Tim Tetrick

Hello Microsoft Partners!

Did you know that 1 out of every 3 SMB customers have not adopted cloud services?¹  And that 71% of SMBs feel vulnerable to a cyberattack?²  Yet 94% of small businesses report security benefits since moving to the cloud³ while Forrester Consulting estimated SMBs can save $16K a year on IT with the cloud.⁴

Learn how to expand your practice, address customers’ needs and increase your revenue potential by attending these upcoming Leading Edge webinars.

The Microsoft 365 Business opportunity within Modern Workplace

Created specifically to give businesses with up to 300 employees an affordable, integrated solution that brings together the best-in-class productivity of Office 365 with advanced security and device management capabilities. Differentiate your offerings, expand your practice, increase customer lifetime value, and reach new customers with Microsoft 365 Business. Join us to learn your potential!

• Date: Wednesday, August 22, 2018
• Time: 10:00 AM PT

Register today >

Discover your Azure Cloud opportunity

The cloud is transforming businesses every day. You can quickly deploy and manage customer applications, provide easy data backup services, and offer peace of mind with disaster recovery solutions in the cloud with Microsoft Azure. This is especially appealing for SMBs who can now take advantage of services that were previously cost-prohibitive. Attend the following session to learn about cloud migration, infrastructure services, your partner opportunity and Microsoft Azure offers available to you today.

• Date: Wednesday, August 29, 2018
• Time: 10:00 AM PT

Register today >

Discover your cloud opportunity with Microsoft Office 365

Now is the time to get started and become a cloud ambassador of an amazing product. Attend this session to learn about your partner opportunity plus your ability to offer new services that will enhance your customer’s email solution and your portfolio with Microsoft Office 365.

• Date: Wednesday, September 12, 2018
• Time: 10:00 AM PT

Register today >

1. Bredin, an SMB market research and content marketing agency.
2. Microsoft Survey
3. Microsoft, “Cloud Security, Privacy and Reliability Trends Study,” June 2013.
4. “The Total Economic Impact Of Microsoft Office 365,” a commissioned study conducted by Forrester Consulting on behalf of Microsoft, November 2016.

We have updated the Speculative Execution Side-Channel Vulnerabilities Configuration Baseline.  The updated baseline now includes support for verifying the protections for CVE-2018-3620 (L1 Terminal Fault) in addition to the previously supported CVE-2017-5715, CVE-2017-5754 and CVE-2018-3639.

Download the updated baseline

This Compliance Settings configuration baseline is used to confirm whether a system has enabled the mitigations needed to protect against the speculative-execution side-channel vulnerabilities as described in the Microsoft Security Advisories ADV180002, ADV180012 and ADV180018. It is based on the functionality in the PowerShell module Get_SpeculationControlSettings. It requires at least PowerShell 3.0.

Read more about mitigating speculative execution side-channel vulnerabilities for Configuration Manager environments

Dear All,

Welcome to the TechNet Wiki Tuesday – TNWiki Article Spotlight.

In today's blog post we are going to talk about the article Understanding Server-Side Blazor  by Ankit Sharma

Blazor is an experimental .NET web framework using C#/Razor and HTML that runs in the browser with WebAssembly. If you are a C# developer and love to create your web application with C# code then Blazor is for you. Fact is that without using any scripts we can purely use C# code to develop our web application using Blazor. Check here to know more about Blazor https://blazor.net/ , https://learn-blazor.com/getting-started/what-is-blazor/

Today for our TNWiki Article Spotlight we have picked Ankit Sharma  article which explains about  Understanding Server-Side Blazor  .

The reason behind why I like this article is as this article explain in detail about What is server-side Blazor and also explains about advantage and disadvantage about Server Side Blazor  with sample code, Ankit Sharma explained about server-side Blazor and explained in more detail about

• What is Server-Side Blazor?
• Prerequisites
• Creating a server-side Blazor application
• Advantages of server-side Blazor
• Disadvantages of server-side Blazor

I hope you all enjoy reading this  article Understanding Server-Side Blazor  by Ankit Sharma

See you all soon in another blog post.

Thank you all.

Yours,
Syed Shanu
MSDN Profile | MVP Profile | Facebook | Twitter |
TechNet Wiki the community where we all join hands to share Microsoft-related information.

こんにちは。Microsoft Intune サポート チームです。

iOS のアプリ保護ポリシーで保護されたアプリから Teams アプリへファイルを投稿した際に、Teams アプリ側でファイルが開けなくなる問題について、ユーザーへの注意喚起のためブログ記事を公開します。

Intune SDK がインテグレートされたアプリ保護ポリシーを適用することで、企業領域に保存されたデータを暗号化された安全な状態で閲覧することができます。

OneDrive・Teams・Word・Excel・PowerPoint といった Office 365 アプリはこの機能に対応していますが、現在 Teams アプリへデータを受け渡すとファイルが正しく閲覧できない状態になる問題があります。

具体的には、アプリ保護ポリシーで保護された OneDrive 等のアプリから、[別のアプリで開く]  [別のアプリで送信する]  機能を使ってファイルを Teams アプリに投稿すると、「この<ファイル名>は破損しています」と表示されて Teams アプリ側でそのファイルを開くことができません。

現行バージョンの Teams for iOS アプリのエクステンションに関する問題と考えられますので、Teams アプリ側で修正が行われるまでこの問題に注意しつつ運用を行ってください。

日本マイクロソフト株式会社 (本社: 東京都港区) は、カモフラージュ デザインを採用した『Xbox ワイヤレス コントローラー (アームド フォーセス II)』を 2018 年 9 月 6 日 (木) より 6,980 円 (税抜参考価格)^*1 で全国のゲーム販売店にて数量限定で発売します。

『Xbox ワイヤレス コントローラー (アームド フォーセス II)』は、本体に特徴的なカモフラージュ デザインを施し、、グリップ部分には滑りにくく操作しやすいテクスチャー加工を採用しています。また、Windows 10 搭載 PC やタブレットとワイヤレス接続が可能な Bluetooth を搭載しています。^*2

ゲームの臨場感を表現するリアル トリガー^*3、高い操作性を実現したスティックと方向パッドを操作しやすい位置に配置。お持ちのヘッドセット^*4 などを直接接続できる 3.5mm ステレオ ヘッドセット ジャックを搭載したワイヤレス コントローラーです。

製品基本情報

^*1 お客様の購入価格は、販売店により決定されますので、販売店にお問い合わせ下さい。
^*2 Windows 10 搭載デバイスとの Bluetooth 接続には Windows 10 Anniversary Update の適用が必要です。また、コントローラー本体のファームウェアをアップデートする必要な場合があります。Windows 10 で Xbox ワイヤレス コントローラーを更新する方法については 「Windows 10 で Xbox One コントローラーを更新する方法」 を参照してください。Windows 7、8.1、または 10 で Bluetooth を使わずに使用する場合は、USB ケーブル (別売) が必要です。
^*3 リアル トリガーは対応したゲームのみ有効です。
^*4 ヘッドセットの互換性に関する詳細は 「互換性のあるヘッドセットを接続する | Xbox One」 をご参照ください

Hello All,

We all know how important it is to report on our Tenants and the resources within those tenants, there are now several different ways to report all are based around the O365 Reporting service.  My suggestion is to give them a try

Built into O365 we have various reports like the Usage Reports, Security Reports, and Compliance Center reports

As well we now have a tool (Find it here) that creates over 500 reports with Dashboards broken down like this:

Supported Services:

• Azure Active Directory (30 reports)
• Exchange Online (81 reports)
• SharePoint Online (35 reports)
• OneDrive for Business  (11 reports)
• Skype for Business (22 reports)
• Yammer (20 reports)
• Microsoft Teams (16 reports)
• General Office 365 Reports (9 reports)

This tool also provides 200+ Auditing reports on Office 365.

