Tech news for the week of June 17th, 2024
Topics in this week’s Tech Newsletter
What’s New Updates
Training
Copilot and AI
Microsoft 365
Windows 365 and Azure Virtual Desktop
Microsoft Defender and Sentinel
Azure
Server
Identity Protection and Management
Information Protection and Management
Intune
Windows Autopilot
Device Management
Scripting and Automation
Security Tools and Guides
Microsoft News
Security News
What’s New Updates
What’s new in Windows Autopatch: June 2024 (1st party)
Get ready for the latest and greatest additions to Windows Autopatch, including the public preview of alerts for policy conflicts! Read on for an inside scoop on how Windows feature update and reliability reports can help you stay on top of update compliance targets for your devices. The newest enhancement to update reports allows you to see which, if any, devices are flagged with conflicting policies. Policies are continuously monitored by Windows Autopatch. When a policy in your tenant is found to be missing, or a modification to a policy affects services, Windows Autopatch will raise alerts. Detailed recommendations about actions that can be taken to help ensure the healthy operation of the service are provided along with the alerts. Alerts will remain in view until they are (manually) resolved.
For this year’s Microsoft BUILD conference, we are thrilled to announce significant updates to WSL. This blog post will provide an overview of these enhancements and the recent developments in WSL.
Microsoft Defender XDR monthly news (1st party)
This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from May 2024.
Microsoft Build 2024: everything announced (3rd party)
Microsoft had a lot to say about Windows and AI — and a little to say about custom emoji — during the Build 2024 keynote. The company, like just about everyone else in the industry, is charging hard at cramming AI into every nook and cranny it can find. That means Copilot watching your screen to help you play Minecraft or giving you AI agent co-workers. The whole event was over two hours long, but you can catch the highlights below.
Training
Course AZ-900T00-A: Microsoft Azure Fundamentals (1st party) [FREE]
This course will provide foundational level knowledge on cloud concepts; core Azure services; and Azure management and governance features and tools. This course is suitable for IT personnel who are just beginning to work with Azure. This audience wants to learn about our offerings and get hands-on experience with the product. This course primarily uses the Azure portal and command line interface to create resources and does not require scripting skills. Students in this course will gain confidence to take other role-based courses and certifications, such as Azure Administrator. This course combines lecture, demonstrations, and hands-on labs. This course will also help prepare someone for the AZ-900 exam.
Course AZ-104T00-A: Microsoft Azure Administrator (1st party) [FREE]
This course teaches IT Professionals how to manage their Azure subscriptions, secure identities, administer the infrastructure, configure virtual networking, connect Azure and on-premises sites, manage network traffic, implement storage solutions, create and scale virtual machines, implement web apps and containers, back up and share data, and monitor your solution. This course is for Azure Administrators. The Azure Administrator implements, manages, and monitors identity, governance, storage, compute, and virtual networks in a cloud environment. The Azure Administrator will provision, size, monitor, and adjust resources as appropriate. Successful Azure Administrators start this role with experience in virtualization, networking, identity, and storage.
This course teaches Azure administrators how to plan, deliver, and manage virtual desktop experiences and remote apps, for any device, on Azure. Lessons include implementing and managing networking for Azure Virtual Desktop, configuring host pools and session hosts, creating session host images, implementing and managing FSLogix, monitoring Azure Virtual Desktop performance and health, and automating Azure Virtual Desktop management tasks. Students will learn through a mix of demonstrations and hands-on lab experiences deploying virtual desktop experiences and apps on Azure Virtual Desktop and optimizing them to run in multi-session virtual environments. Candidates of this course must have solid Azure administration skills. This course assumes prior experience, including virtualization, networking, identity, storage, backup and restore, and disaster recovery. Students should have knowledge of on-premises virtual desktop infrastructure technologies as they relate to migrating to Azure Virtual Desktop. Students are expected to have used the tools common to the Azure environment, such as Azure PowerShell and Cloud Shell.
Copilot and AI
Microsoft App Assure supports Copilot for Microsoft 365 customers moving to monthly updates (1st party)
At Microsoft, our mission to empower every person and every organization to achieve more is continually propelled by innovation. A prime example of that innovation is Copilot for Microsoft 365. Today I’m thrilled to share an important update that will help even more organizations take advantage of this groundbreaking AI tool. Copilot iterates fast and relies on the latest updates and integration throughout the Microsoft product suite, so devices need to be on a monthly update channel for Microsoft 365 Apps (Current Channel or Monthly Enterprise Channel). We recommend Monthly Enterprise Channel for predictable updates, reliability, and enterprise management. Every day we see more commercial customers moving to a monthly update channel to maximize the benefits of Copilot. The vast majority—over 75 percent—are currently running on the Monthly Update Channel or Current Channel. To support the transition, I’m excited to announce that we’re expanding App Assure’s app compatibility promise to include a specific commitment to Copilot customers adopting monthly updates.
When our teams face new challenges and are encouraged to try new things, they’re more likely to find new and creative solutions. It all depends on workplace culture. Over the years, we’ve helped thousands of organizations adopt new technology, and time after time we discover the same truth: culture is the engine of innovation. So, what happens when an industry built on tradition and precedent finds itself at the crossroads of new challenges and established ways of working? Recent surveys show 62% of legal professionals now report spending up to seven hours a week tracking and analyzing regulatory developments, and the overwhelming majority (73%) anticipate this surge in regulatory activity to continue. Like many companies, Microsoft is exploring how AI can help our legal teams more efficiently handle these new workloads at scale and deliver impact.
Copilot+ PCs and more messages during Microsoft Build (3rd party) [VIDEO]
In episode 334 of the 365 Message Center Show, the hosts discuss Microsoft Build announcements, focusing on the introduction of Copilot+ PCs, which bring Copilot’s capabilities to local machines. They explore the implications of having AI processing locally, such as improved security and functionality. The episode also covers new Teams meeting options for controlling lobby permissions and managing access to meeting transcripts and recordings. Additionally, they touch on the integration of Copilot features in classic Outlook for Windows, emphasizing the removal of barriers to adoption. The hosts conclude with a rapid-fire segment, highlighting updates like notification suppression for hidden channels and muted chats in Teams.
Microsoft 365
Decorate your background – How generative AI backgrounds work, and why you might want to use them (1st party)
Microsoft Teams has always been at the forefront of innovation, and the Decorate your background feature is no exception. Released in Teams Premium in January 2024, this feature uses generative AI to create an artificial version of the user’s real background but cleans it up or decorates it following a specific theme. Background replacement has become increasingly popular, as it allows users to project a mood or image into a Teams meeting, or simply to hide a messy room. Teams offers a variety of different background replacement themes, including standard and portrait blur, video backgrounds, frosted glass (which is great for displaying your company logo in your video calls), and a variety of specific images. Backgrounds in Microsoft Teams won the 2024 IF Design Award for Product Backgrounds and give Teams users joy, help them feel connected, and express who they are. The Decorate your background feature takes this a step further by creating a background that looks like the room the user is in, only cleaned up and therefore presentable. It offers different styles, like Clean up, Fancy, Greenhouse, Celebration, and Surprise me, with more in the works.
Successfully navigating a fast-paced workplace requires teams to collaborate closely and share the same information. Channels facilitate this by bringing people together for common functions, projects, or interests. Designed for enduring collaboration, channels maintain their structure and purpose, even as members change, ensuring organizational continuity, transparency, knowledge sharing, and the preservation of vital conversations and decisions. When setting up a channel, you can choose from three channel types (standard, private, and shared), enabling you to bring in the right collaborators while controlling access to shared resources and avoiding oversharing, without needing to create multiple similar teams. We also expanded the limit on the number of channels in a team to 1000, so you can manage a large project in one team. However, the persistent nature and scalability of channels can present usability challenges if they are not managed as priorities and projects shift. Disorganized, redundant, or outdated channels can hinder finding relevant conversations, detracting from their role in supporting effective communication and collaboration.
Windows 365 and Azure Virtual Desktop
App attach for Azure Virtual Desktop allows IT admins to dynamically attach applications from an application package to a user session in Azure Virtual Desktop. In December 2023, we announced a public preview for some exciting new app attach features. App attach is now generally available and here are some of the new capabilities. Applications can now be assigned to any host pool or session host. You can assign application packages to multiple host pools in your environment. Applications can now be assigned per user, both within a desktop session and remote app sessions. This means that in any host pool in any session, users can be assigned different application combinations. This should reduce the number of host pools and images you require. Application groups are no longer required to assign users to app attach apps, significantly simplifying assignment and reducing the number of application groups needed. Application assignment, removal, and upgrades can be performed without needing a maintenance window and without interrupting a user’s workflow. We’re excited about these new features and recommend that any new app attach object be created using the new flow.
What’s new and next for Windows in the cloud | Tackling Tech (1st party) [VIDEO]
In this episode of “Tackling Tech,” Harjit Dhaliwal from the Windows Commercial team at Microsoft introduces the new season and delves into the latest advancements in Windows cloud computing. The guest, Christiaan Brinkhoff, discusses Azure Virtual Desktop (AVD) and Windows 365, explaining their functionalities and benefits. The conversation highlights the simplicity of Windows 365 for modern administrators and the integration of Cloud PC with Intune. They also cover the innovative features of Windows 365 Boot and Switch, designed to enhance user experience by simplifying access to Cloud PCs. The episode touches on partnerships with VMware and LG, and the potential of Windows 365 Frontline for frontline workers. The discussion concludes with a look at future developments and an invitation for feedback from the tech community.
Today we are happy to announce the general availability of hibernation support in Azure Virtual Desktop. Explore additional capabilities that make it easier to save compute costs for your idle resources. In November 2023, we announced the public preview of hibernation support in Azure Virtual Desktop. Hibernating a session host virtual machine (VM) deallocates the machine while persisting the VM's in-memory state. When a VM hibernates, you don't pay for the compute cost associated with the VM. Instead, you pay only for the storage and networking costs associated with the VM. When the session host virtual machine starts, the user will be able to quickly resume from where they left off.
Mac Platform SSO: Office, Edge, and Windows 365 Cloud PC (3rd party) [VIDEO]
This video features Steve Wier from getrubiks.com discussing the integration of Single Sign-On (SSO) for Mac users within a corporate environment, focusing on the seamless experience provided by Windows 365 Cloud PC. Steve begins with a light-hearted anecdote about hockey jerseys before diving into the technical aspects of Mac platform SSO. He demonstrates the SSO process by signing into various Microsoft applications like Office and Edge without needing to re-enter credentials, thanks to the SSO configuration. The video also touches on the challenges faced by Mac users following Apple’s shift from Intel to their own silicon chips, which affects the ability to run traditional Windows builds. Steve highlights the benefits of Windows 365 Cloud PC for Mac users, offering a full Windows experience through virtual machines. He concludes by emphasizing the importance of a streamlined experience for Mac users in a corporate setting, where consistency across devices is key.
Microsoft Defender and Sentinel
“Defenders think in lists, attackers think in graphs.” [1] This remains a reality for the many organizations that operate across siloed security tools, fueling the demand on security operations center (SOC) teams, as advanced cyberattacks continue to increase in frequency and speed. That’s where extended detection and response (XDR) solutions play a critical role in overcoming the silos and doing the work of correlating alerts across asset types, not only giving defenders the ability to respond faster on their own, but even autonomously responding to some of the most sophisticated cyberattacks. Today, we are excited to announce that Microsoft has been named a leader in The Forrester Wave: Extended Detection and Response (XDR) Platforms, Q2 2024, with the highest scores in the strategy, current offering, and market presence categories. Microsoft Defender XDR was rated the highest possible in 15 out of 22 evaluation criteria, including Endpoint Native Detection, Surface Investigation, Threat Hunting, Analyst Experience, Vision, and Innovation.
Simplifying Servers Security in Microsoft Defender for Cloud (1st party) [VIDEO]
This Microsoft Defender for Cloud webinar provides an in-depth look at simplifying server security, focusing on the transition to a single-agent and agentless approach for enhanced protection. The presenters discuss the journey towards simplified security, the retirement of the MMA log analytics agent, and the tools available to facilitate this migration. They emphasize the integration of Microsoft Defender for Endpoint (MDE) and the agentless VM scanning platform, which offers multicloud and on-premises environment protection without performance impact. The session also covers the Defender for Servers plans, highlighting the capabilities of each plan and the benefits of the agentless approach. Additionally, the presenters provide resources and a workbook to assist users in tracking their transition progress, ensuring they can leverage the full range of security features offered by Microsoft Defender for Cloud.
In the fast-evolving landscape of cloud security, Microsoft Defender for Cloud (MDC) stands as a robust Cloud Native Application Protection Platform (CNAPP). One of its standout features is the premium Cloud Security Posture Management (CSPM) solution, known as Defender CSPM. Among the myriad advanced capabilities offered by Defender CSPM, the "Governance Rule" feature is a game-changer. It empowers security teams to streamline and automate the assignment, management, and tracking of security recommendations. In this blog, we'll delve into best practices for leveraging Governance Rule to ensure effective, efficient, and timely remediation actions and explore practical use cases for maximizing its potential.
With ransomware campaigns continuing to grow, they remain top of mind for security leaders. Across these sophisticated cyberattacks, the use of remote desktop protocol (RDP) compromise has reached record levels, making it even more critical to provide analysts with full visibility into potentially malicious RDP session use. That’s why today we are excited to announce a new way to identify potentially compromised devices in your organization via the new ‘DesktopName’ field in Defender for Endpoint, which enables analysts to easily detect, investigate, and hunt for suspicious interactive processes executed on so-called ‘hidden desktops’.
Shift Left with Microsoft Defender for Cloud (1st party) [VIDEO]
This video features product managers Charles and Larry discussing the importance of integrating security early in the application development lifecycle. They highlight the challenges faced by enterprises, such as fragmented visibility, rogue applications, lack of insights, and silos between DevOps and security teams. The solution presented is Microsoft Defender for Cloud’s DevOps security, which is part of a comprehensive cloud-native application protection platform. It offers multi-pipeline DevOps security visibility, code-to-cloud contextualization, and automated remediation processes. The video demonstrates how to create connectors, assess security states, and prioritize vulnerabilities. It also showcases the integration with GitHub Advanced Security and the use of generative AI to automate remediation workflows, ultimately aiming to unify application security posture management into a single console.
Azure
We are announcing the public preview of Azure Load Balancer Administrative State (Admin State) to make managing your VMs in the backend pool of Azure Load Balancer simple and effective. With Admin State, you can override your Azure Load Balancer’s health probe behavior for each individual backend pool instance (usually VMs or VMSS instances) without making changes to your network security rules or closing ports on your VM. You can set the Admin State of the backend instance to up or down, overriding the Load Balancer health probe. This setting changes how the Load Balancer directs new or existing connections to the backend instance. With Admin State, removing virtual machines from the backend pool for routine maintenance, patching, or simply applying fixes is easy and doesn’t require the additional overhead of closing ports or updating security rules.
In this quickstart, you create an Azure Lab Services lab plan in the Azure portal and grant permissions to a user to create labs. Azure Lab Services enables you to create labs with infrastructure managed by Azure. After you create a lab plan, you can create labs by using the Azure Lab Services website, Microsoft Teams, or Canvas. A lab plan is an Azure resource. A lab plan contains configuration and settings that apply to all the labs created from it. For example, lab plans specify the networking setup, the available virtual machine (VM) images, and VM sizes. After you complete this quickstart, you'll have a lab plan that you can use for other quickstarts and tutorials.
Search over Azure Blob Storage content (1st party)
Searching across the variety of content types stored in Azure Blob Storage can be a difficult problem to solve, but Azure AI Search provides deep integration at the content layer, extracting and inferring textual information, which can then be queried in a search index. In this article, review the basic workflow for extracting content and metadata from blobs and sending it to a search index in Azure AI Search. The resulting index can be queried using full text search. Optionally, you can send processed blob content to a knowledge store for non-search scenarios.
Azure Update - 24th May 2024 - BUILD Special (3rd party) [VIDEO]
This John Savill Azure Update is a BUILD special that dives into a plethora of new announcements and features. It covers updates across Azure’s services, including VMs with custom ARM chips, AI-optimized VM series, app configuration experimentation, AKS support, and Azure functions running on container apps. The video also touches on Azure’s machine learning enhancements, API management capabilities, and database improvements like Cosmos DB’s computed properties and cross-region DR for MongoDB. Additionally, it discusses networking updates, security integrations, and the expansion of Azure’s AI and machine learning services, providing a comprehensive overview of Azure’s latest advancements.
Azure Update - 31st May 2024 (3rd party) [VIDEO]
This Azure Update video provides a comprehensive overview of the latest enhancements and features in Azure services. John Savill discusses new capabilities such as hibernation for virtual machines, advanced container networking services, and improvements to Azure Kubernetes Service (AKS). The video also highlights updates to Azure storage, including large volume support and backup options, as well as developments in Azure networking like new regions for Azure Firewall and health event logs for Azure Load Balancer. Additionally, the video covers database advancements with graph semantics in Kusto and the expansion of Azure HDInsight on AKS to new regions. Lastly, it touches on Azure Site Recovery reporting, activity log alerts within the EU data boundary, and new functionalities in Chaos Studio and Azure Monitor.
Server
Microsoft continues to bring innovation and improvements to our Hyper-V platform. Live migration has been around for a while and is a key component to managing virtual machines (VMs). With Windows Server 2025 you will see improvements that make Hyper-V more reliable, increase scale, and improve performance. This article covers an improvement with Live Migration, and you can expect to see more articles soon to cover other innovations for Windows Server 2025.
Identity Protection and Management
At Microsoft Azure, we are unwavering in our commitment to providing robust and reliable networking solutions for our customers. In today’s dynamic digital landscape, seamless connectivity, uncompromising security, and optimal performance are non-negotiable. As cyber threats have grown more frequent and severe, the demand for security in the cloud has increased drastically. As a response to this, we are announcing a new SKU for Microsoft Azure Bastion—Azure Bastion Premium. This service, now in public preview, will provide advanced recording, monitoring, and auditing capabilities for customers handling highly sensitive workloads. In this blog post, we’ll explore what Azure Bastion Premium is, the benefits this SKU offers, and why it is a must-use for customers with highly regulated security policies.
Features like multifactor authentication (MFA) are a great way to secure your organization, but users often get frustrated with the extra security layer on top of having to remember their passwords. Passwordless authentication methods are more convenient because the password is removed and replaced with something you have or something you are or know. Each organization has different needs when it comes to authentication. Microsoft Azure and Azure Government offer the following five passwordless authentication options that integrate with Microsoft Entra ID: Windows Hello for Business, platform Credential for macOS, platform single sign-on (PSSO) for macOS with smart card authentication, Microsoft Authenticator, passkeys (FIDO2), and certificate-based authentication.
Microsoft Entra ID Tenant Starters Guide: Understanding Identity Management and Licensing (1st party)
Microsoft Entra ID Tenant is a cloud-based identity and access management service that helps you manage your organization's users, devices, applications, and resources. It is a powerful and flexible solution that enables you to securely connect your employees, customers, and partners to the digital resources they need, while protecting your organization from unauthorized access and identity threats. In this guide, you will learn the basics of Microsoft Entra ID Tenant, how to access and use it, how to manage licenses for different Microsoft products and services, and how to address some common challenges and scenarios related to identity management and licensing.
Information Protection and Management
Prioritize Security Incidents Based on Data Importance | Microsoft Defender with Microsoft Purview (1st party)
Prioritize incidents based on data significance, detect insider risks, and adapt protections in real-time with Microsoft Defender XDR and Microsoft Purview. Customize thresholds and risk indicators to detect anomalous behavior and prevent potential breaches with Adaptive Protection. Receive real-time DLP alerts triggered by policy matches, ensuring immediate action to safeguard sensitive data. Gain comprehensive visibility into threats and enforce policies across all devices and applications.
This article introduces the key considerations for planning subscriptions, licenses, and trials for Power BI and Fabric. One key aspect of managing Microsoft Fabric is to ensure that users have access to the capabilities that they need. To this end, you must purchase and manage subscriptions, licenses, and trials for your organization. Managing subscriptions, licenses, and trials is necessary to ensure that both content creators and content consumers can use Fabric and Power BI. Licensing is an important topic that can be complex, especially when your organization is implementing Fabric or Power BI for the first time. While this article describes key decisions and considerations about subscriptions, licenses, and trials, it also contains links to supplementary articles and resources for more detailed and practical information.
Is OneDrive for Business the New PST? (3rd party)
In a simpler world, we worried about the prospect of terminated employees removing information from companies in PST files generated by Outlook. PST files arrived with Outlook in 1997 as a solution for the limited mailbox storage available in Exchange Server at the time. Most users had 50 MB mailbox quotas. Even with the smaller average size of messages and lower message volumes, it was easy to fill a quota, which meant that you needed to free mailbox space to continue receiving new emails. The PST, or personal store table, allowed users to move messages from their online mailbox to local storage. Since then, people have used PSTs in many different ways from mailbox migrations to mailbox exports (something still supported today by Purview content searches). Useful as they could be, the insecurity and fragility of PSTs were their downsides, an aspect exposed all too often when attackers compromised servers and recovered PSTs full of sensitive information (like the 179 PSTs stolen in the great Sony heist of 2014).
Last week’s news that Microsoft has started to make a set of premium audit events available to customers with Purview Audit (standard) licenses was welcome. The idea is that customers can use significant audit events like MailItemsAccessed and Send in forensic investigations of user activity that are often necessary when account compromise is suspected. Previously, Purview audit only generated these events for accounts with Purview Audit (Premium) licenses. Along with the Exchange events, Microsoft is making an additional fifteen Teams audit events available to Purview Audit standard customers. Among the set are audit events to capture details of meetings and meeting participants. The MeetingDetail event captures information such as the start and end time for a meeting, the URL to join the meeting, and the modalities used in a meeting such as audio and video. The MeetingParticipant event captures details of user participation in a meeting including their join and leave times and is like the information recorded in the attendance report.
Intune
These are similar-looking terms that perform two different tasks, and this quick nugget unpacks what they do. Check-in is the standard way for the device to contact the Intune service to receive policies and settings. When the device is enrolled with Intune for the first time, notifications are sent to the device to retrieve the policies. After that, the device checks in with Intune periodically to receive configuration profiles and policies. If a device doesn’t check in to get the policy or profile after the first notification, Intune makes three more attempts. If the device is offline or switched off, the check-in is attempted again in the next cycle. The same applies to checks for noncompliance, including devices that move from a compliant to a noncompliant state. Intervals vary depending on the platform.
Intune Training – Drive Encryption (3rd party) [VIDEO]
In this episode of the “Intune Training” series, Steve and Adam delve into the critical topic of drive encryption for IT professionals. They discuss the importance of securing data at rest to prevent unauthorized access if a device is lost or a hard drive is removed. The video provides a step-by-step guide on how to implement disk encryption for both macOS and Windows devices using Microsoft Intune. They emphasize the necessity of encryption as a fundamental security control and provide insights into compliance policies, encryption methods, and key management. The hosts also address common issues and troubleshooting tips, such as the impact of removable media on encryption processes. The tutorial is designed to be straightforward, aiming to assist viewers in enhancing the security posture of their IT environments effectively.
This video provides a comprehensive demonstration of the Intune Apps for Patch My PC Cloud preview feature, guiding viewers through the registration process, company setup, and application deployment within Microsoft Intune. The presenter, Scott, an engineer at Patch My PC, showcases how to sign up, grant permissions, and navigate the portal to connect to Intune. He explains how to create an Enterprise application, start a trial, and access the application catalog, highlighting the ease of deploying applications like Notepad++ with customizable install scripts and assignment options.
The printing solution that a business uses is integral to its operations and can either positively or negatively affect productivity. It’s important to ensure that you can get the maximum benefit from your IT infrastructure. A key component of any printing solution is proper printing setup. But it’s not always as easy as we’d like it to be, especially with so many different products and services available on the market. IT admins need to choose wisely so that businesses can implement tailor-made solutions to address the needs of their employees. Today, we’ll be going over how you can take advantage of Win32 apps for the installation of printer drivers and printers, making light work of printing setup and execution.
How to evaluate Windows 11 Readiness with Intune (3rd party)
Before thinking about rolling out Windows 11, two reports are available to assess the readiness of the devices managed by Intune for Windows 11. Back in the early days of Windows 10, Desktop Analytics was there to help assess the readiness of the environment, but it wasn’t especially convenient. The built-in Windows 11 Readiness reports in Intune make the task a breeze compared to Desktop Analytics. In this post, we’ll detail how to configure Intune and use the Windows 11 Readiness reports.
Windows Autopilot
Easily deploy and manage hundreds of Teams Rooms on Windows with Autopilot and Autologin (1st party)
Deployment of Teams Rooms on Windows is getting a serious upgrade. As announced at InfoComm this week, Autopilot and Autologin for Teams Rooms on Windows is now generally available. It enables you to deploy at scale and configure Teams Rooms with minimal onsite interaction, which can help save you time and resources. Whether you’re deploying dozens of new Teams Rooms on Windows or redeploying existing rooms, you can realize the many benefits of Autopilot and Autologin.
Autopilot for Teams Rooms Windows Step-by-Step Tutorial (3rd party) [VIDEO]
Get step-by-step instructions on how to use Autopilot and Autologin for Microsoft Teams Rooms on Windows. You can use Windows Autopilot and Autologin to deploy, provision, reset, redeploy, and recover Microsoft Teams Rooms on Windows consoles in your organization. Windows Autopilot with Autologin for Teams Rooms simplifies and accelerates the on-site deployment of Teams Rooms consoles running Windows. The combination of these technologies removes the need for anyone to physically interact with the Teams Rooms console during provisioning and deployment. Instead, the console completes the Windows and Teams app installation automatically out of the box, and once installation is complete, it signs in to the Teams Rooms app without anyone needing physical access to the device. Together, these features greatly simplify the Teams Rooms console lifecycle, from initial deployment to end of life.
Arguably the biggest change with Autopilot device preparation (APV2) is the technical flow and the emphasis on the user assignment. This is critical to understand as when we look at the trade-offs in the out-of-box experience (OOBE) compared to Autopilot V1 (APV1), they are not arbitrary; it all has to do with the flow. Basically, in APV1 you registered the PC to the Azure tenant prior to deployment, or even having the device in hand. This was done via collecting the device hardware hash. Once the PC booted up and connected to a network, it would automatically reach out to check in with Microsoft to see if it was registered in Autopilot. If it was, the end user at that point would immediately see a custom OOBE, hiding most of the screens we looked at in my previous post.
You’ve probably run into a scenario like this before and never understood why: You assign a new, seemingly harmless policy to a configuration profile in Intune, and now the device reboots at the end of the device ESP phase. After the reboot, the user has to log in to continue the user ESP phase, since their credentials aren’t persisted through the reboot. But what causes that? The idea was somewhat reasonable: certain policies need a reboot before they actually become effective, so to ensure that happens as soon as possible, the reboot is triggered automatically. The logic for doing that is actually not part of Windows Autopilot; it’s part of the Windows MDM client, but the net effect is the same: when certain policy URIs are received by the device, it will reboot at the end of the device ESP.
Reading the Windows Autopilot tea leaves (3rd party)
If you missed it this past week, let me first point you to the source: Windows deployment with the next generation of Windows Autopilot. So what did this blog tell you? Certainly that there are changes being made to Windows Autopilot, but what are those changes and when will they be available? Some of that has been spelled out (to a degree at least), but a good portion has been left in a “what’s to come list.” So let’s go through the items starting with the more imminent and well-defined ones.
In this blog, I will show you how a specific Microsoft Intune policy could mess up your cloud-based Autopilot Device Preparation Application reporting even while the Autopilot Device Preparation enrollment seems successful. Before exploring the new Autopilot Device Preparation profile, let’s briefly return to the “old” Autopilot and the corresponding Enrollment Status Page. Configuring the blocking apps in the Enrollment Status Page (ESP) Settings would require the device to install those apps for a successful Autopilot Enrollment. This works pretty well in regular Autopilot, especially with the best-effort option that was added, but how does it work with the new Windows Autopilot device Preparation?
Device Management
Over the last year, we have worked on reimagining Windows PCs and yesterday, we introduced the world to a new category of Windows PCs called Copilot+ PCs. Copilot+ PCs are the fastest, most intelligent Windows PCs ever with AI infused at every layer, starting with the world’s most powerful PC Neural Processing Units (NPUs) capable of delivering 40+ TOPS of compute. The new class of PCs is up to 20 times more powerful and up to 100 times as efficient for running AI workloads compared to traditional PCs. This is a quantum leap in performance, made possible by a quantum leap in efficiency. The NPU is part of a new System on Chip (SoC) that enables the most powerful and efficient Windows PCs ever built, with outstanding performance, incredible all-day battery life, and great app experiences. Copilot+ PCs will be available in June, starting with Qualcomm’s Snapdragon X Series processors. Later this year we will have more devices in this category from Intel and AMD.
Microsoft Teams has undergone significant updates, offering a faster, simpler, and more responsive experience. As an administrator, you’ll want to ensure seamless deployment of the new Microsoft Teams app across your organization. While users may have already received the “try the new Microsoft Teams” prompt, installing the latest version may be a better user experience, especially for new devices in the environment. In this blog post, we’ll detail how to package the New Microsoft Teams using SCCM and Intune for mass deployment.
Ready to try out Windows 11 24H2? (3rd party)
Even though the “full” or “final” release of Windows 11 24H2 won’t be available with all the expected functionality until the 4th quarter of this year, it is going to ship earlier on new ARM64 devices that will be available in mid-June. To prepare for that, Microsoft is already pushing the core Windows 11 24H2 bits (minus features to be added later) into the Insider Release Preview channel. If you’re like me and like to use virtual machines for testing, you can download the ISOs too.
Speeding Up Your OS Deployment (3rd party) [VIDEO]
In this informative video, Johan from the Deployment Research YouTube channel shares valuable insights on accelerating OS deployment for both MDT and Config Manager environments. He dives into practical tips, such as ensuring your deployment server has sufficient resources like CPU, disk, and network speed, and recommends having at least 8 GB of memory and four cores for optimal performance. Johan also introduces useful tools like iPerf for network speed testing and Diskspd for measuring disk performance, demonstrating their usage with clear examples. Whether you’re dealing with remote distribution points or local deployments, the video provides strategies for efficient OS deployment, including the use of thin images, WIM driver packages, and peer-to-peer technologies like BranchCache, to enhance speed without compromising network or server capacity.
Scripting and Automation
The goal of fusion development is to create an environment where citizen developers, professional (code-first) developers, and IT professionals can collaborate seamlessly. We want to create a great experience both for makers creating an app for the first time and for code-first developers who want transparency into the source code of their Power Apps. We are proud to announce the public preview of a Code View in Power Apps Studio. Developers can now view and use the source code in readable YAML + Power Fx format.
Automatically create Hyper-V virtual machines for Autopilot V2 testing (3rd party) [VIDEO]
This video features Steve Wner from getrubiks.com, who introduces an improved version of his automatic Hyper-V creation script for Autopilot V2 testing. He explains the enhancements made to streamline the virtual machine (VM) creation process and the addition of a feature to expedite Autopilot device preparation. The video walks viewers through the script modifications, demonstrating how to set up the script, create VMs with unique identifiers, and generate corporate identifiers for Autopilot testing. Steve emphasizes the script’s utility in creating Hyper-V VMs efficiently, which is particularly useful for IT professionals involved in frequent Autopilot testing.
Practical PowerShell: Branching (3rd party)
In my previous article in the Practical PowerShell series, I discussed looping as part of flow control. In this article, I cover another essential part of flow control: branching. Branching defines multiple paths for your code to follow, depending on conditions. Next to loop constructs, there are decision-making cmdlets to control branching in code. It is an essential construct and allows you to branch code based on conditions (if) that are met (then) and optionally are not met (else). This construct is easy to understand and use because it follows natural language. You also see it in other environments, such as home automation or PowerAutomate.
Remove-NonCorporateApps.ps1 (3rd party)
When you’re building your Windows 10 and Windows 11 images, you may find a desire to remove the non-Enterprise applications. This script, written by Microsoft MVP Gary Blok, will help you handle this process in a neat and repeatable fashion.
Not being a professional PowerShell guy like Michel de Rooij, I hack merrily away at PowerShell to get stuff done without being too concerned about the finer points of code. Once I learn how to do something, I tend to keep on using that technique, which is why many of the scripts that I write have similarities. I suspect that I’m not the only one whose PowerShell journey has been a succession of learning experiences without the benefit of formal training. In any case, what I do works, and I enjoy grappling with PowerShell very much. Which brings me neatly to an excellent article about optimizing Microsoft Graph PowerShell scripts by Nicola Suter. This is an article that anyone working with PowerShell in a large organization where it’s common to work with tens of thousands of objects like user accounts or mailboxes should read. What attracted my attention is the discussion about batching requests, or as Microsoft refers to the topic: Combine multiple HTTP requests using JSON batching, a title possibly not designed to attract the attention of people looking for a good read.
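As an added illustration of the JSON batching technique mentioned above (this is example code written for this newsletter, not Nicola Suter’s or Tony Redmond’s script), the function below looks up a list of users in Microsoft Graph with the `$batch` endpoint instead of one request per user. It assumes the Microsoft.Graph PowerShell SDK is installed and that `Connect-MgGraph` has already been run with a scope such as `User.Read.All`; the function name and the column set it returns are this example’s own choices.

```powershell
# Added example: batching Microsoft Graph GET requests through the /$batch endpoint.
# Assumes: Microsoft.Graph SDK installed, Connect-MgGraph already run with User.Read.All.
function Get-MgUserBatch {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $UserPrincipalName,
        [string] $Select = 'id,displayName,mail,accountEnabled'
    )

    # Graph accepts at most 20 sub-requests per $batch call, so chunk the input.
    $batchSize = 20
    $results   = New-Object System.Collections.Generic.List[object]

    for ($offset = 0; $offset -lt $UserPrincipalName.Count; $offset += $batchSize) {
        $last  = [Math]::Min($offset + $batchSize, $UserPrincipalName.Count) - 1
        $chunk = @($UserPrincipalName[$offset..$last])

        # One sub-request per user; the id maps each response back to its input.
        $requests = for ($i = 0; $i -lt $chunk.Count; $i++) {
            @{
                id     = "$i"
                method = 'GET'
                url    = "/users/$([uri]::EscapeDataString($chunk[$i]))?`$select=$Select"
            }
        }

        $body     = @{ requests = @($requests) } | ConvertTo-Json -Depth 5
        $response = Invoke-MgGraphRequest -Method POST `
            -Uri 'https://graph.microsoft.com/v1.0/$batch' `
            -Body $body -ContentType 'application/json'

        foreach ($item in $response.responses) {
            $upn = $chunk[[int]$item.id]
            if ($item.status -eq 200) {
                $results.Add([pscustomobject]@{
                    Input          = $upn
                    Id             = $item.body.id
                    DisplayName    = $item.body.displayName
                    Mail           = $item.body.mail
                    AccountEnabled = $item.body.accountEnabled
                    Status         = $item.status
                })
            }
            else {
                # Sub-requests fail independently (404 unknown user, 429 throttled, ...),
                # so record the status per row rather than aborting the whole batch.
                $results.Add([pscustomobject]@{
                    Input = $upn; Id = $null; DisplayName = $null; Mail = $null
                    AccountEnabled = $null; Status = $item.status
                })
            }
        }
    }
    return $results
}

# Usage (sample input constructed for this example):
# Get-MgUserBatch -UserPrincipalName 'alice@contoso.com','bob@contoso.com' | Format-Table
```

The point worth noticing is that a batch does not fail as a unit: each sub-request carries its own HTTP status, so a script that processes tens of thousands of accounts should inspect `Status` per row and retry only the throttled ones rather than treating the whole call as failed.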
PowerShell tool-building is an essential part of learning to go from a copy/paste scripter to someone that can build real, reusable scripts. As an example of a tool-building methodology, let’s build a simple computer inventory report tool that will walk you through the process of building a simple yet effective tool using PowerShell. We'll start with reading data from a CSV file, then query computer details using CIM, and finally output the results into a structured format. Let’s get started!
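The CSV-to-CIM-to-report flow described above, written out as an added example for this newsletter rather than the article’s own tool. It assumes a CSV with a `ComputerName` column and WinRM access to the listed hosts; the function name, the CIM classes queried, and the output columns are this example’s choices.

```powershell
# Added example: a small inventory tool following the pattern CSV -> CIM query -> objects.
# Assumes a CSV with a ComputerName column and WinRM (CIM over WS-Man) access to each host.
function Get-ComputerInventory {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $CsvPath,
        [pscredential] $Credential
    )

    $rows = @(Import-Csv -Path $CsvPath)
    if ($rows.Count -eq 0 -or -not ($rows[0].PSObject.Properties.Name -contains 'ComputerName')) {
        throw "CSV '$CsvPath' is empty or has no ComputerName column."
    }

    foreach ($row in $rows) {
        $name = "$($row.ComputerName)".Trim()
        if (-not $name) { continue }

        $session = $null
        try {
            $sessionParams = @{ ComputerName = $name; ErrorAction = 'Stop' }
            if ($Credential) { $sessionParams.Credential = $Credential }
            $session = New-CimSession @sessionParams

            $os   = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem
            $cs   = Get-CimInstance -CimSession $session -ClassName Win32_ComputerSystem
            $disk = Get-CimInstance -CimSession $session -ClassName Win32_LogicalDisk -Filter "DeviceID='C:'"

            # Emit a structured object per host so the caller can sort, filter or export it.
            [pscustomobject]@{
                ComputerName = $name
                Reachable    = $true
                OSName       = $os.Caption
                OSVersion    = $os.Version
                LastBoot     = $os.LastBootUpTime
                Manufacturer = $cs.Manufacturer
                Model        = $cs.Model
                MemoryGB     = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
                FreeDiskGB   = if ($disk) { [math]::Round($disk.FreeSpace / 1GB, 1) } else { $null }
                Error        = $null
            }
        }
        catch {
            # Unreachable or access-denied hosts still get a row, so the report is complete.
            [pscustomobject]@{
                ComputerName = $name; Reachable = $false; OSName = $null; OSVersion = $null
                LastBoot = $null; Manufacturer = $null; Model = $null; MemoryGB = $null
                FreeDiskGB = $null; Error = $_.Exception.Message
            }
        }
        finally {
            if ($session) { Remove-CimSession -CimSession $session }
        }
    }
}

# Usage: Get-ComputerInventory -CsvPath .\computers.csv | Export-Csv .\inventory.csv -NoTypeInformation
```

Returning objects instead of formatted text is what turns a script into a tool: the same function feeds `Export-Csv`, `Where-Object Reachable -eq $false`, or a compliance check, without any change to the function itself.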
Security Tools and Guides
ShrinkLocker: Turning BitLocker into ransomware (3rd party)
Attackers always find creative ways to bypass defensive features and accomplish their goals. This can be done with packers, crypters, and code obfuscation. However, one of the best ways of evading detection, as well as maximizing compatibility, is to use the operating system’s own features. In the context of ransomware threats, one notable example is leveraging exported functions present in the cryptography DLL ADVAPI32.dll, such as CryptAcquireContextA, CryptEncrypt, and CryptDecrypt. In this way, the adversaries can make sure that the malware can run and simulate normal behavior in various versions of the OS that support this DLL. Although this seems smart enough, another clever technique caught our attention in a recent incident response engagement: using the native BitLocker feature to encrypt entire volumes and stealing the decryption key. The original purpose of BitLocker is to address the risks of data theft or exposure from lost, stolen, or improperly decommissioned devices. Nonetheless, threat actors have found out that this mechanism can be repurposed for malicious ends to great effect. In that incident, the attackers were able to deploy and run an advanced VBS script that took advantage of BitLocker for unauthorized file encryption. We spotted this script and its modified versions in Mexico, Indonesia, and Jordan. In the sections below, we analyze in detail the malicious code obtained during our incident response effort and provide tips for mitigating this kind of threat.
In this three-part blog series, we will explore different approaches to achieving passive persistence in an Active Directory (AD) environment. Specifically, we'll examine whether it is possible to survive a remediation process that contains steps such as rotating passwords, resetting AD service accounts, revoking logon sessions and removing backdoors on AD components such as domain controllers. In this blog - the first in the series - we tackle the scenario of password rotation for compromised accounts, exploring how attackers can intercept and adapt to these changes. Subsequent blogs will delve into AD’s password replication processes, as well as generic replication processes between domain controllers. Our goal is to examine whether it’s possible to achieve “eternal persistence” – a state where an attacker remains embedded in the network without detection, regardless of the defensive measures taken. Ultimately, we aim to equip blue teamers and security professionals with the knowledge required to understand, detect, and defend against these sophisticated threats.
During an internal penetration test, Cortex EDR was installed on the domain controller. After obtaining Domain Admin privileges on the network, the EDR blocked all known attempts to extract the NTDS hashes. Consequently, I had to think of alternative methods to retrieve the hashes.
AD_Miner: Active Directory audit tool (3rd party)
ADMiner is an Active Directory audit tool that leverages cypher queries to crunch data from the BloodHound graph database (neo4j) and gives you a global overview of existing weaknesses through a web-based static report, including detailed listing, dynamic graphs, key indicators history, along with risk ratings.
Microsoft News
6 insights from Microsoft’s 2024 state of multicloud risk report to evolve your security strategy (1st party)
Multicloud computing has become the foundation for digital businesses, with 86% of organizations having already adopted a multicloud approach. However, for all its benefits around increased agility, flexibility, and choice, we also see unique challenges with multicloud—including the need to manage security, identity, and compliance across different cloud service providers (CSPs), ensure data portability, and optimize costs. Securing multicloud environments is a deeply nuanced task, and many organizations struggle to fully safeguard the many different ways cyberthreat actors can compromise their environment. In our latest report, “2024 State of Multicloud Security Risk,” we analyzed usage patterns across Microsoft Defender for Cloud, Microsoft Security Exposure Management, Microsoft Entra Permissions Management, and Microsoft Purview to identify the top multicloud security risks across Microsoft Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), and beyond. This is the first time Microsoft has released a report sharing key insights across aspects of cloud security, including identity and data.
In the ever-evolving landscape of cyberthreats, staying ahead of malicious actors is a constant challenge. Microsoft Threat Intelligence has observed that gift cards are attractive targets for fraud and social engineering practices. Unlike credit or debit cards, there’s no customer name or bank account attached to them, which can lessen scrutiny of their potentially suspicious use in some cases and present cybercriminals with a different type of payment card surface to study and exploit. Microsoft has seen an uptick in activity from threat actor group Storm-0539, also known as Atlas Lion, around the United States holidays, including Memorial Day, Labor Day, Thanksgiving, Black Friday, and Christmas. In advance of Memorial Day 2024, Microsoft has observed a 30% increase in activity from Storm-0539 between March and May 2024. The latest edition of Cyber Signals dives deep into the world of gift card fraud, shedding light on Storm-0539 and its sophisticated cybercrime techniques and persistence, while providing guidance to retailers on how to stay ahead of these risks.
Exposed and vulnerable: Recent attacks highlight critical need to protect internet-exposed OT devices (1st party)
Since late 2023, Microsoft has observed an increase in reports of attacks focusing on internet-exposed, poorly secured operational technology (OT) devices. Internet-exposed OT equipment in water and wastewater systems (WWS) in the US were targeted in multiple attacks over the past months by different nation-backed actors, including attacks by IRGC-affiliated “CyberAv3ngers” in November 2023, as well as pro-Russian hacktivists in early 2024. These repeated attacks against OT devices emphasize the crucial need to improve the security posture of OT devices and prevent critical systems from becoming easy targets. OT systems, which control real-world critical processes, present a significant target for cyberattacks. These systems are prevalent across various industries, from building heating, ventilation, and air conditioning (HVAC) systems, to water supply and power plants, providing control over vital parameters such as speed and temperature in industrial processes. A cyberattack on an OT system could transfer control over these critical parameters to attackers and enable malicious alteration that could result in malfunctions or even complete system outages, either programmatically via the programmable logic controller (PLC) or using the graphical controls of the human machine interface (HMI).
There has been a lot of buzz around laptops and other portable Windows devices this week. Microsoft's Surface and Windows 11 AI stage show kicked off a gigantic list of exciting announcements before its Build event began, including a brand-new range of Copilot+ AI PCs powered by Qualcomm's revolutionary Snapdragon X Elite and X Plus ARM processors. While the experiences of running traditional x86-64 apps on ARM-powered Windows devices range from acceptable to exceptional, the appeal of Windows on Arm is about to become even stronger. Until now, Microsoft offered developers its ARM64EC application binary interface (ABI), allowing them to gradually replace sections of x64 (64-bit) binaries in their apps with ARM-native code to improve performance. As a "great PC reset" looms with all-new devices featuring powerful 45+ TOPS NPUs, Microsoft has unveiled a new emulator for ARM devices called Prism.
Microsoft is planning to launch its new Copilot Plus PCs next week without its controversial Recall feature that screenshots everything you do on these new laptops. The software maker is holding back Recall so it can test it with the Windows Insider program, after originally promising to ship Recall as an opt-in feature with additional security improvements. “We are adjusting the release model for Recall to leverage the expertise of the Windows Insider community to ensure the experience meets our high standards for quality and security,” says Microsoft in an updated blog post. “When Recall (preview) becomes available in the Windows Insider Program, we will publish a blog post with details on how to get the preview.”
Security News
The MITRE Corporation has revealed that the cyber attack targeting the not-for-profit company towards late December 2023 by exploiting zero-day flaws in Ivanti Connect Secure (ICS) involved the threat actor creating rogue virtual machines (VMs) within its VMware environment. "The adversary created their own rogue VMs within the VMware environment, leveraging compromised vCenter Server access," MITRE researchers Lex Crumpton and Charles Clancy said. "They wrote and deployed a JSP web shell (BEEFLUSH) under the vCenter Server's Tomcat server to execute a Python-based tunneling tool, facilitating SSH connections between adversary-created VMs and the ESXi hypervisor infrastructure." The motive behind such a move is to sidestep detection by obscuring their malicious activities from centralized management interfaces like vCenter and maintain persistent access while reducing the risk of being discovered.
Cybersecurity researchers have discovered that the malware known as BLOODALCHEMY used in attacks targeting government organizations in Southern and Southeastern Asia is in fact an updated version of Deed RAT, which is believed to be a successor to ShadowPad. "The origin of BLOODALCHEMY and Deed RAT is ShadowPad and given the history of ShadowPad being utilized in numerous APT campaigns, it is crucial to pay special attention to the usage trend of this malware," Japanese company ITOCHU Cyber & Intelligence said. BLOODALCHEMY was first documented by Elastic Security Labs in October 2023 in connection with a campaign mounted by an intrusion set it tracks as REF5961 targeting the Association of Southeast Asian Nations (ASEAN) countries.
Prescription management company Sav-Rx is warning over 2.8 million people in the United States that it suffered a data breach, stating that their personal data was stolen in a 2023 cyberattack. A&A Services, doing business as Sav-RX, is a pharmacy benefit management (PBM) company that provides prescription drug management services to employers, unions, and other organizations across the U.S. On Friday, the company notified the Maine Attorney General's office of a cybersecurity incident in October 2023 that exposed the data of 2,812,336 people.
A Morocco-based cybercriminal operation is breaching the systems of large retailers in order to fraudulently issue gift card codes to themselves, according to a new Microsoft report. Tagged as Atlas Lion or Storm-0539, the group has been spotlighted repeatedly by Microsoft over the last year for its sophisticated tactics in breaching retailers. “Rather than scam or phish everyday people directly for gift card-based payments, Storm-0539 infiltrates large retailers and fraudulently issues gift card codes to themselves, virtually printing their own money,” Microsoft’s Vasu Jakkal explained.
A new phishing campaign uses HTML attachments that abuse the Windows search protocol (search-ms URI) to push batch files hosted on remote servers that deliver malware. The Windows Search protocol is a Uniform Resource Identifier (URI) that enables applications to open Windows Explorer to perform searches using specific parameters. While most Windows searches will look at the local device's index, it is also possible to force Windows Search to query file shares on remote hosts and use a custom title for the search window.
The U.S. Department of Justice (DoJ) on Wednesday said it dismantled what it described as "likely the world's largest botnet ever," which consisted of an army of 19 million infected devices that was leased to other threat actors to commit a wide array of offenses. The botnet, which has a global footprint spanning more than 190 countries, functioned as a residential proxy service known as 911 S5. A 35-year-old Chinese national, YunHe Wang, was arrested in Singapore on May 24, 2024, for creating and acting as the primary administrator of the illegal platform from 2014 to July 2022. Wang has been charged with conspiracy to commit computer fraud, substantive computer fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering. If convicted on all counts, Wang faces a maximum penalty of 65 years in prison.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a security flaw impacting the Linux kernel to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. Tracked as CVE-2024-1086 (CVSS score: 7.8), the high-severity issue relates to a use-after-free bug in the netfilter component that permits a local attacker to elevate privileges from a regular user to root and possibly execute arbitrary code. "Linux kernel contains a use-after-free vulnerability in the netfilter: nf_tables component that allows an attacker to achieve local privilege escalation," CISA said.
Microsoft has emphasized the need for securing internet-exposed operational technology (OT) devices following a spate of cyber attacks targeting such environments since late 2023. "These repeated attacks against OT devices emphasize the crucial need to improve the security posture of OT devices and prevent critical systems from becoming easy targets," the Microsoft Threat Intelligence team said. The company noted that a cyber attack on an OT system could allow malicious actors to tamper with critical parameters used in industrial processes, either programmatically via the programmable logic controller (PLC) or using the graphical controls of the human-machine interface (HMI), resulting in malfunctions and system outages.