and TAR archive files directly from within File Explorer without needing to download a third-party app.
This week is a follow-up to this post of a few months ago about getting started with Personal Data Encryption (PDE). That post focused on the early introduction of PDE and the functionality it brings to the table, while this post builds on that functionality and knowledge. PDE is still a fairly unknown feature that is now growing in useful functionality and could become a very welcome addition to the available data protection capabilities on Windows. With the latest version of Windows 11, version 24H2, PDE can now also protect personal data in known Windows folders: Documents, Desktop, and Pictures. That gives organizations more protection for personal data, as PDE can be used alongside BitLocker. The main difference is that while the BitLocker decryption key is released during the boot of the device, the PDE decryption key is released only at user sign-in via Windows Hello for Business. This post is focused on creating more awareness and showing the new, straightforward configuration options.
This blog will focus on a new Windows 11 insider build feature, Local Administrator Protection, announced in the latest Windows Insider Canary build (27718). This feature is designed to eliminate always-on admin rights. Instead, it uses a hidden elevation mechanism to provide just-in-time privileges when needed, keeping admin rights in the shadows until required. “I am the Shadow Admin, always present but never seen.”
Windows 11 24H2 Group Policy: 81 new settings for SMB, updates, printing, Defender, and more (3rd party)
Microsoft traditionally documents the Group Policy settings that are new compared to the previous Windows release in two Excel spreadsheets. One of these sheets is the Group Policy Settings Reference Spreadsheet, which is now available for Windows 11 24H2. The second sheet ships with the Security Compliance Toolkit, which only lists the changes compared to the previous version. In contrast, the Reference Spreadsheet contains all settings, which can be filtered by Windows version to display the latest policies.
Scripting and Automation
The cloud licensing APIs, part of the Microsoft Cloud Licensing platform, improve licensing management and eligibility checks by breaking down the licenses assigned to users through various subscriptions into smaller, more manageable pools called allotments. For example, you may need to determine whether a user is eligible to use a specific feature of Microsoft 365. This is difficult when the user has many different licenses assigned and you do not know which license holds this particular feature. Instead, you can use the cloud licensing APIs to query the features a user is eligible for. In this article, I will show you how to use the cloud licensing APIs with Microsoft Graph PowerShell to report user license usage rights in Microsoft 365.
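An added example of the eligibility question the article poses (this is not the article's own script): query a user's usage rights and find which SKU carries a given service plan. The beta path `/users/{id}/cloudLicensing/usageRights` and the `skuPartNumber`, `services` and `planName` property names are assumptions to verify against the current Graph reference; the fallback uses `Get-MgUserLicenseDetail`, which answers the same "which license holds this plan" question from the established licenseDetails resource.

```powershell
# Added example: report which license entitles a user to a given service plan.
# Requires the Microsoft.Graph PowerShell SDK. Endpoint path and property names
# on the cloud licensing resource are assumptions; see the lead-in.
Import-Module Microsoft.Graph.Authentication, Microsoft.Graph.Users
Connect-MgGraph -Scopes "User.Read.All" -NoWelcome   # permission name assumed sufficient

function Get-UserUsageRights {
    param([Parameter(Mandatory)][string]$UserId)
    # Assumed beta endpoint of the cloud licensing API; follows paging links.
    $uri = "https://graph.microsoft.com/beta/users/$UserId/cloudLicensing/usageRights"
    $rights = @()
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
        $rights += $page.value
        $uri = $page.'@odata.nextLink'
    } while ($uri)
    return $rights
}

function Find-PlanInUsageRights {
    param([Parameter(Mandatory)][string]$UserId, [Parameter(Mandatory)][string]$PlanName)
    # Walk each usage right (one per SKU) and its services (assumed property names).
    foreach ($right in Get-UserUsageRights -UserId $UserId) {
        foreach ($svc in $right.services) {
            if ($svc.planName -eq $PlanName) {
                [pscustomobject]@{ Sku = $right.skuPartNumber; Plan = $svc.planName; Source = "cloudLicensing" }
            }
        }
    }
}

function Find-PlanInLicenseDetails {
    param([Parameter(Mandatory)][string]$UserId, [Parameter(Mandatory)][string]$PlanName)
    # Established API: licenseDetails lists each assigned SKU with its service plans
    # and per-plan provisioning status, so disabled plans can be excluded.
    foreach ($lic in Get-MgUserLicenseDetail -UserId $UserId) {
        foreach ($plan in $lic.ServicePlans) {
            if ($plan.ServicePlanName -eq $PlanName -and $plan.ProvisioningStatus -eq "Success") {
                [pscustomobject]@{ Sku = $lic.SkuPartNumber; Plan = $plan.ServicePlanName; Source = "licenseDetails" }
            }
        }
    }
}

# Usage (placeholders): is this user entitled to the Teams service plan, and via which SKU?
$user = "alice@example.com"          # assumed
$plan = "TEAMS1"                     # service plan name as shown in the Microsoft 365 admin center
$hits = @(Find-PlanInUsageRights -UserId $user -PlanName $plan)
if (-not $hits) { $hits = @(Find-PlanInLicenseDetails -UserId $user -PlanName $plan) }
if ($hits) { $hits | Format-Table -AutoSize } else { "$user has no active license that includes $plan" }
```

If the beta call returns 404 or an empty collection, trust the licenseDetails result; it is the path that works in every tenant today, and it still tells you which SKU to examine before reassigning or removing a license.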
Over the last few years, OneDrive for Business has evolved from personal storage for files created by Microsoft 365 users to become the default location for apps from Stream to Teams to Whiteboard to store files. More documents, spreadsheets, presentations, PDFs, and other types of files are being stored in OneDrive for Business accounts. The advantage gained through the approach is that users have a single file repository, but Microsoft’s enthusiasm to exploit OneDrive for Business also creates some issues for tenants to manage. Much to the chagrin of some organizations, Microsoft 365 apps encourage the creation of valuable information in OneDrive for Business. For instance, co-authoring allows users to collaborate in Office documents. An even more extreme example is the almost instant collaboration enabled through Loop components on Teams chats and Outlook messages. Documents and Loop components remain in OneDrive instead of being safely stored in a shared location, like a SharePoint site. Cue problems that emerge when someone leaves the organization, and their OneDrive account disappears.
Security Tools and Guides
New services and features are released daily in Azure and other cloud service provider platforms, developers are rapidly publishing new cloud applications built on these services, and attackers are constantly seeking new ways to exploit misconfigured resources. The cloud moves fast, developers move fast, and attackers also move fast. How do you keep up and make sure that your cloud deployments are secure? How do security practices for cloud systems differ from on-premises systems, and between cloud service providers? How do you monitor your workloads for consistency across multiple cloud platforms? Microsoft has found that using security benchmarks can help you quickly secure cloud deployments. A comprehensive security best-practice framework from cloud service providers gives you a starting point for selecting specific security configuration settings in your cloud environment, across multiple service providers, and lets you monitor those configurations from a single pane of glass.
What it really takes to prioritize security (1st party) [VIDEO]
Technology has become so much more powerful and there's so much to learn about it. So, find out what it takes to adapt and gain insights from Jordan Benzing, a Microsoft Security MVP. In this interview, he’ll discuss the “demand to do more with less” culture, how the insurance industry drives the security posture of organizations, data privacy laws, the security benefits and concerns to adopting Windows 11, and more.
Red Teaming in the age of EDR: Evasion of Endpoint Detection Through Malware Virtualization (3rd party)
As defensive security products improve, attackers must refine their craft. Gone are the days of executing malicious binaries from disk, especially ones well known to antivirus and Endpoint Detection and Response (EDR) vendors. Now, attackers focus on in-memory payload execution for both native and managed applications to evade defensive products. Meanwhile, defensive technologies are becoming increasingly sophisticated, which is forcing attackers to further adapt. In such an arms race, how does an attacker stay ahead? And how can malware be future-proofed to evade the sophisticated EDR systems that currently exist and are actively being developed? This blog post reviews the evolution of one of Fox-IT’s evasive tools, designed to aid in payload delivery during Red Teaming engagements. We will touch on the tool’s history and its future potential in the face of offensive and defensive progress.
Navigating Risk Management: How Red Teaming Can Prepare Your Team for Actual Cyber Attacks (3rd party)
In cybersecurity, you need to know the unique characteristics of your risks and vulnerabilities to protect your data and business operations. One basic technique for effective risk mitigation is red teaming, which simulates cyberattacks to test a system's ability to resist threats and to gather information that improves your defensive strategy. Red teaming is a simulation-based, hands-on approach to testing an organization's security: it emulates real-world attacks to find vulnerabilities and weaknesses in existing security controls. Its main goal is to test an organization's readiness against actual threats, providing the internal security team with valuable insights and expertise. By simulating what real attackers do, red teaming pushes an organization's security to its limits and identifies areas of improvement. This involves running various attack scenarios to find gaps and weaknesses in the IT defenses, resulting in a stronger security posture.
Creating Audit Logs for Security Professionals (3rd party)
There’s a bunch of information across many compliance and best practice frameworks that talk about the benefits of collecting & retaining security audit logs. However, what about the actual content of what qualifies a “good” audit log for writing detections or completing security investigations? Let’s talk about what it should look like!
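An added example of the point above (not code from the post): a structured audit event writer and a completeness check run over constructed sample lines. The required field set (timestamp, actor, action, target, outcome, source IP, correlation ID) is a common baseline chosen here as an assumption, not a list taken from the post; the check shows why an event that omits the actor or outcome is unusable for a detection or an investigation.

```powershell
# Added example: what a detection-ready audit event carries, and a check that
# flags events missing the fields an investigator needs. Field set is an assumption.
$RequiredFields = 'timestamp', 'actor', 'action', 'target', 'outcome', 'source_ip', 'correlation_id'

function New-AuditEvent {
    param(
        [Parameter(Mandatory)][string]$Actor,     # who (UPN, service principal, or API key id)
        [Parameter(Mandatory)][string]$Action,    # what, as a stable dotted verb, e.g. role.assign
        [Parameter(Mandatory)][string]$Target,    # on which object
        [Parameter(Mandatory)][ValidateSet('success', 'failure')][string]$Outcome,
        [Parameter(Mandatory)][string]$SourceIp,  # from where
        [string]$CorrelationId = [guid]::NewGuid().ToString()  # ties the event to a request/session
    )
    # Ordered keys + UTC ISO-8601 timestamp + one JSON object per line keeps the log
    # parseable by any SIEM and sortable across hosts.
    [ordered]@{
        timestamp      = (Get-Date).ToUniversalTime().ToString('o')
        actor          = $Actor
        action         = $Action
        target         = $Target
        outcome        = $Outcome
        source_ip      = $SourceIp
        correlation_id = $CorrelationId
    } | ConvertTo-Json -Compress
}

function Test-AuditEvent {
    param([Parameter(Mandatory)][string]$JsonLine)
    try { $evt = $JsonLine | ConvertFrom-Json } catch { return [pscustomobject]@{ Ok = $false; Missing = @('<unparseable>') } }
    $missing = @($RequiredFields | Where-Object {
        -not $evt.PSObject.Properties[$_] -or [string]::IsNullOrWhiteSpace($evt.$_)
    })
    [pscustomobject]@{ Ok = ($missing.Count -eq 0); Missing = $missing; Action = $evt.action }
}

# Constructed sample lines: one complete event, one that names no actor and no outcome.
$sampleLines = @(
    (New-AuditEvent -Actor 'alice@example.com' -Action 'role.assign' -Target 'Global Administrator' -Outcome 'success' -SourceIp '203.0.113.7'),
    '{"timestamp":"2024-10-21T09:12:03Z","action":"user.delete","target":"bob@example.com","source_ip":"198.51.100.9"}'
)

foreach ($line in $sampleLines) {
    $r = Test-AuditEvent -JsonLine $line
    if ($r.Ok) { "OK       $($r.Action)" }
    else       { "REJECT   $($r.Action): missing $($r.Missing -join ', ') (cannot attribute or triage)" }
}
```

The second sample is the kind of line many applications emit today: it records that a deletion happened but not who did it or whether it succeeded, so no detection can key on it and no investigator can attribute it. Run the check at ingest and treat a failing event as a bug in the producer, not as noise to drop.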
This past spring, Tenable reported that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) released five best practices documents (found here) that focus on cloud computing cybersecurity. This release was an effort to encourage stronger security measures for organizations with a computing presence in cloud-first, multi-cloud or hybrid environments. These cybersecurity information sheets (CSIs) include numerous specific measures to reduce risk overall, covering some of the most important attack vectors facing cloud computing services. Each of the CSIs focuses on a specific cloud service (or suite of services), first identifying the threat and then the MITRE ATT&CK tactics and techniques used by threat actors. They continue by providing detailed guidance on ways to reduce the risk of threat actors finding an opening. The best practices align with recommendations from other organizations, such as the Center for Internet Security (CIS) cloud foundations benchmarks.
Microsoft News
Drasi: Microsoft’s newest open-source project simplifies change detection and reaction in complex systems (1st party)
Drasi is a new data processing system that simplifies detecting critical events within complex infrastructures and taking immediate action tuned to business objectives. Developers and software architects can leverage its capabilities across event-driven scenarios, whether working on Internet of Things (IoT) integrations, enhancing security protocols, or managing sophisticated applications. The Microsoft Azure Incubations team is excited to announce that Drasi is now available as an open-source project. To learn more and get started with Drasi, visit drasi.io and the project’s GitHub repositories.
Welcome to the New Era of Microsoft OneDrive: AI, Productivity, and Memories at Your Fingertips (1st party)
OneDrive is your gateway to seamlessly managing files, photos, and memories across work, home, and everywhere in between. Trusted by 94% of Fortune 500 companies, millions of small businesses, and countless individuals, OneDrive is transforming how the world collaborates, stores, and connects. At today’s OneDrive event, we unveiled a powerful lineup of new features designed to help you work smarter, stay organized, and relive life’s best moments – all through the magic of AI. Whether you’re an IT Pro managing enterprise-grade compliance or a parent organizing family memories, OneDrive has you covered.
Microsoft has observed campaigns misusing legitimate file hosting services increasingly using defense evasion tactics involving files with restricted access and view-only restrictions. While these campaigns are generic and opportunistic in nature, they involve sophisticated techniques to perform social engineering, evade detection, and expand threat actor reach to other accounts and tenants. These campaigns are intended to compromise identities and devices, and most commonly lead to business email compromise (BEC) attacks to propagate campaigns, among other impacts such as financial fraud, data exfiltration, and lateral movement to endpoints.
Security News
Insurance companies must stop issuing policies that incentivize making extortion payments in ransomware attacks, a senior White House official said on Friday. The call for the practice to end, which was made without any indication the White House was formally proposing to ban the practice, follows the fourth annual International Counter Ransomware Initiative (CRI) summit in the United States this week, where the 68 members of the CRI discussed tackling the problem. Writing an opinion piece in the Financial Times newspaper, Anne Neuberger, the U.S. deputy national security adviser for cyber and emerging technologies, warned that ransomware was “wreaking havoc around the world.”
American Water, the largest publicly traded U.S. water and wastewater utility company, was forced to shut down some of its systems after a Thursday cyberattack. In a filing with the U.S. Securities and Exchange Commission (SEC), American Water said it has already hired third-party cybersecurity experts to help contain and assess the incident's impact. It also reported the breach to law enforcement and is now coordinating their efforts in a joint and ongoing investigation. "The Company has taken and will continue to take steps to protect its systems and data, including disconnecting or deactivating certain of its systems," the 8-K regulatory filing reads.
Wayne County, Michigan is dealing with a cyberattack that has shut down all government websites and limited the operations of several offices. Home to Detroit, the county is the largest in the state with more than 1.75 million residents. County spokesperson Doda Lulgjuraj told Recorded Future News that the investigation into the cyber incident is ongoing. “Impacted services have been transitioned to backup processes to maintain operations. Barring any unforeseen issues, we expect the county website to be fully operational by the start of business on Friday,” he said. “This will restore access to online property tax payments and property records.”
Several end-to-end encrypted (E2EE) cloud storage platforms are vulnerable to a set of security issues that could expose user data to malicious actors. Cryptographic analysis from ETH Zurich researchers Jonas Hofmann and Kien Tuong Truong revealed issues with the Sync, pCloud, Icedrive, Seafile, and Tresorit services, collectively used by more than 22 million people. The analysis was based on the threat model of an attacker controlling a malicious server that can read, modify, and inject data at will, which is realistic for nation-state actors and sophisticated hackers.
American IT software company Ivanti has released security updates to fix three new Cloud Services Appliance (CSA) zero-days tagged as actively exploited in attacks. As Ivanti revealed on Tuesday, attackers are chaining the three security flaws with another CSA zero-day patched in September. Successful exploitation of these vulnerabilities can let remote attackers run SQL statements via SQL injection, execute arbitrary code via command injection, and bypass security restrictions by abusing a path traversal weakness on vulnerable CSA gateways (used to provide enterprise users secure access to internal network resources).
Microsoft Detects Growing Use of File Hosting Services in Business Email Compromise Attacks (3rd party)
Microsoft is warning of cyber-attack campaigns that abuse legitimate file hosting services such as SharePoint, OneDrive, and Dropbox, which are widely used in enterprise environments, as a defense evasion tactic. The end goals of the campaigns are broad and varied, allowing threat actors to compromise identities and devices and conduct business email compromise (BEC) attacks, which ultimately result in financial fraud, data exfiltration, and lateral movement to other endpoints. The weaponization of legitimate internet services (LIS) is an increasingly popular risk vector adopted by adversaries to blend in with legitimate network traffic in a manner that often bypasses traditional security defenses and complicates attribution efforts.
Industry Specific News
Healthcare - Authentication and authorization for Azure Health Data Services (1st party)
Azure Health Data Services is a collection of secured managed services using Microsoft Entra ID, a global identity provider that supports OAuth 2.0. For Azure Health Data Services to access Azure resources, such as storage accounts and event hubs, you need to enable the system-assigned managed identity and grant the proper permissions to that managed identity. For more information, see Azure managed identities. Client applications are registered in Microsoft Entra ID and can be used to access Azure Health Data Services. User-level data access controls are implemented in the applications or services that hold the business logic.
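The two halves of the model above, as an added example (not from the Microsoft documentation): granting the FHIR service's system-assigned managed identity a narrowly scoped role on one storage account, and a client obtaining an Entra ID bearer token for the FHIR audience. Resource names, the subscription placeholder and the role choices are assumptions; the Az cmdlets used (`Get-AzResource`, `New-AzRoleAssignment`, `Get-AzAccessToken`) are standard.

```powershell
# Added example: service-side managed identity grant, then client-side OAuth 2.0 call.
# Names below are placeholders; <sub> stays a placeholder for your subscription id.
Import-Module Az.Accounts, Az.Resources
Connect-AzAccount | Out-Null

$rg        = "rg-health"       # assumed
$workspace = "hdsworkspace"    # assumed
$fhir      = "fhirsvc"         # assumed
$fhirId    = "/subscriptions/<sub>/resourceGroups/$rg/providers/Microsoft.HealthcareApis/workspaces/$workspace/fhirservices/$fhir"
$storageId = "/subscriptions/<sub>/resourceGroups/$rg/providers/Microsoft.Storage/storageAccounts/hdsexport"  # assumed export account

# 1. Read the service's system-assigned managed identity; fail loudly if it is not enabled,
#    because the role assignment below needs its principal id.
$identity = (Get-AzResource -ResourceId $fhirId).Identity
if (-not $identity -or -not $identity.PrincipalId) {
    throw "Enable the system-assigned managed identity on $fhir before granting it access."
}

# 2. Least privilege: the role is scoped to the single storage account the export needs,
#    not to the resource group or subscription.
$existing = Get-AzRoleAssignment -ObjectId $identity.PrincipalId -Scope $storageId -RoleDefinitionName "Storage Blob Data Contributor"
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $identity.PrincipalId -RoleDefinitionName "Storage Blob Data Contributor" -Scope $storageId | Out-Null
}

# 3. Client side: request a token for the FHIR service's audience and call the data plane.
#    The caller (user or app) must itself hold a FHIR data-plane role such as FHIR Data Reader;
#    the token only proves identity, the role decides what it may read.
$audience = "https://$workspace-$fhir.fhir.azurehealthcareapis.com"
$token = (Get-AzAccessToken -ResourceUrl $audience).Token
if ($token -is [securestring]) {   # newer Az.Accounts versions return a SecureString
    $token = [System.Net.NetworkCredential]::new('', $token).Password
}
$headers = @{ Authorization = "Bearer $token"; Accept = "application/fhir+json" }

# /metadata is anonymous (capability statement); a resource read proves authorization works.
$capability = Invoke-RestMethod -Method Get -Uri "$audience/metadata" -Headers $headers
"FHIR version: $($capability.fhirVersion)"
$patients = Invoke-RestMethod -Method Get -Uri "$audience/Patient?_count=1" -Headers $headers
"Patient bundle total: $($patients.total)"
```

A 401 on the `/Patient` call with a valid token usually means the caller has no FHIR data-plane role on that service; the fix is a role assignment, not a different token.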