Rust/WinRT Public Preview – Windows Developer Blog

We are excited to announce that the Rust/WinRT project finally has a permanent and public home on GitHub:
https://github.com/microsoft/winrt-rs
Rust/WinRT follows in the tradition established by C++/WinRT of building language projections for the Windows Runtime using standard languages and compilers, providing a natural and idiomatic way for Rust developers to call Windows APIs. Rust/WinRT lets you call any WinRT API past, present, and future using code generated on the fly directly from the metadata describing the API and right into your Rust package where you can call them as if they were just another Rust module.
The Windows Runtime is based on Component Object Model (COM) APIs under the hood and is designed to be accessed through language projections like C++/WinRT and Rust/WinRT. Those language projections take the metadata describing various APIs and provide natural bindings for the target programming language. As you can imagine, this allows developers to more easily build apps and components for Windows using their desired language. You can then use those Windows APIs to build desktop apps, store apps, or something more unique like a component, NT service, or device driver.
Microsoft has long depended on C++ as the backbone for so much of what we do, but it has some challenges particularly when it comes to security. Modern C++ certainly makes it easier to write safe and secure C++ if you follow certain careful conventions, but that is often hard to enforce on larger projects. Rust is an intriguing language. It closely resembles C++ in many ways, hitting all the right notes when it comes to compilation, runtime model, type system and deterministic finalization. While it has its own unique learning curve, it also has the potential to solve some of the most vexing issues that plague C++ projects, and is designed from the ground up with memory safety and safe concurrency as core principles. For more information on Rust and safe systems programming, check out the Microsoft Security Response Center.
Below is a simple example of Rust calling a Windows API. The API itself does not matter, but it should give you a sense for how naturally Windows APIs may be called from Rust code. In the following example, we are using the XmlDocument class from the Windows.Data.Xml.Dom namespace to parse and inspect a simple XML document:

use windows::data::xml::dom::*;

// Parse a small XML document and inspect its root element.
// Each projected call returns a Result, so `?` propagates any HRESULT failure.
let doc = XmlDocument::new()?;
doc.load_xml("<html>hello world</html>")?;

let root = doc.document_element()?;
assert!(root.node_name()? == "html");
assert!(root.inner_text()? == "hello world");

If you are familiar with Rust, you will notice this looks far more like Rust than it looks like C++ or C#. Notice the snake_case on module and method names and the ? operator for error propagation.
Here is another example using the Windows.ApplicationModel.DataTransfer namespace to copy some value onto the clipboard:

use windows::application_model::data_transfer::*;

// Build a DataPackage holding plain text and place it on the clipboard.
let content = DataPackage::new()?;
content.set_text("Rust/WinRT")?;

Clipboard::set_content(content)?;
// flush() keeps the content available after the source process exits.
Clipboard::flush()?;

For a more complete example, I encourage you to have a look at Robert Mikhayelyan’s Minesweeper demo. Robert originally wrote a version of the classic game using C++/WinRT and was able to quickly port it over to using Rust/WinRT. https://github.com/robmikh/minesweeper-rs
This is a very early public preview, but we have decided to work in the open from here on out. So please give it a try and let us know what you think. We would love the feedback as we continue to develop Rust/WinRT and plan to eventually publish on crates.io. We also hope to provide more seamless interop with existing Win32 and COM APIs including support for the com-rs crate, which supports COM APIs today. https://github.com/microsoft/winrt-rs

Using multiple profiles at work and at home is now easier with Microsoft Edge – Microsoft Edge Blog

Our customers tell us that they like to keep their browsing data separate as they take on various roles in their lives. For people at home working from their own devices, this is particularly important.
Microsoft Edge’s “Profiles” feature is a great way to do this, whether you’re switching between work and personal browsing, juggling your job and freelancing business, or managing your tasks as an admin alongside other responsibilities.
In this post, we’ll share some improvements coming to browsing with multiple profiles in Microsoft Edge, and walk you through how to get started with this feature.
Setting up multiple profiles
To get started with multiple profiles, click the profile icon to the right of your address bar and click “Add a profile”. Then, on the consent screen that comes next, just click “Add”. Your profile is now added.
Each profile opens in a new window and gets its own desktop icon. You can pin each desktop icon independently to your Windows taskbar by right clicking on the Microsoft Edge icon.
If you’d like to roam your data across devices, you can sign into each profile with a Microsoft Account or a Work or School Account and choose to sync your data. Since browsing data is separated between profiles, each profile will sync independent of the other.

Switching between profiles
You can switch between profiles any time by clicking on the desktop icon or window associated with a profile. You can also switch using the profile flyout by clicking the profile icon or you can switch from the edge://settings/profiles page.

Getting to the right profile
We’ve heard that two things users find challenging are getting links to open in the right profile and making sure you don’t mistakenly open work content in your personal profile. Today, we’re excited to announce two features that we hope will make this easier:
Selecting a default profile (available in Microsoft Edge 81 and higher)
To ensure that links you open from another app open in the profile of your choice, you can now select a default profile in Microsoft Edge. To select a default profile to open external links, do the following:
Navigate to edge://settings
Select the “Multiple profile preferences” option (Note: This will only show if you have multiple profiles.)
Use the drop down menu to select which profile you’d like external links to open with.

Automatic profile switching (available in Microsoft Edge 83 and higher)
We’re also excited to announce a new feature to help you get to your work content more easily while using multiple profiles. We call it Automatic Profile Switching. If you’re a multiple profiles user, you can check it out by trying to navigate to a work site (a site authenticated with your work or school account) while in your personal profile.
When we detect this, we will prompt you to switch to your work profile to access that site without having to authenticate to it. When you choose the work profile you want to switch to, the website will simply open in your work profile.
We hope that this will help you keep your work and personal data separate and help you get to your work content more seamlessly. In case this doesn’t work for your flows, you can choose “Don’t ask me again,” and it will get out of your way.

We are excited to release this improvement for your multiple profile scenarios—give it a try and let us know how you like it! If you run into any issues or have any feedback on using multiple profiles, use the in-app feedback button (or Alt-Shift-I) and we’ll use it to make the experience better for you.
Thank you for helping us build Microsoft Edge to be the best browser for you.
– Avi Vaid, Program Manager, Microsoft Edge

R.I.P. Office 365, Long Live Microsoft 365

Microsoft just made sweeping changes to the Office 365 ecosystem, both for personal subscriptions (Office 365 Personal and Home) and Office 365 for Business, sunsetting the Office 365 brand and replacing it with Microsoft 365. This was put in place as of April 21, 2020.

This article will look at what these changes mean, explore the differences between Office 365, Microsoft 365 and Office 2019 and the subscription model underlying these offerings as well as make some predictions for the enterprise services that are still under the Office 365 name.

Office 365 Home and Personal

Let’s start with the home and family subscriptions. Over 500 million people use the free, web-based versions of Word, Excel etc. along with Skype and OneDrive to collaborate and connect. Then there are 38 million people who have subscribed to Office 365 Home or Office 365 Personal. Both provide the desktop Office suite (Word, Excel etc.) for Windows and Mac, along with matching applications for iOS and Android and 1 TB of OneDrive space. These two plans are changing name to Microsoft 365 Personal ($6.99 per month) and Microsoft 365 Family ($9.99 per month) respectively. Personal is for a single user whereas Family works with up to six people (and yes, they each get 1 TB of OneDrive storage for a maximum of 6 TB). Otherwise, they’re identical and provide advanced spelling, grammar and style assistance in Microsoft Editor (see below), AI-powered suggestions for design in PowerPoint, coaching when you rehearse a PowerPoint presentation and the new Money in Excel (see below). Each user also gets 50 GB of email storage in Outlook, the ability to add a custom email domain and 60 minutes worth of Skype calls to mobiles and landlines.

Office 365 / Microsoft 365 plan choices: picking a plan for home use is easy

Microsoft Editor is Microsoft’s answer to Grammarly and is available in Word on the web, and the desktop Word version, along with Outlook.com as well as an Edge or Chrome extension. It supports more than 20 languages and uses AI to help you with the spelling, grammar, and style of your writing. The basic version is available to anyone, but the advanced features are unlocked with a Personal or Family subscription. These include suggestions for how to write something more clearly (just highlight your original sentence), plagiarism checking and the ability to easily insert citations and suggestions for improving conciseness and inclusiveness.

Settings for the Microsoft Editor browser extension

Money in Excel connects Excel to your bank and credit card accounts so you can import balances and transactions automatically and provides personalized insights on your spending habits. Money isn’t available yet and will be US only in the first phase when it rolls out over the next couple of months.

Outlook on the web will let you add personal calendars, not only marrying your work and home life but also providing clarity for others seeking to find appointment times with you – of course, they won’t see what’s penned in your calendars, only when you’re not available. Play My Emails is coming to Android (already available on iOS), letting Cortana read your emails to you while you’re on the go. The Teams mobile app is being beefed up for use in your personal life as well. Finally, Microsoft Family Safety is coming to Android and iOS devices, helping parents protect their children when they explore and play games on their devices.

You’ll have noticed that nearly all of these new features and services are on the horizon but not here yet. If you’re already an Office 365 Home or Personal subscriber, your subscription has just changed its name to Microsoft 365 Family or Personal; until these new goodies are available, nothing else has changed, including the price of your subscription. Note that none of these changes applies to the perpetual Office 2019 licenses (Word, Excel etc. that you purchase rather than subscribe to); Office 2019 doesn’t provide any cloud-powered, AI-based features, nor does it get the monthly feature updates that its Office 365 based cousin enjoys.

Microsoft 365 Business Basic, Apps, Standard and Premium

Of more interest to readers of Altaro’s blogs are probably the changes to the Office 365 SMB plans (which top out at 300 users). As a quick summary (for a more in-depth look at Office and Microsoft 365, here’s a free eBook from Altaro): Microsoft 365 Business Basic (formerly known as Office 365 Business Essentials, at $5 per user per month) gives each user an Exchange mailbox, Teams and SharePoint access, the web browser versions of Word, Excel etc. and 1 TB of OneDrive storage.

Microsoft 365 Apps for Business (old name Office 365 Business, $8.25 per user per month) provides the desktop version of Office for Windows, Mac, Android, and iOS devices and 1TB of OneDrive storage.

Microsoft 365 Business Standard (prior name Office 365 Business Premium, a name change that won’t confuse anyone) weighs in at $12.50 per user per month and gives you both the desktop and web versions of Office.

Finally, Microsoft 365 Business Premium (formerly known as Microsoft 365 Business, again not confusing at all, at $20 per user per month) gives you everything in Standard, plus Office 365 Advanced Threat Protection, Intune based Mobile Device Management (MDM) features, Online Archiving in Exchange and much more.

Microsoft 365 Management Portal

In a separate announcement, Microsoft is bringing the full power of AAD Premium P1 for free to Microsoft 365 Business Premium. This will give SMBs cost-effective access to Cloud App Discovery which provides insight and protection for users in the modern world of cloud services, including discovering which applications your staff are using. It’ll also bring Application Proxy to be able to publish on-premises applications to remote workers easily and securely, dynamic groups make it easier to make sure staff are in the right groups for their role, and password-less authentication using Windows Hello for Business, FIDO 2 security keys and Microsoft’s free authenticator app.

Note that none of the Enterprise flavors of Office 365, E1, E3 and E5, F1 for first-line workers, the A1, A3 and A5 for education, nor the G1, G3 and G5 varieties for government organizations are changing at this time. My prediction is that this will change and before long, all of these will be moved to the unifying Microsoft brand.

Philosophically there are a few things going on here. As a consultant who both sells and supports Office / Microsoft 365 to businesses, as well as a trainer who teaches people about the services, there’s always been a pretty clear line between the two. Office 365 gives you the Office applications, email and document storage. If you wanted mobile device management (Intune), advanced security features (Azure Active Directory, AAD), Windows 10 Enterprise and Information Protection you went for Microsoft 365. These features are all available under the moniker Enterprise Mobility + Security (EMS) so essentially Microsoft 365 was Office 365 + EMS.

Adding Microsoft 365 Licenses

This line is now being blurred for the small business plans, which can make it even more difficult to make sure that small and medium businesses pick the right plans for their needs. Remember, though, that you can mix and match the different flavors in a business: just because some users need Microsoft 365 Business Premium doesn’t mean that other roles in your business can’t work well with just Microsoft 365 Business Basic.

And this isn’t a surprise move: even Office 365 administrators have been using the Microsoft 365 management portal for quite some time. Here’s a screenshot of the old, retired Office 365 portal.

Office 365 Admin Center

More broadly though I think the brand changes are signalling that Office 365 is “growing up” and using the same name across the home user stack as well as the SMB stack (with the Enterprise SKUs to follow) provides a more homogenous offering.

Just as with the name changes to the personal plans, there’s nothing for IT administrators to do at this stage: the plans will seamlessly change names, but all functionality remains the same (including the lack of long term backup, something that Altaro has a remedy for).

Author: Paul Schnackenburg

Clumio backup adds Microsoft 365 protection

Clumio backup is adding software-as-a-service application support, starting with protection for Microsoft 365.

The Clumio backup-as-a-service product’s first level of 365 support is Microsoft Exchange Online emails, with more to follow.

Microsoft’s 365 service protection responsibility is limited to the infrastructure level. In fact, Microsoft even lays out what’s needed for protection, said Chadd Kenney, vice president and chief technologist at Clumio.

“At the end of the day, it’s the customers’ responsibility for backing up that data,” Kenney said.

Cloud-based data such as Microsoft 365 emails face risks including data loss — for example, accidental and malicious deletions — and ransomware attacks. Security features in the Clumio backup include immutability and an “air gap,” Kenney said.

“SaaS is one of the most vulnerable areas,” he said, because users often don’t pay attention to what is protected.

For many organizations, 365 backup is still an afterthought, according to Archana Venkatraman, associate research director at IDC.

“Many consider Microsoft’s infrastructure-level security and retention capabilities are enough,” Venkatraman wrote in an email. “But backing up 365 is important for granular recovery, and meeting retention obligations for specific industries such as financial services, healthcare and the public sector.”

In addition, more enterprises are considering data protection to enable remote working in the current market conditions, as there are many extra endpoints vulnerable to malware and ransomware attacks, Venkatraman said.

“Customers are looking for faster restores in case of ransomware attacks,” she wrote.

Clumio backup for Microsoft 365 — formerly Office 365 — offers recovery options from a single email to a full mailbox. Users can easily browse through particular folders and go back to a specific point in time, Kenney said.

The product has been in early access for about three weeks and officially launches May 6.

Clumio backup for Microsoft 365 follows the new vendor’s protection of VMware and AWS workloads.

Law firm chooses Clumio for VMware, 365 backup

Clumio, founded in 2017 and based in Santa Clara, Calif., launched its first services last year. It also offers backup for VMware Cloud on AWS, VMware vSphere and AWS native services. Customer demand led Clumio to choose Microsoft 365 for its next platform support.

“Email in particular was the biggest focus,” Kenney said.

CSK Legal, a law firm based in Miami with about a dozen locations in Florida, has used Clumio backup for VMware for about a year and just started using Clumio for 365.


The firm is in the middle of a migration to fully using 365 for email. CIO Jason Thomas said he expects Clumio to ultimately protect 20 TB of email.

Thomas said the Clumio backup for 365 is straightforward, fast and similar to the product he’s been using for VMware protection. It even uses the same interface.

CSK Legal backs up about 100 VMware VMs with Clumio, and also has Rubrik for on-premises backups.

Thomas said he didn’t have any hang-ups with using a product so new to the market. He was familiar with Clumio CEO and co-founder Poojan Kumar, and said he was confident in Kumar’s knowledge and ability to launch companies. Kumar was also CEO and co-founder of PernixData, which Nutanix acquired in 2016.

Thomas also knew Clumio salespeople because they previously sold him other products, which have worked well. In addition, Thomas said he likes Clumio’s pricing model, the lack of ingress and egress charges, how much he can back up, the indexing and search capabilities, and the ability to restore.

“We’re a full VMware shop, so they support everything we need,” he said. “I have yet to see a solution that’s as slick as theirs.”

CSK Legal has a second data center for its disaster recovery site, but Thomas said in the future the firm could use the cloud and Clumio for DR.

Clumio’s competition and plans

Clumio enters a crowded market of backup for 365. Backup vendors that offer 365 support include Acronis, Arcserve, Carbonite, CloudAlly, Commvault, Druva and Veeam.

Kenney said Clumio backup stands out because it’s one platform that was born in the cloud, rather than some traditional vendors that started with an on-premises platform and later built another for cloud-based backup.

Enterprises need to evaluate ease of use, flexibility, scalability and integration features when investing in Microsoft 365 backup, according to IDC’s Venkatraman.

“A backup-as-a-service offering that is cloud-native and API-driven is complementary to an organization’s cloud migration and transformation journey,” Venkatraman wrote. 

With so many companies working remotely because of the coronavirus pandemic, Clumio is especially helpful now because there’s no need to go into a data center to install it, Kenney said. Customers can sign up with an email and password. The vendor claims it takes minutes to set up.

“It’s about as simple as setting up a LinkedIn account,” Kenney said.

Clumio backup for Microsoft 365 is priced per user, per month. The vendor said it will provide details when the product becomes generally available.

Clumio will add Microsoft 365 calendar backups in the next couple of months through a regular product update. It plans to add support for OneDrive in the third quarter and for SharePoint in the fourth quarter. Kenney said Clumio also plans backup for Microsoft Teams.

Salesforce, ServiceNow and Slack are among the other SaaS platforms on Clumio’s radar.

Clumio has 134 employees and closed a $135 million Series C funding round in November.


Consider Office 365 MFA to thwart attacks

With governments worldwide issuing stay-at-home orders, many organizations have looked to cloud collaboration platforms, such as Office 365, to keep employees working. With new technology comes new risks that threaten those companies that have no control over the devices being used to connect remotely.

Due to the COVID-19 pandemic, the number of remote workers increased sharply, leading to a consequent rise in phishing attempts. Companies that require just one factor — a password — to verify their users can leave themselves vulnerable to an outside attack. To address this security gap, administrators are implementing multifactor authentication (MFA) to strengthen the protections around Office 365 and verify users that sign in to use these cloud services.

Office 365 MFA requires modern authentication

Office 365 MFA provides an additional security layer to ensure the person using a login is legitimate, not a hacker using stolen credentials. This feature is available in Office 365 Business Premium and Enterprise plans to verify login attempts to Exchange Online and other Office 365 services.

To start, the administrator must enable modern authentication for their tenant. This can lead to issues for organizations still using legacy versions of Microsoft Outlook, such as Outlook 2010. To avoid difficulties, clients would need to upgrade to the 2013 version or newer.

To configure Office 365 MFA, the administrator must be a member of at least one of these roles: global administrator, SharePoint administrator, Exchange administrator, conditional access administrator, security administrator, help desk administrator, password administrator, billing administrator, user administrator or authentication administrator.

Next, the administrator must go to the Office 365 admin portal (admin.microsoft.com), then navigate to Settings > Settings and select the Services tab and choose Modern authentication. Once selected, a pop-up window appears as shown in Figure 1 and the Enable Modern authentication checkbox can be selected.

Office 365 modern authentication
Figure 1. To use multifactor authentication on Office 365, the administrator needs to turn on modern authentication on the collaboration platform.

Administrators can also run the following PowerShell command to enable modern authentication after connecting to Exchange Online PowerShell:

Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

Setting up Office 365 for end users

Next, the administrator can start Office 365 MFA for the end users in their tenant by browsing to the following URL and signing in with their credentials. (This URL is shown in the User panel in the General tab when making edits to a user account in the portal.)
https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx?BrandContextID=O365

To apply Office 365 MFA to a user, the administrator selects the user and chooses the enable MFA option. The administrator can notify the end user and share a link that assists them with choosing their preferred MFA option, which includes:

  • Receiving a call to confirm the individual
  • Receiving a notification through the mobile app
  • Receiving a code via text or SMS
  • Using the Microsoft Authenticator app

Administrators can also enable Office 365 MFA for multiple users at once. The MFA portal provides an option to download a sample CSV file the administrator can use as a template to populate with the list of users that require MFA, and, once completed, it can be uploaded and processed.

PowerShell can also be used to enable MFA for one or multiple users.

For individual users, use the following PowerShell script:

Import-Module MSOnline
Connect-MsolService

# Build a requirement that applies MFA to every relying party ("*") and enable it.
$st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$st.RelyingParty = "*"
$st.State = "Enabled"
$sta = @($st)

# Replace the address below with the user's user principal name (UPN).
Set-MsolUser -UserPrincipalName "[email protected]" -StrongAuthenticationRequirements $sta

For multiple users:

# Replace the addresses below with the UPNs of the users that require MFA.
$users = "[email protected]","[email protected]","[email protected]"
foreach ($user in $users)
{
    $st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $st.RelyingParty = "*"
    $st.State = "Enabled"
    $sta = @($st)
    Set-MsolUser -UserPrincipalName $user -StrongAuthenticationRequirements $sta
}
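The CSV-driven bulk enablement described above, followed by the audit an administrator would want afterwards (which licensed accounts still have no MFA requirement, and which are required but have not registered a method). This is an added example, not the article's own script; it assumes the MSOnline module is installed and a CSV file with a UserPrincipalName column, both of which are assumptions for this example.

```powershell
# Added example (not from the article): bulk-enable per-user MFA from a CSV and
# then audit which users still have no MFA requirement or no registered method.
# Assumes the MSOnline module is installed and the CSV has a "UserPrincipalName"
# column (a hypothetical layout; adjust it to match your own export).
Import-Module MSOnline
Connect-MsolService

$csvPath = ".\mfa-users.csv"   # constructed path for this example

# Build the requirement object once; it is the same for every user.
$req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$req.RelyingParty = "*"
$req.State = "Enabled"
$reqs = @($req)

foreach ($row in Import-Csv -Path $csvPath) {
    $upn = $row.UserPrincipalName
    try {
        Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements $reqs -ErrorAction Stop
        Write-Output "Enabled MFA for $upn"
    } catch {
        # A misspelled UPN or a user outside the tenant lands here instead of being silently skipped.
        Write-Warning "Failed for ${upn}: $($_.Exception.Message)"
    }
}

# Audit: licensed accounts with no MFA requirement at all, and accounts that are
# required to use MFA but have not yet registered a method (they will be prompted
# to register at their next sign-in, so they are still worth tracking).
$all = Get-MsolUser -All | Where-Object { $_.IsLicensed }

$noRequirement = $all | Where-Object { $_.StrongAuthenticationRequirements.Count -eq 0 }
$notRegistered = $all | Where-Object {
    $_.StrongAuthenticationRequirements.Count -gt 0 -and
    $_.StrongAuthenticationMethods.Count -eq 0
}

Write-Output "Licensed users without an MFA requirement:"
$noRequirement | Select-Object UserPrincipalName, DisplayName | Format-Table -AutoSize

Write-Output "Users required to use MFA who have not registered a method yet:"
$notRegistered | Select-Object UserPrincipalName, DisplayName | Format-Table -AutoSize
```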

Using third-party MFA offerings

Administrators also have the option to use a vendor’s MFA technology from companies such as Okta, RSA and Symantec to integrate with Office 365. Why consider a third-party MFA product? Microsoft’s cloud platform is not impervious to outages; downtime in Azure, which supplies the Office 365 MFA functionality, can block administrators and users alike when they try to access the collaboration platform.

Another way to increase security while using Office 365 is to use hardware-based tokens for MFA needs. Deepnet Security and Token2 sell programmable tokens that display a six-digit authentication code. These options are fully compatible with Office 365 and offer an alternative to using a smartphone or an app for MFA.

While an improvement over one-factor authentication, MFA will not guarantee protection from credential leaks. Administrators should consider implementing other security features on the Office 365 platform, such as security reports, access controls and reviewing logs that detail administrative access to the system.


Getting a handle on certificate management in Windows shops

Certificate management is one thing that IT pros often forget until an application fails or resources are unavailable because a certificate was not renewed before its expiration date.

Certificates are typically used to identify a webpage as a known site to create an encrypted HTTPS session. Most static webpages don’t use them. With known secure pages, the certificate handling is often done behind the scenes.

Certificates also manage authentication and communication between systems across an organization’s network; a lapsed certificate in your data center can have serious consequences, such as preventing users from logging into Microsoft Exchange to access email and calendars.

As an administrator, the process to check certificates in Windows is easily done by running certmgr.msc at the command prompt to open the Certificates Microsoft Management Console (MMC) snap-in tool.

On the surface, it doesn’t look too difficult to manage certificates, but problems with them have caused some of the largest applications in the world to go offline.

Certificates MMC snap-in tool
The Certificates MMC snap-in tool displays the installed certificates on the current Windows machine.

The most common use of certificates is to establish a secure communication tunnel with a website so both your login information and what you do is hidden from the rest of the internet. For example, when you load LinkedIn, the site uses a certificate to encrypt communication using Secure Sockets Layer between your machine and the site.

As you start to look at the websites you visit, you are likely to find many that use login information have certificates to protect your privacy. These certificates are not permanent and they do expire. When I checked, the LinkedIn certificate is due to expire in September. An expired certificate will cause problems. Once you cannot establish a secure connection, a website can simply go dark until the certificate is renewed.

LinkedIn certificate
Like many sites on the internet, LinkedIn uses a certificate to secure the traffic between the site and its users.

While losing LinkedIn might not be drastic, what if it was the certificate to a cloud-based application you use? Or worse yet, what if it was your company’s application and now your customers can’t access their data? An expiring certificate is simple to overlook and problems with certificate management happen to even the largest of companies, including Microsoft. It costs next to nothing to renew these certificates, but once they pass their expiration date, the resulting chaos can cost money and cause embarrassment for the IT staff.

Certificates often remain out of sight, out of mind

One of the main challenges with certificates is they remain hidden in plain sight. They are not complex to deal with and often last several years.

Your IT admins are used to the hustle and critical need of many IT services that remain front of mind. Because certificates last for a long time — often, several years — their importance fades into the background; they fall off the daily list of tasks that must be completed.

It’s easy enough to check the status of your certificates in Windows, but there is no mechanism to alert you about an imminent expiration. For some sites, it’s possible to click past the warning you might see when a certificate has expired; we train our users to avoid these types of potential security risks, so why is it an option to proceed? This practice doesn’t work for other key functions, such as single sign-on; other more automated functions will simply stop working when the certificate expires.
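Since Windows gives you no built-in expiry alert, the check is easy to script. The following is an added example (not from the article) that lists certificates in the local machine's personal store that expire within a chosen number of days, and reads the expiry of the certificate a remote HTTPS site serves; the store path, the 60-day window and the use of www.linkedin.com as the sample host are this example's own choices.

```powershell
# Added example (not from the article): report certificates that expire soon, both in
# the local machine's personal store and on a remote HTTPS endpoint. Run in an elevated
# PowerShell session so the LocalMachine store can be read.

function Get-ExpiringCertificate {
    param(
        [int]$Days = 60,                           # warning window in days
        [string]$StorePath = "Cert:\LocalMachine\My"
    )
    $cutoff = (Get-Date).AddDays($Days)
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.NotAfter -le $cutoff } |
        Sort-Object NotAfter |
        Select-Object Subject, Thumbprint, NotAfter,
            @{ Name = "DaysLeft"; Expression = { [int]($_.NotAfter - (Get-Date)).TotalDays } }
}

function Get-RemoteCertificateExpiry {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    # Perform only the TLS handshake to read the served certificate. The validation
    # callback returns $true so an already-expired or untrusted certificate is still
    # reported rather than throwing; nothing is sent over the connection afterwards.
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            HostName = $HostName
            Subject  = $cert.Subject
            Issuer   = $cert.Issuer
            NotAfter = $cert.NotAfter
            DaysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        }
    } finally {
        $client.Close()
    }
}

# Usage: local certificates within 60 days of expiry, then the certificate served by one public site.
Get-ExpiringCertificate -Days 60 | Format-Table -AutoSize
Get-RemoteCertificateExpiry -HostName "www.linkedin.com" | Format-List
```

A negative DaysLeft value means the certificate has already expired; scheduling this script and mailing its output is the simplest form of the monitoring the article recommends.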

Certificate management issues happen for several reasons

Renewal of certificates is not hard and can be done by even the most junior person on your team, except for one critical piece: You need a company credit card to charge the renewal to, and those are typically not given to junior admins. The stigma of needing to ask permission to use a corporate credit card or wanting to avoid the hassle of getting reimbursed can prevent IT staff from proceeding.

Oftentimes, this certificate task falls outside the realm of IT and into the accounting department. This also means they are the ones who would get the renewal notices, and they may not understand how critical they are until it’s too late.

If both the communication related to and the payment of the certificates is outside of the main IT department, then it’s up to IT to be proactive and stay on top of certificate management. You should not rely on an email or a spreadsheet to track these expiration dates. A group calendar appointment, even years out, still helps, even when turnover occurs. There are also several vendors that offer certificate management add-ons to popular monitoring tools, such as SolarWinds and Quest Software.

While you don’t want to reinvent or deploy large-scale solutions to address certificate management, it’s not something to ignore. They can be at the root of many wide-ranging issues. An expiring certificate is not usually on any type of disaster recovery or backup plan because they are so unique. Look to incorporate certificate monitoring into existing tool sets so your staff has ample time to get them renewed and deployed before your secure connections go offline along with your customers and reputation.

Checking a certificate isn’t hard and the renewal process isn’t difficult, but remembering to stay on top of certificate management continues to evade many IT shops. Another complication is the number of certificates to keep track of. You might have multiple sites, each with its own certificate, all of which are required to make one application work. It is easy to lose track of one, which can then cause a cascade of events that leads to application failure. While co-terming certificates to line up the expiration dates would make the most sense, that is not possible in every environment.
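The article notes that Windows shows certificate status but does not alert on an imminent expiry. The following PowerShell script is an added example (not from the article) that does that check for both the local machine store and the TLS endpoints an application depends on; the endpoint names are constructed placeholders, and the 60-day threshold is an assumption to adjust.

```powershell
# Added example: report certificates in the local machine store and on a list of
# TLS endpoints that expire within a threshold. Endpoint names are placeholders.

function Get-ExpiringStoreCertificate {
    param(
        [int]$WithinDays = 60,
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    $now = Get-Date
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.NotAfter -le $now.AddDays($WithinDays) } |
        ForEach-Object {
            [pscustomobject]@{
                Source     = $StorePath
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                DaysLeft   = [int]($_.NotAfter - $now).TotalDays
            }
        }
}

function Get-RemoteTlsCertificate {
    # Completes a TLS handshake and returns the leaf certificate the server sent.
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    $ssl = $null
    try {
        # The validation callback accepts any chain: this check only reads
        # NotAfter, it does not make a trust decision for anything else.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

function Get-ExpiringEndpointCertificate {
    param(
        [string[]]$HostName,
        [int]$WithinDays = 60
    )
    $now = Get-Date
    foreach ($h in $HostName) {
        try {
            $cert = Get-RemoteTlsCertificate -HostName $h
            if ($cert.NotAfter -le $now.AddDays($WithinDays)) {
                [pscustomobject]@{
                    Source     = $h
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    DaysLeft   = [int]($cert.NotAfter - $now).TotalDays
                }
            }
        }
        catch {
            # A failed handshake (host unreachable, TLS refused) is exactly what
            # the check exists to surface, so it is reported rather than skipped.
            [pscustomobject]@{ Source = $h; Subject = 'HANDSHAKE FAILED: ' + $_.Exception.Message; Thumbprint = $null; NotAfter = $null; DaysLeft = $null }
        }
    }
}

# Constructed endpoint list; replace with the hosts your applications depend on.
$Endpoints = 'www.example.com', 'sso.example.com'
$Report = @(Get-ExpiringStoreCertificate -WithinDays 60) +
          @(Get-ExpiringEndpointCertificate -HostName $Endpoints -WithinDays 60)

if ($Report) {
    $Report | Sort-Object NotAfter | Format-Table -AutoSize
    Write-Warning ("{0} certificate(s) need attention" -f @($Report).Count)
    exit 1   # a non-zero exit code lets a scheduled task or monitoring tool raise an alert
}
```

Run it from a scheduled task or as a custom check in an existing monitoring tool so the alert appears in the same place as other operational warnings.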

Go to Original Article
Author:

Remote access is just one of many COVID-19 IT challenges

The coronavirus pandemic caught quite a few organizations by surprise and the effects may linger long after the quarantine has ended.

IT workers scrambled to stand up technical service and hunt down enough laptops to give to workers, many of whom were working remotely for the first time. In addition to dealing with technical issues, administrators had to execute time-sensitive deployment projects while trying to explain the basics: connecting to a VPN, using multifactor authentication and muting the mic during a Zoom meeting.

Few organizations had the finances or the technical ability to quickly stand up a virtual desktop infrastructure environment to provide access to business applications that were only available to office users. As a temporary solution, some companies made do with their existing hardware and Windows Server licenses to spin up several Remote Desktop Session hosts and paid for the client access licenses to provide this remote access. Microsoft offered advice to help IT shops free up bandwidth for critical VPN systems for organizations that needed to accommodate a sudden influx of users.

Our advisory board members shared their thoughts about the ongoing coronavirus pandemic, how it affected their operations and what lessons they’ve learned during this transition period.

Tips to help IT weather this pandemic storm

Reda Chouffani: For many people working remotely for the first time, it might be overwhelming when they experience computer problems without an IT person nearby to assist. There are several keys to help IT leaders prepare their teams to expedite support and minimize some common pitfalls of working from home.


Here are a few things IT can consider to ease this transition:

  • Get the right internet speed. While many households have access to broadband, connecting to video conferences or remoting into the office computer is not always guaranteed to go smoothly. Employees who work from home need to make sure they have a solid wireless device. The quality of working remotely will suffer with a relatively slow connection by disrupting the use of video conferencing or some other cloud service. One way to ease network traffic at home is to put limits on the internet during work hours, such as restricting streaming video services by other household members.
  • Invest in the right hardware. Because being physically by the computer to troubleshoot hardware issues for IT might be out of the question, those in IT circles quickly recognized it’s important to send employees home with reliable laptops and other equipment. This is even more critical today because a broken laptop may leave an employee out of work for several days while they await a replacement.
  • Train users on communication tools. Since many companies moved to a remote work setup, the use of real-time chat applications, intranets to post announcements, conferencing products like WebEx or Microsoft Teams and file-sharing services have increased in importance. Companies that had little use for these tools before the coronavirus pandemic have had to quickly readjust and invest in training so users have a fuller understanding of the tools they are now expected to use.
  • Other ways IT can help ease the transition. The silver lining of this pandemic is it is a great opportunity for IT workers to deliver meaningful tools and education during these challenging times. There are creative ways some IT departments have engaged with their users rather than through the typical troubleshooting exchanges. IT workers have been sending updates through newsletters and sharing daily tips and fun ways to use the new technology, such as jazzing up the Zoom or Microsoft Teams backgrounds or using Snapchat plugins on a video conference.

Some shops had to scramble to set up security measures

Adam Fowler: Coronavirus changed a lot of priorities. Having the resources — both physical devices and support-wise to rapidly send everyone home — was the biggest struggle for many companies. Many people hadn’t worked from home beyond the occasional email from their phone, so staffers were thrown into the deep end to understand what they had and what they needed.

A lot of effort went to the real basics: What sort of internet do I have, where can I plug in my laptop, how do I get this screen working? It’s much harder to talk someone through these issues over the phone when the end user is not familiar with the equipment or the technology.

It was a high-pressure changeover. Everyone needed to keep working, so having to deal with plugging in your own cables or understanding why the wireless connection isn’t working can be frustrating for an end user. Setting up a video conference and choosing which device to use for the speaker and microphone was enough to frustrate people who were already stressed by the great unknown of the coronavirus pandemic.

Security, of course, was another big focus. I expect a lot of companies got caught by their “we just won’t give people remote access” setup because it was cheaper and easier to manage. There’s a lot of setup work involved in configuring multifactor authentication and poking holes in firewalls in a short period of time. Microsoft’s Azure Active Directory and multifactor authentication/conditional access is in a pretty good state right now, including user onboarding, so the timing of availability for those services was one positive outcome.

If this pandemic had occurred five years ago, then the IT world would have been in a much worse place. We would have been able to set up remote access, but it would have been less secure. There were products available but at a much higher premium than they are now, along with limited vendor support.


Lack of hardware hampered some efforts

Brian Kirsch: For quite some time, IT has been on a path to reduce hardware, add more cloud services and optimize wherever possible. This helped trim budgets and was a necessary evolution for IT, but then COVID-19 hit. Few of us could have predicted how crucial that hardware was until we needed it to provide services for remote workers.

At my school, we needed to put together a remote lab environment for IT students. We were able to forklift everything the 600 students needed in a few days instead of a yearlong rollout. It wasn’t perfect, but it does the job.

That seems to be the state of things in IT today: It’s not ideal, but it works. We finished the lab quickly because we had the necessary hardware. The project was on our agenda, but COVID-19 expedited the process. We heard anecdotal stories of other schools that struggled to set up similar environments, but they didn’t have enough physical servers, so the remote access system broke down when it could not support all the users.

This server shortage isn’t just something that hit higher education. Many IT shops that worked hard to reduce their data center footprint are now laboring to get those systems back so they can provide the services their users need. In addition to servers and other data center hardware, laptops and mobile technology are in short supply, causing prices to shoot through the roof. IT teams continue to struggle to get the technology they need to help employees that need a way to remotely access their organization’s resources.

It’s safe to say few disaster recovery plans had this kind of scope in mind when they were created. Both people and technology are advancing at speeds that were nonexistent before this pandemic, because a once-in-a-lifetime event was not on anyone’s radar.

I am seeing people who have never used remote technology not only just getting by, but flourishing as they fully embrace the tools and gain confidence by using them. The technology to support them won’t go away when this pandemic is over, so we might just see a reduction in the physical offices we once thought were so necessary to do our jobs.


Will working from home be the new normal after COVID-19?

Nathan O’Bryan: It’s time for corporate America to embrace remote work on a large scale. While the recent social distancing order to help curb the spread of the COVID-19 virus is the most recent and probably most attention-grabbing reason, it’s not the only one. Organizations just starting down the road of supporting remote workers have many challenges to address. The place to start is to define what your employees working from home need, then determine how your organization can secure those resources.

Multiple studies have shown that people are more productive working from home. I know many managers find that difficult to believe, but that’s the case if the remote worker has the proper setup. There are many other compelling reasons to let employees work from home, such as higher morale, less turnover and fewer sick days. Embracing a remote work arrangement can save businesses a significant amount in office expenses.

We have the IT infrastructure, laptops and phone systems to support a remote workforce for many jobs, but that’s just one piece of the puzzle. Organizations need to build the internal culture, security practices and teamwork norms to support remote work that complies with corporate standards and industry best practices. While this can be a significant undertaking, there is no doubt that it is a necessary one to survive in this time of social distancing.

Protecting your organization’s data is always a primary concern in these situations. Many security policies have been built around the assumption that users will access data from the organization’s physical location, which is not compatible with this new world of remote workers. The IT team will need to rethink how authorized users can access that data from remote locations.


PowerShell ForEach-Object cmdlet picks up speed

Since its move to an open source project in 2016, PowerShell’s development has picked up significantly.

The PowerShell 7.0 release arrived in March with a slew of improvements and new features. One of the most intriguing updates occurred with the PowerShell ForEach-Object cmdlet, which gained a powerful new ability to perform loops in parallel.

Most system administrators have needed to execute some command or operation on multiple systems. Before the addition of the Parallel parameter, each iteration in a loop ran sequentially, one after another. While this works fine for loops with few items, loops in which each step takes substantially more time are perfect candidates for the Parallel parameter.

The PowerShell ForEach-Object Parallel parameter attempts to run multiple iterations of the loop at the same time, potentially saving on the overall runtime. With this newfound capability come several important caveats to understand before using the Parallel parameter in any production scripts.

Understanding PowerShell ForEach-Object -Parallel

PowerShell supports several different methods of parallelism. In the case of ForEach-Object, runspaces provide this functionality. Runspaces are separate threads in the same process. These threads have less overhead compared to PowerShell jobs or PowerShell remoting.

A few factors will add to the amount of overhead used with the ForEach-Object Parallel parameter. You will need to import additional modules and reference outside variables with the $Using: syntax. In some situations, the Parallel parameter is not ideal due to the extra overhead it generates when in use, but there is a way to shift that burden away from the source machine.

One automation concern with this additional feature is flooding your infrastructure or servers with multiple operations at once. To control this behavior, the ThrottleLimit parameter restricts the number of concurrent threads. When one thread completes, any additional iterations will take that thread’s place, up to the defined limit.

The default ThrottleLimit is five threads, which generally keeps memory and CPU usage low. Without this setting, you can quickly overwhelm your local system or server by running too many threads in parallel.

Finally, one other useful ability of the Parallel parameter is it allows any parallel loops to run as PowerShell jobs. This functionality lets the PowerShell ForEach-Object command return a job object, which you can retrieve at a later time.
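The three points above (the ThrottleLimit, the $Using: syntax for outside variables and the -AsJob option) fit in one short script. This is an added example, not code from the article; the host names are constructed and the Start-Sleep stands in for real per-host work.

```powershell
#Requires -Version 7.0
# Added example: a throttled parallel loop that reads a caller-scope variable
# through $Using: and hands its results back through a job. Host names are
# constructed and Start-Sleep stands in for the real per-host work.

$Hosts = 1..12 | ForEach-Object { 'server{0:d2}' -f $_ }
$Threshold = 3            # caller-scope value every iteration needs
$Limit = 4                # runspaces allowed to run at the same time

$Stopwatch = [System.Diagnostics.Stopwatch]::StartNew()

# -AsJob returns a job object immediately instead of blocking the caller.
$Job = $Hosts | ForEach-Object -Parallel {
    # Caller-scope variables are visible only as $Using: copies; they cannot be
    # assigned to from inside the loop, so each iteration returns its result.
    $threshold = $Using:Threshold
    Start-Sleep -Seconds 1                         # stand-in for remote work
    $value = Get-Random -Minimum 0 -Maximum 10     # constructed measurement
    [pscustomobject]@{
        Host     = $_
        Value    = $value
        Alert    = $value -gt $threshold
        Finished = (Get-Date).ToString('HH:mm:ss.fff')
    }
} -ThrottleLimit $Limit -AsJob

# The caller is free to do other work here while the iterations run.
$Results = $Job | Wait-Job | Receive-Job
Remove-Job $Job
$Stopwatch.Stop()

$Results | Sort-Object Host | Format-Table Host, Value, Alert, Finished -AutoSize

# Twelve one-second iterations with a limit of four take about 3 seconds in
# total: neither the 12 s of a sequential loop nor the 1 s of an unlimited one.
'Elapsed: {0:n1} s with ThrottleLimit {1}' -f $Stopwatch.Elapsed.TotalSeconds, $Limit
```

Raising $Limit shortens the run but multiplies the simultaneous load on whatever the iterations talk to, which is the trade-off the ThrottleLimit parameter exists to control.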

Performance between Windows PowerShell 5.1 and PowerShell 7

There have been many performance improvements since Windows PowerShell 5.1 and especially so with the latest release of PowerShell 7. Specifically, how have things improved with the development of the ForEach-Object command?

The code below runs a simple test to show the speed difference in the PowerShell ForEach-Object command between different versions of PowerShell. The first example shows results from Windows PowerShell 5.1:

$Collection = 1..10000

(Measure-Command {
$Collection | ForEach-Object {
$_
}
}).TotalMilliseconds
# Result: 35112.3222

In that version, the script takes more than 35 seconds to finish. In PowerShell 7, the difference is dramatic and takes slightly more than 1 second to complete:

$Collection = 1..100000

(Measure-Command {
$Collection | ForEach-Object {
$_
}
}).TotalMilliseconds
# Result: 1042.3588

How else can we demonstrate the power of the Parallel parameter? One common feature in PowerShell scripts used in production is to introduce a delay to allow some other action to complete first. The following script uses the Start-Sleep command to add this pause.

$Collection = 1..10

(Measure-Command {
$Collection | ForEach-Object {
Start-Sleep -Seconds 1
$_
}
}).TotalMilliseconds
# Result: 10096.1418

As expected, running sequentially, the script block takes almost 10 seconds. The following code demonstrates the same loop using the Parallel parameter.

$Collection = 1..10

(Measure-Command {
$Collection | ForEach-Object -Parallel {
Start-Sleep -Seconds 1
$_
}
}).TotalMilliseconds
# Result: 2357.487

This change shaved almost 8 seconds off the total runtime. Even with only five threads running at once, the next iteration starts as soon as one of those threads frees up, for a significant reduction in execution time.

Putting the Parallel parameter in action

How can these enhancements and abilities translate to real-world system administration actions? There are countless scenarios that would benefit from running operations in parallel, but two that are very common are retrieving information from multiple computers and running commands against multiple computers.

Collecting data from multiple computers

One common administrative task is to gather information on many different systems at once. How is this done with the new PowerShell ForEach-Object -Parallel command? The following example retrieves the count of files in user profiles remotely across systems.

$Computers = @(
"Computer1"
"Computer2"
"Computer3"
"Computer4"
"Computer5"
)

(Measure-Command {
    $User = $Env:USERNAME

    $Computers | ForEach-Object -Parallel {
        # Copy the outer values into this runspace so the remote script block can
        # read them with $Using:; $_ is not defined inside the remote script block.
        $Computer = $_
        $User = $Using:User
        Invoke-Command -ComputerName $Computer -ScriptBlock {
            Write-Host ("{0}: {1}" -F $Using:Computer, (Get-ChildItem -Path "C:\Users\$($Using:User)" -Recurse).Count)
        }
    }
}).TotalMilliseconds

Computer1: 31716
Computer2: 30055
Computer4: 28542
Computer3: 33556
Computer5: 26052
13572.8172

On PowerShell 7, the script completes in just over 13 seconds. The same script running on Windows PowerShell 5.1 without the Parallel parameter executes in just over 50 seconds.

Running commands against multiple computers

Oftentimes, an administrator will need a command or series of commands to run against several target systems as fast as possible. The following code uses the Parallel parameter and PowerShell remoting to make quick work of copying a deployment file to each of them.

$Computers = @(
"Computer1"
"Computer2"
"Computer3"
"Computer4"
"Computer5"
)

$RemoteFile = "\\Server1\SharedFiles\Deployment.zip"

(Measure-Command {
    $Computers | ForEach-Object -Parallel {
        $RemoteFile = $Using:RemoteFile
        Invoke-Command -ComputerName $_ -ScriptBlock {
            # Reading a UNC path from inside a remote session is a second network hop,
            # so it needs credential delegation (for example CredSSP or Kerberos
            # constrained delegation) or the copy fails with access denied.
            Copy-Item -Path $Using:RemoteFile -Destination "C:\"
        }
    }
}).TotalMilliseconds

23572.8172

Shifting overhead with Invoke-Command

One useful feature in PowerShell when working with remote systems is to lower overhead by shifting compute-intensive commands to the target system. In the previous example, Invoke-Command runs the script block in a PowerShell session on each remote system, so the work happens there rather than on the machine running the loop. This is a helpful way to spread the overhead load and avoid potential bottlenecks in performance.


The differences between web roles and worker roles in Azure

Microsoft’s Azure Cloud Services is a PaaS where customers can deploy, manage and run scalable applications in the cloud without managing the servers themselves.

When working with the cloud platform, there are two Azure service roles on which an application can be installed: web roles or worker roles. The main difference between the two is how the VM is hosted:

  • A web role is a Microsoft server VM running Internet Information Services (IIS).
  • A worker role is a Microsoft server VM not running IIS.

Essentially, the web role has IIS installed, and workers run the application. To get a little more specific, web roles deploy and host applications through IIS. Therefore, they use programming languages supported by IIS, such as ASP, ASP.NET and PHP. An example of a web role is a simple application serving a website.

Worker roles run stand-alone applications that are not on IIS. These Windows Server executables perform tasks such as processing, running scripts or compressing images, as well as supporting background processes and service-level tasks that don’t use IIS.

It is important to note that an application can use web roles and worker roles simultaneously in the same Azure instance. A web role, for example, may collect end-user requests and then pass them to a worker role to process.

Choosing, scaling and managing roles in Azure

Deciding which role to use within an architecture depends on the application and how it is being used. For example, if the front-end application needs its own application server, then you need systems to support both the web role and the worker role. All application servers run in the same cloud instances, but they are used for different functions. Since Azure Cloud Services is a PaaS offering, you must select a mode in which to run it, and that decision should be based only on the application, not the OS being used.

While web roles and worker roles are selected during install, they can be adjusted or added during the process. You can scale up the platform if more resources are needed from a web or worker role — simply request more VMs, and Azure will create them. If the load decreases, VMs can be deprovisioned.

With Azure service roles, you’re not installing OSes; you’re installing applications. Take advantage of the staging environment during quality assurance to decide if the application is working as expected before deploying it into production.

The platform is managed by Azure. Your applications’ specific web and worker roles can be monitored through Azure Cloud Services and the Azure portal. Additional security and management software may also be required in certain deployments, so assess your organization’s management and security needs pre-adoption.


Avoid common pain points when migrating to Exchange Online

A migration from on-premises Exchange to Office 365 is more than just a matter of putting mailboxes into Microsoft’s cloud. There are several factors that can slow this type of project, and some issues won’t arise until after you think the project is done.

There are quite a few organizations still running an Exchange Server platform, but many of them are looking at migrating to Exchange Online and handing over some of the administrative burden to Microsoft. In my experience, organizations run into four common problems that can be avoided. With a little preparation, you can avoid these stumbling blocks and make the experience a positive one for both IT and the end user.

Update on-premises software

Near the top of the list of common issues is not having the current versions of software running on premises.

Active Directory, on-premises Exchange, Outlook, Windows clients and servers all need to be up to date to give your organization the best possible migration experience. At one time, Microsoft’s organizational posture was more forgiving and would support older software, but today, the company wants all software that touches Exchange to be on the latest version. Some of the older Office suites will still work, but only with basic functionality, and end users will miss out on newer features, such as Focused Inbox.

That many enterprises struggle with keeping their software current isn’t a surprise, because it’s difficult to patch and deploy updates in a timely fashion. In some cases, organizations depend on third-party software that is rarely updated and may have compatibility issues with a frequent update schedule. There is no easy solution for these problems. But as IT pros, we need to sort through the updates and find a way to get all that software on the latest release.

Understand mail flow scenarios

The next area that hinders a lot of organizations migrating to Exchange Online is not understanding the different ways to set up mail flow into and out of Microsoft’s hosted email platform.

Microsoft designed Office 365 and Exchange Online to be very flexible with regards to the support of different mail flow scenarios. Email can go to on-premises Exchange first, then into Exchange Online. Mail can also go to Exchange Online first, then flow to the on-premises Exchange servers.

During a hybrid migration, the most common scenario is to leave the mail flow configuration to reach the on-premises Exchange Server first, then use hybrid configuration to forward email to mailboxes in the Microsoft cloud via the hybrid routing address. This hybrid routing address, which looks something like [email protected], is an attribute of the on-premises Active Directory account.

When you set up an Exchange hybrid deployment and move mailboxes properly, that address is automatically added to the user’s account. This mail flow arrangement tends to work very well, but if that address is not added to the user’s account, mail flow won’t work for that user.

Another popular option is to route email through Office 365 first, then to your on-premises mailboxes. This option puts Exchange Online Protection as the gatekeeper in front of all your organization’s mailboxes.

Ultimately, your decision comes down to what other services your organization has in that mail flow path. Some organizations use third-party antivirus products, some use a vendor’s encryption services, while others depend on a particular discovery application. Any of those third-party services may be cloud-based or installed on premises. Some of the services need to be placed before your end-user mailboxes in the transport flow, while others need to be at the end of the transport flow. There is no one-size-fits-all configuration. Only when you fully understand all the pieces in your organization’s transport stack can you set up a mail flow that meets your needs.

Understand authentication

A move to the cloud means added complexity to your end-user authentication process. Microsoft provides a wide range of authentication options for Office 365 and Exchange Online, but that flexibility also means there are many choices to make during your migration.

Active Directory Federation Services, password hash sync and pass-through authentication are where the authentication options start, but any of those options can be deployed with multifactor authentication, conditional access and a whole load of Azure Information Protection options. Add in some encryption and the migration process gets complicated quickly.

All these choices and security add-ons help protect the business, but it’s a complex undertaking. It takes some effort not only to settle on a particular authentication but to implement it properly and do thorough testing to avoid an avalanche of help desk calls.

Understand accepted domains

Over time, many on-premises Exchange organizations tend to collect multiple accepted domains. Accepted domains are the part of the email address after the @ symbol.

I see many customers have issues when they move mailboxes to the cloud because they forgot to verify all the accepted domains used on those mailboxes. This problem is simple to avoid: Review the accepted domains in your on-premises Exchange organization and make sure they are verified in your Office 365 tenant before migrating the mailboxes.
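Both of the pre-migration checks the article calls for, verifying every on-premises accepted domain in the tenant and confirming each mailbox carries a hybrid routing address, can be scripted. The following PowerShell is an added example, not code from the article; it assumes the usual <tenant>.mail.onmicrosoft.com routing domain with "contoso" as a placeholder tenant name, and the sample data is constructed so the logic runs without any Exchange session.

```powershell
# Added example: compare on-premises accepted domains with the domains the
# Office 365 tenant knows about, and find mailboxes that lack a hybrid routing
# address. Sample data below is constructed; "contoso" is a placeholder tenant.

function Compare-AcceptedDomain {
    # Returns on-premises domains that are not present (verified) in the tenant.
    param(
        [string[]]$OnPremDomains,   # from (Get-AcceptedDomain).DomainName on premises
        [string[]]$CloudDomains     # from (Get-AcceptedDomain).DomainName in Exchange Online
    )
    $cloud = $CloudDomains | ForEach-Object { $_.ToLowerInvariant() }
    foreach ($domain in $OnPremDomains) {
        if ($domain.ToLowerInvariant() -notin $cloud) { $domain }
    }
}

function Find-MailboxMissingRoutingAddress {
    # Returns the names of mailboxes with no proxy address in the routing domain.
    param(
        [Parameter(Mandatory)][string]$RoutingDomain,   # e.g. contoso.mail.onmicrosoft.com
        [Parameter(Mandatory)]$Mailbox                  # objects with Name and EmailAddresses
    )
    foreach ($m in $Mailbox) {
        # EmailAddresses entries look like "SMTP:primary@domain" or "smtp:alias@domain".
        $hasRouting = $m.EmailAddresses | Where-Object { $_ -like "smtp:*@$RoutingDomain" }
        if (-not $hasRouting) { $m.Name }
    }
}

# Constructed sample data: one on-premises domain was never verified in the
# tenant, and one mailbox never received its routing address.
$SampleOnPrem = 'contoso.com', 'Fabrikam.com', 'legacy-brand.example'
$SampleCloud  = 'contoso.com', 'fabrikam.com', 'contoso.onmicrosoft.com'
$SampleMailbox = @(
    [pscustomobject]@{ Name = 'alice'; EmailAddresses = 'SMTP:alice@contoso.com', 'smtp:alice@contoso.mail.onmicrosoft.com' }
    [pscustomobject]@{ Name = 'bob';   EmailAddresses = @('SMTP:bob@contoso.com') }
)

"Domains to verify in the tenant before migrating:"
Compare-AcceptedDomain -OnPremDomains $SampleOnPrem -CloudDomains $SampleCloud

"Mailboxes without a hybrid routing address:"
Find-MailboxMissingRoutingAddress -RoutingDomain 'contoso.mail.onmicrosoft.com' -Mailbox $SampleMailbox

# Against live environments, feed the functions real objects instead, for example
# with the on-premises Exchange Management Shell and an Exchange Online session:
#   $onprem = (Get-AcceptedDomain).DomainName                      # on premises
#   $cloud  = (Get-AcceptedDomain).DomainName                      # Exchange Online
#   Compare-AcceptedDomain -OnPremDomains $onprem -CloudDomains $cloud
#   Find-MailboxMissingRoutingAddress -RoutingDomain 'contoso.mail.onmicrosoft.com' `
#       -Mailbox (Get-Mailbox -ResultSize Unlimited)               # on premises
```

Run both checks before the first mailbox move; a domain missing from the tenant list or a name in the second list is a mailbox whose mail flow will break once it lands in the cloud.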