For SharePoint some of the reports look like this:

Site Collection Reports

• All Site Collections
• SharePoint Audit Configurations
• Site Collection Sharing Configurations
• Site Collection Upgrade Information

SharePoint Site Reports

• All Sites Report
• Sites without Recycle Bin
• Site Sharing configurations
• Sites with Custom Permissions

I highly encourage you to check out all of these resources.

Pax

Another Hard to Find case.

This time I was involved in a root cause analysis on a customer site after a brute force attack vs some ADFS endpoints.

Let me give you an overview of the infrastructure.

ENVIRONMENT DESCRIPTION

The customer environment is very huge and complex, but I have simplified it in the following picture:

Has you can see we have two forests one is a logon forest (where the users are) and one is a resource forest, where we have the ADFS Servers that are running.

In this table you can find the server version of the environments

PROBLEM DESCRIPTION

The Customer unfortunately was recently exposed to a brute force attack, and even if they had configured the ADFS Extranet Lockout, multiple accounts was locked outs, (more important the BIG BOSS account IS LOCKED OUT!!!).

The Customer want to understand why this happens even if the Extranet Lockout is enabled.

TROUBLESHOOTING

To reproduce this problem, we have involved the security team of the Customer (a big thanks to them!) for generating a brute force attack against the ADFS Servers. (don't ask: which tools have you used? I can't tell you)

• Before starting the simulation of the brute force attack we have verified the Lockout configuration in the environment:

• On the ADFS Configuration:
  

• On the Active Directory:
  

• Then we have enabled the Audit logs for the ADFS Servers:

  ====================================================================================

  https://blogs.technet.microsoft.com/bulentozkir/2016/05/11/ho-can-you-enable-auditing-for-ad-fs/

  ====================================================================================

   

• By using a third-party tool, to simulate a brute force attack, we reproduced the problem, and one of the tests accounts was locked out due to many failed login attempts, and from the logs we were able to view the exact cause (please, read the logs from the bottom to the top):

   

1. The row indicated by the blue rectangle, indicating the event 516 on the ADFS server, show that the User01 is blocked by the soft Lockout on the ADFS Server.

    

2. The row indicated by the green rectangle, indicating the event 512 on the ADFS server, show an authentication for the User01 was permitted after the end of the ExtranetObservationWindow.

    

3. The rows indicated by the yellow rectangles, we can see the events 411 on the ADFS Servers, and the events 4771 on the DCs of the Fabrikam Forests, all these events, show us that in the same second 12:04:55, we have received 6 authentication requests for the User01 that have caused the account Lockout.

    

4. The last row indicated by the red rectangle, indicating the event 516 on the ADFS Server, show that the account User01 was locked out.
   

NOTE: has you can see in the yellow part, we have exactly 6 events 411 for the ADFS Servers, but we have 8 events 4771 on the DCs, and the question is………. WHY?

To understand why, you need to read "How the Domain Controllers Verify the Passwords":
==================================================================================================

==================================================================================================

In short: the authentication from the Contoso ADFS forest to the Fabrikam logon forest, sometime are directly done by the PDC, but sometime other DCs in the Fabrikam forest authenticate the User01, in this case the DC forward the Authentication to the PDC , because it is a badpwd logon attempt, this cause 1 more 4771 event.

Trick: count the number of 411 events on the ADFS infrastructure, for a specific user, if you want to verify that you received more authentication attempt than the "Account lockout threshold".

CONCLUSION

So, we have verified that, during a brute force attack, if you have a low difference between the "ExtranetLockoutThreshold" and the "Account lockout threshold" on the Domain Controllers, you can have some accounts that will go in Locked-out.

This is due to the time necessary from the DCs in the FABRIKAM forest to send back the info (badpwdcount) to the ADFS Servers in the CONTOSO forest, usually in milliseconds, but in those milliseconds, we can receive other authentication requests that will lock the accounts.

MITIGATION:

To mitigate this behavior, you can increase the "Account lockout threshold" on the DCs to a more bigger value.
For your enterprise a good value is 50, but it is also better to increase the "Account lockout duration" to 15 min or more.

Official reference:

Account lockout threshold
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/account-lockout-threshold

Account lockout duration
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/account-lockout-duration

FINAL SOLUTION:

If you want to say "BYE BYE" to the brute force attacks, you can implement Azure MFA (Multi Factor Authentication).
If your ADFS Farm is 2012R2 you can easily migrate to 2016 and then implement the MFA.

Official reference:

Moving from a Windows Server 2012 R2 AD FS farm to a Windows Server 2016 AD FS farm
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server

Configure AD FS 2016 and Azure MFA
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa

Today's tip...

End of support is rapidly approaching for the 2008 releases of Windows and SQL Server:

• Extended Support for SQL Server 2008 and 2008 R2 will end on July 9, 2019.
• Extended Support for Windows Server 2008 and 2008 R2 will end on January 14, 2020.

End of support means the end of regular security updates. With cyberattacks becoming more sophisticated and frequent, running apps and data on unsupported versions can create significant security and compliance risks. The 2008 family of products was great for its time, but we highly recommend upgrading to the most current versions for better performance, efficiency, and regular security updates

We are pleased to share new options and tools to help you manage this transition to carry your organization through the next decade.

Migrate to Azure, get free Extended Security Updates

We are pleased to announce that Extended Security Updates will be available for free in Azure for 2008 and 2008 R2 versions of SQL Server and Windows Server to help secure your workloads for three more years after the end of support deadline.

Upgrade on-premises environments and stay protected

For apps and data that you want to keep running on-premises, we recommend that you upgrade to the latest version of SQL Server and Windows Server to get the strongest security and latest innovation. SQL Server 2017 and Windows Server 2016 are the new standard for performance and efficiency, and both include built-in security features to help you harden your platform.

Today's tip...

Did you watch any of the informative sessions at the recent Windows Server Virtual Summit? Well, all of that content is now available for download as an ‘event-in-box’! Download the complete package here.

Event Summary

Recently, we held our first ever Windows Server Summit. The event was a great opportunity to engage the Windows Server community, provide HOURS of updates since the last Microsoft Ignite conference and get them excited for our upcoming Microsoft Ignite conference in September.

