by Scott Muniz | Jun 23, 2020 | Uncategorized
This article is contributed. See the original author and article here.
Over the years the Windows Containers team has strived to listen to customer feedback to implement features and allow new scenarios based on what we hear from you. Today we’re taking another step in expanding our ability to interact directly with customers! We are proud to announce a new GitHub repository dedicated to customer engagement and detailing our product roadmap.
The GitHub repository is available at https://github.com/microsoft/Windows-Containers. This is where you can interact with the product team. If you’re having trouble with Windows Containers or wish to ask for new features, track the status of existing issues, and check out our plan for the future, then this is the place to do so!
Interacting with the product team
One of the greatest things about repositories on GitHub is that they allow for interaction between repo owners and the public. The Issues tab allows you to add new items to our repository that will then be triaged by the product team. You can open issues to track bugs, feature requests, general questions, and more.
The product team, composed of members of the platform (networking, security, and kernel), will regularly monitor this channel and triage new items as they come in. We will interact with users on these issues and populate our roadmap with the corresponding stage.
Check out our roadmap
For the first time, the Windows Containers team will be publishing a roadmap of features and scenarios that are in progress, planned, or under consideration. We hope that this model will demonstrate our dedication to the investment we’re driving into the platform alongside our desire to meet your needs as the customer. Many of your production and mission critical workloads rely on the quality and stability of our product, so it is our utmost priority that the issues you care about most are addressed directly.
The Projects tab on our repository will display a Windows Containers roadmap project on which you can check backlog, planned items, what is in progress, what is currently in public preview, and what has been released:

The items in our roadmap might be from our customers or directly from the product team. You can then open the items to check the details, comment, up-vote, etc.
Let us know what you think about this new channel. We hope you enjoy it and more importantly: that you use it to interact with us!
by Scott Muniz | Jun 23, 2020 | Uncategorized
Did you know you can leverage Windows Update for Business to receive updates securely from Microsoft and reduce VPN traffic regardless of what tool you are using to manage updates today? In this blog, I’ll show you which Group Policies (GPs), Configuration Service Provider (CSP) policies, and upcoming Windows Update for Business Deployment Service (DS) controls can be leveraged by management solutions such as Microsoft Endpoint Configuration Manager and mobile device management (MDM) solutions to ensure that Windows 10 devices in your organization are always up to date with the latest security enhancements and Windows features.
As more organizations and their user base shift to remote work scenarios, we are fielding questions on how to optimize delivery of monthly security updates. Now is the time to take advantage of cloud services to keep remote workers protected and productive. Successfully managing security updates delivered directly through the internet empowers IT to optimize the end user experience while protecting corporate assets. If you are an IT administrator, you have a variety of options available to manage Windows 10 monthly security updates, no matter where you are in your update management journey.
In this post, we’ll also discuss the controls for managing update offerings that will allow for reliability and performance testing on a subset of systems before rolling out updates across the organization. This enables you to take advantage of a set of controls and built in mechanisms that leverage knowledge gained from updating millions of devices, to provide a positive update experience for those within your organization while keeping devices secure.
The next section of this guide will break configuration options into three categories:
- Traditional management through Windows Server Update Services (WSUS): How to leverage Group Policy via WSUS standalone, Configuration Manager, or other management tools
- Co-management: How to coordinate between Configuration Manager and Microsoft Intune
- Modern management: How to use Intune or other MDM settings
Depending on where you are in your management journey, you can leverage Windows Update for Business to optimize monthly security updates through the cloud to maximize both end user productivity and update patch compliance. Let’s start by looking at how to go from on-premises pointing to WSUS to pointing to Windows Update using the Windows Update policies.
Start pointing to Windows Update
For those using WSUS including Configuration Manager or WSUS standalone:
If your organization uses a WSUS-connected management tool today, the first step is to point your devices directly at the Windows Update service rather than at your local server. For this to work, you do not want to use a VPN allow list. If you do use a VPN allow list, please see Managing remote machines with cloud management gateway in Microsoft Endpoint Configuration Manager for best practices. For those who are using a WSUS management tool and are not using a VPN allow list, you can start pointing to Windows Update by using the following Group Policies (under the Windows Update node).
If you are an IT administrator using Configuration Manager, we recommend that you point to Windows Update by moving your Windows workload to Intune via co-management (see paths to co-management).
To start pointing to Windows Update using Windows Update for Business policies, you will need to set the following policies:
| Type | Policy name | Configure to |
|---|---|---|
| GP | Do not allow update deferral policies to cause scans against Windows Update | Unconfigured or disabled |
| CSP | Update/DisableDualScan | 0, allow |

| Type | Policy name | Configure to |
|---|---|---|
| GP | Do not connect to any Windows Update Intranet locations | Unconfigured or disabled |
| CSP | Update/AllowUpdateService | 1, allow |
Once you have connected to the Windows Update service, you need to determine which update types you want devices in your organization to be offered, including Windows 10 feature updates, quality updates, driver updates, and Microsoft product updates. Once you have determined the types of updates you want offered to your devices, you can use the controls outlined in the next section to ensure that devices are offered the updates that you want them to receive when you want them to receive them.
Manage offering to get quality updates only
Manage if drivers are offered
Drivers can help ensure that a device is working at its best, but you may want to not offer these to your devices until you feel comfortable using Windows Update for Business to manage your Windows quality updates. To prevent drivers from being offered to the devices, consider setting the following:
| Type | Policy name | Configure to |
|---|---|---|
| GP | Do not include drivers with Windows Updates | Enabled = no drivers |
| CSP | Update/ExcludeWUDriversInQualityUpdate | 1, exclude |
Manage when feature updates are offered
Semi-annual Windows 10 feature update releases provide new experiences, services and enhancements, but we understand that you may not be ready to provide those updates to devices in your organization. Devices can remain on a Windows 10 Feature Update OS version receiving monthly quality updates, which provide bug fixes, reliability improvements and security enhancements, so long as the Feature Update is in support. Please see the Windows 10 release information page for details on supported versions. Depending on which OS version you are using, different settings are available to be configured to get to a predictable and consistent end user update experience. The following tables show the different setting options depending on the OS version of the device.
For devices on Windows 10, version 1903 or greater:
Devices on Windows 10, version 1903 can use deferrals to remain on version 1903. A device using deferrals will update semi-annually to an update that is at least the specified number of deferral days old. For example, if version 1909 was released on November 12th, 2019 then a 1903 device with a 365 day deferral would update on November 11th, 2020 to version 1909. If you want to remain for a longer period of time or move directly from version 1903 to 2004, see the options listed below for devices on Windows 10, version 1803 or greater.
| Type | Policy name | Configure to |
|---|---|---|
| GP | Select when Preview builds and feature updates are received, defer feature updates | Enable then defer feature updates for 365 days, the device will receive version 1909 when version 1909 is 365 days old in November 2020. |
| CSP | Update/DeferFeatureUpdatesPeriodInDays | |
For devices on Windows 10, version 1803 or greater:
If you need your devices to remain on their current feature update beyond when deferrals would allow or until the current OS version reaches end of service, then you should specify a specific version for the device to stay on until end of service or until the policy is changed to a newer Windows 10 feature update.
| Type | Policy name | Configure to |
|---|---|---|
| Windows Update for Business DS | Windows 10 Feature Updates (Preview) | Specify a specific version (e.g. 1809) to move to and/or stay on until the policy is changed or until end of service. |
| GP | Select the target Feature Update version | |
| CSP | Update/TargetReleaseVersion | |

Note: The Windows Update for Business Deployment Service controls are currently in preview with Intune and are the recommended path for customers who are using Microsoft Endpoint Manager.
OR
If you only need to delay feature updates temporarily, you can consider utilizing pause. See the next section for details on how to configure pause.
For devices on Windows 10, version 1709 or below:
Utilizing the Feature Update Pause Start Date policy you can reset the Pause Feature Update start date every 34 days to pause feature updates for as long as you need until your current version reaches end of service.
| Type | Policy name | Configure to |
|---|---|---|
| GP | Select when Preview builds and Feature Updates are received, pause Feature Updates starting | Enter a date from which to start pausing update for 35 days (e.g. 2020-06-15). |
| CSP | Update/PauseFeatureUpdatesStartTime | |
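The version-dependent settings above can be checked per device. The following is an added example, not code from the original article or from Microsoft: it audits a snapshot of a device's Update CSP values against the tables in this post and works out the deferral and pause dates the text describes. The snapshot layout (a dict keyed by CSP name), numeric OS versions, the yyyy-mm-dd pause format and all sample dates are assumptions constructed for the example.

```python
from __future__ import annotations
from datetime import date, timedelta

PAUSE_LENGTH_DAYS = 35  # article: a pause start date pauses feature updates for 35 days
PAUSE_RESET_DAYS = 34   # article: reset the start date every 34 days

# (CSP name, value from the article's tables, True if "not set" is also fine
# because the matching GP row reads "Unconfigured or disabled")
BASELINE = [
    ("Update/DisableDualScan", 0, True),
    ("Update/AllowUpdateService", 1, True),
    ("Update/ExcludeWUDriversInQualityUpdate", 1, False),
]


def feature_update_offer_date(released: date, deferral_days: int) -> date:
    """Day a deferred feature update is offered: release date plus the deferral."""
    return released + timedelta(days=deferral_days)


def pause_reset_dates(first_start: date, end_of_service: date) -> list[date]:
    """Pause start dates to set, one every 34 days, until end of service."""
    dates, current = [], first_start
    while current < end_of_service:
        dates.append(current)
        current += timedelta(days=PAUSE_RESET_DAYS)
    return dates


def audit(snapshot: dict, os_version: int, today: date) -> list[str]:
    """Return findings for one device; an empty list means it matches the article."""
    findings = []
    for name, wanted, unset_ok in BASELINE:
        value = snapshot.get(name)
        if value is None and unset_ok:
            continue
        if value != wanted:
            findings.append(f"{name}: expected {wanted}, found {value}")

    defer = snapshot.get("Update/DeferFeatureUpdatesPeriodInDays")
    target = snapshot.get("Update/TargetReleaseVersion")
    pause = snapshot.get("Update/PauseFeatureUpdatesStartTime")
    managed = False

    if os_version >= 1903 and defer is not None:
        managed = True
        if not 0 <= defer <= 365:  # the CSP accepts 0 to 365 days
            findings.append(f"DeferFeatureUpdatesPeriodInDays out of range: {defer}")
    if os_version >= 1803 and target:
        managed = True
    if os_version <= 1709 and pause:
        managed = True
        expires = date.fromisoformat(pause) + timedelta(days=PAUSE_LENGTH_DAYS)
        if today >= expires:
            findings.append(f"feature update pause lapsed on {expires}; reset the start date")
    if not managed:
        findings.append(f"no feature update control the article lists for version {os_version} is set")
    return findings


if __name__ == "__main__":
    # Constructed fleet: device names, values and the audit date are sample data.
    fleet = {
        "laptop-1903": (1903, {"Update/DisableDualScan": 0,
                               "Update/AllowUpdateService": 1,
                               "Update/ExcludeWUDriversInQualityUpdate": 1,
                               "Update/DeferFeatureUpdatesPeriodInDays": 365}),
        "kiosk-1709": (1709, {"Update/PauseFeatureUpdatesStartTime": "2020-05-01"}),
    }
    for device, (version, snapshot) in fleet.items():
        for finding in audit(snapshot, version, date(2020, 6, 23)) or ["matches the article"]:
            print(f"{device}: {finding}")
    # The article's deferral example: 1909 released 2019-11-12, deferred 365 days.
    print(feature_update_offer_date(date(2019, 11, 12), 365))
```
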
Ensure patch compliance
The best way to ensure patch compliance is by utilizing compliance deadlines. Compliance deadlines represent a set of policies designed to keep devices secure by ensuring updates are installed within a certain number of days after being offered to the device. Compliance deadlines provide a balance of minimizing end user disruption and achieving update patch compliance goals, keeping end users both protected and productive.
The charts below show how to set the recommended compliance deadline(s) for your current OS version.
For devices on Windows 10, version 1709 or greater:
For devices on Windows 10, version 1703 or lower (as of this post):
For a best in class experience, do not set any other Windows Update policies. This will ensure a less disruptive end user experience by allowing the device to automatically update outside of active hours when the end user is away. If the deadline is reached, the device will switch to an interactive experience showing multiple notifications to the end user prompting them to schedule the reboots (or reboot now) before finally forcing them to reboot in order to keep the device secure.
Below you can see examples of some of the prompts that end users will see when the recommended deadline policy is configured and other notification policies remain unset. To see the full notification flow, please see Compliance Deadline Notification Flow on Windows Update for Business.
Questions?
If you have any questions concerning this process, please post them below, or check out these pages for more information:
by Scott Muniz | Jun 23, 2020 | Uncategorized
To meet our customers where they are and relieve customer challenges in managing multiple security solutions to protect their unique range of platforms and products, we have been working to extend the richness of Microsoft Defender ATP to non-Windows platforms. Today we are excited to announce general availability of Microsoft Defender Advanced Threat Protection (ATP) for Linux!
Adding Linux into the existing selection of natively supported platforms by Microsoft Defender ATP marks an important moment for all our customers. It makes Microsoft Defender Security Center a truly unified surface for monitoring and managing security of the full spectrum of desktop and server platforms that are common across enterprise environments (Windows, Windows Server, macOS, and Linux).
Microsoft Defender ATP for Linux supports recent versions of the six most common Linux Server distributions:
- RHEL 7.2+
- CentOS Linux 7.2+
- Ubuntu 16 LTS, or higher LTS
- SLES 12+
- Debian 9+
- Oracle Linux 7.2
It can be deployed and configured using Puppet, Ansible, or using your existing Linux configuration management tool.
This initial release delivers strong preventive capabilities, a full command line experience on the client to configure and manage the agent, initiate scans, manage threats, and a familiar integrated experience for machines and alert monitoring in the Microsoft Defender Security Center.

We are just at the beginning of our Linux journey and we are not stopping here! We are committed to continuous expansion of our capabilities for Linux and will be bringing you enhancements in the coming months. We can’t wait for you to become part of our Linux journey and try out new capabilities as they become available. Make sure to turn on preview features in Microsoft Defender Security Center to get the latest updates before anyone else and stay tuned to our blog and Twitter channel for the latest announcements.
How to get started
Microsoft Defender ATP for Linux requires the Microsoft Defender ATP for Servers license. You can find this information in our product terms. Please reach out to your account team for more information and eligibility.
To get started, visit our documentation: http://aka.ms/mdatplinuxonboarding
If you are already running Microsoft Defender ATP for Linux preview, make sure you update the agent to version 101.00.75 or higher.
If you’re not yet taking advantage of Microsoft’s industry leading security optics and detection capabilities for endpoints, sign up for a free trial of Microsoft Defender ATP today.
Microsoft Defender ATP team
by Scott Muniz | Jun 23, 2020 | Uncategorized

We are excited to announce the public preview of our mobile threat defense capabilities with Microsoft Defender ATP for Android. As Rob Lefferts, Corporate Vice President, Microsoft 365 Security and Compliance, mentioned in his blog, the threats in the mobile space are unique, and as more and more people use mobile devices for work, the need for organizations to protect data that is accessed through their users’ devices is increasingly imperative.
After offering a preview of these capabilities at RSA Conference 2020, we were thrilled by the response from our customers and the industry. Over the last several months, we’ve been working closely with customers who are our design partners, listening to their feedback, and enhancing the product.
Key Capabilities
The public preview of Microsoft Defender ATP for Android will offer protection against phishing and unsafe network connections from apps, websites, and malicious apps. In addition, the ability to restrict access to corporate data from devices that are deemed “risky” will enable enterprises to secure users and data on their Android devices. All events and alerts will be available through a single pane of glass in the Microsoft Defender Security Center, giving security teams a centralized view of threats on Android devices along with other platforms. These capabilities empower enterprises to enable strong security while ensuring their employees remain productive working on their Android devices. Let’s dive into each of these capabilities in more detail.
Web protection
Phishing is one of the biggest threat vectors on mobile, with the majority of attacks happening outside of email such as via phishing sites, messaging apps, games, and other applications. Other potential threats come from apps which may make connections to unsafe domains, unknowingly to the user and security teams. Web protection capabilities in Microsoft Defender ATP for Android help to address these challenges with:
- Anti-phishing: Access to unsafe websites from SMS/text, WhatsApp, email, browsers, and other apps is instantly blocked. To do this, we leverage the Microsoft Defender SmartScreen service to help determine whether a URL is potentially malicious. This works in conjunction with Android to enable the app to inspect the URL to provide anti-phishing protection. If access to a malicious site is blocked, the device user will get a notification about this with the options to allow the connection, report it safe, or dismiss the notification. Security teams are notified about attempts to access malicious sites via an alert in the Microsoft Defender Security Center.
- Blocking unsafe connections: The same Microsoft Defender SmartScreen technology is used to also block unsafe network connections that apps automatically might make on the user’s behalf without them knowing. Just as in the phishing example, the user is immediately informed that this activity is blocked and is given the same choices to allow it, report it as unsafe, or dismiss the notification as the product screenshot shows. Alerts for this scenario also show up in the Microsoft Defender Security Center. When these connections are attempted on a user’s device, security teams are notified of this via an alert in the Microsoft Defender Security Center.
- Custom indicators: Security teams can create custom indicators, giving them more fine-grained control over allowing and blocking URLs and domains users connect to from their Android devices. This can be done in the Microsoft Defender Security Center and is an extension of our custom indicators capability already available for Windows.


Malware scanning
Enterprises deploying Android can leverage built-in protections in the Android platform to limit installation of apps to trusted sources as well as tools like Google Play Protect to significantly reduce the threat surface of potentially harmful apps being installed on devices. Microsoft Defender ATP fortifies this by introducing additional visibility and controls to deliver further assurances on keeping devices free of threats to device security.
Microsoft Defender ATP for Android uses cloud protection powered by deep learning and heuristics to provide coverage for low-fidelity signals which are inconclusively handled by signatures, in addition to offering signature based malware detection. This protection extends to both malicious apps and files on the device.
Scans are instantly performed to detect malware and potentially unwanted applications (PUA). If a safe app is downloaded, the end user will see a lightweight notification letting them know the app is clean.

Blocking access to sensitive data
Additional layers of protection against malicious access to sensitive corporate information are offered by integrating with Microsoft Endpoint Manager, which includes both Microsoft Intune and Configuration Manager. For example, a compromised device would be blocked from accessing Outlook email. When Microsoft Defender ATP for Android finds that a device has malicious apps installed, it will classify the device as “high risk” and will flag it in the Microsoft Defender Security Center. Microsoft Intune uses the device’s risk level in conjunction with pre-defined compliance policies to activate Conditional Access rules that block access to corporate assets from the high risk device. The screenshot shows an example of how the end-user would get a notification that their device doesn’t comply with their organization’s policies, and how to remediate. Once the malicious app is uninstalled, access to corporate assets is restored automatically for the mobile device. You can learn about how to set up this integration in our documentation.

Unified SecOps experience
The Microsoft Defender Security Center acts as the single pane of glass experience for security teams to get a centralized view of threats and activities. All the alerts for phishing and malware on Android devices are surfaced here. As part of the alert, analysts see the name of the threat, its severity, the alert process tree for the incident, and other additional context including file details and associated SHA information. Android device related alerts also roll up into the incident where analysts can get a more holistic view of attacks associated with a device.
In the devices list, Android devices are also visible with their associated risk levels. In the device information page, security analysts can see the number of incidents, active alerts, and logged on users associated with the device.
This is the same familiar experience that we deliver to security teams for Windows, Mac, and Linux.

We’re excited to be sharing these new features with you. In the coming months, we’ll be rolling out more capabilities for Android and we’ll be releasing Microsoft Defender ATP for iOS later this year – stay tuned!
Getting started with Microsoft Defender ATP for Android
Those customers that have preview features turned on can start trying out Microsoft Defender ATP for Android today. If you haven’t yet opted in, we encourage you to turn on preview features in the Microsoft Defender Security Center today.
Join us as we advance in our journey across platforms. For more information, including detailed system requirements, prerequisites, deployment and configuration steps, and a list of improvements and new features, check out the documentation.
To share feedback, you can use the “send feedback” option in the Microsoft Defender ATP for Android app.

If you’re not yet taking advantage of Microsoft’s industry leading security optics and detection capabilities for endpoints, sign up for a free trial of Microsoft Defender ATP today.
by Scott Muniz | Jun 23, 2020 | Uncategorized
Over the past few months, we’ve seen tremendous transformations take place as companies adapt to remote work environments. One key trend has been the rise of virtual meetings, as companies look to maintain their rhythm of business and keep human connections while working remote. However, as the volume of meetings increases, teams face challenges with management, efficacy, and engagement. To overcome some of these challenges, we’ll highlight a few popular Teams app integrations that can help you drive effective meetings while working remote.
Streamline agenda preparation and meeting management
Effective meetings require more than corralling a group together to discuss – it requires thoughtfulness around agenda preparation, clarity on objectives, and defined sets of action items. An easy path to plan a successful meeting is to consider apps that streamline the agenda preparation and meeting management process.
SoapBox simplifies the agenda preparation and management process by allowing teams to build, collaborate, and action team meeting agendas without leaving their workspace in Teams. Using its bot and tabs, teams have a single integrated workspace where they can build agenda items, capture meeting minutes, and monitor resolution of action items – removing the administrative hurdles typically experienced with meeting management.

Collaborate with shared meeting agendas
Build agendas collaboratively by adding items to a shared agenda – reinforcing teamwork and helping ensure each attendee is fully aligned and aware of the scope and objectives of the meeting. You can also access an inventory of suggested agenda items that can be used as a supplement. Teams notifications are surfaced each time agenda items are added, closed, and reminders are sent for upcoming meetings to ensure accountability across the team.
Manage your meetings, capture minutes, and assign action items
As your meeting gets underway, tick off agenda items as you cover them, so that you know what items remain outstanding. Any agenda items not covered automatically roll over into your next meeting in the series, as needed. You can also capture meeting minutes and action items from within the app, so that team members have a central repository in Teams to access.
Access AI-powered insights from the conversations you’re having with your team
Using machine learning, SoapBox can decipher the topics you’re discussing most (and least) frequently across all your meetings. Based on your meeting insights, it will serve up suggested questions and reading materials that will help you better prepare and balance future meetings.
Learn more about SoapBox for Teams and its offering plans and how it can help you plan and manage effective meetings!
Increase engagement and human connection with visual communication
Keeping your teams engaged and connected can be a struggle – especially with a screen taking the place of a person. Prezi Video helps address these challenges by letting you overlay your visuals directly on screen next to you, making meetings engaging and bringing back the human connection element that’s missing in remote work. By putting you and your content together on the same screen – you create a natural, human interaction with your audience and make the meeting more impactful.
Maintaining the human connection with your team
Meetings are effective when attendees are engaged and have a connection with the presenter. When you remove that engagement by speaking behind material, you lose that human connection and begin to lose your audience’s full attention. With Prezi Video, you strengthen that connection with your team by keeping you and your content together on the same screen for a powerful presentation experience. Attendees remain engaged throughout the live video meeting and can engage in real-time collaboration – creating an effective presentation experience for the entire team.
Send useful pre-recorded, asynchronous updates
When live meetings aren’t needed or aren’t feasible, you can create a quick video update to share directly in your Teams channel, helping your team stay up to date without interrupting their workflow with asynchronous communication. Easy integration of your must-have information and graphics into your video screen means that team members can share and discuss key data at a time that works best for them.
Balance time and productivity
Without requiring a designer, you can create stunning videos with pre-made templates and high-quality images available on Prezi Video and save precious meeting time for more impactful discussions or even cancel a meeting entirely by sending a video and having the discussion in your team’s channel instead, saving everyone time.
Learn more about Prezi Video for Teams to get started for free and see how it can help you create powerful visual communications!
Energize your meetings with interactive challenges
Sometimes meetings just need a jolt to keep attendees engaged. Consider introducing short interactive challenges in the middle of a meeting to inject some energy. Kahoot! is a game-based learning platform that makes it easy to create, share, and play learning challenges (kahoots). Whether it’s business-focused or for fun, you can gamify the meeting experience to increase attention and engagement. With its recent integration with Teams, meeting hosts can present live kahoots during meetings or assign self-paced challenges after meetings.

Launch a live challenge in your Teams meeting
Host live kahoots during a meeting to keep your attendees engaged and energized. Whether you’re looking to kick off the meeting with an ice breaker, facilitating Q&A, or gathering feedback – you can quickly access your kahoots within Teams and share your screen to allow participants to join. You can also import your PowerPoint slides into your kahoot to gamify your existing presentations. Increase engagement and run the entire experience from the Kahoot! app within Teams.
Assign a self-paced challenge in your Teams channel for your attendees
Reinforce discussion points by assigning a challenge to attendees after a meeting, which can be accessed directly from Teams. They’ll receive automated reminders to complete and you’ll be able to leverage an interactive experience to drive home key points that you want them to remember.
Results and Reporting
If you’d like to view data from the challenge, a report will be linked directly from the podium for the host to review – allowing you to see how your attendees have performed and to measure their level of engagement. Reports for live games hosted within Teams are available by logging into your account on the kahoot website.
Learn more about Kahoot! for Teams and their offerings and how it can help you create live games in your presentations!
Learn more!
If you’d like to learn how to better use apps in Teams to enhance remote work, see our remote work Teams apps site with more use cases and ideas, and take advantage of the free virtual training events each week.
For Teams end-users:
For Teams Admins:
- Join our Chalk Talk series, where members of Teams engineering walk through the security, deployment, and management of third-party integrations.