How to Make a Workplace Accessible to Deaf and Hard-of-Hearing Individuals

  1. Adjust your meeting rooms.

Does your meeting room have rows of chairs, making it difficult to make eye contact? A rounded seating arrangement is more conducive for the deaf as they can see others’ faces. This format enables them to read lips if they wish, see and interpret the tone in which the person is speaking, and know who is talking. This small change can help reduce misunderstandings.

  2. Set up a Video Relay Service (VRS) device.

A VRS device enables a deaf person to make and receive phone calls through an interpreter. This innovation allows a deaf person to contact suppliers and clients, or make any other call required within their workspace.

  3. Supply an interpreter.

It may seem acceptable to work around having an interpreter by writing notes. This practice can cause many misunderstandings as English is not the native language of the Deaf. Providing an interpreter is essential for the work and the growth of deaf employees. These additional services will help increase the ease with which deaf employees can find information or communicate with co-workers.

Making the workplace an accessible space for deaf and hard-of-hearing individuals is an ongoing challenge and necessity for many employers. It is essential to have a well-developed strategy for ensuring that the workplace is easily adaptable to the specific needs of workers. One way to achieve this goal is through the development of a workplace accessibility plan, which should include policies, procedures, and guidelines for training and customizing workstations. While most organizations have policies in place for providing access to information in situations where such communication may be critical, they often fall short when it comes to providing reasonable accommodation for workers of all abilities. Thus, it is imperative to implement a comprehensive plan that considers deaf and hard-of-hearing employees’ unique needs. 

It is crucial to train employees on how to make a workplace accessible to disabled individuals. Training should include how to handle emergencies, use ASL, and use electronic or mechanical devices. Employees who do not know how to make a workspace accessible may not perform on a team properly. It is also vital that managers provide cultural training and information to their employees to understand their team members and how to respect and encourage them. If your business offers deaf-accessible products or services, promote them! 

Getting started with Microsoft Endpoint Manager

This article is contributed. See the original author and article here.

By Adrian Moore – Sr Program Manager | Microsoft Endpoint Manager


 


As part of the Microsoft 365 license, your company is likely entitled to adopt Microsoft Endpoint Manager, which brings together Microsoft Intune and Configuration Manager into a unified platform to help protect and manage your organization’s devices and apps. Now what? Let’s go through the basics of managing your organization’s devices and mobile applications with Microsoft Intune.


 


A global cloud service architecture


Microsoft Intune was architected from the cloud and for the cloud and is closely tied with Azure Active Directory (Azure AD). Intune controls integrate with Azure AD and Conditional Access (CA) policies to help you manage access to your organization’s apps and devices and protect and isolate corporate data. Intune enhances CA with device-based compliance and can also take risk signals from Microsoft Defender for Endpoint, as well as mobile threat defense (MTD) apps. Intune also integrates with network access control (NAC) solutions to ensure only compliant devices can connect to your corporate network.


 


App stores are key parts of an Intune deployment. For iOS devices, you can use either the Apple Volume Purchase Program (VPP), which is part of Apple Business Manager, or the App Store. In the case of Android, either the Google Play app store for device administrator devices, or Managed Google Play for Android Enterprise devices can be used. For Windows, the Windows Store for Business provides a great experience for app deployment.


 


Your administrative management experience is centralized from the Microsoft Endpoint Manager admin center, which uses Microsoft Graph calls to the Intune service. Every action from app configuration to mobile device management settings to security in the admin center is a Microsoft Graph call. If you’re not familiar with Graph, take some time to understand it, specifically how it integrates with Microsoft Intune.


 


Figure: Intune Service Architecture.


 


Initially, Intune began as a combination of a set of services running on physical machines in a private datacenter, and a set of distributed services running on Azure. By 2018, all Intune services were re-architected to run on Microsoft Azure. Today, Intune’s cloud services are built on Azure Service Fabric. All services are deployed to a Service Fabric cluster consisting of a group of front-end and middle-tier nodes. We refer to these clusters as an Azure Scale Unit, or ASU.


 


Here’s what the backend architecture looks like:



Figure: Intune ASU Architecture: Global View.


 



  • There are 18 clusters spread over three regions in North America, Europe, and Asia Pacific. Each cluster has about 5,000 services running, all partitioned to scale out.


  • The clusters are completely isolated and independent of one another. They are hosted in different subscriptions and datacenters and cannot access each other.


  • We back up data to an external persisted Azure table/blob storage. This enables fast recovery for replicas in case of catastrophic failure.


 


Moving from physical machines in a private datacenter to a cloud-based, micro-service architecture enabled Microsoft to scale Intune to billions of devices and apps and to rapidly deliver new innovations. Customers experienced increased reliability, stability, and performance of the service. You can find out more about the development of this architecture in the blog post How we built (rebuilt!) Intune into a leading globally scaled cloud service.


 


Planning and deployment


A successful adoption or migration to Microsoft Intune starts with a plan. This plan depends on your company’s current device management solution, business goals, and technical requirements. Additionally, you should include key stakeholders who will support and collaborate with the plan.


 


The following resources will help plan and deploy Intune:



 


Device enrollment


You can manage devices and apps, and how they access company data, in Intune. To use Intune mobile device management (MDM), the devices must first be enrolled in the Intune service. When a device is enrolled, it’s issued an MDM certificate. This certificate is used to communicate with the Intune service.


 


Devices can be enrolled on the following platforms. For the specific versions, see Supported operating systems:



  • Android

  • iOS/iPadOS

  • macOS

  • Windows


 


Different platforms may have additional requirements. For example, iOS/iPadOS and macOS devices require an MDM push certificate from Apple.


 


The following resources will help you learn more about device enrollment for each platform:



 


Compliance policies


MDM solutions like Intune can help set requirements for users and devices to protect organizational data. In Intune, you manage these requirements with compliance policies. There are two parts to compliance policies in Intune:



  • Compliance policy settings  – Tenant-wide settings that are like a built-in compliance policy that every device receives. Compliance policy settings set a baseline for how compliance policy works in your Intune environment, including whether devices that haven’t received any device compliance policies are compliant or noncompliant.


  • Device compliance policy – Platform-specific rules administrators can configure and deploy to groups of users or devices. These rules define requirements for devices, like minimum operating systems or the use of disk encryption. Devices must meet these rules to be considered compliant.


 


The following articles will help you understand how to create and monitor compliance policies in Intune, as well as how to integrate with MTD and NAC solutions, and Conditional Access:



 


Intune app protection policies


Intune app protection policies (APP) allow you to protect organizational data within an application.  Together with app configuration capabilities, you can implement mobile application management (MAM) in Intune to help protect sensitive data that is accessed from both managed and unmanaged devices. With MAM without enrollment (MAM-WE), you can use Intune to manage work or school-related apps, including productivity apps such as the Microsoft Office apps, on almost any device, including personal devices in bring-your-own-device (BYOD) scenarios. See the official list of Microsoft Intune protected apps available for public use.


 


To get an overview of app protection policies and how they work, check out the following articles:



 


Delivering apps to devices


Intune supports a wide range of apps, including store apps for iOS, macOS, Android, and Windows, and line-of-business (LOB) apps. You can manage app deployment from the Microsoft Endpoint Manager admin center. Also, you can use Intune to orchestrate store app deployment with Managed Google Play, the Apple App Store, and the Microsoft Store.


 


Check out these resources to find out how to add and manage apps with Intune:



 


Privacy and personal data in Intune


You should understand how Intune collects, stores, retains, processes, secures, shares, audits, and exports personal data. Microsoft Intune does not use any personal data collected as part of providing the service for profiling, advertising, or marketing purposes.


 


The following resources will help you understand privacy and personal data in Intune:



 


Intune service updates


New feature releases for Intune typically have a six to eight-week cadence, from planning to release, called a sprint. Intune releases use a YYMM naming convention. For example, 2107 would be a July 2021 release.


 


How updates are released


Our monthly release process is a methodical update of many different environments, first across multiple Azure services and then in the admin center, which makes it available for use. An internal environment called Self Host is the first environment to receive the release. This is used only by the Intune engineering teams. We then roll out to the Microsoft tenant, which manages over 650,000 devices. Once we’ve validated there are no key issues with the services, we then begin rolling out to customer environments in a phased approach. Once all tenants have been successfully updated, we update the Microsoft Endpoint Manager admin center. This phased approach lets us identify issues before they impact the service or our customers.


 


Updating the Company Portal app is a different process. Microsoft is subject to the release requirements and processes of the Apple App Store and Google Play, and sometimes mobile carriers. It isn’t always possible to align Intune release updates with updates to the Company Portal. See UI updates for Intune end-user apps for information on Company Portal updates.


 


How can I tell if a service update is complete for my tenant?



  1. Sign in to the Microsoft Endpoint Manager admin center.

  2. Select Tenant administration > Tenant status to see your tenant’s name and location, MDM authority, account status, and service release number. In the example below, the tenant has the 2104 (April 2021) service release.

    Figure: Example screenshot of the Tenant admin > Tenant status blade.


 


Keeping up to date about releases


Keeping up to date about releases and changes is an important part of your Intune deployment. Intune provides several ways to stay current about the latest updates to the service:



  • What’s new in Intune – Learn what’s new each week in Microsoft Intune, including an overview of the current release, notices, information about earlier releases, and other information. Content is published at the end of the current sprint once the UI updates start rolling out in the Microsoft Endpoint Manager admin center.


  • Message Center – When the service update is completely rolled out, you’ll see a message posted in the Tenant status – Service health and message center, or you can view the same messages in the Message Center at portal.office.com. We use service APIs to pull just the Microsoft Endpoint Manager messages from Office into the Microsoft Endpoint Manager admin center UI.


  • Microsoft Intune Tenant Status page  – A centralized hub where you can view current information and communications about the Intune service and your tenant status.


    1. Navigate to the Microsoft Endpoint Manager admin center.

    2. Select  Tenant administration > Tenant status > Service Health > Message center.

    3. Select a message under INTUNE MESSAGE CENTER to read it.




  • Get the latest announcements from Twitter @IntuneSuppTeam.


 


Intune also shares information about updates in development, posts service incidents in Microsoft Endpoint Manager admin center, and can send email notifications. To learn how to stay current with this information, see Staying up to date on Intune new features, service changes, and service health.


 


We hope you found this overview of Intune helpful. Check out Tips and tricks for managing Intune to continue learning how to get the best out of your Intune deployment.


 


Resources and feedback 


For additional information on this subject, see the following documentation: 


Microsoft Intune overview


Device management overview


Tutorial: Walkthrough Intune in Microsoft Endpoint Manager


High-level architecture for Microsoft Intune


 


If you have any questions, reply to this post or reach out to @IntuneSuppTeam on Twitter.

Released: June 2021 Quarterly Exchange Updates

Today we are announcing the availability of quarterly Cumulative Updates (CUs) for Exchange Server 2016 and Exchange Server 2019. These CUs include fixes for customer reported issues, all previously released security updates, and a new security feature.


A full list of fixes is contained in the KB article for each CU, but we wanted to highlight the new security feature.


Exchange Server AMSI Integration


As mentioned in our recent blog post, the June 2021 CUs include new Exchange Server integration with AMSI (Antimalware Scan Interface). AMSI exists in Windows Server 2016 and Windows Server 2019, and the new integration is available in Exchange 2016 and Exchange 2019 when running on either of those operating systems. For Exchange 2016, AMSI integration is available only when running on Windows Server 2016. It is not available for Exchange 2016 running on Windows Server 2012 or Windows Server 2012 R2.


AMSI integration in Exchange Server provides the ability for an AMSI-capable antivirus/antimalware solution to scan content in HTTP requests sent to Exchange Server and block a malicious request before it is handled by Exchange Server. The scan is performed in real time by any AMSI-capable antivirus/antimalware solution that runs on the Exchange server as the server begins to process the request. This provides automatic mitigation and protection that complements the existing antimalware protection in Exchange Server to help make your Exchange servers more secure.


Because we know that some of our customers modify the web.config file on their Exchange Server, we wanted to let you know that installation of the June 2021 CUs will add a new section in the web.config of every HTTP service under <Modules>. The entry will be called “HttpRequestFilteringModule” and it must be present for AMSI integration to work.
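One way to confirm the entry after installing the CU or after hand-editing a web.config, shown as an added example that is not from the Exchange team's post: the function walks a directory tree, parses every web.config it finds, and reports whether an add element named HttpRequestFilteringModule sits under a modules section. The function name, the -Root parameter, and the sample files are assumptions made for this illustration; the post does not give a path, so the caller supplies it.

```powershell
# Added example (not from the original post): report whether each web.config
# under a directory tree carries the HttpRequestFilteringModule entry.
# Assumption: -Root is the folder that holds the Exchange HTTP services'
# web.config files; the post names no path, so the caller passes one.
function Test-HttpRequestFilteringModule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Root,

        # Entry name as given in the post.
        [string]$ModuleName = 'HttpRequestFilteringModule'
    )

    # XPath 1.0 has no lower-case(), so translate() folds the element name;
    # this matches <modules> and <Modules> alike.
    $sectionXPath = "//*[translate(local-name(),'MODULES','modules')='modules']"

    Get-ChildItem -LiteralPath $Root -Filter 'web.config' -File -Recurse |
        ForEach-Object {
            # Capture the path first: inside catch, $_ is the error record.
            $file = $_.FullName
            $status = 'Missing'
            try {
                $xml = New-Object System.Xml.XmlDocument
                $xml.Load($file)
                $sections = @($xml.SelectNodes($sectionXPath))
                if ($sections.Count -eq 0) {
                    # No modules section at all: nothing for the CU to have added to.
                    $status = 'NoModulesSection'
                }
                foreach ($section in $sections) {
                    foreach ($entry in $section.SelectNodes("*[local-name()='add']")) {
                        # -eq on strings is case-insensitive in PowerShell.
                        if ($entry.GetAttribute('name') -eq $ModuleName) {
                            $status = 'Present'
                        }
                    }
                }
            }
            catch {
                # A hand-edited file that no longer parses is its own finding.
                $status = 'Unreadable'
            }
            [pscustomobject]@{ Path = $file; Status = $status }
        }
}

# Constructed sample input: three small web.config files in a temp folder.
# The type value is a placeholder, not the real module type.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) ("webconfig-check-" + [guid]::NewGuid())
$samples = @{
    'ServiceA' = '<configuration><system.webServer><modules><add name="HttpRequestFilteringModule" type="Placeholder.Type" /></modules></system.webServer></configuration>'
    'ServiceB' = '<configuration><system.webServer><modules><add name="OtherModule" type="Placeholder.Type" /></modules></system.webServer></configuration>'
    'ServiceC' = '<configuration><system.webServer><modules>'   # truncated on purpose
}
foreach ($name in $samples.Keys) {
    $dir = Join-Path $demo $name
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    Set-Content -LiteralPath (Join-Path $dir 'web.config') -Value $samples[$name]
}

# One row per file, with Status = Present, Missing, NoModulesSection or Unreadable.
Test-HttpRequestFilteringModule -Root $demo | Sort-Object Path | Format-Table -AutoSize
Remove-Item -LiteralPath $demo -Recurse -Force
```

Any row other than Present for an HTTP service's web.config means AMSI request scanning is not in effect for that service and the file should be compared against a freshly installed copy.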


Release Details


The KB articles that describe the fixes in each release and product downloads are as follows:



Additional Information


Microsoft recommends all customers test the deployment of any update in their lab environment to determine the proper installation process for your production environment.


These updates contain schema and directory changes and so require that you prepare Active Directory (AD) and all domains. You can find more information on that process here. Schema changes can be tracked here. For best practices for successful installation, please see this document.


If updating from an older version of the CU, please see Exchange Update Wizard for detailed steps to follow.


Also, to prevent installation issues you should ensure that the Windows PowerShell Script Execution Policy is set to Unrestricted on the server being upgraded or installed. To verify the policy settings, run the Get-ExecutionPolicy cmdlet from PowerShell on the machine being upgraded. If the policies are NOT set to Unrestricted you should use these resolution steps to adjust the settings.


If you plan to install the update with the unattended install option using either PowerShell or a command prompt, make sure you specify either the full path to the setup.exe file or use a “.” in front of the command if you are running it directly from the folder containing the update. If you do not, Exchange Setup may indicate that it completed successfully when it did not. Read more here.


Note: Customers in Exchange hybrid deployments and those using Exchange Online Archiving with an on-premises Exchange deployment are required to deploy a supported CU for the product version in use.


For the latest information on the Exchange Server and product announcements please see What’s New in Exchange Server and Exchange Server Release Notes.


Note: Documentation may not be fully available at the time this post is published.


The Exchange Server team

Azure Arc-enabled data services Jumpstart updates

Since the beginning of the Azure Arc Jumpstart project, our team has been devoted to providing our tech community an easy, efficient, and fun way of deploying various Azure Arc scenarios in an automated fashion. 


 


With the announcement of Azure Arc-enabled data services general availability, we are also excited to share with you the evolution of the related Jumpstart scenarios around it.


 


The Jumpstart project is an extension to the core Azure Arc products suite and as such, it is our core mission to provide our users with the most up-to-date deployment scenarios.


 


Support for directly connected mode


With directly connected mode, Azure Arc-enabled data services can now be projected as Azure resources in the portal and have 1st class API representation. For this release, we’ve updated both the Azure Kubernetes Service (AKS) and the Google Kubernetes Engine (GKE) scenarios to support directly connected mode.


 


As we continue to invest more effort in creating Cluster API (CAPI) scenarios that leverage the Cluster API Azure Provider (CAPZ), in addition to the AKS and GKE updates mentioned above, 3 new scenarios were created using CAPI/CAPZ. These scenarios are great for those who want to deploy data services on an unmanaged Kubernetes environment to have more control but also to simulate a closer “on-premises Kubernetes” experience.


 




 


Modular automation


As you may already know, Azure Arc-enabled data services support SQL Managed Instance and PostgreSQL Hyperscale. With our new and updated scenarios, we now allow for a parametrized deployment. A user can now use the same code base and choose whether to deploy just the Azure Arc data controller, SQL Managed Instance, PostgreSQL Hyperscale, or both.


 


Although we provide 3 distinct scenarios to make things clean and easy to follow, a user can simply choose the deployment environment with just a couple of parameters.


 




 


[Note] We will be updating the AWS EKS scenario in our upcoming future releases.


 


ArcBox updates


At our Microsoft Build event last month, we announced the Jumpstart ArcBox solution, a super easy way to deploy a full sandbox environment for you to get going with Azure Arc. We are happy to share that ArcBox now also supports Azure Arc-enabled data services in a directly connected mode, so in a single ArcBox resource group you will now get both SQL Managed Instance and PostgreSQL Hyperscale deployed and projected as Azure Arc resources.


 


Azure Arc Partners


Microsoft partners are a critical part of the overall Azure Arc success! For many months now, the different engineering, marketing, and sales organizations within Microsoft have been working hard on building the right messaging, technical content, and strategy for Azure Arc and for our partners. In this new blog post, you can read all about our work and the Azure Arc partners available so you can make your organization successful with the technology.


 


We hope you will enjoy these cool updates and please reach out for any questions.


 


Lior

Azure Arc service and technology partners

The Azure Arc partner ecosystem offers customers validated, enterprise grade solutions to run Azure on-premises and at the edge. Launched at Microsoft Ignite 2021 with support from industry-leading OEMs, hardware providers, platform providers, and ISVs, we are happy to announce the expansion of the Azure Arc network of trusted partners and validated platforms to data services.


 


Azure Arc validation program


The Azure Arc validation program ensures customers can adopt from a wide range of partner solutions to fit their needs with the confidence that they have been designed, engineered, configured, and tested to run Azure data services and Kubernetes distributions.


 


With these validated solutions, customers receive the benefits of enterprise performance and scale to deploy and operate their data services across their entire estate, as well as the assurance of enterprise grade support.


 


Technology partners & platforms


Our partnership with industry-leading OEMs and storage providers delivers HCI and hardware-as-a-service (HaaS) solutions that combine hardware and software platforms that are optimized to run hybrid data workloads.

Partner solutions (solution, description, link):

  • Azure Kubernetes Service (AKS)
    Deploy and manage containerized applications more easily with a fully managed Kubernetes service.
    Link: azure.microsoft.com/en-ca/services/kubernetes-service/

  • Charmed Kubernetes
    The Azure Arc dashboard combined with Charmed Kubernetes’ full lifecycle automation tooling to drastically simplify multi-cloud deployments and operations traceability with GitOps.
    Link: ubuntu.com/blog/gitops-with-azure-arc-and-charmed-kubernetes

  • Storage Solutions
    Get the scalability, intelligence, and cloud integration you need to unlock the value of your data.
      • Dell EMC PowerFlex
      • Dell EMC PowerStore
      • Dell EMC PowerMax
    Link: delltechnologies.com/storage

  • Hyperconverged Solutions
    Benefit from an HCI portfolio that allows for choice based on infrastructure, operational models and desired IT outcomes.
      • Dell EMC PowerFlex
      • Dell EMC Integrated System for Microsoft Azure Stack HCI
    Link: delltechnologies.com/hci

  • as-a-Service Solutions
    Experience the ease and agility of as-a-Service combined with the power and control of leading technology infrastructure.
      • Dell Technologies APEX Data Storage Services
    Link: delltechnologies.com/apex

  • Hybrid cloud Kubernetes with Nutanix HCI + Karbon and Azure Arc
    Fast-track your cloud native journey! Make hybrid cloud Kubernetes a reality by extending Microsoft Azure and Azure Arc Data Services to Karbon Kubernetes clusters on Nutanix’s industry-leading Hyperconverged Infrastructure (HCI).
    Link: nutanix.com/solutions/cloud-native/hybrid-cloud-kubernetes

  • FlashArray and PX-Backup
    Pure Storage and PX-Backup deliver an enterprise-grade, point-and-click, container-native backup and disaster recovery solution with fine-grained protection, security, and audit capabilities.
    Link: purestorage.com/azure-arc

  • Rancher
    Together, Azure Arc and SUSE Rancher (SUSE’s GitOps-enabled Kubernetes management platform) provide a complete, open, and interoperable software stack for DevOps to deploy, secure, and manage their Kubernetes clusters.
    Link: suse.com/solutions/cloud-native-transformation/

  • Azure Red Hat OpenShift
    Azure Red Hat OpenShift provides highly available, fully managed Red Hat OpenShift clusters on-demand, monitored and operated jointly by Microsoft and Red Hat with an integrated support experience.
    Link: azure.microsoft.com/en-us/services/openshift/

  • Red Hat OpenShift
    Red Hat OpenShift is for innovation without limitation — bringing big ideas to life through intelligent applications with the security-focused hybrid cloud platform open to any team or infrastructure.
    Link: openshift.com

  • SUSE Linux Enterprise Server and SUSE Manager
    Supported by Microsoft Azure Arc for servers, SUSE Linux Enterprise Server simplifies an enterprise’s journey to a hybrid cloud infrastructure. In concert with Azure Arc, SUSE Manager orchestrates the deployment and lifecycle of the systems, while Azure Arc manages policy compliance.
    Link: suse.com/c/suse-accelerates-transformation-in-the-cloud-with-solutions-for-microsoft-azure/

  • VMware Tanzu Kubernetes Grid
    Run your containerized applications and Azure Arc-enabled data services anywhere, at enterprise-scale with VMware Tanzu Kubernetes Grid.
    Link: tanzu.vmware.com/kubernetes-grid

 


 


Featured service partners


Whether you are just getting started with migration and modernization efforts or in the middle of a multi-year smart factory rollout, our consulting services partners can help you choose the validated infrastructures and applications that are specifically configured and tested to work with Azure Arc.

Service partner solutions (solution, description, link):

  • Azure Governance Solution
    AHEAD created the Azure Governance Framework to allow enterprises to develop and maintain a fully optimized and secure environment.
    Link: AHEAD Azure Governance Solution

  • Cloud and Application Services
    Avanade provides a turnkey, managed Azure Stack solution. Through a single provider, you get a Microsoft certified hardware platform, Azure Stack software setup and configuration, a hybrid cloud foundations workshop, and then we run and manage it for you.
    Link: Accelerating Cloud Migrations And Extending Cloud Services | Avanade Insights Blog

  • AzCOP
    The power of automation on a unified platform providing benefits of self-services cloud. Consolidates all aspects of sourcing, managing and delivering cloud services across matrix teams while managing cloud risk and compliance.
    Link: AzCOP – Cloud Orchestration & Provisioning | BrainScale Inc

  • Azure Arc
    Learn how Microsoft and ClearDATA together can provide a comprehensive view into both your on-premises and cloud PHI data security and compliance by using Azure Arc.
    Link: Healthcare Compliance

  • Cognizant Cloud Operate
    Accelerated, factory-based, agile framework for migrating and transforming enterprise data center workloads to cloud using best of breed tools, custom blueprints, governance and optimization.
    Link: Cloud Managed Services—Cloud Operate | Cognizant

  • Azure Cloud Economics Assessment and Migration
    Undergoing the Cloud Economics Assessment will allow for effective forecasting of Azure Infrastructure usage, ensuring a well defined migration plan and transition to the cloud.
    Link: Azure Accelerate – Core BTS

  • Azure Arc Datacenter Management Assessment
    Cloud-first hybrid management. Simplify the management of complex and distributed environments across private & public clouds, datacenters, and edge.
    Link: Azure Arc Datacenter Management Assessment: 5-day – Microsoft Azure Marketplace

  • Do it hybrid
    Azure Arc enables Everis to help organizations design and achieve business goals, extending Azure’s capabilities and having unified operations. Do it hybrid streamlines the management of distributed environments anywhere.
    Link: everis cloud adoption journey > cloud implementation > cloud hybrid

  • Azure Validation & Optimization
    An Azure validation and optimization project is for customers seeking a professional review of cloud usage, services consumed, architecture, subscriptions and workloads to validate and identify areas of optimization.
    Link: App Modernization “Smart Start”: 2-Hr Briefing – Microsoft Azure Marketplace

  • Azure Arc Fast Start
    Azure Arc Fast Start helps organizations adopt Azure Arc to drastically simplify management and operation with a client’s hybrid cloud. Microsoft® Azure Arc was designed with hybrid solutions at the core to simplify workload management and operational burden across resources, no matter where they live.
    Link: Hybrid Container Management With Azure Arc Strategy Workshop | Insight

  • Managed Cloud Services for Azure
    KoçSistem MCS for Azure is a portal to manage cloud licenses and monitor usage/consumption for Microsoft Cloud Customers.
    Link: KoçSistem Teknolojiyi Türkiye’nin Lider Markaları ile Buluşturuyor! (kocsistem.com.tr)

  • Cloud Next
    Cloud Next is a multi and hybrid cloud platform built by KPMG Ignition Tokyo (KIT). The goals of Cloud Next are to provide a secure, low-cost, and 24×7 supported environment where clients and KPMG member firms can host their digital solutions.
    Link: KPMG Ignition Tokyo

  • Database Modernization
    Azure DB and Cosmos DB Migration Accelerator Pack helps organizations understand and plan on-prem data estate migration and modernization to Azure.
    Link: Nous Azure Arc based Hybrid Solution

  • Azure Governance Services for a Fully Governed Cloud Environment
    SNP’s Azure Adoption Framework is designed to help customers create and implement the business and technology
    Link: Hybrid Cloud Solutions- 4 Week Implementation – Microsoft Azure Marketplace

  • Azure Migration & Managed Service
    We help enterprises distribute workloads based on criticality & functionality between private & public clouds.
    Link: TCS’ Services for Cloud Migration to Azure for Digital Transformation

  • Azure Arc Hybrid Cloud
    A new management tool for hybrid cloud application infrastructures. It’s designed to manage resources in a cloudlike manner wherever they are, treating Azure’s resource tooling as your control plane.
    Link: Managed Services | UniSystems



 


Getting started resources



 

Digital transformation at SKF through data driven manufacturing approach using Azure Arc enabled SQL


This article is contributed. See the original author and article here.

Introduction


SKF, a leading global supplier of bearings, seals and lubrication systems operating 91 manufacturing sites in 28 countries, wanted to transform from a traditional manufacturing organization to a ‘Factory of the Future’ vision. SKF provides reliable rotation to industries all over the world, offering products and services around the rotating shaft including bearings, seals, lubrication management, artificial intelligence and wireless condition monitoring.


 


SKF has been on a journey to digitally transform the company’s backbone through harnessing the power of technology, interconnecting processes, streamlining operations and delivering industry-leading digital products and services for customers. As part of this transition, they wanted to modernize their factories to transform from a reactive to more predictive workflows using data driven methodology and cloud native operating models in the hybrid cloud environment. Using Azure Arc infrastructure and services, SKF has reduced costs, improved effectiveness, streamlined management and is able to make real-time decisions within the constraints of performance and availability expectations.


 


In this blog, @svollbehr and I will outline the hybrid cloud architecture, the use of Azure Arc-enabled data services, Azure Stack HCI and applications SKF deployed to realize this vision.


 


A data driven hybrid cloud approach


As SKF looked for a solution that supported their data-driven manufacturing vision for the Factories of the Future, they wanted one that could support distributed innovation and development, high availability, scalability and ease of deployment. They wanted each of their factories to be able to collect, process, and analyze data to make real-time decisions autonomously while being managed centrally. At the same time, they had constraints of data latency, data resiliency and data sovereignty for critical production systems that could not be compromised.


 


The drivers behind adopting a hybrid cloud model came from factories having to meet customer performance requirements, many of which depend on the ability to analyze and synthesize the data. Recently, the data analytics paradigms have shifted from Big Data Analysis in the cloud to more Data-Driven Manufacturing at the machine, production line and factory edge. Adopting cloud native operating models, but in a form where workloads execute physically on-premises at their factories, turned out to be the right choice for SKF.


 


The Azure Hybrid Cloud solution offered them a unique value proposition that is aligned with SKF’s Digital Manufacturing vision. It allowed them to reduce implementation and operating costs by using it as a standardized IT/OT platform across all factories, with fit-for-purpose configurations for every factory, while facilitating distributed innovation and development for competitive advantage.


 


Azure Arc – platform for digital transformation and application modernization


SKF’s challenge was the need to be able to provide over 90 factories with a platform that provides speed, reliability and low cost, while providing support for critical production systems. The platforms and solutions that they wanted to adopt had to be operated both in cloud and on-premises, and ideally be cloud-controlled centrally while enabling a local control point of execution on-premises with elastic scale and high availability using cloud services at the edge.


 


SKF chose Azure Kubernetes Service on Azure Stack HCI, and Azure Arc-enabled Kubernetes, as the primary hosting platform for modern workloads. The fact that Microsoft has also chosen this strategy allows them to deploy Azure Arc-enabled data services and Azure Edge/IoT Services on virtually any of their new or existing environments in a consistent automated fashion.


 


Cloud managed, locally executed services on the edge


SKF has manufacturing plants worldwide that will be automated using their modern cloud-native applications as part of SKF’s Manufacturing Execution System harmonization strategy. Deployed in each manufacturing plant, these applications collect data from machines and sensors in the production lines to be stored on-premises in the factory location as well as selectively in Azure cloud. This allows for ease of use for applications, analytics, and visualization of data in the factory with low latency and in the cloud for visibility across factories and locations.


 


 




 


 


This architecture consists of the following Azure hybrid components:


 


Azure Stack HCI: Azure Stack Edge or Hyper Converged Infrastructure cluster solutions host virtualized Windows and Linux workloads in a hybrid on-premises environment. Azure Stack Edge and HCI are both running Kubernetes making it easy to manage applications using Open-source tools, such as ArgoCD. This gave SKF the ability to run compute intensive workloads and build intelligence at the edge.


 


Azure Arc-enabled Kubernetes: Azure Kubernetes Service and Azure Arc for Kubernetes allow ease of operations and control along with cloud connectivity to be centrally managed from Azure. Kubernetes is used as the container infrastructure platform in the Digital Manufacturing architecture. Kubernetes also meets the requirements for scalability and availability for the databases in the architecture.


 


Azure SQL Edge on Kubernetes: Azure SQL Edge hosts a lightweight SQL database that allows for rapid ingestion, store and forward to the node where applications can make use of time series functions in the architecture.


 


Azure Arc-enabled data services on Kubernetes: This is the foundation for the factory and acts as the central point of data aggregation and persistence. It can be configured to host multiple instances of either Azure SQL Managed Instance or PostgreSQL Hyperscale. These instances can be scaled up or down dynamically, configured to be highly available, kept current with regular updates, and monitored centrally in the Azure cloud.


 


Azure IoT Edge Hub on Kubernetes: Azure IoT Edge Hub enables the data routing on Edge as well as data streaming to the cloud.


 


This platform makes it easier for SKF to run its business-critical containerized applications in the cloud as well as factory edge.


 


Declarative infrastructure deployment in hybrid cloud


The ability to automate deployments in a consistent manner across its factories globally was an important factor for SKF in scaling out the solution with speed. SKF used a Git repository to store declarative infrastructure descriptions and integrated it into their continuous integration/continuous deployment (CI/CD) pipelines. ArgoCD, an open-source tool, was used as a GitOps operator for central application deployments to Kubernetes clusters across all factories. Secrets were stored in Azure Key Vault and are retrieved into Kubernetes clusters to operate the applications. The Azure portal was used to monitor these applications centrally from the cloud.


This architecture allowed infrastructure management to be fully automated. The application, SQL database or other infrastructure resource updates could be applied with zero downtime to factories.


 


Low latency data flow from IIoT devices to processing nodes


The factory machines and sensors are connected using a Brown Field Connector (BFC). These connectors collect manufacturing process metrics and sensor data that are streamed in real time to the application platform running on top of either Azure Stack Edge or Azure Stack HCI. The application platform is based on Kubernetes and running for example on Azure Kubernetes Service on HCI (AKS-HCI).  Azure IoT Edge Hub and Azure SQL Edge on Kubernetes are used for aggregating the streaming data from all the Industrial IoT (IIoT) devices.  This timeseries data containing readings from the machines and sensors is then processed and transformed by Azure Functions and then forwarded to the HCI for storage. The data is stored in a SQL Managed Instance (SQL MI) operated in Azure Arc-enabled data services running in the AKS-HCI. Here, the cloud native applications process the data and drive actions to keep the factories running efficiently.


 


This architecture not only meets several business and compliance goals by processing data locally on-premises but also gives improved performance due to low data latency. The critical production applications in the factory are deployed in a scalable and highly available architecture for Azure Arc-enabled data services using Availability Groups with a cloud-connected on-premises Kubernetes. The Azure Arc-enabled data service is a central component in the hybrid architecture and is used in every factory as the primary database solution for modern workloads. The data in SQL MI is exposed by a set of APIs running as containers in AKS. Finally, to visualize, for example, Operational Equipment Efficiency (OEE), they have implemented dashboards that display data in real time on this architecture.


 


The Dataflow architecture built on top of Kubernetes and Arc gives the capability of managing through a unified control plane as follows:


 



  1.   A custom OPC-UA configurator module running on IoT Edge for Kubernetes configures the custom OPC-UA data collector module. The custom module reads configurations from the SQL MI database.

  2.   The custom OPC-UA data collector module connects to an OPC-UA server on a Brown Field Connector (BFC) to collect, transform and route signal data from all the endpoints. Data is routed using IoT Edge Hub to other modules like SQL Edge or IoT Hub in Azure cloud.

  3.   Data is stored in Azure SQL Edge, which enables applications to make use of SQL Edge’s unique time series functions to clean and aggregate the data. It also allows for running machine learning models deployed on top of SQL Edge.

  4.   Data is transferred to Azure Arc-enabled data services where it is stored in SQL MI. Here, data can be joined with other information that is business critical for the factory. These databases act as the central source of information in the factory and help drive dashboards and applications.

  5.   Data can further be exchanged and synchronized with Azure cloud using Azure Data Factory to be ingested in either Azure Data Lake or Azure SQL Databases.


 


Real-time decisions using intelligence at the edge


Business critical applications use the data stored in the SQL MI databases to process and drive manufacturing dashboards for the factory staff to closely monitor the factory operations. Azure Arc-enabled SQL MI running on AKS-HCI delivers low-latency, high-compute performance at the edge to run data analytics workloads and is also highly available. This approach future-proofs the platform for adding ML and other data analytics in the future. The entire solution is delivered through Microsoft, providing better integration, consistency, and flexibility at lower cost.


 


‘Factory of the Future’ is here


As SKF rolls out the solution to its global factories using Azure Hybrid, it is already on a path to implement its ‘Factory of the Future’ vision with the benefits of AKS-HCI and Azure Arc-enabled SQL to run their factories at scale. These are some of the most important benefits that SKF has realized using Arc-enabled Data Services.



  • Facilitate distributed innovation and development for competitive advantage

  • Reduce implementation and operating costs of their highly available IT/OT platform

  • Scale out easily with single pane of glass management and continuous rollout of the latest features and benefits for intelligent edge.


 


With new Azure Arc services like Azure Arc-enabled ML and Azure Arc-enabled App services, SKF has future-proofed their factories using the Azure Arc and Azure Hybrid Cloud services.


 


Conclusion


SKF is a visionary manufacturer who is rapidly adopting cloud to transform the business using data driven methodology and cloud native operating models in a hybrid cloud environment. Azure Hybrid platform with Azure Arc-enabled data services, SQL MI, AKS-HCI on Azure Stack HCI and Azure SQL Edge with Azure IoT hub have been the cornerstone of this transformation. It has been possible to get this alignment due to a productive partnership between two global leaders – SKF and Microsoft to deliver industry-leading digital products and services to customers.


 


To know more about Azure Arc, Azure Hybrid and SKF’s journey please sign up to watch the Azure Hybrid and Multicloud Digital Event.


 


 


 


 


 


 


 

Enabling hybrid solutions on any cloud, on any infrastructure, with Azure Arc partners

This article is contributed. See the original author and article here.

Byline: @blakeknight and @dhanMMS 


 


In support of the upcoming general availability of Azure Arc-enabled Azure SQL we are happy to announce expansion of the Azure Arc ecosystem of trusted partners and validated hardware and software platforms to help customers get started.


 


The “anywhere” solution for Azure data services at scale


Businesses today are increasingly adopting hybrid and multicloud technologies for their data workloads. Complexity grows as they adopt modernization and migration principles while also responding to data sovereignty, industry regulation, and on-premises latency constraints.


 


To meet the needs of customers today and solve their complicated hybrid scenarios, Azure Arc-enabled data services integrates across a wide choice of platforms. We have collaborated with industry-leading OEMs, cloud solution providers (CSP), Kubernetes and OS distribution providers, and independent software vendors (ISVs) to validate their Azure Arc hybrid solutions and deliver the latest innovations and unified management tools for data workloads in any environment.


 


“Azure Arc is the glue that brings the power of Azure – time to market, innovation, security – to all cloud environments. Arc allows us to fully realize multi-cloud – from on-prem, to hybrid, to the edge, and even connect services in other public cloud providers. It’s a game changer, especially as organizations push more solutions towards the intelligent edge.” – Brandon Ebken, CTO, Insight


 


 


A customer-centric, solutions-focused approach


With Azure Arc, customers can now have a unified Azure experience across their entire infrastructure – and we have worked with a network of trusted partners to support customers with their migration and modernization efforts. Whether you are just getting started with migration and modernization efforts or in the middle of a multi-year smart factory rollout, our consulting services partners can help you choose the validated infrastructures and applications that are specifically configured and tested to work with Azure Arc.


 


Azure offers the entire infrastructure – from the network, compute, power, and cooling, all the way up through the software layer – and we have worked with a network of trusted partners to help customers get started. Azure Arc-enabled data services helps customers extend the same cloud benefits and data services they receive in Azure to their own infrastructure, such as automated or self-service de/provisioning, scaling, updates, backup/restore, and high availability.


 


We are working with a broad network of managed service providers (MSPs) and solution integrators (SIs) to help customers deploy and operate Azure data services in multi-cloud and on-prem environments. With the help of our partners, customers can use Azure Arc to:


 



  • Manage cloud-native app development at scale and across multi-cloud environments

  • Integrate with cloud native platforms and/or deliver solutions for data and AI

  • Accelerate data modernization and create hyperconverged infrastructure (HCI) solutions by combining highly optimized hardware and software platforms


 


Validated platforms for trusted performance


The Azure Arc validation program ensures customers can adopt from a wide range of partner solutions to fit their needs with the confidence that they have been designed, engineered, configured, and tested to run Azure data services.


 


With Arc validated solutions, customers receive the benefits of enterprise performance, scale, and support to deploy and operate their data services, like Azure SQL Managed Instance, across any cloud. Arc validated solutions are tested for both hardware and software platforms to optimize hybrid data workloads, and our partnership with industry leading OEMs, like Dell Technologies, delivers HCI and hardware-as-a-service (HaaS) for full stack solutions.


 


For a consistent experience from cloud to edge, popular infrastructure platforms and Kubernetes distributions have been tested and validated to work with Azure Arc. Current validated solutions include Dell EMC PowerFlex, Dell EMC PowerMax, Dell EMC PowerStore, Dell EMC Integrated System for Microsoft Azure Stack HCI, Dell EMC VxRail, Dell Technologies APEX Data Storage Services, Red Hat Openshift, Portworx by Pure Storage, Nutanix Karbon, and VMware Tanzu. See a full list of technology and service partners here.


 


“Building upon our long history of close collaboration with Microsoft, Dell Technologies infrastructure is now validated to work with Azure Arc,” said Travis Vigil, senior vice president of product management, Dell Technologies. “We’ve optimized Dell storage and hyperconverged infrastructure offerings, including APEX Data Storage Services, with Azure Arc-enabled data services to vastly simplify the deployment, management and governance of database management systems across private clouds, public clouds and edge locations.”


Read more about Dell validated platforms for Azure Arc here.


 


“With Red Hat OpenShift, users can run Azure data services across the entirety of the hybrid cloud, including on-premise datacenters, at the edge and in multiple public cloud environments. Whether extending a self-deployed cluster or a managed container service, customers can elastically scale data operations and applications while trusting their container-based data infrastructure is up to date.” – Mike Evans, VP Technical Business Development, Red Hat


 


For data workloads running SQL, storage is an important component of the overall infrastructure. Our partners deliver purpose-built solutions that optimize hardware and software interlock. Customers can build cloud native infrastructure on cost-effective tiered virtualized storage to receive best of class performance for their data applications.


 


“Azure Arc simplifies multicloud deployments by bringing Azure management and security to any infrastructure. Paired with Portworx, customers can accelerate application development and app reliability across on-premises, cloud, and edge by automating container storage and data management.” – Shawn Rosemarin, Global VP, Emerging Technology Sales, Pure Storage


 


 


Cloud solutions that simplify the most complex hybrid scenarios


Many customers are adjusting to rapid technology advances and responding by adapting their infrastructure, applications, and operations to be cloud native. Our network of managed service providers (MSPs) and solution integrators (SIs) are here to deliver comprehensive platforms that integrate with your existing infrastructure, deploying cloud native tools, GitOps configurations, and applications to one or more Kubernetes clusters at scale.


 


“We see massive value with Azure Arc and the ability to bring the features and capabilities of Azure to on-premise datacenters, retail stores, and manufacturing facilities, while simultaneously centralizing operations and modernizing technical capabilities across hosting platforms.” – Nick Colyer, Director of Cloud & DevOps, AHEAD


 


“Azure Arc enabled data services provides a Database-as-a-Service model for us to better serve our customers, like OPET; they now can run data workloads outside of Azure, and yet enjoy all the Azure innovation and cloud benefits.” – Evren Dereçi, Chief Marketing Officer, Koç Sistem


 


 


Get started today with an Azure Arc partner


The Azure Arc partner program offers customers validated, enterprise grade solutions to run Azure at the edge. Launched at Microsoft Ignite 2021 with support from industry-leading OEMs, hardware providers, platform providers, and ISVs, we continue to expand coverage into data services to meet the needs of our customers.


 



 

Vulnerability management for Linux now generally available


This article is contributed. See the original author and article here.

In May we announced the support for Linux across our threat and vulnerability management capabilities in Microsoft Defender for Endpoint. Today, we are excited to announce that threat and vulnerability management for Linux is now generally available across Red Hat, Ubuntu, CentOS, SUSE, and Oracle, with support for Debian coming soon. In addition to Linux, the threat and vulnerability management capabilities already support macOS and Windows, with support for Android and iOS coming later this summer to further expand our support of third party platforms.   


 


Vulnerability Management plays a crucial role in monitoring an organization’s overall security posture. That’s why we continue to expand our cross-platform support to equip security teams with real-time insights into risk with continuous vulnerability discovery, intelligent prioritization, and the ability to seamlessly remediate vulnerabilities for all their platforms. With the general availability of support for Linux, organizations can now review vulnerabilities within installed apps across the Linux OS and issue remediation tasks for affected .


 


Image 1: Software inventory page in the vulnerability management console, showing various Linux platforms


 


 


Image 2: Software inventory page in the vulnerability management portal, showing glibc across various Linux systems


 


Support for the various Linux platforms in threat and vulnerability management closely follows what is available across our Endpoint Detection and Response (EDR) capabilities. This alignment ensures a consistent experience for Microsoft Defender for Endpoint customers, as we continue to expand our cross-platform support.


 


More information and feedback


The threat and vulnerability management capabilities are part of Microsoft Defender for Endpoint and enable organizations to effectively identify, assess, and remediate endpoint weaknesses to reduce organizational risk.


 


Check out our documentation for a complete overview of supported operating systems and platforms.


 


We want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page.


 

Windows Insiders gain new DNS over HTTPS controls


This article is contributed. See the original author and article here.

Credit and thanks to Alexandru Jercaianu and Vladimir Cernov for implementation work


 


Over the last year, we have been improving the DNS over HTTPS (DoH) functionality in the Windows DNS client. Now we are pleased to introduce you to the different features now available through the Windows Insider program.


 


To start with, we want to note that the registry key controls documented in our original DoH testing blog post are no longer applicable. As stated there, those instructions were time limited to the initial DoH test rollout. If you did ever set that key, please delete it then reboot your machine before proceeding with the rest of this blog post.


 


Next, we will be reviewing the new configuration behavior, how Windows will know if a DNS server supports DoH, and what our next steps are in advancing encrypted DNS discovery.


 


UI


The first control you should try out is the new UI fields in the Settings app, originally announced on the Insider blog. When Windows knows a given DNS server’s IP address has a corresponding DoH server, it will unlock a dropdown that lets you decide whether to require encryption always be used, use encryption but fall back to plain-text DNS when encryption fails, or not to use encryption (the default value).


 




 


GPO


For enterprise administrators, we have provided a new GPO for controlling DoH behavior. This will allow the use of DoH to be allowed, required, or prohibited system-wide.



  • Allowed will defer the use of DoH to local settings available in the UI per network adapter.

  • Required will prevent the use of configured DNS servers if they do not support DoH and will disable fallback to plain-text DNS.

  • Prohibited will prevent any local DoH settings from taking effect, ensuring Windows functions as it did before the DoH client, using plain-text DNS only.


 




 


NRPT


The Name Resolution Policy Table (NRPT) allows administrators to specify rules for name resolution by namespace. For example, you can create an NRPT rule that specifies all queries for “*.microsoft.com” must be sent to a specific DNS server.


 


If Windows knows that a DNS server provided in an NRPT rule supports DoH (see the next section for how this works), then the traffic affected by the NRPT rule will inherit the benefits of using DoH. This allows admins who want to use DoH for some namespaces and not others to configure that behavior.


 


Knowing a server supports DoH


All these mechanisms rely on Windows already knowing a given DNS server IP address supports DoH. We ship a few definitions of known DoH servers in Windows:


 






















Server Owner | Server IP addresses
Cloudflare | 1.1.1.1, 1.0.0.1, 2606:4700:4700::1111, 2606:4700:4700::1001
Google | 8.8.8.8, 8.8.4.4, 2001:4860:4860::8888, 2001:4860:4860::8844
Quad9 | 9.9.9.9, 149.112.112.112, 2620:fe::fe, 2620:fe::fe:9



 


Other definitions need to be added using the netsh command. To start with, you can check to see what DoH server definitions we already know by retrieving them:


 

Using netsh

netsh dns show encryption

Using PowerShell

Get-DnsClientDohServerAddress

 


Then you can add another server definition to the list and ensure it never falls back to plain-text DNS:


 

Using netsh

netsh dns add encryption server=<resolver-IP-address> dohtemplate=<resolver-DoH-template> autoupgrade=yes udpfallback=no

Using PowerShell

Add-DnsClientDohServerAddress -ServerAddress '<resolver-IP-address>' -DohTemplate '<resolver-DoH-template>' -AllowFallbackToUdp $False -AutoUpgrade $True

 


If you prefer to allow fallback so that when encryption fails you can still make DNS queries, you can run the same commands with the fallback flag toggled to add a new server:


 

Using netsh

netsh dns add encryption server=<resolver-IP-address> dohtemplate=<resolver-DoH-template> autoupgrade=yes udpfallback=yes

Using PowerShell

Add-DnsClientDohServerAddress -ServerAddress '<resolver-IP-address>' -DohTemplate '<resolver-DoH-template>' -AllowFallbackToUdp $True -AutoUpgrade $True

 


The `-AutoUpgrade` and `-AllowFallbackToUdp` flags together represent the values present in the Settings app per-server dropdown. If for some reason you want to add these DoH server definitions but leave them to use unencrypted DNS for now, you can set the `-AutoUpgrade` flag to false instead of true as in the examples above.


 


If you want to edit an existing list entry rather than adding a new one, you can use the `Set-DnsClientDohServerAddress` cmdlet in place of the `Add-DnsClientDohServerAddress` cmdlet.


 


It would be easier for users and administrators if we allowed a DoH server to have its IP address determined by resolving its domain name. However, we have chosen not to allow that. Supporting this would mean that before a DoH connection could be established, we would have to first send a plain-text DNS query to bootstrap it. This means a node on the network path could maliciously modify or block the DoH server name query. Right now, the only way we can avoid this is to have Windows know in advance the mapping between IP addresses and DoH templates.
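An added example, not part of the original post: a PowerShell audit that reports, for each configured resolver, which of the three dropdown states its two flags produce, and which resolvers have no DoH definition at all. The function names and the sample addresses (documentation ranges) are constructed, and it assumes the objects returned by `Get-DnsClientDohServerAddress` expose properties named like the parameters shown above.

```powershell
# Added example (hypothetical helper names, constructed sample data).

function ConvertTo-CanonicalIp {
    # Normalize an address so different IPv6 spellings compare equal.
    param([string] $Address)
    $ip = $null
    if ([System.Net.IPAddress]::TryParse($Address, [ref] $ip)) {
        return $ip.ToString()
    }
    return $null
}

function Get-DohPosture {
    param(
        # Objects with ServerAddress, DohTemplate, AutoUpgrade, AllowFallbackToUdp
        # (assumed to match the output of Get-DnsClientDohServerAddress).
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $DohDefinition,
        # DNS server addresses configured on the machine's adapters.
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $ConfiguredServer
    )

    # Index the known definitions by canonical IP address.
    $byAddress = @{}
    foreach ($def in $DohDefinition) {
        $key = ConvertTo-CanonicalIp ([string] $def.ServerAddress)
        if ($key) { $byAddress[$key] = $def }
    }

    foreach ($server in ($ConfiguredServer | Sort-Object -Unique)) {
        $key = ConvertTo-CanonicalIp $server
        $def = $null
        if ($key -and $byAddress.ContainsKey($key)) { $def = $byAddress[$key] }

        # The two flags together select one of the three per-server states.
        if (-not $key) {
            $mode = 'Not a valid IP address'
        } elseif (-not $def) {
            $mode = 'No DoH definition: plain-text DNS'
        } elseif (-not $def.AutoUpgrade) {
            $mode = 'Defined, AutoUpgrade off: plain-text DNS'
        } elseif ($def.AllowFallbackToUdp) {
            $mode = 'DoH with fallback to plain-text DNS'
        } else {
            $mode = 'DoH only, no fallback'
        }

        $template = $null
        if ($def) { $template = $def.DohTemplate }

        [pscustomobject]@{
            Server      = $server
            Mode        = $mode
            DohTemplate = $template
            # True only when queries to this server can never leave unencrypted.
            AlwaysEncrypted = [bool] ($def -and $def.AutoUpgrade -and -not $def.AllowFallbackToUdp)
        }
    }
}

# Constructed sample input so the function can be exercised offline.
$sampleDefinitions = @(
    [pscustomobject]@{ ServerAddress = '192.0.2.53';  DohTemplate = 'https://doh.example.net/dns-query'
                       AutoUpgrade = $true;  AllowFallbackToUdp = $false }
    [pscustomobject]@{ ServerAddress = '192.0.2.54';  DohTemplate = 'https://doh.example.net/dns-query'
                       AutoUpgrade = $true;  AllowFallbackToUdp = $true }
    [pscustomobject]@{ ServerAddress = '2001:db8::53'; DohTemplate = 'https://doh6.example.net/dns-query'
                       AutoUpgrade = $false; AllowFallbackToUdp = $true }
)
# The IPv6 entry is written in expanded form on purpose; 198.51.100.1 has no definition.
$sampleConfigured = @('192.0.2.53', '192.0.2.54', '2001:DB8:0:0:0:0:0:53', '198.51.100.1')

Get-DohPosture -DohDefinition $sampleDefinitions -ConfiguredServer $sampleConfigured |
    Format-Table -AutoSize

# On a machine with the cmdlets from this post, feed it live data instead:
#   $defs    = @(Get-DnsClientDohServerAddress)
#   $servers = @((Get-DnsClientServerAddress).ServerAddresses)
#   Get-DohPosture -DohDefinition $defs -ConfiguredServer $servers
```

Rows where `AlwaysEncrypted` is false are the ones to review if the intent is to require DoH.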


 


Coming up next


Going forward, we want to be able to directly discover DoH server configuration from the DNS server. This would mean DoH servers could be used without having to include it in Windows or manually configure the IP address to DoH template mapping. We are currently contributing to two proposals in the IETF ADD WG to enable this: Discovery of Designated Resolvers (DDR) and Discovery of Network-designated Resolvers (DNR). We look forward to updating you with our first tests in supporting DoH discovery!

CISA Begins Cataloging Bad Practices that Increase Cyber Risk

This article is contributed. See the original author and article here.

In a blog post by Executive Assistant Director (EAD) Eric Goldstein, CISA announced the creation of a catalog to document bad cybersecurity practices that are exceptionally risky for any organization and especially dangerous for those supporting designated Critical Infrastructure or National Critical Functions.

While extensive guidance on cybersecurity “best practices” exists, additional perspective is needed. Ending the most egregious risks requires organizations to make a concerted effort to stop bad practices.

CISA encourages cybersecurity leaders and professionals to review EAD Goldstein’s blog post and the new Bad Practices webpage and to monitor the webpage for updates. CISA also encourages all organizations to engage in the necessary actions and critical conversations to address bad practices.