We had top subject matter experts delivering a comprehensive agenda detailing what’s new in Windows Server and where we’re going in Windows Server 2019 with regard to:

• Hybrid Cloud. Perfect for our valued customers who want to consume Azure resources in Azure AND on-premises.
• Hyper-Converged Infrastructure. HCI is the fastest growing segment for on-premises. FULL STOP. After a couple of years where our valued customers paused their on-premises purchases to determine their long term strategy, they have solidified their strategy: HYBRID CLOUD. The average selling price per server is up, our partners are reporting strong solutions sales with hyper-converged infrastructure. In fact, the industry is reporting 76% YoY growth for HCI.
  • According to IDC's latest Worldwide Quarterly Converged Systems Tracker, sales went up 19.6 per cent year-on-year to $3.2bn during the calendar first quarter of 2018.
  • However, certified reference architectures (CRA) - Cisco and NetApp's FlexPod and Dell EMC's VxBlock - crossed the quarter's finishing line with sales of $1.4bn as the hyperconverged gear jumped by more than 76 per cent.
• Security. This is top of mind for customers. We specifically created a security pillar in Windows Server 2016 and our customers have responded by prioritizing new server deployments on Windows Server 2016 because of our comprehensive new innovation in defense-in-depth.
• Application Platform. Digital transformation is happening everywhere and key to this is modernizing existing apps and building new apps to embrace intelligent edge scenarios and integrated with machine learning, AI and more.

（この記事は2018年8月8日にMicrosoft Partner Network blogに掲載された記事Explore Microsoft Inspire 2018 sessions on demandの翻訳です。最新情報についてはリンク元のページをご参照ください。）

Microsoft Inspire 2018 のセッションをオンデマンドで配信

ラスベガスで開催された今年の Microsoft Inspire (英語) は、パートナーの皆様にご協力いただき、大盛況のうちに幕を閉じました。学習、人脈作り、そして何よりインスピレーションを得るための絶好の機会にご参加いただいた皆様に感謝を申し上げます。ご来場になれなかったパートナー様や、参加予定のセッションを見逃してしまったパートナー様も、ご心配はいりません。セッションや基調講演 (英語) は、場所や時間を選ばずにご視聴いただけます。

Microsoft Inspire で高評価を獲得したセッションのご紹介

ここで、参加者の皆様から高い評価を受けたセッションをいくつかご紹介します。こちらのセッションは、オンデマンドでご視聴いただけます。

1. Microsoft Azure のセキュリティと管理によるお客様の信頼の獲得とサービス収益の拡大

Azure Management 担当ディレクターの Jeremy Winter と Azure Security and Management マーケティング責任者の Scott Woodgate が、Microsoft Azure のセキュリティ、バックアップ、災害復旧、監視、ガバナンスなどの幅広い組み込みツールを使用して、お客様のセキュリティと管理を維持する方法について説明します。こちらのページ (英語) でセッションをご視聴いただき、Azure に組み込まれているセキュリティおよび管理の機能、ロードマップ、価値提案をご覧ください。

2. 開発者の支持と企業の信頼を集める Azure の DevOps

ビジネス プログラム マネージャーの Leon Jones と主任グループ プログラム マネージャーの Martin Woodward が、DevOps の取り組みにおける開発者の現状のニーズに対応する新たな方法や、高品質のアプリの移行、構築、リリース、セキュリティに関してパートナー様のソート リーダーシップを拡大する方法について紹介します。こちらのリンク (英語) のプレゼンテーションで、Azure の DevOps ソリューションのオプションとビジネス チャンス、そして現場担当者がお客様と共にこのシナリオにアプローチしていく方法をご覧ください。

3. 営業担当者向けの高度なセールス トーク手法

営業担当者がセールス トークの強化によって生産性と効率を向上させ、高度なツールや手法を駆使してすぐに成果を挙げる方法について、Impact Advantage の創設パートナーである Joe Thomas 氏が紹介します。セッションは、こちらのリンク (英語) からご視聴いただけます。

4. ベスト プラクティスに基づく AI ソリューションの構築や製品への AI サービスの追加

Neural Impact, Inc. の最高エンゲージメント責任者を務める Mark Stuyt 氏と、マイクロソフト パートナー様の戦略および事業開発を推進するワールドワイド リードの Melissa Mulholland が、優れた AI ソリューションを構築する方法や、自社のソリューションに AI サービスを追加する方法について説明します。プレゼンテーションはこちらのリンク (英語) からご覧ください。

5. 感情知能 (Emotional Intelligence) の活用

TalentSmart, Inc. のトレーニング担当ディレクターを務める Kendrick Wong 博士が、感情知能 (Emotional Intelligence) によって従業員の成功を予測する方法や、改善が必要なフレームワークを特定して感情知能を応用する方法について紹介します。セッションは、こちらのリンク (英語) からご視聴いただけます。

6. クラウドによる ID 保護の活用

プリンシパル プログラム マネージャーの Mark Morowczynski が、パートナー様の Microsoft 365 サービスの基盤となる機械学習ベースのセキュリティ機能を使用して、お客様が高度な脅威を抑制できるように支援する方法について紹介します。セッションは、こちらのリンク (英語) からご視聴いただけます。

7. 医療業界のセキュリティとコンプライアンス: 変化し続ける情勢に適応するには

医療サービスの利用者や、医療サービスを提供する組織にとって、患者のプライバシーとセキュリティは最大の懸念事項です。ワールドワイド ヘルス最高情報セキュリティ責任者の Hector Rodriguez とワールドワイド ヘルス担当ディレクターの John Doyle がお届けするセッション (英語) では、マイクロソフトの取り組みとサイバーセキュリティに関する豊富な経験が重要な差別化要因となることを説明しています。

8. 会話型 AI: ボットで成功を収める方法

このセッション (英語) では、AI マーケティングおよび戦略担当ディレクターの Jaime Pereña が、優れたボットを構築するためのリソース、サンプル、ベスト プラクティスについて、デモやお客様のユース ケースを取り上げながら解説します。

9. 次世代 Security Operations Center の設計

エンタープライズ サイバーセキュリティ グループのシニア ディレクターを務める Johnnie Konstantas が、マイクロソフトのセキュリティ機能によって Security Operations Center を強化し、お客様のセキュリティ保護とベンダーやコストの削減を実現する方法について紹介します。マイクロソフトのサイバーセキュリティ テクノロジやサービスを利用して、パートナー様がリスクを最小限に抑え、脅威を迅速に検出して対応する方法をご覧ください。セッションは、こちらのリンク (英語) からご視聴いただけます。

来年の開催に向けて

Microsoft Inspire 2018 は、18,000 人以上のパートナー様にご参加いただき、史上最大規模のパートナー様向けイベントとなりました。来年も、発見と学習の機会に溢れたこのイベントで皆様とお会いできることを楽しみにしております。今なら Microsoft Inspire 2019 への参加登録 (英語) が 1,995 ドルです。ぜひお早めにお申し込みください。

I would like to Thank you Marco Carampanta for writing this article.

Restore Deleted teams and channels from Microsoft Teams.

