Intune Support Tip: Managing Compliance on HoloLens 2 with Microsoft Endpoint Manager

by Contributed | Jun 21, 2021 | Technology

This article is contributed. See the original author and article here.

By Per Larsen – Sr. Program Manager | Microsoft Endpoint Manager – Intune

How to manage compliance policies on HoloLens devices is one of the most common questions we get from customers as they start to manage their HoloLens fleet with Microsoft Endpoint Manager.

Compliance policies are used to mark the device compliant or non-compliant, which can be used in conjunction with Azure Active Directory (Azure AD) Conditional Access to allow or block access to corporate data.

Microsoft Intune as a capability of Endpoint Manager, uses Configuration Service Providers (CSPs) to control and verify many of the settings in the compliance policy, so those CSP’s need to be supported on the HoloLens. You can find out more about supported CSPs in the Policies in Policy CSP supported by HoloLens 2 document.

The same compliance policy is used for Windows 10 desktop and HoloLens in Microsoft Intune, however some settings supported for Windows 10 are not available for HoloLens. This is similar to how BitLocker and HoloLens work.

HoloLens 2 has BitLocker Device Encryption enabled automatically on the operating system and fixed data volumes and cannot be turned off – even by IT administrators – so that the device is always protected.

Settings available for HoloLens:

Can you use the profile?

Yes = The settings will work on HoloLens

Not applicable = Will show as Not applicable in the compliance status

* = Settings are not included in the supported list of CSP for Windows Holographic for Business

How to deploy a compliance policy to HoloLens

Scenarios drive whether you deploy your compliance policy to users in user groups or devices in device groups. When a compliance policy is deployed to a user, all the user’s devices are checked for compliance.

Example Scenario 1

Let’s take a HoloLens device that is enrolled into Intune by the Windows Autopilot self-deploying mode process and automatically put in KIOSK mode. When onboarded with Autopilot the device is enrolled . In this case, we recommend deploying your compliance policy to a device group. This can be done with an Azure AD static or dynamic group. You can populate a dynamic group with HoloLens devices by using a device attribute where “Model” is “HoloLens 2” or by a Group Tag set on the Autopilot object.

Example Scenario 2

You have a group of users that use both Windows 10 Desktop devices and HoloLens 2 devices. In this case, the same Intune compliance policy will be applicable to both devices. It therefore makes sense to deploy your compliance policy to a user group. Any setting that is not applicable on the HoloLens 2 can mark the device non-complaint.

Create the compliance policy

First, create a Filter to include or exclude HoloLens 2 devices when using user-based targeting:

1. Navigate to Tenant admin > Filters (preview) > Create, choose a Filter name.


2. From the Platform dropdown field, select “Windows 10” and click Next.
   
   
   
   


3. Complete the Rules section as follows, then click Next.
   
   
   
   • Property = Model
   
   
   • Operator = Equals
   
   
   • Value = HoloLens 2
     
     
     
     
   
   
   
   


4. Lastly, assign Scope tags if required, review your configuration, and then click Create.

Next, create the associated compliance policy:

1. Navigate to Devices > Windows > Compliance policies and select Create Policy.


2. Start by creating a simple compliance policy for your HoloLens devices, such as the following example:
   
   

Note that there is no primary user when a HoloLens 2 device is onboarded with Autopilot for HoloLens, as shown in the following image:

If a primary user is not identified, no one will receive an email if the compliance state of the device changes from compliant to non-compliant. You can change this by setting a primary user on the device so that Intune can send an email notification:

1. Navigate Devices > Windows and find the device you want to assign a primary user to.


2. Select Properties, click on Change Primary user, and then select the relevant user that will receive the non-compliant notification emails.
   
   

Conclusion

As new device types like HoloLens enter your endpoint estate, it’s critical that these devices are compliant with your corporate security policies to protect organizational data. Use these policies with Conditional Access to allow or block access to company resources for HoloLens 2 devices.

More info and feedback

For further resources on this subject, please see the links below.

Manage and use different device management features on Windows Holographic and HoloLens devices with Intune

Enroll HoloLens in MDM

Windows Autopilot for HoloLens 2

Let us know if you have any additional questions by replying to this post or reaching out to @IntuneSuppTeam  on Twitter. 

Certifications can spark confidence amidst unexpected changes

by Contributed | Jun 21, 2021 | Technology

This article is contributed. See the original author and article here.

While the pandemic has slowed down many aspects of life, research shows that the last 18 months has accelerated digitization and the tech employment market. By 2025, Microsoft estimates that 149 million new jobs will be added in technology industries. Leading those gains will be 98 million new software development jobs and 23 million cloud and data roles.¹

To help those around the world prepare for this growth, Microsoft’s skills initiative offers free training content and discounted certifications, and has helped over 30 million people in 249 countries and territories gain access to essential digital skills. As part of our ongoing #ProudToBeCertified blog series, we’d like to introduce you to Ricardo Lessa and how he went beyond personal advancement during the COVID crisis.

