Windows 10 Device Guard and Credential Guard Demystified

by Contributed | Jan 29, 2021 | Technology

This article is contributed. See the original author and article here.

While helping Windows Enterprise customers deploy and realize the benefits of Windows 10, I’ve observed there’s still a lot of confusion regarding the security features of the operating system. However, the key benefits of Windows 10 involve these deep security features. This post serves to detail the Device Guard and Credential Guard feature sets, and their relationship to each other.

First, let’s set the foundation by thinking about the purpose of each feature:

Device Guard is a group of key features, designed to harden a computer system against malware. Its focus is preventing malicious code from running by ensuring only known good code can run.

Credential Guard is a specific feature that is not part of Device Guard that aims to isolate and harden key system and user secrets against compromise, helping to minimize the impact and breadth of a Pass the Hash style attack in the event that malicious code is already running via a local or network based vector.

The two are different, but complimentary as they offer different protections against different types of threats. Let’s dive in and take a logical approach to understanding each.

It’s worth noting here that these are enterprise features, and as such are included only in the Windows Enterprise client.

Virtual Secure Mode

The first technology you’ll need to understand before we can really dig into either Device Guard or Credential Guard, is Virtual Secure Mode (VSM). VSM is a feature that leverages the virtualization extensions of the CPU to provide added security of data in memory. We call this class of technology Virtualization Based Security (VBS), and you may have heard that term used elsewhere. Anytime we’re using virtualization extensions to provide security, we’re essentially talking about a VBS feature.

VSM leverages the on chip virtualization extensions of the CPU to sequester critical processes and their memory against tampering from malicious entities.

The way this works is the Hyper-V hypervisor is installed – the same way it gets added in when you install the Hyper-V role. Only the hypervisor itself is required, the Hyper-V services (that handle shared networking and the management of VMs themselves) and management tools aren’t required, but are optional if you’re using the machine for ‘real’ Hyper-V duties. As part of boot, the hypervisor loads and later calls the real ‘guest’ OS loaders.

The diagram below illustrates the relationship of the hypervisor with the installed operating system (usually referred to as the host operating system)

The difference between this and a traditional architecture is that the hypervisor sits directly on top of the hardware, rather than the host OS (Windows) directly interacting at that layer. The hypervisor serves to abstract the host OS (and any guest OS or processes) from the underlying hardware itself, providing control and scheduling functions that allow the hardware to be shared.

In VSM, we’re able to extend this by tagging specific processes and their associated memory as actually belonging to a separate operating system, creating a ‘bubble’ sitting on top of the hypervisor where security sensitive operations can occur, independent of the host OS:

In this way, the VSM instance is segregated from the normal operating system functions and is protected by attempts to read information in that mode. The protections are hardware assisted, since the hypervisor is requesting the hardware treat those memory pages differently. This is the same way to two virtual machines on the same host cannot interact with each other; their memory is independent and hardware regulated to ensure each VM can only access it’s own data.

From here, we now have a protected mode where we can run security sensitive operations. At the time of writing, we support three capabilities that can reside here: the Local Security Authority (LSA), and Code Integrity control functions in the form of Kernel Mode Code Integrity (KMCI) and the hypervisor code integrity control itself, which is called Hypervisor Code Integrity (HVCI).

Each of these capabilities (called Trustlets) are illustrated below:

When these capabilities are handled by Trustlets in VSM, the Host OS simply communicates with them through standard channels and capabilities inside of the OS. While this Trustlet-specific communication is allowed, having malicious code or users in the Host OS attempt to read or manipulate the data in VSM will be significantly harder than on a system without this configured, providing the security benefit.

Running LSA in VSM, causes the LSA process itself (LSASS) to remain in the Host OS, and a special, additional instance of LSA (called LSAIso – which stands for LSA Isolated) is created. This is to allow all of the standard calls to LSA to still succeed, offering excellent legacy and backwards compatibility, even for services or capabilities that require direct communication with LSA. In this respect, you can think of the remaining LSA instance in the Host OS as a ‘proxy’ or ‘stub’ instance that simply communicates with the isolated version in prescribed ways.