In this article we will explain the steps needed to make use of the recent feature that allows us to recover deleted teams and channels from Microsoft Teams.

Sometimes while we are managing our teams and channels around, accidentally we can remove an important team/channel, which can cause quite a negative impact, requiring us to take quick action to mitigate it in the most timely manner.

Restoring a deleted channel:

This process is immediate, meaning there will be no replication time needed so the channel will be available to all members as soon as it is restored.

Step 1.

Manage the team where the deleted channel belonged

Step 2.            

Access the channels listing, and the channel will show under the “Deleted” list

Step 3.

Click the “Restore” option on the right-hand side of the screen

Step 4.

Finally confirm the restoration via the promp:

Restoring a deleted Team:

It’s important to understand that when you manage a Team under Microsoft Teams, you are directly affecting the Unified Office 365 Group, which originates from Exchange Online.

To this effect, when you delete a Team within the Microsoft Teams application, you are effectively deleting the entire Office 365 Group (as well outlined in the warning message).

This means that the restoration process will require replication between Office 365 services, which can take up to 24 hours to fulfill, however you can rest assured your messages, files, connectors, tabs, etc… will all be available.

Step 1.

First of all you will have to access your Office 365 Admin Portal, then the Exchange Admin Center

Step 2.

Access the Group listing, under the Recipients menu

Step 3.

Confirm that the recently deleted team shows on the list and select it

Step 4.

On the right-hand side menu, click the “Click here to restore” option

Step 5.

Confirm the restoration request

Step 6.

The group should appear as active immediately:

Step 7.

Go back to the Office 365 Admin Portal and under the menu Groups then Groups again, confirm that the group is effectively showing up.

Step 8.

Wait up to 24 hours for the replication to take place

Note, at the time of this writing, this restore procedure requires the ownership to be restored, so any new owners need to be removed, and the original owners (prior to deletion) must be restored.

In Office 365 cloud only groups can have their membership managed through the Office 365 portal or through the Azure Active Directory powershell commands.  As with on premises Active Directory multiple group types can be created and managed.  You can also create direct user membership in groups as well as nested group membership.  I recently had an interesting experience with a customer attempting to manage nested group membership.

There is a top level group in our example called TopLevelGroup.  The group contained two members – an individual user account and another nested group.

PS C:> Get-MsolGroupMember -GroupObjectId a988084b-8642-4406-b25d-8687b8c509e7

GroupMemberType EmailAddress               DisplayName
--------------- ------------               -----------
User            tmcmichael@domain.com      Timothy McMichael
Group                                      SubGroup0

The group membership is consistent in both powershell and the portal.

There is a sub group in our example called SubGroup0.  The groups contains a single member – an individual user account.

PS C:> Get-MsolGroupMember -GroupObjectId 8966d905-c966-4d2e-89ea-a151f1534252

GroupMemberType EmailAddress               DisplayName
--------------- ------------               -----------
User            tmcmichael@domain.com      Timothy McMichael

The group membership is consistent in both powershell and the portal.

Through the course of administration the individual user account was accidentally removed from the top level group. 

PS C:> Get-MsolGroupMember -GroupObjectId a988084b-8642-4406-b25d-8687b8c509e7

GroupMemberType EmailAddress DisplayName
--------------- ------------ -----------
Group                        SubGroup0

When the accidental deletion was discovered the administrator attempted to add the user back to the top level group.  To perform this operation the administrator selected the group within the portal – selected the edit members option – and the add members operation button.  This presented the administrator with the list of users to add to the group.  Using the search operation the user was located.  When the user was found it was noted that the user already had a checkbox next to them and the save button was greyed out.  The user could not be added through the portal interface.

You can also attempt to modify the groups that an individual is a member of through the individual user properties.  The user is located under active users and is selected for properties.  Under Group Membership select the edit option then the add memberships button.  This brings up the group search option.  When searching for the group the same behavior is noted.  The group already has the checkbox selected as if the user is a member. 

Why is this occurring?  The portal is actually displaying the group membership based on expanding all subgroup members.  In this case the individual user account continues to be a member of the subgroup.  Since it is a member of the subgroup the portal expands it as a member of the top level group.  If this is the case – how do I get the user to be a direct member of the top level group if that is the desire?  In order to perform this operation powershell must be utilized.  Here is an example…

Get the object ID of the individual user.

PS C:> get-msoluser -UserPrincipalName tmcmichael@domain.com | select-object objectID

ObjectId
--------
61425db0-7812-49dd-b6aa-1a732bdec569

Get the object ID of the top level group.

PS C:> Get-MsolGroup -SearchString TopLevelGroup | select-object objectID

ObjectId
--------
a988084b-8642-4406-b25d-8687b8c509e7

Add the user to the top level group.

PS C:> Add-MsolGroupMember -GroupObjectId a988084b-8642-4406-b25d-8687b8c509e7 -GroupMemberType User -GroupMemberObjectId 61425db0-7812-49dd-b6aa-1a732bdec569

Validate the group membership is correct.

PS C:> Get-MsolGroupMember -GroupObjectId a988084b-8642-4406-b25d-8687b8c509e7

GroupMemberType EmailAddress               DisplayName
--------------- ------------               -----------
User            tmcmichael@domain.com      Timothy McMichael
Group                                      SubGroup0

Using these steps the user can be restored back as a member to the top level group.

皆さん、ご無沙汰してます。

いろいろとお伝えしたいことがあるのですが、まずは私がエバンジェリストだった頃に寝食も忘れて情報発信してきた Windows Server について、あらためて活動を開始することになったので、ブログを書くことにしました。

エバンジェリストに戻るわけではないので、いろいろと制約もありますが、Windows Server 2008 のサポート終了もあり、Windows Server 2019の発売開始もあるなか、Windows Serverの今をきちんとお伝えしていきたいと思います。

ただ、「クラウドの時代」です。

エンジニアのエゴではなく、ビジネスに寄与するITについて話をする必要があります。

新機能も、あきらかに「クラウドの時代」や「ビジネスに寄与するIT」、そして「セキュリティ」を意識したものになっています。

それをご理解いただいたうえで、日本でWindows Serverを使っていただいているお客様やパートナー様と共に、新しいWindows Serverの時代を作れればと思っています。

ということで、(案内が遅くなってしまいましたが) まずは MSのインフラ系スペシャリストが集まってくれているコミュニティ SCUGJ と一緒に、 9月1日 土曜日 に

Windows Server Community Meetup

を実施します！

今のところ、このようなセッション構成になっていて、これから Windows Server 2019 を始めようと思っている方は必見です。

もちろん私も Windows Server 2019の全体像をお話しますし、私が信頼するメンバーがセッションを担当してくれます。

是非ともご参加ください。

それから、Windows Server 2016の採用を検討中で、Windows Server 2019 に興味がある企業の方、是非こっそり教えてください！

Windows Server ベースの Containerで DevOpsをやろうって思ってくれている企業の方がいたら 教えてください！

Windows Server版の Windows Defender ATP でサーバーセキュリティを一段階向上させようという方、教えてください。

Admin Center で運用管理をシンプル化＆効率化するといったお客様がいたら、現状とこれからについて是非聞かせてください。

ReFSの重複除去待ってました！という方、クラウドがCPUやネットワーク、ディスクの状況をアセスメントして教えてくれるシステムインサイトが欲しいという方、是非教えてください。

私も頑張りますので、いろいろとご協力よろしくお願いします。

高添

Something that I run across a lot in helping clients test connectivity issues in firewalled environments, is “is there a firewall blocking port 5723 traffic?”