Ricardo: Helping others starts with helping yourself

Ricardo Lessa has a history of resilience and self-motivation. When he came out of the datacenter, Ricardo launched his career as an entrepreneur. For about a decade, he ran his own company until the pandemic struck in 2020. When the pandemic started, “My sources of income were literally cut off,” says Ricardo. He was forced to close his business. Searching for new opportunities, a Microsoft MVP and colleague introduced him to the power of certification through Microsoft Learn.

Making the most of available resources, Ricardo was able to earn Microsoft Certifications that helped him land a job as a pre-sales engineer. And that’s just the beginning. Certification is more than a credential; it’s a personal confidence builder, as Ricardo explains, “the term ‘proud to be’ is the sense of accomplishment for getting the job done, for having completed a stage, for having progressed, for truly scoring a win. And, on a personal level, it greatly improves our focus, our discipline and, consequently, our results.”

Ricardo was inspired by how his colleague’s advice had made a real impact on his career. So, they joined forces and found a way to help others in similar circumstances. “This situation and its demands inspired us to do something new – something unique,” he says. And together, they began a new technical support community: CloudExpert, an online network of support, training, and resources for professionals designed to get members trained to progress on their career paths. The goal of this network is to help peers rekindle their dreams and get back in the job market sooner than later.

By creating this new support system for others, Ricardo discovered more about himself than he ever imagined. “I was able to believe again in the possibility of starting over,” Ricardo says, “updating myself and returning to the IT market. I dreamed that I could influence others so that they can overcome hardship and believe in a new beginning. And it happened!”

Share your #ProudToBeCertified stories and opportunities

Like Ricardo’s initiative, the Microsoft Certification community can help you and your peers move forward, no matter how the world changes around you. Keep an eye out for more stories in this #ProudToBeCertified blog series and the latest videos – where people like you are dedicating themselves to continuing education to get an edge in our competitive and changing market.

Have a Microsoft Certifications story to share? We’d love to hear how you got started on your path, where it took you, the obstacles you overcame, or the confidence you gained from earning your first or fifteenth certification. Submit your own on Twitter, LinkedIn, or your preferred platform with #ProudToBeCertified.

Related posts:

• More and more people are #ProudToBeCertified with Microsoft


• Why you should celebrate your Microsoft skills and certifications


• Need another reason to earn a Microsoft Certification?

¹Microsoft Data Science, utilizing LinkedIn Data. Methodology and assumptions can be found in the white paper “Methodology: Digitization Capacity of the World Economy.”

²Official Microsoft Blog, “Building a more inclusive skills-based economy: The next steps for our global skills initiative,” Brad Smith, March 30, 2021

Threat & vulnerability management integrates with ServiceNow VR

by Contributed | Jun 21, 2021 | Technology

This article is contributed. See the original author and article here.

Most enterprises rely on a multitude of vendors, security solutions, and IT tools to combat advanced cyber-attacks. At Microsoft, we believe that when these solutions work well together, customers benefit and can build stronger defenses.

That’s why we are excited to announce the general availability of a new integration between Microsoft threat and vulnerability management and ServiceNow Vulnerability Response (VR). The integration between these two products gives customers more flexibility in managing the end- to-end workflow of their vulnerability management program and aims to:

• Optimize vulnerability prioritization


• Automate response workflows


• Speed up overall time to remediation

ServiceNow’s VR module ingests asset information, data of open and fixed vulnerabilities, as well as recommendations from Microsoft threat and vulnerability management. It syncs these findings into VR tables and data structures, where vulnerabilities are matched against existing assets in your CMDB or creates a new Configuration Item (CI) if no match is found. The integration leverages standard Vulnerability Response data import and CI reconciliation methods.

Image 1: Vulnerability Response Workflow Diagram

The diagram above shows the import of vulnerability assessment content from Microsoft threat and vulnerability management into ServiceNow VR to orchestrate the remediation workflow of vulnerabilities.

Once ServiceNow VR has ingested information from Microsoft threat and vulnerability management, security teams can start with a top-level view of the ingested data or dive deep using various views. Some of the available views include vulnerability groups, vulnerable items, and security recommendations taken directly from Microsoft threat and vulnerability management. 

Image 2: Integration run status dashboard

Image 2 shows an all-up integration run status and details of how much data has been ingested over the last 30 days. The included timeline shows performance metrics over the same period.