Deploying VSM is fairly straightforward. You simply need to verify you have the appropriate hardware configuration, install certain Windows features, and configure VSM via Group Policy.

Step One: Configure Hardware

In order to use VSM, you’ll need a number of hardware features to be present and enabled in the firmware of the machine:

1. UEFI running in Native Mode (not Compatibility/CSM/Legacy mode)


2. Windows 64bit and it’s associated requirements


3. Second Layer Address Translation (SLAT) and Virtualization Extensions (Eg, Intel VT or AMD V)


4. A Trusted Platform Module (TPM) is recommended.

Step Two: Enable Windows Features

The Windows features you’ll need to make VSM work are called Hyper-V Hypervisor (you don’t need the other Hyper-V components) and Isolated User Mode:

If these options are greyed out or unavailable for install, it will typically indicate that the hardware requirements in step one haven’t been met.

You’ll notice the name of the feature is called Isolated User Mode in here. It actually is the Virtual Secure Mode feature – you can thank a last minute name change for that. In order to not confuse people, this isn’t planned to change to reflect the VSM name at this time, and may look to being integrated as a standard Windows feature at a later stage.

Update: In Windows 10, Version 1607 this is indeed an integrated feature and no longer needs to be explicitly enabled.

Step Three: Configure VSM

VSM and the Trustlets loaded within are controlled via either Mobile Device Management (MDM) or Group Policy (GP).

For the purposes of this article, I’ll cover the Group Policy method as that’s the most commonly used option, but the same configuration is possible with MDM.

The GP setting you need to know about is called Turn On Virtualization Based Security, located under Computer Configuration Administrative Templates System Device Guard in the Group Policy Object Editor:

Enabling this setting, and leaving all the settings blank or at their defaults will turn on VSM, ready for the steps below for Device Guard and Credential Guard. In this default state, only the Hypervisor Code Integrity (HVCI) runs in VSM until you enable the features below (protected KMCI and LSA).

Device Guard

Now that we have an understanding of Virtual Secure Mode, we can begin to discuss Device Guard. The most important thing to realize is that Device Guard is not a feature; rather it is a set of features designed to work together to prevent and eliminate untrusted code from running on a Windows 10 system.

Device Guard consists of three primary components:

• Configurable Code Integrity (CCI) – Ensures that only trusted code runs from the boot loader onwards.


• VSM Protected Code Integrity – Moves Kernel Mode Code Integrity (KMCI) and Hypervisor Code Integrity (HVCI) components into VSM, hardening them from attack.


• Platform and UEFI Secure Boot – Ensuring the boot binaries and UEFI firmware are signed and have not been tampered with.

When these features are enabled together, the system is protected by Device Guard, providing class leading malware resistance in Windows 10.

Configurable Code Integrity (CCI)

CCI dramatically changes the trust model of the system to require that code is signed and trusted for it to run. Other code simply cannot execute. While this is extremely effective from a security perspective, it provides some challenges in ensuring that code is signed.

Your existing applications will likely be a combination of code that is signed by the vendor, and code that is not. For code that is signed by the vendor, the easiest option is just to use a tool called signtool.exe to generate security catalogs (signatures) for just about any application.

More detail on this in an upcoming post.

The high level steps to configure code integrity for your organization is:

1. Group devices into similar roles – some systems might require different policies (or you may wish to enable CCI for only select systems such as Point of Sale systems or Kiosks.