In the past we would use tools like Telnet, or Portqry to test port connectivity, but often this is not installed and not easily available.  Luckily, we always have PowerShell!

Here is a quick and dirty PowerShell script you can run as a single line, to test name resolution and port availability.  Just change the $server value in quotes.

$server="scom2.opsmgr.net";$ip=([System.Net.Dns]::GetHostAddresses($server)).IPAddressToString;$tcp=New-Object net.sockets.tcpclient;$tcp.Connect($server,5723);$out=$tcp.Connected;write-host "`nPort 5723 test result for ($server) on IP ($ip) : ($out)"

Here it is as a script, if you want to see it all, but not on a single line:

$server="scom2.opsmgr.net";
$ip=([System.Net.Dns]::GetHostAddresses($server)).IPAddressToString;
$tcp=New-Object net.sockets.tcpclient;$tcp.Connect($server,5723);
$out=$tcp.Connected;
write-host "`nPort 5723 test result for ($server) on IP ($ip) : ($out)"

Hello everyone,

Back with another experience to share with you all.  This past week, a customer asked if it were possible to create policy to block certain applications from being able to be opened up on Windows 10 devices enrolled in Intune.  At the time of writing this blog, such functionality is not available natively within Intune.  As in, AppLocker is not an option for a Windows 10 profile type within the Intune portal.  However, anytime there is an ask regarding policy that is not native to Intune, we need look no further than searching our CSP library to see if we have the ability to configure policy via OMA-URI.  Sure enough, after a quick search, we see we have an AppLocker CSP.  So naturally, it's time to review the documentation on the AppLocker CSP.

https://docs.microsoft.com/en-us/windows/client-management/mdm/applocker-csp

We see from the documentation that our OMA-URI path for what we want to achieve looks like this:

./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/Grouping/EXE/Policy

Notice the word Grouping is bolded above.  This is bolded because this is a grouping GUID that can literally be anything you want it to be.  For my example, I'm going to use BlockedApps01 as my grouping GUID.  So my OMA-URI path is going to look like this:

./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/BlockedApps01/EXE/Policy.  This will be important for later when we create our policy in Intune.

Also note in the documentation, we have EXE, MSI, Script, StoreApps, DLL, and CodeIntegrity.  Each of these represent the different AppLocker rules you can create as part of an AppLocker policy.  For *.exe files, you'd use EXE as part of your OMA-URI path.  For any *.appx or modern apps, you would use StoreApps as part of your OMA-URI path.  Finally, we have Policy.  This is where the actual XML value needs to be specified.  And that value will be a string value in the policy.  More on this later as we walk through creating the policy in Intune in a bit.

Creating the AppLocker Policy

Now it's time to take a look at creating the AppLocker policy on a test device so we can get our XML for the Policy string value as part of our policy.  Now, there are a couple different approaches to creating AppLocker policies.  You have whitelisting and blacklisting.  Whitelisting is blocking all apps except for the ones you explicitly allow in your AppLocker policy.  Blacklisting is allowing all apps and blocking only the apps you explicitly deny in your AppLocker policy.  As a result, whitelisting is the far more restrictive method.  However, depending on your requirements and how restrictive the policy, you may end up creating a lot more whitelisting rules than blacklisting rules.

This is a personal opinion of mine, but leveraging whitelisting implies than an administrator wants to lock down a device pretty good and only allow specific application activity.  So rather than annoy your users with pop-ups saying they can't access an application due to policy, why not use an Assigned Access profile?  I've worked with customers in the past where we did this via Intune and used Powershell scripts to push out an Assigned Access profile to achieve a similar result as whitelisting.  You can also achieve such leveraging the AssignedAccess CSP on Windows 10 1709 and later devices.  Kiosk mode, once it's out of preview would also be a solution, but I digress.  For this example, I'm going to be using the blacklisting approach and picking something simple like Notepad to block.  Are you ready?  Let's get started!

1. On a Windows 10 test device that has all the desired apps you wish to create an AppLocker policy for, open the local group policy editor.  You can do this by clicking Start and typing in "edit group policy" and hitting enter.  Once the Local Group Policy Editor opens up, navigate to Computer Configuration > Security Settings > Application Control Policies > AppLocker.  Within the AppLocker node, you'll see the different types of rules you can create.  Recall we briefly discussed this earlier looking at the AppLocker CSP OMA-URI path.
2. Since we are going to be using Notepad for our example, we are going to create a Executable Rule.  If you wanted to block the built-in Calendar modern app, you would create a Packaged app Rule.  Right-click on Executable Rules and select Create New Rule.
3. In the Create Executable Rules wizard, on the Before You Begin screen, click Next
4. On the Permissions screen, click the Deny radio button and click Next
5. On the Conditions screen, ensure the Publisher radio button is selected and click Next
6. On the Publisher screen, in the Reference file: field, click the Browse button.  File Explorer will open.  Browse to C:WindowsSystem32 and double-click on notepad.exe.  The details of the file will be filled in for you.  Click Next
7. On the Exceptions screen, click Create
8. You'll get a prompt to create default rules, click Yes.
9. In the left pane, click on the AppLocker node.  Back in the right-pane, click the Configure rule enforcement link
10. The AppLocker Properties window will appear.  Under Executable rules: check the Configured checkbox and select Enforce rules from the dropdown menu.  Click OK to close the window
11. In the left pane, right-click on the AppLocker node and select Export Policy
12. File Explorer will open.  Save the XML to a location on the test device and copy it to your primary machine

Working with the XML

So we've got our XML and earlier we mentioned we need the XML as it will be the Policy string value for our OMA-URI.  If only it were that easy.  What our docs don't tell you is if you were to copy and paste all of the XML file contents to the Policy string value for our OMA-URI and deploy it, it will fail.  What we have to do is copy only a subset of the XML and use that as our Policy string value.  Not sure why, but there is zero mention of this on the AppLocker CSP docs page.  It took some trial and error and discussing with some colleagues to understand why this was failing for me at first because I was following the docs.  Hence the reason for this blog, so you don't waste 8 hours wondering what the heck is going on.  Let's take a look at the XML and I'll explain what subset is required for the policy to work properly.