Image 3: Overview of ingested vulnerable items

Image 4: Overview of Microsoft threat and vulnerability management security recommendations

As part of the remediation workflow, ServiceNow VR prioritizes vulnerabilities using asset and business context, along with vulnerability risk scores. The risk score and rating take the vulnerability information and configuration item into account. Security teams can customize the risk calculator based on their organization’s preferences and requirements, optimizing the prioritization of vulnerabilities.

Users can then investigate each vulnerability and associated details within the ServiceNow console.

Image 5: Details view of vulnerable items

Lastly, ServiceNow VR provides a grouping of vulnerabilities based on the Microsoft recommendations and automatically assigns tickets to the relevant IT owners and sets the SLAs using predefined rules. This enables customers to use existing workflows and established processes in their organization and create an end-to-end process across the vulnerability management program.

The integration between Microsoft threat and vulnerability management and ServiceNow VR can help security teams create more automated remediation workflows and drive efficiencies with their IT counterparts.

An added focus on interoperability

Microsoft threat and vulnerability management APIs empower security teams to deliver greater value to their vulnerability management program. The set of APIs that was used to build the ServiceNow integration gives customers and partners full access to the threat and vulnerability management dataset, including:

• Vulnerability assessment


• Security configuration assessment


• Software inventory for all devices

If you want to know how to use these APIs to create custom reports, build automations, and more, check out this blog post.

As we continue to expand the depth and breadth of Microsoft’s vulnerability management capabilities, our team is focused on building a broad ecosystem of integration partners. We understand that our customers have existing investments and established processes to run their security and IT operations and we want to ensure our products support these requirements. If you would like to see additional integrations within Microsoft Defender for Endpoint, go to the Partner Application page in the Microsoft Defender Security Center, and click Recommend other partners.

More information and feedback

• The threat and vulnerability management capabilities are part of Microsoft Defender for Endpoint and enable organizations to effectively identify, assess, and remediate endpoint weaknesses to reduce organizational risk.


• Check out the step-by-step guide on how to setup and use the integration.


• Get the integration in the ServiceNow store.


• We want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page.

Build serverless, full stack applications in Azure

by Contributed | Jun 21, 2021 | Technology

This article is contributed. See the original author and article here.

Whether you’re new or seasoned to cloud, development, and SQL, building and architecting applications in the cloud has become a required skill for many roles. We recently announced a new learning path to help developers of all skill levels learn how to create applications quickly and effectively with Azure. The new learning path is Build serverless, full stack applications in Azure.

In this learning path, you’ll learn how to create, build, and deploy modern full stack applications in Azure leveraging the language of your choice (Python, Node.js, or .NET) and with a Vue.js frontend. Topics covered include modern database capabilities, CI/CD and DevOps, backend API development, REST, and more. Using a real-world scenario of trying to catch the bus, you will learn how to build a solution that integrates Azure SQL Database, Azure Functions, Azure Static Web Apps, Logic Apps, Visual Studio Code and GitHub Actions.

In addition to this new learning path which allows you to get hands on for FREE in Microsoft Learn’s Azure sandbox, Davide Mauri and myself, who built the learning path, presented this content as part of Microsoft Build in May, and you can access the recording here.

If you aren’t interested in completing all of the modules, but want to dive into a specific topic, the modules are standalone, and you can learn at your own pace. Here are the modules:

1. Architect modern applications using Azure SQL Database


2. Deploy serverless APIs with Azure Functions, Logic Apps, and Azure SQL Database


3. Build full stack applications with Azure Static Web Apps and Azure SQL Database


4. Architect full-stack applications and automate deployments with GitHub

If you want more content like this, I recommend checking out Azure SQL Fundamentals and subscribing to Data Exposed where we have mini-series like Azure SQL for beginners, Migrating to SQL, and more! If you have other questions or feedback, please reach out to me on Twitter @AnalyticAnna.

Updates to Azure Arc-enabled Machine Learning

by Contributed | Jun 21, 2021 | Technology

This article is contributed. See the original author and article here.

Azure Machine Learning (AML) team is excited to announce the availability of Azure Arc-enabled Machine Learning (ML) public preview release. All customers of Azure Arc-enabled Kubernetes now can deploy AzureML extension release and bring AML to , and the edge using Kubernetes on their hardware of choice.

The design for Azure Arc-enabled ML helps IT Operators leverage native Kubernetes concepts such as namespace, node selector, and resources requests/limits for ML compute utilization and optimization. By letting the IT operator manage ML compute setup, Azure Arc-enabled ML creates a seamless AML experience for data scientists who do not need to learn or use Kubernetes directly. Data scientists now can focus on models and work with tools such as Azure Machine Learning AML Studio, AML 2.0 CLI, AML Python SDK, productivity tools like Jupyter notebook, and ML frameworks like TensorFlow and PyTorch.