2. Use PowerShell to create integrity policies from “golden” PCs
   (use the New-CIPolicy Cmdlet)


3. After auditing, merge code integrity policies using PowerShell (if needed)
   (Merge-CIPolicy Cmdlet)


4. Discover unsigned LOB apps and generate security catalogs as needed (Package Inspector & signtool.exe – more info on this in a subsequent post)


5. Deploy code integrity policies and catalog files
   (GP Setting Below + Copying .cat files to catroot – C:WindowsSystem32{F750E6C3-38EE-11D1-85E5-00C04FC295EE})

The Group Policy setting in question is Computer Configuration Administrative Templates System Device Guard  Deploy Code Integrity Policy:

VSM Protected Code Integrity

The next component of Device Guard we’ll cover is VSM hosted Kernel Mode Code Integrity (KMCI). KMCI is the component that handles the control aspects of enforcing code integrity for kernel mode code. When you use Configurable Code Integrity (CCI) to enforce a Code Integrity policy, it is KMCI and it’s User-Mode cousin, UMCI – that actually enforces the policy.

Moving KMCI to being protected by VSM ensures that it is hardened to tampering by malware and malicious users.

Platform & UEFI Secure Boot

While not a new feature (introduced in Windows 8), Secure Boot provides a high-value security benefit by ensuring that firmware and boot loader code is protected from tampering using signatures and measurements.

To deploy this feature you must be UEFI booting (not legacy), and the Secure Boot option (if supported) must be enabled in the UEFI. Once this is done, you can build the machine (you’ll have to wipe & reload if you’re switching from legacy to UEFI) and it will utilize Secure Boot automatically.

For more information about the specifics of deploying Device Guard, start with the deployment guide.

Credential Guard

Although separate from Device Guard, the Credential Guard feature also leverages Virtual Secure Mode by placing an isolated version of the Local Security Authority (LSA – or LSASS) under it’s protection.

The LSA performs a number of security sensitive operations, the main one being the storage and management of user and system credentials (hence the name – Credential Guard)

Credential guard is enabled by configuring VSM (steps above) and configuring the Virtualization Based Security Group Policy setting with Credential Guard configured to be enabled.

Once this is done, you can easily check if Credential Guard (or many of the other features from this article) is enabled by launching MSINFO32.EXE and viewing the following information:

You can also check for the presence of the LSAIso process, which is running in VSM:

I hope this article has been useful for you and answered at least some of your questions about Device Guard and Credential Guard.

If your thirst for knowledge is not yet quenched and you need more information while you wait for the follow up posts, check out the following Channel9 videos that cover this topic:

https://channel9.msdn.com/Blogs/Seth-Juarez/Isolated-User-Mode-in-Windows-10-with-Dave-Probert
https://channel9.msdn.com/Blogs/Seth-Juarez/Isolated-User-Mode-Processes-and-Features-in-Windows-10-with-Logan-Gabriel
https://channel9.msdn.com/Blogs/Seth-Juarez/Isolated-User-Mode-in-Windows-10-with-Dave-Probert

Stay tuned for further posts about this and other Windows 10 features. Hey, why not subscribe?

Author: Ash

Developers Unite to Hack for Social Justice

by Contributed | Jan 28, 2021 | Technology

This article is contributed. See the original author and article here.

Over the course of 8 weeks, developers gathered virtually to participate in the Microsoft Azure Hack for Social Justice event. The hackathon challenge statement was straightforward: design and build an application prototype that uses Azure to address a social justice issue. Participants were given access to Microsoft technical mentors, dedicated Azure environment, and self-paced learning resources. Although technology alone cannot solve complex societal issues, our hope is that participants will develop solutions that can help empower communities and drive change.

Over 500 participants registered for the hack, 300+ were from the U.S., and 6 winning projects were selected. Check out these creations:

1st Place : Equitable Restroom Access for Gender Non-Conforming 

Created by: Mahesh Babu (@smaheshbabu) 

Provides safe restroom access for transgender, gender non-conforming, disabled individuals, and parents traveling with kids to find restrooms per their needs.