<AppLockerPolicy Version="1">
<RuleCollection Type="Appx" EnforcementMode="NotConfigured" />
<RuleCollection Type="Dll" EnforcementMode="NotConfigured" />
<RuleCollection Type="Exe" EnforcementMode="Enabled">
<FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="(Default Rule) All files located in the Program Files folder" Description="Allows members of the Everyone group to run applications that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePathCondition Path="%PROGRAMFILES%*" />
</Conditions>
</FilePathRule>
<FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the Windows folder" Description="Allows members of the Everyone group to run applications that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePathCondition Path="%WINDIR%*" />
</Conditions>
</FilePathRule>
<FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(Default Rule) All files" Description="Allows members of the local Administrators group to run all applications." UserOrGroupSid="S-1-5-32-544" Action="Allow">
<Conditions>
<FilePathCondition Path="*" />
</Conditions>
</FilePathRule>
<FilePublisherRule Id="9b6e35e2-b3cf-4a58-a35c-13590f086a34" Name="NOTEPAD.EXE, version 10.0.0.0 and above, in MICROSOFT® WINDOWS® OPERATING SYSTEM, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
<Conditions>
<FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT® WINDOWS® OPERATING SYSTEM" BinaryName="NOTEPAD.EXE">
<BinaryVersionRange LowSection="10.0.0.0" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
</RuleCollection>
<RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
<RuleCollection Type="Script" EnforcementMode="NotConfigured" />
</AppLockerPolicy>

Everything in the red text above represents what needs to be used for our Policy string value for our OMA-URI.  The trick here is to ensure you are only copying the RuleCollection tag that shows as "Enabled" (bolded at the top of the XML) down to the closing RuleCollection tag (bolded at the bottom of the XML) just before the "NotConfigured" RuleCollection tags.  Everything else should be omitted.

Ok, we've got what we need, now time to go to the Intune portal and let's create our policy.

Create and Deploy the AppLocker Policy in Intune Portal

1. Open up a browser and navigate to your Intune portal
2. In the Intune blade, click Device Configuration
3. In the Device Configuration blade, click Profiles
4. In the Device Configuration - Profiles blade, click the Create Profile button
5. On the Create Profile blade, in the Name field, name the profile accordingly.  In the Platform drop-down, choose Windows 10 and later.  In the Profile type drop-down, choose Custom
6. The Custom OMA-URI Settings blade will appear.  Click the Add button
7. On the Add Row blade, in the Name field, name the settings accordingly.
8. In the OMA-URI path, we will use what we mentioned earlier in the blog.  Copy and paste ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/BlockedApps01/EXE/Policy
9. In the Date type drop-down, choose String
10. In the Value text box, copy and paste the XML subset we discussed above (everything in the red text above)
11. Click OK to close the Add Row blade
12. Click OK to close the Custom OMA-URI Settings blade and click Create to create your policy
13. Once created, click the policy.  On the Policy blade, click Assignments
14. On the Assignments blade, in the Assigned to drop-down, select Selected Groups and then click Select groups to include
15. On the Azure AD Groups blade, choose the groups you want the policy to be applied to and click Select
16. On the Assignments blade, click Save

Alright, you've now deployed your AppLocker policy to your desired devices or users.  Now it's time to see if it worked.

Validating the Result

Ok, you've worked hard thus far.  Go grab a cup of joe and doughnut, you deserve it!  No seriously, this step is crucial to give the policy time to get to your device.  By the time you are done, your policy should be applied to your test device.  Of course, you can expedite this process by syncing the device with Intune.

1. On your test device, click Start and type in notepad
2. Click on notepad to open it
3. You get the wonderful screen that was the picture for this blog.  On legacy versions of Windows 10, such as 1607, you will not get a pop-up stating the application cannot be run.  Instead, nothing will happen.  If you were to then navigate to the actual file location and attempt to run the blocked application, then you will get a red X pop-up stating the application cannot run

Troubleshooting

If for some reason your AppLocker policy isn't working as expected, check the Device status for the policy in the Intune portal.

1. Open up a browser and navigate to your Intune portal
2. In the Intune blade, click Device Configuration
3. In the Device Configuration blade, click Profiles
4. Click your AppLocker Policy.  On the Policy blade, click Device status
5. On the Device status blade, review the results.  If you see an error, click the entry to drill down.  If the error comes back as Remediation Failed, you have a malformed XML string value.  Go back and review the XML value you copied into the policy.  Review the section above that discusses working with the XML file.  If you see success, but the specific applications are still running, review your AppLocker policy default rules to understand if you are allowing something in your policy that you shouldn't be.

Wrap Up

Alright, that's it!  I hope you got something from this blog.  A quick note on whitelisting as I don't want to leave that approach out entirely.  With a whitelist approach, the default rules that are mentioned earlier in this blog come into play.  For example, with a whitelist approach, you would only retain the Allow > Everyone > (Default Rule) All files located in the Windows folder rule.  This now means that the user will not be able to run any applications that does not reside within the Windows folder.  Yep, that's right, they won't be able to run Notepad because it resides in the System32 subfolder.  It also means that the majority of the modern apps will also be blocked; such as Paint3D and the XBOX  app.  Even the Microsoft Store app will be blocked.  Keep this in mind.  While a whitelist approach is more restrictive, it does mean you may end up creating a lot more rules than with a blacklist approach.  Again, in lieu of a whitelist, consider using an Assign Access profile.  I guess I have the topic for my next blog!

Until next time, happy AppLockering!

OK, so it's not precisely "nothing", but as a management summary it will do.

Currently we are in the preview phase of Windows Server 2019, which is almost ready for release. I had a look in our documentation for new functionality in Active Directory and I found ... nothing.

So I dug around a bit and started with the updates to the schema because new Active Directory features generally require a schema update. And yes, there is indeed an update. There is just one new file called sch87.ldf which adds just one new attribute called msDS-preferredDataLocation and raises the schema version to 88.

The new attribute is associated with users, groups and contacts. It is documented on MSDN which indeed says that it's a post-2016 update. What does it do? My best guess is that it is related to Azure Active Directory which also has this attribute. That's all I could find for now.

Another good question would be: are there new forest or domain functional levels? And the answer is, for the first time: no. The highest functional level offered by dcpromo and other GUI tooling is "Windows Server" (obviously a to-be-fixed label), and it corresponds to Windows Server 2016.

That's interesting. In all earlier versions of Active Directory you could use the Domain Functional to make sure you could not install DCs with earlier operating systems. Because there is no functional level for Windows Server 2019 you cannot enforce using Windows Server 2019 DCs only. At best you could enforce a mix of 2016 and 2019.

Other than that I am aware of some bug fixes and internal optimizations, but that's about it. I guess that the good news is that Active Directory backwards compatibility with Windows Server 2016 will be very good. Any application or device that works with Windows Server 2016 should have no problem with Windows Server 2019.

As usual, "working" and "supported" are very different concepts, so keep that in mind. In particular Exchange and Lync (sorry, Skype for Business) are famous for being very strict with supporting new Active Directory versions.

The mandatory caveat here is that Windows Server 2019 is not final yet, and that it would not be the first time if there would be a post-BETA but pre-RTM update to Active Directory. Don't bet on it, though. The fact that there is no new functional level says enough.

So, summarizing, what new stuff do we have for Active Directory 2019 compared to Active Directory 2016?

1. one new attribute with an as-yet unknown function.
2. no new functional levels, which is a first.
3. Backwards compatibility should be better than ever.

