Channel: TechNet Blogs

NFC-based Android Enterprise device enrollment with Microsoft Intune


I am pleased to have Chris Baldwin from Microsoft as a guest blogger this month. Chris is a Principal PM for Android on the Intune Engineering team. Chris has been working in the Android space for the past couple of years and leads delivery of Android Enterprise features.

 

NFC-based Android Enterprise device enrollment with Microsoft Intune – By Chris Baldwin, Principal PM, Microsoft Corporation

For corp-owned Android Enterprise devices (technically referred to as devices in "device owner" mode) there are a number of streamlined enrollment methods available. Depending on your Android version it's possible to enroll devices with a QR code, by manually entering a short enrollment string, or through Google's Android zero-touch enrollment service (basically, Android's answer to Apple's Device Enrollment Program). It's also possible to use NFC to perform enrollment, which makes provisioning devices as easy as tapping them on a specially formatted NFC tag. This blog will explain how you can use a couple of inexpensive and readily available tools to program your own NFC tags to use for Intune device enrollment.

Android Enterprise for BYOD and corp-owned devices

There are two core ways to manage Android Enterprise devices depending on whether the device belongs personally to the end user of the device (BYOD) or if the device is corp-liable, an asset owned by your organization. Those modes are:

  • Work profile – in this mode of management the end user self-initiates enrollment with a device they own. The enrollment process creates a new, MDM-managed work profile on the device that sits alongside the user's personal profile. The work profile is managed by the IT admin and the personal profile is not. This provides both privacy assurances to end users because their personal profile remains unmanaged, and data protection assurances to the IT admin because the work content is containerized and manageable.

     

  • Device owner – in this mode the device is fully managed (it is analogous to supervised mode on an iOS device). Device owner mode is unique in that there are two main deployment scenarios that can be configured when devices are in this mode: Dedicated devices, which are userless, heavily locked-down kiosk-style devices ideal for task worker usage, and Fully Managed devices, which are associated with a user's AAD account and are intended for core productivity usage (calling, messaging, Outlook, Office apps, and so on). Enrollment of device owner devices is also unique in that the device must be fully factory reset to be enrolled.

As of the writing of this blog, Intune supports work profile mode and the Dedicated (kiosk) device owner deployment scenario. Fully Managed support is currently being built and we expect it to be in public preview by the end of 2018, with general production support available in Q2 of 2019.

Why use NFC?

There are a couple reasons why using NFC-based enrollment might be useful for your scenario. First, it's the only device owner enrollment mechanism that is supported on Android version 5.1. If you are using 6.0 and up there are additional options. Second, it's very easy to use. You can program your NFC enrollment tag with Wi-Fi connection information, so you don't need to perform any steps to enroll the device beyond tapping it. As a reminder, NFC enrollment is available on device owner devices only, and won't work for work profiles.

What you'll need

For NFC-based enrollment, you'll need two items:

  1. Blank NFC tags. I used NTAG216 NFC tags, however you may use any tags that you'd like. One thing to remember is NFC cards come with varying amounts of capacity in bytes. You'll want to be sure that you buy ones with enough byte capacity to store all the NFC data necessary for enrollment. The amount of capacity you'll need varies depending on how many options you put into your NFC data, but at minimum you'll need 561 bytes. More will be required if you add Wi-Fi connection options. The NTAG216 tags I used have a usable capacity of 888 bytes.
  2. Once you have the blank tags, you'll need something to imprint/write the correct data onto the tags. You may use any NFC tool that you choose as long as it's capable of writing NFC tags with an arbitrary mimetype. I demonstrate the process later in this post using the NFC Tools PRO app from the Play Store.

Steps to follow

Guidelines

  • The NFC data that will be written to the NFC tags needs to be of a very specific format and will contain a lot of boilerplate data.
  • There is a portion of the tag data that you can copy and paste directly from this post because it will be identical for every Intune enrollment.
  • There is also part of the tag data that must be changed to match the enrollment token generated in your Intune tenant.
  • Finally, there are optional NFC data parts that you can choose to use if you want to use the tag to automatically turn on Wi-Fi during the NFC provisioning process.

Step 1: Format your NFC data

Tag data that must be copy-pasted as-is

The following NFC data lines must be entered precisely as they appear here. These lines tell the device where to download the MDM agent from and ensure that it is installed properly:

android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION=https://play.google.com/managed/downloadManagingApp?identifier=setup
android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM=I5YvS0O5hXY46mb01BlRjq4oJJGs2kuUcHvVkAPEXlg
android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME=com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver

Tag data you must change for your tenant

The line below must be copied precisely as it appears, except that you must change the enrollment token at the end of the line (the text after EXTRA_ENROLLMENT_TOKEN=, highlighted in yellow in the original post) to match the enrollment token you want to use for the device enrollment. This should match the token text that is displayed in the Intune admin console. This is what will associate your NFC enrollment with your Intune tenant.

android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE=com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN=NMEFNXHOVYMEMSSLBRSR

Optional tags you can use for Wi-Fi connections

Optionally, you can use these lines to tell the device to automatically connect to a Wi-Fi network that it'll use to perform enrollment. For example, these are the lines I used to connect to an open authentication network in my office called "MSFTGUEST":

android.app.extra.PROVISIONING_WIFI_SSID="MSFTGUEST"
android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE=NONE
android.app.extra.PROVISIONING_WIFI_PASSWORD=

Note: I have observed that the PROVISIONING_WIFI_PASSWORD line must be included even if there is no password required for the network. It seems like a quirk that shouldn't be necessary, however I have seen devices fail provisioning without it. The valid options for security type are NONE, WPA, and WEP.
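The Step 1 formatting rules can be scripted so that every tag is built the same way and checked against the tag capacity before it is written. The following is an added example, not code from the original post; the function name, the FramingReserveBytes headroom and the line-break check are assumptions of this example, and the token shown is the sample value from the post.

```powershell
# Added example (not from the original post): assemble the Step 1 tag data and
# check that it fits on the tag before writing it with an NFC tool.
function New-NfcProvisioningPayload {
    [CmdletBinding()]
    param(
        # Enrollment token exactly as displayed in the Intune admin console.
        [Parameter(Mandatory = $true)]
        [string] $EnrollmentToken,

        # Optional Wi-Fi settings. Leave WifiSsid empty to omit the Wi-Fi lines.
        [string] $WifiSsid = '',
        [ValidateSet('NONE', 'WPA', 'WEP')]
        [string] $WifiSecurityType = 'NONE',
        [string] $WifiPassword = '',

        # Usable capacity of the tag in bytes (888 for the NTAG216 tags in the post).
        [int] $TagCapacityBytes = 888,

        # Assumption: bytes kept free for the record framing the NFC tool adds.
        [int] $FramingReserveBytes = 64
    )

    # Each setting is one "key=value" line, so a line break inside a value would
    # place an extra, unintended provisioning setting on the tag. Reject it.
    foreach ($value in @($EnrollmentToken, $WifiSsid, $WifiPassword)) {
        if ($value -match '[\r\n]') { throw 'Values must not contain line breaks.' }
    }
    if ($EnrollmentToken -match '\s') {
        throw 'The enrollment token must not contain whitespace.'
    }
    if ($WifiSsid -and $WifiSecurityType -ne 'NONE' -and -not $WifiPassword) {
        throw "Wi-Fi security type $WifiSecurityType requires a password."
    }

    $prefix = 'android.app.extra.'
    # Lines that are identical for every Intune enrollment, plus the token line.
    $lines = @(
        "${prefix}PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION=https://play.google.com/managed/downloadManagingApp?identifier=setup"
        "${prefix}PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM=I5YvS0O5hXY46mb01BlRjq4oJJGs2kuUcHvVkAPEXlg"
        "${prefix}PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME=com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver"
        "${prefix}PROVISIONING_ADMIN_EXTRAS_BUNDLE=com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN=$EnrollmentToken"
    )
    if ($WifiSsid) {
        $lines += "${prefix}PROVISIONING_WIFI_SSID=`"$WifiSsid`""
        $lines += "${prefix}PROVISIONING_WIFI_SECURITY_TYPE=$($WifiSecurityType.ToUpperInvariant())"
        # The password line is always written, even when empty (see the note above).
        $lines += "${prefix}PROVISIONING_WIFI_PASSWORD=$WifiPassword"
    }

    $payload = $lines -join "`n"
    $payloadBytes = [System.Text.Encoding]::UTF8.GetByteCount($payload)

    [pscustomobject]@{
        Payload      = $payload
        PayloadBytes = $payloadBytes
        FitsOnTag    = ($payloadBytes + $FramingReserveBytes) -le $TagCapacityBytes
        # The tag stores this text unencrypted, so any NFC reader can recover it.
        HoldsSecrets = [bool]($EnrollmentToken -or $WifiPassword)
    }
}

# Constructed sample input: the token below is the sample from the post.
$tag = New-NfcProvisioningPayload -EnrollmentToken 'NMEFNXHOVYMEMSSLBRSR' -WifiSsid 'MSFTGUEST'
$tag | Format-List PayloadBytes, FitsOnTag, HoldsSecrets
$tag.Payload
```

Paste the Payload text into the Data field in Step 2. Because the tag holds the enrollment token and any Wi-Fi password as readable text, store programmed tags like any other credential.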

Step 2: Configure the app with the tag data

As a reminder, I'm using the NFC Tools PRO app to demonstrate the enrollment process, however you may use your tool of choice for writing NFC data.

  1. Under the Write tab, select Add a record
  2. Scroll to the bottom and select Data: Add custom record
  3. In the content-type field enter "application" in the first textbox and then "managedprovisioning" in the second (without the quotes)
  4. In the Data: field enter the big NFC data blob that you formatted in the step above. It should look close to this:

     

     

  5. Tap OK

Step 3: Write your NFC data to the tags

 

  1. Tap Write
  2. Bump your device against your blank NFC tag

Step 4: Enroll devices!

Now that you have your properly formatted and programmed NFC tag from Step 3, the only thing left to do is to enroll devices. You can do this on any Android 5.1 or above device:

  1. Factory reset the device (this is a necessary step for any device owner provisioning)
  2. Once the device is reset and is on the initial welcome screen, bump the device against your NFC tag
  3. Tap OK

From this point on, the device will enroll into Intune using the enrollment token you specified in your NFC data. You can use the same NFC tag again and again to quickly bulk provision a large number of devices. If needed, you may reprogram the tags with different enrollment tokens as well.

Conclusion

NFC is one of the lesser known enrollment techniques for Android Enterprise, however it can also be one of the most powerful because of how easy it is to kick off device enrollment once you get the tags properly programmed. I hope you found this useful!

 


About Extranet Lockout


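Hello, this is Hirakata from Azure Identity.

Are any readers of this blog currently struggling with symptoms like the following?

  • On-premises AD accounts are frequently locked out in an AD FS environment

  • The lockouts are caused by authentication from the AD FS server

If account lockouts are very frequent and affect many different accounts, they may be caused by a password spray attack.

In addition, if the failed logons that lead to the lockouts come through AD FS, it is likely that password spray attempts are being made from the internet against the WAP (Web Application Proxy).

This post introduces the Extranet Lockout feature, which counters password spray attacks from outside in an AD FS environment, and explains how to configure it.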

 

 

------------------------------------------------------

What is a password spray attack?

------------------------------------------------------

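A password spray attack is an attack technique that attempts logons against multiple different accounts using passwords that many people commonly choose.

For details, please see the blog post we published recently.

Azure AD and AD FS best practices: Defending against password spray attacks

https://blogs.technet.microsoft.com/jpazureid/2018/03/19/password-spray/

A pattern we often see is a password spray attack against AD FS carried out via Office 365.

A characteristic of attacks over this path is that they use active authentication such as IMAP and SMTP, so the IP addresses recorded on your AD FS appear to be authentication attempts from the IP address ranges used by Exchange Online.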

 

 

------------------------------------------------------

What is Extranet Lockout?

------------------------------------------------------

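With authentication via WAP, the authentication request is forwarded to AD FS, which uses the user name and password contained in the request to authenticate against the on-premises AD with Kerberos. If the password is wrong at this point, authentication fails and the account lockout counter in the on-premises AD is incremented. When this is attempted repeatedly, the account is locked out, and authentication requests that do not come through WAP are blocked as well.

Extranet Lockout is a feature that sets a lockout threshold separate from the internal account lockout counter, so that only external authentication requests via WAP are blocked and lockout of the on-premises AD account is prevented. Before Kerberos authentication is performed against the on-premises AD for a request via WAP, the AD bad password count (badpwdcount) is checked. If the count is equal to or greater than the Extranet Lockout threshold configured in AD FS, AD FS fails the authentication without sending an authentication request to AD.

As a result, lockouts are prevented from being triggered via WAP.

We have recommended this setting to many customers and confirmed that it was effective.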

 

 

------------------------------------------------------

Points to consider when configuring Extranet Lockout

------------------------------------------------------

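The overview of how Extranet Lockout works is as described above; here are the points to consider when you actually configure it.

  1. Communication between AD FS and the DC that holds the PDC emulator role
  2. The on-premises AD account lockout threshold
  3. The AD FS OS (Windows Server 2012 R2 or later required)

  1. Communication between AD FS and the DC that holds the PDC emulator role

With Extranet Lockout, when an authentication request arrives via WAP, AD FS communicates with the PDC emulator and checks the badpwdcount value of the user account.

Therefore, the environment must be configured so that AD FS and the PDC emulator can communicate.

  2. The on-premises account lockout threshold

The threshold specified for Extranet Lockout must be decided based on the on-premises account lockout values.

If this threshold is set incorrectly, the AD account lockout occurs before Extranet Lockout triggers, which defeats the purpose.

Broadly, configure it as follows.

Extranet Lockout threshold (ExtranetLockoutThreshold): set it lower than the on-premises account lockout threshold.

Extranet Lockout observation window (ExtranetObservationWindow): set it longer than the reset time of the on-premises lockout counter.

  3. The AD FS OS (Windows Server 2012 R2 or later required)

The Extranet Lockout feature is available in AD FS on Windows Server 2012 R2 or later.

Starting with Windows Server 2016, an option named ExtranetLockoutRequirePDC was added.

Setting the value to false makes AD FS communicate with another domain controller to make the lockout decision when it cannot communicate with the PDC.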

 

- References

Configure AD FS Extranet Lockout Protection

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-soft-lockout-protection

 

 

------------------------------------------------------

How to configure Extranet Lockout

------------------------------------------------------

Start PowerShell on the primary AD FS server and run the following command.

 

Set-AdfsProperties -EnableExtranetLockout $true -ExtranetLockoutThreshold <count> -ExtranetObservationWindow (new-timespan -Minutes <minutes>)

 

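The setting takes effect immediately after the command is run.

No restart is required.

// Configuration example

Suppose the on-premises account lockout threshold is 10 attempts and the account lockout reset counter is 15 minutes.

Set ExtranetLockoutThreshold to less than the account lockout threshold of 10, and ExtranetObservationWindow to a value greater than the 15 minutes of the reset counter.

In this case, configure it as follows, for example.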

 

Set-AdfsProperties -EnableExtranetLockout $true -ExtranetLockoutThreshold 5 -ExtranetObservationWindow (new-timespan -Minutes 16)
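The two sizing rules above can be checked mechanically before and after a change. The following is an added example, not code from the original post; Test-ExtranetLockoutSettings is a hypothetical helper, and the sample values are constructed (the first case is the configuration example from the post).

```powershell
# Added example (not from the original post): check AD FS Extranet Lockout values
# against the on-premises AD lockout policy using the two rules described above.
function Test-ExtranetLockoutSettings {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [int]      $AdLockoutThreshold,
        [Parameter(Mandatory = $true)] [timespan] $AdResetCounterAfter,
        [Parameter(Mandatory = $true)] [bool]     $ExtranetLockoutEnabled,
        [Parameter(Mandatory = $true)] [int]      $ExtranetLockoutThreshold,
        [Parameter(Mandatory = $true)] [timespan] $ExtranetObservationWindow
    )

    $findings = @()
    if (-not $ExtranetLockoutEnabled) {
        $findings += 'Extranet Lockout is disabled: WAP requests can lock out AD accounts.'
    }
    if ($AdLockoutThreshold -eq 0) {
        # An AD lockout threshold of 0 means accounts are never locked out.
        $findings += 'AD account lockout is disabled: no AD threshold to stay below.'
    }
    elseif ($ExtranetLockoutThreshold -ge $AdLockoutThreshold) {
        $findings += "ExtranetLockoutThreshold ($ExtranetLockoutThreshold) must be lower than " +
                     "the AD lockout threshold ($AdLockoutThreshold)."
    }
    if ($ExtranetObservationWindow -le $AdResetCounterAfter) {
        $findings += "ExtranetObservationWindow ($ExtranetObservationWindow) must be longer than " +
                     "the AD lockout counter reset time ($AdResetCounterAfter)."
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# On a live system the inputs can be read with the ActiveDirectory and ADFS modules:
#   $ad   = Get-ADDefaultDomainPasswordPolicy  # LockoutThreshold, LockoutObservationWindow
#   $adfs = Get-AdfsProperties                 # ExtranetLockoutEnabled, ExtranetLockoutThreshold,
#                                              # ExtranetObservationWindow

# Constructed sample inputs.
$cases = @(
    @{ Name = 'Example from the post'
       AdLockoutThreshold = 10; AdResetCounterAfter = (New-TimeSpan -Minutes 15)
       ExtranetLockoutEnabled = $true; ExtranetLockoutThreshold = 5
       ExtranetObservationWindow = (New-TimeSpan -Minutes 16) }
    @{ Name = 'Threshold equal to AD, window too short'
       AdLockoutThreshold = 10; AdResetCounterAfter = (New-TimeSpan -Minutes 15)
       ExtranetLockoutEnabled = $true; ExtranetLockoutThreshold = 10
       ExtranetObservationWindow = (New-TimeSpan -Minutes 15) }
)

foreach ($case in $cases) {
    $name = $case.Name
    $case.Remove('Name')
    $result = Test-ExtranetLockoutSettings @case
    '{0}: Compliant={1}' -f $name, $result.Compliant
    $result.Findings | ForEach-Object { "  - $_" }
}
```

The first case reports Compliant=True; the second reports both findings, because AD would lock the account at the same attempt count and its counter resets no later than the AD FS window.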

 

 

------------------------------------------------------

Reference: How to read authentication failure logs

------------------------------------------------------

By enabling AD FS audit logging, you can determine where authentication requests to AD FS are coming from.

// Security event log entry recorded on AD FS when a wrong password is entered

------------------------------------------------------

ログの名前:         Security

ソース:           Microsoft-Windows-Security-Auditing

日付:           2018/09/XX XX:XX:XX

イベント ID:       4625

タスクのカテゴリ:     ログオン

レベル:           情報

キーワード:         失敗の監査

ユーザー:         N/A

コンピューター:       ADFS01.contoso.com

 

アカウントがログオンに失敗しました。

 

サブジェクト:

セキュリティ ID:                CONTOSO\gmsa-adfs01$

アカウント名:                gmsa-adfs01$

アカウント ドメイン:                CONTOSO

ログオン ID:                0x64D79

 

ログオン タイプ:                        3

 

ログオンを失敗したアカウント:

セキュリティ ID:                NULL SID

アカウント名:                user01@contoso.com

アカウント ドメイン:

 

エラー情報:

失敗の原因:                ユーザー名を認識できないか、またはパスワードが間違っています。

状態:                        0xC000006D

サブ ステータス:                0xC000006A

 

プロセス情報:

呼び出し側プロセス ID:        0x7a8

呼び出し側プロセス名:        C:\Windows\ADFS\Microsoft.IdentityServer.ServiceHost.exe

 

ネットワーク情報:

ワークステーション名:        AZ-ADFS01

ソース ネットワーク アドレス:        -

ソース ポート:                -

------------------------------------------------------

 

 

// Event log entry recorded when active authentication is performed with AD FS audit logging enabled and a wrong password is entered

------------------------------------------------------

ログの名前:         Security

ソース:           AD FS Auditing

日付:           2018/09/XX XX:XX:XX

イベント ID:       411

タスクのカテゴリ:     (3)

レベル:           情報

キーワード:         クラシック,失敗の監査

ユーザー:         CONTOSO\gmsa-adfs01$

コンピューター:       ADFS01.contoso.com

 

 

トークンの検証に失敗しました。詳細については内部例外を参照してください。

 

追加データ

 

Activity ID: 00000000-0000-0000-0000-000000000000

 

トークンの種類:

http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName

 

クライアント IP:

20.188.200.100,40.101.146.181 <<<<<<<<<<<<<< When the request comes via Exchange Online, two IP addresses are recorded: the Exchange Online IP address and the IP address of the access source.

 

エラー メッセージ:

user01@contoso.com

 

例外情報:

System.IdentityModel.Tokens.SecurityTokenValidationException: user01@contoso.com

場所 Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)

------------------------------------------------------
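The client IP field of event 411 can be used to separate a password spray from ordinary mistyped passwords: a spray shows one source address failing for many different users. The following is an added example, not code from the original post; Find-PasswordSpraySource is a hypothetical helper, the records are constructed with documentation IP ranges, and it assumes the client IP and user name have already been extracted from each event.

```powershell
# Added example (not from the original post): group failed AD FS logons (event 411)
# by client IP and report addresses that fail for many distinct users.
function Find-PasswordSpraySource {
    [CmdletBinding()]
    param(
        # Records with a ClientIp field (may hold "ip1,ip2") and a User field.
        [Parameter(Mandatory = $true)] [object[]] $FailedLogon,
        # Number of distinct users from one address that is treated as suspicious.
        [int] $MinDistinctUsers = 3,
        # Known relay addresses (for example Exchange Online ranges) to ignore.
        [string[]] $RelayIp = @()
    )

    $usersByIp = @{}
    foreach ($logon in $FailedLogon) {
        # Via Exchange Online the field holds two addresses; count both, because
        # the order is not relied upon here.
        foreach ($address in ($logon.ClientIp -split ',')) {
            $ip = $address.Trim()
            if (-not $ip -or $RelayIp -contains $ip) { continue }
            if (-not $usersByIp.ContainsKey($ip)) { $usersByIp[$ip] = @{} }
            # PowerShell hashtable keys are case-insensitive, so User01 and user01
            # count as one account.
            $usersByIp[$ip][$logon.User] = $true
        }
    }

    foreach ($ip in $usersByIp.Keys) {
        $users = @($usersByIp[$ip].Keys | Sort-Object)
        if ($users.Count -ge $MinDistinctUsers) {
            [pscustomobject]@{
                SourceIp      = $ip
                DistinctUsers = $users.Count
                Users         = $users -join ', '
            }
        }
    }
}

# Constructed sample records: 198.51.100.10 plays the relay (Exchange Online) role.
$events = @(
    [pscustomobject]@{ ClientIp = '198.51.100.10,203.0.113.7'; User = 'user01@contoso.com' }
    [pscustomobject]@{ ClientIp = '198.51.100.10,203.0.113.7'; User = 'user02@contoso.com' }
    [pscustomobject]@{ ClientIp = '198.51.100.10,203.0.113.7'; User = 'user03@contoso.com' }
    [pscustomobject]@{ ClientIp = '198.51.100.10,203.0.113.7'; User = 'user04@contoso.com' }
    [pscustomobject]@{ ClientIp = '198.51.100.10,192.0.2.44';  User = 'user05@contoso.com' }
    [pscustomobject]@{ ClientIp = '198.51.100.10,192.0.2.44';  User = 'user05@contoso.com' }
    [pscustomobject]@{ ClientIp = '192.0.2.80';                User = 'user06@contoso.com' }
)

# Without a relay list the shared relay address is reported as well.
Find-PasswordSpraySource -FailedLogon $events | Sort-Object SourceIp

# With the relay excluded only the real source remains.
Find-PasswordSpraySource -FailedLogon $events -RelayIp '198.51.100.10'
```

With the relay address excluded, only 203.0.113.7 is reported (four distinct users); the single user who mistyped a password twice from 192.0.2.44 stays below the threshold.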

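We hope the above is of some help to you.
For official statements and answers about product behavior, our support department will provide them with a full understanding of your environment, so please make use of our support services.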

 

 

Azure Support Engineer information session and career consultation to be held


The Azure support organization is currently recruiting engineers.

Open positions include our own Azure Identity team, which handles Azure AD, AD FS, Azure AD Connect and more, as well as IaaS Networking/Platform.

Open positions

  • Support Engineer (Azure Identity)
  • Support Engineer (Azure IaaS Networking)
  • Support Engineer (Azure IaaS Platform)

 

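To explain the details, we will hold an information session on the open positions and a consultation session on careers at MS at the Shinagawa office on 2018/10/23 () from 19:00.
If you are interested, please register in advance via the link below and join us.

Azure Support Engineer information session and consultation registration form

If you have not seen this yet, please take a look → What makes being an Azure support engineer attractive and rewarding?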
https://japan.zdnet.com/extra/microsoft_support_201803/35116283/

 

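In the Azure Identity team alone, the number of support inquiries has doubled over the past year.

New people join nearly every month and the number of engineers has also doubled, so the office is getting cramped, but inquiries are expected to keep increasing, so we still need to continue hiring.

We look forward to the participation and applications of everyone who loves Azure! We will sort out the office somehow!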

Extending Hardware Inventory for System Center Configuration Manager


Hello everyone, Jonathan Warnken here, and I am a Premier Field Engineer (PFE) for Microsoft. I primarily support Configuration Manager and I have been getting a lot of questions recently on how to collect custom information and include it in the device inventory within Configuration Manager. I wanted to share one way to accomplish this that demonstrates some of the great ways to extend the built-in features. For this post, I am going to show how to capture the information about local machine certificates. I do want to take a moment to thank MVP Sherry Kissinger for this post with the base PowerShell script used to collect the certificate information.

#Disclaimer
The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.#

Now on to the good stuff. PowerShell makes it easy to get information about certificates. Using Get-ChildItem and selecting one certificate, we can see all the information available.

While you can collect all of this information, we are going to limit it to just the Thumbprint, Subject, Issuer, NotBefore, NotAfter, and FriendlyName. We are also going to add the custom values ExpiresinDays and ScriptLastRan. Next, we use a PowerShell script to collect the information and publish it to a custom WMI class.

https://github.com/mrbodean/AskPFE/blob/master/ConfigMgr%20Certificate%20Inventory/publish-CertInfo2WMI.ps1
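To show what the inventory record looks like, here is the collection half of that step only, as an added example that is not the linked publish-CertInfo2WMI.ps1 script and does not write to WMI. ConvertTo-CertInventoryRecord is a hypothetical helper; the field names follow the list above and the Location column used by the SQL query later in this post. It reads the local machine stores, so run it on a Windows client.

```powershell
# Added example (not the linked script): build one inventory record per certificate
# with the fields named above, including the computed ExpiresinDays value.
function ConvertTo-CertInventoryRecord {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,

        # Store the certificate was read from, for example LocalMachine\My.
        [Parameter(Mandatory = $true)]
        [string] $Location,

        # Single timestamp so every record of one run carries the same ScriptLastRan.
        [datetime] $Now = (Get-Date)
    )
    process {
        [pscustomobject]@{
            Location      = $Location
            Thumbprint    = $Certificate.Thumbprint
            Subject       = $Certificate.Subject
            Issuer        = $Certificate.Issuer
            NotBefore     = $Certificate.NotBefore
            NotAfter      = $Certificate.NotAfter
            FriendlyName  = $Certificate.FriendlyName
            # Negative values mean the certificate has already expired.
            ExpiresinDays = [int][math]::Floor(($Certificate.NotAfter - $Now).TotalDays)
            ScriptLastRan = $Now
        }
    }
}

# Personal, Trusted Publishers and Trusted Root stores of the local machine.
$stores = 'My', 'TrustedPublisher', 'Root'
$runTime = Get-Date

$inventory = foreach ($store in $stores) {
    Get-ChildItem -Path "Cert:\LocalMachine\$store" |
        ConvertTo-CertInventoryRecord -Location "LocalMachine\$store" -Now $runTime
}

# Certificates that expire within 30 days or are already expired.
$inventory |
    Where-Object { $_.ExpiresinDays -lt 30 } |
    Sort-Object ExpiresinDays |
    Format-Table Location, Thumbprint, ExpiresinDays, Subject -AutoSize
```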

Next, create a configuration item that uses the script to publish the certificates in the local machine personal, trusted publishers, and trusted root certificate stores to WMI, which allows the hardware inventory to collect the information.

  1. Download https://github.com/mrbodean/AskPFE/raw/master/ConfigMgr%20Certificate%20Inventory/Inventory%20Machine%20Certificates.cab to c:\temp\Examples
  2. Navigate to Assets and Compliance\Overview\Compliance Settings\Configuration Baselines
  3. Click on "Import Configuration Data" (You will find this as a button on the top toolbar or in the context menu when you right click on Configuration Baselines)
    1. Select C:\temp\Examples\Inventory Machine Certificates.cab
    2. Click Yes on the warning "The publisher of Inventory Machine Certificates.cab file could not be verified. Are you sure that you want to import this file?"
    3. Click next twice to progress through the wizard and once complete, click close.
  4. You will now see a new sub folder named Custom under Configuration Items (Assets and Compliance\Overview\Compliance Settings\Configuration Items\Custom) and a configuration item named "Inventory Machine Certificates" in the Custom folder.
  5. You will also see a Configuration baseline named "Inventory Machine Certificates"
    1. Deploy this baseline to a test collection

The documentation for using configuration items is available at:

https://docs.microsoft.com/en-us/sccm/compliance/deploy-use/configuration-items-for-devices-managed-with-the-client

https://docs.microsoft.com/en-us/sccm/compliance/deploy-use/create-configuration-baselines

https://docs.microsoft.com/en-us/sccm/compliance/deploy-use/deploy-configuration-baselines

https://docs.microsoft.com/en-us/sccm/compliance/deploy-use/monitor-compliance-settings

These steps will extend the Hardware Inventory to collect the certificate information that has been published in WMI. To extend the inventory you must use a MOF file. MOF files are a convenient way to change WMI settings and to transfer WMI objects between computers. For more info see https://technet.microsoft.com/en-us/library/cc180827.aspx

  1. Download https://raw.githubusercontent.com/mrbodean/AskPFE/master/ConfigMgr%20Certificate%20Inventory/CertInfo.mof to c:\temp\Examples
  2. Create a new Custom Device Client Setting (Administration\Overview\Client Settings)
    1. Name the setting "Custom HW Inventory" and only enable Hardware Inventory
    2. Select Hardware Inventory on the left just under General
      1. Ensure Enable hardware inventory on clients is set to yes
      2. The default schedule is for 7 days, update the schedule if you would like to change it
      3. Click the "Set Classes …" button
        1. Click on the "Import …" button
          1. Select the c:\temp\Examples\CertInfo.mof
        2. Once back on the Hardware Inventory Classes dialog ensure the CertInfo (cm_CertInfo) class is enabled
        3. Click Ok
      4. Click Ok (again)
    3. Deploy the "Custom HW Inventory" Client Setting to a test collection.

Once the configuration item runs and publishes the data into WMI, the next time hardware inventory runs for systems in the test collection the certificate information will be available for reporting in Configuration Manager.

These steps will create a console query that you can use to search for systems with a specific certificate thumbprint:

  1. Download https://raw.githubusercontent.com/mrbodean/AskPFE/master/ConfigMgr%20Certificate%20Inventory/Find_Cert_Query.MOF to c:\temp\Examples
  2. Navigate to Monitoring\Overview\Queries
  3. Click on "Import Objects"; this is available as a button on the top toolbar and in the context menu when you right click on Queries
    1. Click next to navigate through the wizard
    2. On the MOF File Name step, select c:\temp\Examples\Find_Cert_Query.MOF
  4. Once the import completes, you will see a query named "Find Machines with a Certificate by thumbprint"

  5. Once you have systems reporting the certificates as part of the inventory you can run this report
    1. When you run this report, it will prompt you for the thumbprint of a certificate to search for
    2. If any systems are found with the certificate the system name and the thumbprint will be returned by the query

This is a SQL query that can be used to view the certificate inventory data and can also be used as the basis for creating a custom report:

Select sys.Name0 as 'Name',
       Location0 as 'Certificate Location',
       FriendlyName0 as 'Friendly Name',
       ExpiresinDays0 as 'Expires in Days',
       Issuer0 as Issuer,
       NotAfter0 as 'Not After',
       NotBefore0 as 'Not Before',
       Subject0 as Subject,
       Thumbprint0 as Thumbprint,
       ScriptLastRan0 as 'Script last Ran'
from v_GS_CM_CERTINFO
Inner Join v_R_System as sys ON v_GS_CM_CERTINFO.ResourceID = sys.ResourceID

 

Thank you for reading, and I hope this helps you out!

Creating symbolic links with PowerShell DSC


Background

In an Azure Windows VM you automatically get a temporary disk drive mapped to D: (on Linux it's mapped to /dev/sdb1). It is temporary because the storage is assigned from the local storage on the physical host. So if your VM is re-deployed (due to host updates, host failures, resizing, etc.), the VM is recreated on a new host and the VM will be assigned a new temporary drive on the new host. The data on the temporary drive is not migrated, but the OS disk is obviously preserved from the vhd in your storage account or managed-disk.

The problem

In this specific scenario, the customer had a 3rd party legacy application that reads and writes from two directories in the D: drive. The directory paths were hard-coded in the application and the directories were a couple of gigabytes in size, so copying them to the temporary drive each time the VMs were deployed would be time and resource consuming.

Choosing a solution

After thorough testing of course, we decided to create two symbolic links from the D: drive to the real directories in the OS disk (where the directories were already present as part of the image). The symbolic-links creation would be accomplished with either the mklink command, or with the New-Item cmdlet in PowerShell 5.x.

Of course there are other methods of overcoming this challenge, such as switching the drive letters with a data-disk and moving the PageFile to the other drive letter. But we decided that the symbolic-links approach would be faster and wouldn't require an additional data-disk, and with it, additional costs.

The implementation

Since the creation of the symbolic-links would need to happen every time the VM is created (and redeployed), we ended up adding a PowerShell DSC extension to the VM in the ARM template. And since there were no built-in DSC Resources in the OS, nor in the DSC Resource Kit in the PowerShell gallery, that configure symbolic-links, we wrote a (quick-and-dirty) PowerShell module and the resource to create them.

Creating the module structure and the psm1 and schema.mof files is pretty easy when you're using the cmdlets from the xDSCResourceDesigner module:

Install-Module -Name xDSCResourceDesigner

$ModuleName = 'myModule'
$ResourceName = 'SymbolicLink'
$ModuleFolder = "C:\Program Files\WindowsPowerShell\Modules\$ModuleName"

New-xDscResource -Name $ResourceName -Property @(
    New-xDscResourceProperty -Name Path -Type String -Attribute Key
    New-xDscResourceProperty -Name TargetPath -Type String -Attribute Write
) -Path $ModuleFolder

cd $ModuleFolder
New-ModuleManifest -Path ".\$ModuleName.psd1"

The .psm1 resource file C:\Program Files\WindowsPowerShell\Modules\myModule\DSCResources\SymbolicLink\SymbolicLink.psm1 should contain the three *-TargetResource functions (Get, Set and Test):

function Get-TargetResource {
    [CmdletBinding()]
    [OutputType([System.Collections.Hashtable])]
    param (
        [parameter(Mandatory = $true)]
        [System.String]
        $Path
    )

    Write-Verbose "Getting SymbolicLink for $Path"

    $Root = Split-Path -Path $Path -Parent
    $LinkName = Split-Path -Path $Path -Leaf
    $TargetPath = $null

    $link = Get-Item -Path (Join-Path -Path $Root -ChildPath $LinkName) -ErrorAction SilentlyContinue
    if($link -and  $link.LinkType -eq 'SymbolicLink') { $TargetPath = $link.Target[0] }
    
    @{Path = $Path; TargetPath = $TargetPath}
}


function Set-TargetResource {
    [CmdletBinding()]
    param
    (
        [parameter(Mandatory = $true)]
        [System.String]
        $Path,

        [System.String]
        $TargetPath
    )

    Write-Verbose "Creating a SymbolicLink from $Path to $TargetPath"

    $Root = Split-Path -Path $Path -Parent
    $LinkName = Split-Path -Path $Path -Leaf
    Set-Location -Path $Root
    New-Item -ItemType SymbolicLink -Name $LinkName -Target $TargetPath | Out-Null
}


function Test-TargetResource {
    [CmdletBinding()]
    [OutputType([System.Boolean])]
    param (
        [parameter(Mandatory = $true)]
        [System.String]
        $Path,

        [System.String]
        $TargetPath
    )

    Write-Verbose "Testing SymbolicLink for $Path"

    $current = Get-TargetResource -Path $Path
    return (($current.Path -eq $Path) -and ($current.TargetPath -eq $TargetPath))
}

Export-ModuleMember -Function *-TargetResource

And in the configuration document, remember to import the DSC resources from the module:

configuration Main {

    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Import-DscResource -ModuleName myModule

    node localhost {

        SymbolicLink 'INPUT_DIR' {
            Path       = 'D:\INPUT_DIR'
            TargetPath = 'C:\PathTo\myLegacyApp\INPUT_DIR'
        }
        
        SymbolicLink 'OUTPUT_DIR' {
            Path       = 'D:\OUTPUT_DIR'
            TargetPath = 'C:\PathTo\myLegacyApp\OUTPUT_DIR'
        }
    }
}

Now, to create the zip file containing the configuration document and all required modules:

# Create the zip package
Publish-AzureRmVMDscConfiguration .\myDSC.ps1 -OutputArchivePath .\myDSC.zip

And upload it to the blob container (used in the ARM template):

# Variables
$storageAccountName = 'statweb'
$resourceGroupName = 'rg-statweb'

# Login to Azure
Login-AzureRmAccount

# Get the Storage Account authentication key
$keys = Get-AzureRmStorageAccountKey -ResourceGroupName $resourceGroupName -Name $storageAccountName

# Create a Storage Authentication Context
$context = New-AzureStorageContext -StorageAccountName $storageAccountName -StorageAccountKey $keys.Item(0).value

# Upload the file to the blob container
Set-AzureStorageBlobContent -Context $context -Container dsc -File .\myDSC.zip -Blob myDSC.zip

Conclusion

There are usually several methods to accomplish a single task, and you should take into consideration all aspects and constraints, because one can be more effective than another.

And if you don't already feel comfortable scripting with PowerShell, you should hurry and Start-Learning. There are a ton of excellent resources out there, but if you prefer a face-to-face in-class learning experience, and have a Premier contract, contact your Technical Account Manager (TAM) for more information on our PowerShell Workshop series.

HTH,
Martin.

Application Innovation technical webinars & consultations – October, November & December


Check out the list of 50+ remote, interactive technical webinars and 10+ one-on-one consultations, available to help you build your App Development technical capabilities. Through live, instructor-led webinars, you will receive interactive training with real-time Q&A capabilities – all at NO cost to Microsoft Partner Network members. If you are looking for one-on-one technical assistance focused on real-world scenarios, explore the list of technical consultations available using your MPN technical presales and deployment benefits.

Application Innovation: Technical webinars & consultations list (Oct, Nov & Dec)

Important: Be sure to check out all the webinars listed outside your time zone, as they may work for your morning or evening schedule.

For more information on the Application Innovation technical journey and the recommended path to consume these webinars and consultations, visit aka.ms/AzureAppInnovation or aka.ms/O365AppInnovation.

Business Applications technical webinars & consultations – October, November & December


Check out the list of 50+ remote, interactive technical webinars and 10+ one-on-one consultations, available to help you build your Business Applications technical capabilities. Through live, instructor-led webinars, you will receive interactive training with real-time Q&A capabilities – all at NO cost to Microsoft Partner Network members. If you are looking for one-on-one technical assistance focused on real-world scenarios, explore the list of technical consultations available using your MPN technical presales and deployment benefits.

Business Applications: Technical webinar & consultation list (Oct, Nov & Dec)

Important: Be sure to check out all the webinars listed outside your time zone, as they may work for your morning or evening schedule.

For more information on the Business Applications technical journey and the recommended path to consume these webinars and consultations, visit aka.ms/BusinessApplicationsTechJourney

Modern Workplace technical webinars & consultations – October, November & December


Check out the list of 100+ remote, interactive technical webinars and 15+ one-on-one consultations, available to help you build your Modern Workplace technical capabilities. Through live, instructor-led webinars, you will receive interactive training with real-time Q&A capabilities – all at NO cost to Microsoft Partner Network members. If you are looking for one-on-one technical assistance focused on real-world scenarios, explore the list of technical consultations available using your MPN technical presales and deployment benefits.

Modern Workplace: technical webinar & consultation list (Oct, Nov & Dec)

Important: Be sure to check out all the webinars listed outside your time zone, as they may work for your morning or evening schedule.

For more information on these technical journeys and the recommended path to consume these webinars and consultations, visit: aka.ms/SalesCustomerFieldServiceMarketingtechjourney, aka.ms/TeamworkTechJourney, aka.ms/SecurityTechJourney or aka.ms/ModernDesktopTechJourney


Ignite 2018 – Hyper Converged Infrastructure Session Recordings


Moving on to part three of this series (Windows Server 2019 and Windows Admin Center being previously covered), this time the focus is on technologies included in Windows Server 2019 Datacenter edition, with Storage Spaces Direct being one of the key ones. Once again you will see that Windows Admin Center features heavily in the sessions, highlighting the importance of becoming familiar with what it can offer. One of the important things that needs to be said upfront about HCI solutions is that you should work with your preferred OEM and one of their Windows Server Software-Defined program certified solutions to ensure you get a solution that meets your requirements.

From Hyper-V to hyper-converged infrastructure with Windows Admin Center


Discover how Windows Admin Center (Formerly Project "Honolulu") makes it easier than ever to manage and monitor Hyper-V. It’s quick to deploy, there’s no additional license, and it’s built from years of feedback – this is YOUR new dashboard! Ready to go hyper-converged? New features like Storage Spaces Direct and Software-Defined Networking (SDN) are built right in, so you get an integrated, seamless experience ready for the future of the software-defined datacenter.

Jumpstart your hyper-converged infrastructure deployment with Windows Server


The time is now to adopt hyper-converged infrastructure and Storage Spaces Direct. Where to start? This session covers design considerations and best practices, how to choose and procure the best hardware, sizing and planning, deployment, and how to validate your cluster is ready for showtime. Get tips and tricks directly from the experts! Applies to Windows Server 2016 and Windows Server 2019.

Storage Spaces Direct + Windows Server 2019 + Windows Admin Center: Experience the power of performance history


Performance history is a new feature that gives Storage Spaces Direct administrators easy access to historical compute, memory, network, and storage measurements across host servers, drives, volumes, virtual machines, and more. In this session, see how you can access this Performance history data and how you can use Windows Admin Center to visualize it.

Be an IT hero with Storage Spaces Direct in Windows Server 2019

The virtualization wave of datacenter modernization, consolidation, and savings made you an IT hero. Now, the next big wave is here: Hyper-Converged Infrastructure, powered by software-defined storage! Storage Spaces Direct is purpose-built software-defined storage for Hyper-V. Save money, accelerate IO performance, and simplify your infrastructure, from the datacenter to the edge. This packed technical session covers everything that’s new for Storage Spaces Direct in Windows Server 2019.

What is the Windows Server Software Defined (WSSD) program and why does it matter?

The Windows Server Software Defined (WSSD) program allows vendors to build and offer a tested end-to-end hyper-converged infrastructure solution. After implementing more than 100 Storage Spaces Direct projects, Carsten thinks this is more important than ever. Why? In this session, learn the reasons, and get help choosing the right solution for you!

Dave Kawula's notes from the field on Storage Spaces Direct


This session looks at the field notes from production deployments of Storage Spaces Direct over the past six months. Various scenarios are covered from two-node SMB to enterprise configurations and everything in between. We look at some lessons learned for hardware configurations, firmware updates, and core network configurations. We also review some upgrade paths to the latest release of Windows Server 2019 LTSC.  This session is action packed and you should definitely come ready to learn—delivered by Hyper Converged expert MVP Dave Kawula who has deployed Storage Spaces Direct all over the world.

Modernize your datacenter with Software-Defined Networking (SDN) in Windows Server

In Windows Server 2019, Software-Defined Networking (SDN) is faster, more powerful, and simpler to use than ever before with SDN Express for deployment and Windows Admin Center for day-to-day management. Use SDN to harden your network and avoid being the next victim of a malicious person or hacking group. Gain flexibility with virtual appliances from Microsoft and third parties and benefit from rich analysis and visibility into traffic that routes through your network. This packed, technical session shows you how to get started and covers everything new for SDN in Windows Server 2019.

 

 

TNWiki Article Spotlight – ASP.NET Core: Expense Manager Using EF Core And Highcharts


Dear All,

Welcome to the TechNet Wiki Tuesday – TNWiki Article Spotlight.

Today in this blog post I would like to share with you all quite an interesting article, ASP.NET Core: Expense Manager Using EF Core And Highcharts by Ankit Sharma.

The main reason I selected this article for the Spotlight is that it explains in detail how to use Expense Manager, EF Core and Highcharts for ASP.NET Core. Ankit Sharma starts his article by explaining the personal expense manager using ASP.NET Core 2.1 and the Entity Framework Core code-first approach. The article is also explained with a real-time example and chart usage in ASP.NET Core.

In this article you can learn in detail about:

  • Introduction
  • Prerequisites
  • Adding the Model to the Application
  • Creating the database table using EF Core code first approach
  • Adding the Data Access layer to our application
  • Adding the Controller to the Application
  • Adding Views to the Application
  • Index View
  • ExpenseForm View
  • ExpenseReport View
  • Configure route URL
  • Execution Demo
  • Conclusion
  • Source Code

If you are looking forward to getting started with ASP.NET Core and the Entity Framework Core code-first approach, then this article is a great feast for you. Read it at ASP.NET Core: Expense Manager Using EF Core And Highcharts by Ankit Sharma.

PS: Today's banner image is this week's banner from OusamaElho, this week's special banner for the TechNet Wiki Halloween party.

See you all soon in another blog post.


Thank you all.


Yours,
Syed Shanu
MSDN Profile | MVP Profile | Facebook | Twitter |
TechNet Wiki the community where we all join hands to share Microsoft-related information.

Data Platform & Analytics technical webinars & consultations – October, November & December


Check out the list of 45+ remote, interactive technical webinars and 5+ one-on-one consultations, available to help you build your Data Platform & Analytics technical capabilities. Through live, instructor-led webinars, you will receive interactive training with real-time Q&A capabilities – all at NO cost to Microsoft Partner Network members. If you are looking for one-on-one technical assistance focused on real-world scenarios, explore the list of technical consultations available using your MPN technical presales and deployment benefits.

Data & AI: technical webinar & consultation list (Oct, Nov & Dec)

Important: Be sure to check out all the webinars listed outside your time zone, as they may work for your morning or evening schedule.

For more information on the Application Innovation technical journey and the recommended path to consume these webinars and consultations, visit aka.ms/DataAITechJourney.

Cloud Infrastructure & Management technical webinars & consultations – October, November & December


Check out the list of 75+ remote, interactive technical webinars and 5 one-on-one consultations, available to help you build your Cloud Infrastructure & Management technical capabilities. Through live, instructor-led webinars, you will receive interactive training with real-time Q&A capabilities – all at NO cost to Microsoft Partner Network members. If you are looking for one-on-one technical assistance focused on real-world scenarios, explore the list of technical consultations available using your MPN technical presales and deployment benefits.

Cloud Infrastructure & Management: Technical webinars & consultations list (Oct, Nov & Dec)

Important: Be sure to check out all the webinars listed outside your time zone, as they may work for your morning or evening schedule.

For more information on the Cloud Infrastructure & Management technical journey and the recommended path to consume these webinars and consultations, visit aka.ms/AzureAppInnovation or aka.ms/O365AppInnovation.

Xbox Wireless Controller (Grey / Blue) with Bluetooth, which can also connect wirelessly to Windows 10 PCs, goes on sale November 1, 2018


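Microsoft Japan Co., Ltd. (headquarters: Minato-ku, Tokyo) will release the Xbox Wireless Controller (Grey / Blue), which uses grey as its body color with vivid light blue accents on parts such as the thumbstick shafts, on Thursday, November 1, 2018 at game retailers nationwide for 6,480 yen (reference price excluding tax)*1.

In addition to its distinctive body design, the Xbox Wireless Controller (Grey / Blue) has a textured finish on the grips that resists slipping and makes the controller easy to handle. It also has Bluetooth, which allows a wireless connection to Windows 10 PCs and tablets.*2

It has Real Trigger*3, which conveys the realism of the game, and highly responsive thumbsticks and a D-pad placed in easy-to-reach positions. It is a wireless controller with a 3.5 mm stereo headset jack to which you can directly connect your own headset*4 and similar devices.

Xbox Wireless Controller (Grey / Blue)

Basic product information

Product name
Xbox Wireless Controller (Grey / Blue)
Japanese kana reading
エックスボックス ワイヤレス コントローラー グレー ブルー
Domestic distributor
Microsoft Japan Co., Ltd.
Scheduled release date
Thursday, November 1, 2018
Reference price
6,480 yen (excluding tax)*1
Main features
  • Grey body color with vivid light blue accents on parts such as the thumbstick shafts
  • Bluetooth for wireless connection to Windows 10 PCs and tablets*2
  • "Real Trigger" for a sense of realism*3
  • A total of four vibration motors, in the left and right grips of the Xbox Wireless Controller and in the left and right triggers on top of the controller. They deliver a wide range of feedback, from the dynamic vibration of firing a gun to delicate vibrations such as a human heartbeat
  • Features that broaden the gaming experience
  • Connecting a USB cable to the Micro USB port automatically turns off the wireless radio so the controller can be used as a wired controller
  • Up to 8 Xbox Wireless Controllers can be connected at the same time
  • Runs on two AA alkaline batteries
  • Play from up to 10 m away
  • 3.5 mm stereo audio jack for directly connecting your own headset and similar devices*4
Main package contents
  • Xbox Wireless Controller (Grey / Blue)
  • AA batteries (samples)
External dimensions
  • 153 x 102 x 61 mm
Weight
Approx. 280 g
Power
2 x AA batteries, lithium-ion rechargeable battery pack (sold separately), Micro USB port (USB cable sold separately)
Buttons
Xbox button, left/right triggers, L/R buttons, View button, Menu button, A button, B button, X button, Y button, left/right sticks, D-pad
Ports
Micro USB port
Expansion port (digital interface)
3.5 mm stereo audio jack
Copyright

*1 The price customers pay is set by the retailer; please ask your retailer.
*2 A Bluetooth connection to a Windows 10 device requires the Windows 10 Anniversary Update. The controller's firmware may also need to be updated. For how to update the Xbox Wireless Controller on Windows 10, see "How to update your Xbox One controller on Windows 10". To use the controller without Bluetooth on Windows 7, 8.1, or 10, a USB cable (sold separately) is required.
*3 Real Trigger works only in supported games.
*4 For details on headset compatibility, see "Connect a compatible headset | Xbox One".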


TLS 1.0 and 1.1 connections to be disabled in IE and Edge in 2020. Please check!


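Hello, this is Yurika Kakiuchi.

Microsoft is retiring the use of Transport Layer Security (TLS) 1.0 and 1.1 and recommends moving to TLS 1.2 or later, which are more secure protocols. (See the earlier blog post "[For IT administrators] We recommend moving to TLS 1.2".)

In the first half of 2020, we plan to disable TLS 1.0 and TLS 1.1 by default in Internet Explorer 11 and Microsoft Edge.

(This is the plan as of now and it may change. For the latest information, see the Microsoft Edge blog.)

TLS 1.0, which has been used mainly on Windows XP and Windows Server 2003, is now about 20 years old. In that time many threats have emerged, and newer versions of TLS with many security improvements have appeared. This year the latest version, TLS 1.3, was finally standardized, and we are now implementing it in Microsoft products and services, starting with Windows and Edge. (For the security that TLS 1.3 achieves, the blog post by Mr. Yonezawa of Lepidum Co., Ltd. explains it in detail from the viewpoint of cryptographic theory; if you are interested, I recommend reading it.)

In addition, with support for Windows XP and Windows Server 2003 having ended, and with the implementation and use of TLS 1.2 progressing across the industry, the connection environments that require TLS 1.0 are gradually decreasing.

Given this situation, Microsoft is ending the use of TLS 1.0 and TLS 1.1 and encouraging the use of TLS 1.2 or later. In the Office 365 service they are scheduled to be disabled (retirement scheduled for October 31, 2018). A cryptographic protocol is not "secure as long as you use it." It is important to use only versions that can withstand current threats, and so reduce risk.

Stopping the use of old algorithms and enabling new ones also requires time-consuming work, such as examining and testing your organization's environment. TLS 1.0 in particular has been in use for a long time, so confirming the impact of disabling it is expected to take time. Please start your migration planning early.

For the checks required when moving to TLS 1.2, see the earlier blog post "[For IT administrators] We recommend moving to TLS 1.2".

References

Modernizing TLS connections in Microsoft Edge and Internet Explorer 11

Earlier blog posts

October 2018: TLS 1.0 and 1.1 connections to Office 365 will be disabled. Final check!

[For IT administrators] We recommend moving to TLS 1.2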

 

File Not Found Exception while configuring Log Analytics


This is an update for our customers who are hitting the exception below while configuring a Log Analytics workspace from the SCOM console. This post describes a workaround for the issue; please follow the steps below.

Workaround:

- Copy the Advisor dll (version 1.0.5) from this link to the Console folder (C:\Program Files\Microsoft System Center\Operations Manager\Console).

- Try to configure your Log Analytics workspace connection again; this time it will work.

- Remove this Advisor dll from the Console folder after the Log Analytics configuration is done.

[Note]: If you do not delete Microsoft.IdentityModel.Clients.ActiveDirectory from the Console folder, you will hit the above exception while adding a subscription to Azure MP.

What is causing this exception?

This exception will only occur when you have Azure MP installed on your system.

The reason is that Azure MP and Advisor MP use different versions of the Microsoft.IdentityModel.Clients.ActiveDirectory library.

When the intended version of this library isn't found, the Console throws a FileNotFound exception.

 

 


Turn off SharePoint Home and the Discover view in OneDrive for Business


Hello All,

If you're like my customers, as you start using SPO for the first time you may have migrated a few sites, and your users have discovered that some sites are permissioned with Everyone except External or some other group that allows too many users. And now you have to figure out how to disable this feature and save the day.

There are a few things you can do:

  1. What might seem obvious, but is not necessarily the easiest, is to fix the permissions on Sites, Folders, and Documents so that you can continue to use the feature.
  2. You can disable Delve for your whole tenant by following the steps in this document. While effective, it disables the feature as well as all of Delve, which might not be what you want to do.
  3. You can disable the feature via API per user (see this article). To help you, try this GitHub project, which will disable it for 20 users at a time (see this GitHub project).

Pax

Project and Project Server October 2018 Updates Released


This week the Public Updates (PU) for Project Server 2013 and 2016 were released for October 2018. Client updates were released on Oct 2nd; server updates on Oct 7th. Typically the client updates release on the first Tuesday of the month and the server updates on the second Tuesday.

There was a Project Server 2010 Cumulative update package released this month but it did not contain any Project updates - just the SharePoint ones. Mainstream support for Project and Project Server 2010 ended October 13, 2015 - see https://support.microsoft.com/en-us/lifecycle. An SP1 patched 2010 system (with no SP2) is no longer supported - see the Lifecycle site for more information - http://support.microsoft.com/lifecycle/search?sort=PN&alpha=project+2010&Filter=FilterNO

We are now delivering as Public Updates, although Server fixes are shipped just via the Download Center and not via Microsoft Update (Unless there is a security element or a fix deemed essential - this month both SharePoint Server 2016 and 2013 fixes have security fixes - so some may have come down via the update center). These are still all cumulative and include fixes released in all previous updates since the last baseline (Initial release for 2016 and SP1 for 2013).

A note about Click-to-Run (sometimes abbreviated C2R) versions of Project for Office 365. The updates for this version are not included in this blog. For some information about Click-to-Run versions, please see the following site for version numbers and some fix information: https://technet.microsoft.com/office/mt465751. We may have a future blog with additional information about Click-to-Run update channels and methods.

Also a note for users of the Project client connecting to Project Online - see https://blogs.technet.microsoft.com/projectsupport/2016/12/15/using-project-online-time-to-be-sure-you-upgrade-the-client-software/ - you will have needed a '2016' level client to connect since the end of June 2017.

Feel free to open a support case if you have any questions around this or need assistance getting these patches deployed.

We should be back to 'normal' install times now - but leaving this comment here just in case...

The 2013 PU releases also have a real prerequisite of the appropriate Service Pack 1 (SP1), and links for SP1 are given below. SP1 is enforced in this release, so you will find out (as I did) if you really do have SP1 for all your installed components and language packs! This also means RTM is no longer supported! See http://blogs.technet.com/b/stefan_gossner/archive/2015/04/15/common-issue-april-2015-fixes-for-sharepoint-2013-cannot-be-installed-on-sharepoint-2013-sp1-slipstream-builds.aspx too which describes an issue you might see if you don't have the 'right' SP1. Slipstream would work with the original SP1 - but the updates require the re-released SP1. Since the May PU this shouldn't be an issue - but including here just in case.

Another important point to add here is that there was an issue in early 2013 with running the SharePoint Configuration Wizard on a server with Project Server 2013 installed. This is fixed by applying the April 2013 or later update, so a good practice would be to load SP1, then the current PU, and then run the configuration wizard (if you didn't already load the April 2013 through June 2014 CU).

Project and Project Server 2016

An overview of all the Office 2016 releases for September 2018 can be found here -

https://support.microsoft.com/en-us/help/4464656/october-2018-updates-for-microsoft-office - October 2018 updates for Microsoft Office

Project Server 2016

With the 2016 release, we just have a single patch (usually this single patch comes in two parts... a wssloc and sts2016 part - however this month we only have the sts2016 part) - as we have also the single msi for installation of SharePoint Server 2016 (Project Server still needs licensing separately though). Both parts need installing before the configuration wizard is executed. The sts2016 part of the patch also contains security fixes so is released via Microsoft Update, the Update catalog as well as the download center.

Description of the security update for SharePoint Server 2016: October 9, 2018- Includes Project fixes, like the roll-up patch in Project Server 2016.

https://support.microsoft.com/en-us/help/4461447/description-of-the-security-update-for-sharepoint-enterprise-server

There is a database schema update this month - it changes to 16.0.4756.1000. Remember, Project Server 2016 data is in the content database. The version number 16.0.4756.1000 can be used to control the connecting client to the October 2018 level. For reference - the RTM build number seen for the DB schema would be 16.0.4327.1000.

Project 2016 Client package:

None

Project and Project Server 2013

An overview of all the Office 2013 releases for October 2018 can be found here - https://support.microsoft.com/en-us/help/4464656/october-2018-updates-for-microsoft-office - October 2018 updates for Microsoft Office. This includes multiple fixes, so Microsoft strongly recommends that you test this in a test environment based on your production environment before putting this fix live in production. You can read about the fixes included in the Project and Project Server July PUs from the following articles:

Project Server 2013 Server Rollup Package

October 9, 2018, cumulative update for Project Server 2013 (KB4461456)

https://support.microsoft.com/en-us/help/4461456/october-9-2018-cumulative-update-for-project-server-2013

This month, the cumulative package does not contain patches for Project Server 2013 but only for SharePoint 2013. If you also use SharePoint in your environment, we recommend installing this update.

Project Server 2013 Individual Project Package - (cumulative, but only the Project Server fixes):

None

 

Project 2013 Client Package:

None

(RDS) Tip of the Day: Turn your whiteboard sketches to working code in seconds with Sketch2Code


Today's tip...

Introducing Sketch2Code, a web-based solution that uses AI to transform a picture of a handwritten user interface design into valid HTML markup.

The user interface design process involves a lot of creativity that starts on a whiteboard where designers share ideas. Once a design is drawn, it is usually captured in a photograph and manually translated into a working HTML wireframe to try out in a web browser. This takes effort and delays the design process. What if a design is refactored on the whiteboard and the browser reflects the changes instantly? In that sense, by the end of the session there is a resulting prototype validated between the designer, developer, and customer.

Within Microsoft Cognitive Services we host the Computer Vision Service. The model behind this service has been trained with millions of images and enables object detection for a wide range of types of objects. In this case, we need to build a custom model and train it with images of hand-drawn design elements like a textbox, button or combo box.

The Custom Vision Service gives us the capability to train custom models and perform object detection with them. Once we can identify HTML objects, we use the text recognition functionality in the Computer Vision Service to extract the handwritten text present in the design. By combining these two pieces of information, we can generate the HTML snippets for the different elements in the design. We can then infer the layout of the design from the position of the identified elements and generate the final HTML code accordingly.

I encourage everyone to read the full article HERE and check out the YouTube video HERE


Released: October 2018 Quarterly Exchange Updates


The latest cumulative update for Exchange Server 2016 is now available on the download center. There is no release for Exchange Server 2013 or Exchange Server 2010 as these products are both in the extended support phase of lifecycle. The cumulative update released today includes fixes to customer reported issues, all previously reported security/quality issues and updated functionality.

Updated Pre-requisite requirements

.NET Framework 4.7.2 Support

.NET Framework 4.7.2 is now supported with Exchange Server 2016 Cumulative Update 11. .NET Framework 4.7.2 will be required on Exchange Server 2016 with the Cumulative Update released in June, 2019.

We have validated .NET Framework 4.7.2 on the previously released Exchange Server 2013 Cumulative Update 21 and are announcing .NET Framework support with Exchange Server 2013 Cumulative Update 21 as well.

.NET Framework 4.7.2 will be required on the forthcoming Exchange Server 2019. Windows Server 2019, which is also required for Exchange Server 2019, installs .NET Framework 4.7.2 by default.

Changes to Visual C++ Version Dependencies

With today’s release we are updating the Visual C++ runtime version dependencies on Exchange Server 2016. Effective with Cumulative Update 11, all Exchange Server 2016 roles (Management Tools, Mailbox, Edge) will require installation of Visual C++ 2012 runtime. This is a change from Cumulative Update 10 where Visual C++ 2013 was incorrectly listed as being required on all roles. Visual C++ 2013 runtime, in addition to Visual C++ 2012, is required on the Mailbox role only.

Versions of Exchange setup before Cumulative Update 11 silently installed Visual C++ 2010 and 2012 components. Exchange setup has been changed in Cumulative Update 11 and later to enforce the Visual C++ runtime requirements using setup pre-requisite rules. When installing Cumulative Update 11 or later for the first time on an existing server, setup will detect the presence of the previously installed instances of Visual C++ placed there by Exchange setup and will not indicate that the Visual C++ 2012 runtime needs to be installed.

However, when setup performs the first upgrade of a server to Cumulative Update 11 or later, it will remove the versions of the Visual C++ binaries placed there by Exchange setup previously. This removal is necessary to change setup behavior, correct the condition which caused us to issue an advisory to install MS11-025 and ensure that future Visual C++ updates are applied by Windows Update and Microsoft Update.

Important: To avoid a setup failure, it is necessary to install the Visual C++ 2012 runtime before installing Cumulative Update 11 or later for the first time on an existing server. The setup pre-requisite rule works as expected when using Cumulative Update 11 or later to install a new server using the Cumulative Update 11 or later package.

Note: Exchange Server 2019, when released, will include the Visual C++ pre-requisite rules enforced by setup.

Release Details

KB articles that describe the fixes in each release are available as follows:

The updates released today do not include new updates to Active Directory Schema. If upgrading from an older Exchange version or installing a new server, Active Directory updates may still be required. These updates will apply automatically during setup if the logged on user has the required permissions. If the Exchange Administrator lacks permissions to update Active Directory Schema, a Schema Admin must execute SETUP /PrepareSchema prior to the first Exchange Server installation or upgrade.

Cumulative Update 11 does require an Administrator to execute SETUP /PrepareAD to ensure RBAC roles are current before applying the cumulative update released today.

Adjustment to Cumulative Update Release Schedule

Due to the delay associated with Cumulative Update 11, there will not be a cumulative update released in December 2018. Our next planned set of quarterly updates will occur in March 2019 and will include Exchange Server 2016 Cumulative Update 12 and Exchange Server 2019 Cumulative Update 1.

Additional Information

Microsoft recommends all customers test the deployment of any update in their lab environment to determine the proper installation process for your production environment. For information on extending the schema and configuring Active Directory, please review the appropriate TechNet documentation.

Also, to prevent installation issues you should ensure that the Windows PowerShell Script Execution Policy is set to “Unrestricted” on the server being upgraded or installed. To verify the policy settings, run the Get-ExecutionPolicy cmdlet from PowerShell on the machine being upgraded. If the policies are NOT set to Unrestricted you should use the resolution steps in KB981474 to adjust the settings.

Reminder: Customers in hybrid deployments where Exchange is deployed on-premises and in the cloud, or who are using Exchange Online Archiving (EOA) with their on-premises Exchange deployment are required to deploy the currently supported cumulative update for the product version in use, e.g., 2013 Cumulative Update 21, 2016 Cumulative Update 10 or 9.

For the latest information on Exchange Server and product announcements please see What's New in Exchange Server 2016 and Exchange Server 2016 Release Notes. You can also find updated information on Exchange Server 2013 in What’s New in Exchange Server 2013, Release Notes and product documentation available on TechNet.

Note: Documentation may not be fully available at the time this post is published.

The Exchange Team

The future of smart cities through the lens of urban mobility


Por: Trudy Norris-Grey, CityNext, infraestructura conectada y Desarrollo de negocios globales en Microsoft in Government

Este año en Smart City Expo World Congress 2018, Microsoft se unirá a los líderes globales para compartir soluciones innovadoras enfocadas en la transformación digital de las ciudades. En este texto, se describe la manera en que Microsoft brinda servicios inteligentes y una plataforma confiable para las soluciones de los socios que impulsan a las ciudades a ser más seguras, prósperas y sustentables. Únanse a Microsoft y a sus socios en SCEWC 2018.

Cerca del 55% de los habitantes del planeta viven en la actualidad en áreas urbanas, y se espera que este porcentaje se incremente a un 68% (más de 6 mil millones de personas) para 2050. En correlación directa, se espera que el número de automóviles en el camino sea más del doble a cerca de 2 mil millones para 2050, lo que agravará los problemas de tránsito y amontonamiento. Conforme crecen las ciudades y se vuelven más pobladas, los planeadores urbanos enfrentan el reto de asegurar que los ciudadanos tienen opciones de transporte sustentables y económicas que cumplan con sus necesidades. Esto pondrá un presión significativa en las ciudades, que ya consumen alrededor del 75% de la energía global primaria, y deben determinar cómo mantener a millones de ciudadanos en movimiento a través de transportación pública y privada.

Por fortuna para los ciudadanos de la actualidad, el futuro de la movilidad urbana nunca había sido tan brillante.

Imaginen un mundo donde los vehículos autónomos recorren las calles y las autopistas. Las ciudades conectan a los ciudadanos en formas multi modales de transporte, como trenes, autobuses, y compartir viajes, con planeación intuitiva de recorrido y sistemas de pago. Los ricos datos de la infraestructura inteligente, las redes de transporte, y los vehículos conectados impulsarán a los planeadores urbanos, agencias de tránsito, y a otros líderes urbanos a progresar en la movilidad urbana para las futuras generaciones. Las ciudades tendrán la capacidad de adaptarse en tiempo real a las preferencias del viajero y construir modelos tarifarios dinámicos, así como de gestionar de manera proactiva la infraestructura y el flujo del tránsito de los vehículos al anticiparse a problemas antes de que ocurran e identificar tendencias emergentes.

Este futuro de movilidad inteligente se vuelve cada vez más una realidad conforme las ciudades y los líderes urbanos voltean hacia la transformación digital.

La visión de Microsoft para mejorar la movilidad urbana

Microsoft y sus socios han comenzado a desarrollar tecnologías de vanguardia que impulsas a las ciudades para establecer redes inteligentes de transporte y optimizar la movilidad urbana para los ciudadanos, y todo inicia con los datos. Las soluciones de Microsoft y de sus socios ayudan a las ciudades a construir infraestructuras inteligentes al conectar miles de millones de dispositivos soportados por IoT en el entorno, sobre una plataforma segura que se extiende desde los circuitos hasta la nube.

Once connected, this vast network of devices empowers cities to generate the rich data required to apply artificial intelligence (AI) and uncover insights that can be acted on. By aggregating IoT and location data while using secure cloud technology, cities and transit agencies can use AI to identify congestion or route traffic, alert citizens to parking options, ensure consistent operation of transit vehicles with predictive maintenance, and develop programs to encourage transit use. They can even improve intelligent energy management by optimizing electric vehicle charging with data gathered from smart grids.

Microsoft's Connected Vehicle Platform, supported by industry-leading partners, uses data to take cities to a new level of urban mobility. Telematics and predictive services improve the driver experience by using telemetry data to deliver predictive maintenance notifications. Consumers can stay connected with conferencing solutions, productivity tools, and intelligent personal assistant support inside the vehicle. Advanced driver assistance systems increase safety and performance by delivering environment and road data to the driver or the autonomous driving system in real time, all while using location services or data to navigate, search, route, and improve travel time.

Partners have already begun helping cities reimagine transportation with our powerful technologies

Cubic Transportation Systems, a Microsoft partner, is a leading integrator of payment and information technology that connects more than 38 million travelers globally each day and processes 24 billion transactions a year. Cubic builds intelligent solutions on a versatile mobility management platform, with a focus on city transportation agencies responsible for managing road networks and public transport. Cubic works to create the simplest ways for citizens to travel and pay with Microsoft, relies on the cloud to manage data securely, and supports the flexibility and scalability customers need to respond in a constantly changing environment.

PwC, a Microsoft partner, is another great example of what the future of smart cities could look like. Its capabilities span the diverse needs of modern cities and their citizens across urban mobility and across infrastructure, data, analytics, as well as collaborative planning and public safety. As a leader in the professional services industry, PwC worked with the province of Ontario to unify 11 transit agencies through PRESTO, a program that helped citizens travel more efficiently through a single payment card system. By leveraging Microsoft's powerful, scalable data platform and Power BI visualizations, PwC empowered the province to turn analytics into a platform for decisions and actions, and to make the changes (such as payments) that customers wanted.

Connect with us at SCEWC 2018 to learn more about how to improve urban mobility in your city

Microsoft delivers cutting-edge technology for creating smart cities and redefining urban mobility. Learn more about how Microsoft and its partners, such as Cubic Transportation Systems and PwC, are creating a more mobile future for the citizens of tomorrow. Also, visit our booth at Smart City Expo World Congress 2018, and register to attend the CityNext Intelligent Cities Forum!