IT Operator experience – ML compute setup

Once Kubernetes cluster is up and running, IT Operator can follow 3 simple steps below to prepare cluster for AML workload:

• Connect Kubernetes cluster to Azure via Azure Arc


• Deploy AzureML extension to Azure Arc-enabled cluster


• Create a compute target for Data Scientists to use

For the first two steps, IT Operator can simply run the following two CLI commands to accomplish:

Once AzureML extension installation completes in cluster, you will see following AzureML pods running inside the :

With your cluster ready to take AML workload, now you can head over to AML Studio portal and create compute target for Data Scientists to use, see below AML Studio compute attach UI:

Note by clicking “New->Kubernetes (preview)”, the Azure Arc-enabled Kubernetes clusters will automatically appear in a dropdown list for IT Operator to attach. In the process of Studio UI attach operation, IT Operator could provide an optional JSON configuration file specifying namespace, node selector, and resources requests/limits to be used for the compute target being created. With these advanced configurations in compute target, IT Operator help Data Scientists target a subset of nodes such as GPU pool or CPU pool for training job, improves compute resource utilization and avoids fragmentation. For more information about creating compute targets using these custom properties, please refer to AML documentation.

For upcoming Azure Arc-enabled ML update release, we plan to support compute target creation through CLI command as well, and ML compute setup experience will be simplified to following 3 CLI commands:

Note when connecting Kubernetes cluster to Azure via Azure Arc, IT Operator can also specify configuration setting to enable outbound proxy server. We are pleased to announce that Azure Arc-enabled Machine Learning fully supports model training on-premises with outbound proxy server connection.

Data Scientist experience – train models

Once the attached Kubernetes compute target is available, Data Scientist can discover the list of compute targets in AML Studio UI compute section. Data Scientist can choose a suitable compute target to submit training job, such as GPU compute target, or CPU compute target with proper resources requests for particular training job workload, such as the # of vCPU cores and memory. Data Scientist can submit job either through AML 2.0 CLI or AML Python SDK, in either case Data Scientist will specify compute target name at job submission time. Azure Arc-enabled ML supports the following built-in AML training features seamlessly:

• Train models with AML 2.0 CLI
  
  
  
  • Basic Python training job
  
  
  • Distributed training – PyTorch
  
  
  • Distributed training – TensorFlow
  
  
  • Distributed training – MPI
  
  
  • Sweep hyperparameters
  
  
  
  


• Train models with AML Python SDK
  
  
  
  • Configure and submit training run
  
  
  • Tune hyperparameters
  
  
  • Scikit-learn
  
  
  • TensorFlow
  
  
  • PyTorch
  
  
  
  


• Build and use ML pipelines including AML Designer pipeline support

For those Data Science professionals who have used AML Python SDK, existing AML Python SDK examples and notebooks, or your existing projects will work out-of-box with a simple change of compute target name in Python script. If you are not familiar with Python SDK yet, please refer to above links to get started.

AML team is extremely excited that Azure Arc-enabled ML supports the latest and greatest AML 2.0 CLI training job submission, which is in public preview also. Train models with AML 2.0 CLI is simple and easy with following CLI command:

Let’s take a look at job YAML file:

Note job YAML file specifies all training job needed resources and assets including training scripts and compute target. In this case, Data Scientist is using Azure Arc-enabled compute target created by IT Operator earlier. Running the job creation CLI command will submit job to Azure Arc-enabled Kubernetes cluster and opens AML Studio UI portal for Data Scientist to monitor job running status, analyze metrics, and examine logs. Please refer to Train models with the 2.0 CLI for more information and examples.

Get started today

In this post, we provided status updates to Azure Arc-enabled Machine Learning and showed how IT Operator can easily setup and prepare Azure Arc-enabled Kubernetes cluster for AML workload, and how Data Scientist can easily train models with AML 2.0 CLI and Kubernetes compute target.

To get started with Azure Arc-enabled ML for training public preview, visit Azure Arc-enabled ML Training Public Preview Github repository, where you can find detailed documentation for IT Operator and Data Scientist, and examples for you to try out easily. In addition, visit the official AML documentation to find more information.

Azure Arc-enabled ML also supports model training with interactive job experience and debugging, which is in private preview. Please sign up here for interactive job private preview.

After Data Scientist trains a model, ML Engineer or Model Deployment Pro can deploy the model with Azure Arc-enabled ML on the same Arc-enabled Kubernetes cluster, which is in private preview too. Please sign up here for inference private preview.

Also, check out these additional great AML blog posts!

• Announcing the new CLI and ARM REST APIs for Azure Machine Learning


• Run Azure Machine Learning anywhere – on hybrid and in multi-cloud with Azure Arc