Almost nothing

Por: Beth Watson, directora de mercadotecnia para socios de educación en Microsoft.

Con el inicio del nuevo año escolar en el hemisferio occidental, pensamos que sería útil revisar algunas de las aplicaciones lanzadas de manera reciente en Microsoft Store for Education. Estas aplicaciones trabajan de manera fluida dentro del ecosistema de Microsoft Education para permitirnos impulsar a cada estudiante a que consiga más.

Mindsets Learning tiene un apasionado enfoque en preparar a los estudiantes para el éxito en la universidad, su carrera y más allá. Este enfoque es lo que los impulsa a diario. De manera reciente, lanzaron Mindsets Challenges, una librería digital basada en consultas, con lecciones del mundo real para matemáticas K12, ciencias y STEM. Todo el contenido de Mindsets Challenges está alineado para cumplir los estándares para matemáticas (CCSS) y ciencias (NGSS).

Los estudiantes colaboran, predicen, analizan y aplican sus habilidades matemáticas para resolver un reto del mundo real a través de pensamiento creativo y mentalidad de emprendedores. Los educadores pueden monitorear y dar mentoría a los estudiantes a través de datos en tiempo real y herramientas facilitadoras que brinda la aplicación, ahora disponible en Microsoft Store for Education.

Las lecciones de música no volverán a ser las mismas con Flute Master de Classplash, una compañía fundada por un educador con una pasión por crear contenido digital sustentable para la educación musical.

¡Con Flute Master, los estudiantes aprenderán cómo tocar la flauta dulce! ¡Es fácil y muy divertida! Pueden tocar una flauta real y el sonido será reconocido a través del micrófono. Flute Master presenta una historia inmersiva, adorables animaciones e incluye 30 pistar musicales originales que de manera gradual, enseñan cada nota en la flauta.

Además de aprender cómo tocar un instrumento real, mejorarán su música, afinarán habilidades motrices y progresarán en su lectura fuera del campo visual al utilizar la partitura para que acompañe a cada pista.

El camino de Shape Robotics comenzó en 2011 fuera de Copenhague, en la Universidad Técnica de Dinamarca.

Moisés Pacheco y David Johan Christensen, profesor asociado e investigador de robótica de manera respectiva, compartían la misma visión: desarrollar un sistema robótico que fuera muy sencillo de utilizar, incluso para los alumnos más jóvenes de una escuela. Esto resultó en el lanzamiento de Fable Robotics System, un robot modular que les permite construir robots avanzados personalizados en segundos.

Fable Blockly es la aplicación oficial de programación de Windows 10 que permite a Fable convertirse en un Fable caminante, un Fable social, un Fable en forma de víbora, e incluso un Fable industrial que puede realizar tareas como clasificar colores.

Muchos profesores enseñan con texto, pero 65% de los estudiantes aprenden a través de visuales. Squigl resuelve este problema.

Squigl es un software que utiliza IA para permitir a profesores y estudiantes transformar su texto en presentaciones visuales animadas en cuestión de minutos. Conforme un usuario ingresa texto en Squigl, y con unos cuantos clics, se produce un video animado.

Squigl permite a cualquier persona crear videos animados en minutos con facilidad. Un estudiante ingresa texto en Squigl o a través de Word, y con unos cuantos clics se produce un video animado. Squigl genera un paquete completo que incluye un MP4, un archivo de sonido, un documento PDF con formato especial, y los recursos digitales utilizados en el proyecto para su consumo en otros sistemas.

Vidigami es una plataforma de gestión de medios colaborativa, privada y segura, diseñada en exclusiva para las escuelas. Es una aplicación sólo para miembros, basada en la nube, disponible en web y en móvil que permite al personal, profesores, familias, y estudiantes, colaborar en auténticas memorias escolares.

Fotos y videos de cualquier cosa, desde eventos deportivos a viajes de campo a proyectos de clase y trabajo artístico puede ser capturado de manera sencilla, centralizado en un solo lugar, organizado de manera inteligente, y por último, compartido de manera privada con otros miembros de la comunidad, para que puedan ser archivados de manera sencilla y transformados en contenido increíble para motivación, educación y más.

Para conocer más acerca de estas soluciones y miles de otras aplicaciones que pueden apoyarlos, por favor visiten Microsoft Store for Education.

日本マイクロソフト株式会社 (本社: 東京都港区) は、Xbox One 用サバイバル シューティング ゲーム『PLAYERUNKNOWN’S BATTLEGROUNDS 製品版』を 2018 年 9 月 4 日 (火) より、パッケージ版参考価格 2,900 円 (税抜)、ダウンロード版参考価格 2,685 円 (税抜) で発売します。

『PLAYERUNKNOWN‘S BATTLEGROUNDS』は、ただ 1 人の生き残りになるまで戦う激しいサバイバル バトルにプレイヤーを放り込みます。1 人またはチーム戦で補給物資を奪い、武器を見つけて戦い、アドレナリン全開となるハプニング満載でスリリングなバトルを勝ち抜き、最後の生き残りを目指すシューティング ゲームです。

昨年から「ゲーム プレビュー版」として多くのプレイヤーにプレイされてきましたが、製品版となった本製品は、オリジナル マップの Erangel、砂漠をテーマにした Miramar の他に、新しく Sanhok を追加し、合計 3 つのマップを収録しています。さらにパッケージ版はゲーム内で利用できるコスチューム、アクセサリーなどのオリジナル ダウンロード コンテンツを同梱しています。

また、Xbox One X Enhanced に対応し、Xbox One X でプレイすれば、より高解像度の美しい画面でプレイすることができます。

主な特徴

戦場が待っている

プレイヤーは離島にパラシュートで降下。持ち物は衣類だけ。自分の頭脳だけを頼りに武器を探索、発見、奪取したり、車両を使用して補給物資を見つけたりしながら、激しい戦闘に備えろ。

1 人で戦うか、チームで戦うか

ソロ、デュオ、または 4 人グループのスクワッドで、敵プレイヤーを倒し、激しい戦闘を勝ち抜いてただ 1 人の生き残りとなることを目指せ。

勝利をつかめ！

マップ上のすべてのプレイヤーを倒し、ただ 1 人の生き残りとなり勝利をつかめ！
勝った！勝った！夕飯はドン勝だ！！ これは遊びではない。バトル ロワイヤルだ。

ゲーム プレビュー版のアップデートについて

すでに『PLAYERUNKNOWN‘S BATTLEGROUNDS (ゲーム プレビュー版)』をお持ちの方は、アップデートにより製品版に更新することができます。
また、今後追加される予定のマップや機能なども製品版と同様に追加され、製品版購入ユーザーとプレイすることができます。

製品基本情報

『PLAYERUNKNOWN’S BATTLEGROUNDS 製品版』

＊Microsoft、Kinect、Xbox、Xbox 360、Xbox Live、Xbox One、Xbox One、Xbox 関連ロゴは米国 Microsoft Corporation および / またはその関連会社の登録商標または商標です。
＊その他、記載されている会社名、製品名は、各社の登録商標または商標です。

関連情報

• 『PlayerUnknown’s Battlegrounds』に新たな砂漠マップ「Miramar」が登場
• 発売まであと 1 週間! Xbox One 用『PlayerUnknown’s Battlegrounds』最新情報
• Xbox One 用『PlayerUnknown’s Battlegrounds』を 2017 年 12 月 12 日 (火) に発売

日本マイクロソフト株式会社 (本社: 東京都港区) は、『Xbox One X』に『Forza Horizon 4』および『Forza Motorsport 7』のダウンロード版を同梱した『Xbox One X (Forza Horizon 4/Forza Motorsport 7 同梱版)』を 2018 年 10 月 2 日 (火) より 49,980 円 (税抜参考価格) ^※1 で全国の Xbox 製品取り扱い販売店で発売します。

また、『Xbox One S』に『Forza Horizon 4』のダウンロード版を同梱した『Xbox One S 1 TB (Forza Horizon 4 同梱版)』を同日 2018 年 10 月 2 日 (火) より 29,980 円 (税抜参考価格) ^※1 で全国の Xbox 製品取り扱い販売店で発売します。

『Forza Horizon 4』 は、450 種以上のクルマを集め、改造し、シングルまたはマルチプレイでイギリスの美しいオープンワールドを駆け抜けるレーシング ゲームです。プレイヤーは、四季の変化によりコースがダイナミックに変化するオープンワールドで行われる世界最高峰のモータースポーツ フェスティバルに参加し、レースやスタント、そして探索など、自分の道を開拓し、Horizon のスーパースターを目指します。

Xbox One X では、対応した TV に接続することにより、同梱の『Forza Horizon 4』および『Forza Motorsport 7』を美しい 4K HDR (ハイ ダイナミック レンジ) のより幅広い明暗表現と豊かな色域の映像でプレイすることができます。Xbox One S では同梱の『Forza Horizon 4』を HD HDR 映像でプレイすることができます。また、両製品ともに本体には 4K Ultra HD Blu-ray ディスク ドライブを内蔵し、対応した TV であればストリーミングで 4K 映像を視聴できるだけでなく、4K Ultra HD Blu-ray ディスクプレイヤーとしても楽しむことができます。

『Forza Horizon 4』および『Forza Motorsport 7』は、ともに Xbox Play Anywhere に対応しており、Xbox One と Windows 10 PC の両デバイスでゲームをダウンロードしてプレイできます。また、ゲームの進行とオンライン マルチプレイは、Xbox Live を通じて両機種間で楽しむことが可能です。

Xbox One X について
『Xbox One X』は、従来の据え置き型ゲーム機と比較して大幅に性能を向上させ、真の 4K ゲームを体験できるよう新たに開発された Xbox One ファミリーの上位機種です。大作ゲームをより美しい画面とよりスムーズな描画でプレイでき、ロード時間も短縮されるなどより没入感のある体験ができます。本体には 4K Ultra HD Blu-ray ディスク ドライブを内蔵し、ストリーミングで 4K 映像を楽しめるだけでなく、Ultra HD Blu-ray ディスク プレイヤーとしてもお使いいただけます。

Xbox One S について
『Xbox One S』は、従来の Xbox One から本体体積を約 40% 小型化し、AC アダプターを内蔵した新しい Xbox One です。本体には 4K Ultra HD Blu-ray ディスク ドライブを内蔵し、ストリーミングで 4K 映像を楽しめるだけでなく、Ultra HD Blu-ray ディスク プレイヤーとしてもお使いいただけます。

製品基本情報

『Xbox One X (Forza Horizon 4/Forza Motorsport 7 同梱版)』

製品基本情報

『Xbox One S 1 TB (Forza Horizon 4 同梱版)』

Today's tip...

Question of the Day

Q: My customer saw this article: , “Microsoft plans to add native support for Virtual Machines in Windows 10 and is confused. Windows already has native virtual machines with Hyper-V. What is this?

A: Short answer and detailed answer below.

Short answer

First, Windows 10 already includes native virtual machine support it’s called Hyper-V. You do not need to use any third party apps if you want to use virtual machines on your Windows device. In fact, Windows has had virtualization built-in Windows for six years starting with Windows 8.x and continuing in Windows 10. To get started creating virtual machines with Hyper-V in Windows 10 the docs are here.

We’re in the process of changing the way Hyper-V and its components are packaged and how those appear in the dialog to Turn Windows features on or off. For that reason, you’re seeing some of the items changing in the dialog to Turn Windows Features on or off and why there’s currently an item  that appears as “Virtual Machines.” This name isn’t final and it will likely change to avoid any further confusion. We’re in the process of documenting these changes so apologies for any confusion this may have caused in the meantime.

In short, Windows has offered native virtualization for years and will continue to do so. We’re just doing a little component reorganization.

--------------------------------------------------------------------------------------------------------

Detailed answer

First, Windows 10 already includes native virtual machine support it’s called Hyper-V. You do not need to use any third party apps if you want to use virtual machines on your Windows device. In fact, Windows has had virtualization built-in Windows for six years starting with Windows 8.x and continuing in Windows 10. To get started creating virtual machines with Hyper-V in Windows 10 the docs are here.

While we use Hyper-V as the name for the overarching technology for delivering virtual machines, Hyper-V consists of many components. For example, there’s the hypervisor platform, the virtualization I/O stack, and the management stack among other technologies. The point being that there are numerous components that make up Hyper-V. Here’s a screenshot that illustrates this fact:

Throughout Microsoft, Hyper-V is incredibly popular and is used in Azure, Azure Stack, Windows and Windows Server (among others) and its use is growing. Let me give you a few examples of how Hyper-V and Hyper-V technologies are used within Windows.

1. Virtual Machines. Within Windows, Hyper-V (as a whole) provide the ability to create and run virtual machines. It’s fast, flexible, secure and consistent with Windows Server and Azure.
2. Security. To greatly increase security, a small portion of Hyper-V (just the hypervisor) is used to provide virtualization based security which has helped completely mitigate some attack vectors such as pass-the-hash and pass-the-ticket. FYI, this scenario has nothing to do with virtual machines…
3. Container Isolation. Containers that use Hyper-V isolation get tremendous benefit because they mitigate concerns about using a shared kernel in regulated environments and provide the ability to run Windows and Linux containers on the same system among other benefits. To provide this benefit, some Hyper-V components are used to provide this isolation.

In some of these examples (like 2 & 3), these scenarios don’t need all the components that make up Hyper-V and thus we want to enable only the necessary components as appropriate. To do so, we’re in the process of changing the way Hyper-V and its components are packaged and how those appear in the dialog to Turn Windows features on or off. For that reason, you’re seeing some of the items changing in the dialog to Turn Windows Features on or off and why there’s currently an item  that appears as “Virtual Machines.” This name isn’t final and it will likely change to avoid any further confusion. We’re in the process of documenting these changes so apologies for any confusion this may have caused in the meantime.

In short, Windows has offered native virtualization for years and will continue to do so. We’re just doing a little component reorganization.