Azure Services Used: Azure Functions, Azure SendGrid

2nd Place: GetPro

Created by: Amina Fong (@fongamina), William Broniec (@1345613864), Zechen Lu (@tommylu123) 

Web app that centralizes information and professional resources for underrepresented populations to help even the playing field in educational and career opportunities.

Azure Services Used: Azure App Services, Azure SQL Database

3rd Place: Legal Helper Bot

Created by: Murtada Ahmed

Not knowing the law and ones rights can expose already vulnerable groups to more discrimination and abuse. Legal Helper Bot was created to change that.

Azure Services Used: Azure Bot Services, Azure Storage

Honorable Mentions

Racial Bias and Score Prediction of COMPAS Score

Created by: Yuki Ao (@aoyingxue) 

Inform people of the racial bias in the U.S. Justice system and give the offenders a chance to know their score level beforehand.

TutorFirst

Created by: Farhan Mashud (@fm1539), Isfar Oshir (@iao233), Mohammed Uddin (@msu227) 

App for low income students to receive free, high quality tutoring from tutor volunteers.

Feminist Action Board

Created by: Aroma Rodrigues (@AromaRodrigues) 

Subscribes to a news API to provide real time news on gender violence and tracks organizations, petitions, and initiatives

On behalf of the Microsoft U.S. Azure team, I’d like to sincerely thank all of the participants, and congratulate the winners on a job well done. Also, thank you to the mentors and judges who volunteered their time to give back to the community. 

Next up: check out these new hackathons that are open for registration

• Microsoft Azure U.S. Hack for Accessibility (Jan 28 – Mar 15, 2021)


• Microsoft Azure AI Hackathon (Jan 26 – April 5, 2021)

Update Baseline joins the Security Compliance Toolkit

by Contributed | Jan 28, 2021 | Technology

This article is contributed. See the original author and article here.

We are excited to announce that the Update Baseline is now a part of the Security Compliance Toolkit! If you’re not yet familiar with this great tool, the Update Baseline offers Microsoft’s set of recommended policy configurations for Windows Updates to help you:

• Ensure that the devices on your network receive the latest monthly security updates in a timely manner.


• Provide a great end user experience throughout the update process.

The Update Baseline includes Windows Update policies as well as power and Delivery Optimization policies—all designed to streamline the update process, improve patch compliance, and help ensure your devices stay secure. In fact, devices that are configured using  the Update Baseline reach, on average, a compliance rate between 80-90% within 28 days.

What is included in the Update Baseline?

For Windows Update policies, the Update Baseline offers recommendations around:

• Deadlines, the most powerful tool in the IT administrator’s arsenal for ensuring devices get updated on time.


• Downloading and installing updates in the background without disturbing end users. This also removes bottlenecks from the update process.


• A great end user experience. Users don’t have to approve updates, but they get notified when an update requires a restart.


• Accommodating low activity devices (which tend to be some of the hardest to update) to ensure the best-possible user experience while respecting compliance goals.

How do I apply the Update Baseline?

If you manage your devices via Group Policy, you can apply the Update Baseline using the familiar Security Compliance Toolkit framework. With a single PowerShell command, the Update Baseline Group Policy Object (GPO) can be loaded into Group Policy Management Center (GPMC) as shown below:

You can add the MSFT Windows Update GPO that adds the Update Baseline to GPMC with a single command.

You can then view the Update Baseline GPO (MSFT Windows Update) in the GPMC.

That’s it! Simple and easy.

Download the updated Security Compliance Toolkit today to start applying security configuration baselines for Windows and other Microsoft products.

I also encourage you to learn more about common policy configuration mistakes for managing Windows updates and what you can do to avoid them to improve update adoption and provide a great user experience.

Other cool tidbits? The Update Baseline will continue to be updated and improved as needed, and an Intune solution to apply the Update Baseline is coming soon! Let us know your thoughts and leave a comment below.

Announcing first-ever Office Scripts AMA on February 16th!

by Contributed | Jan 28, 2021 | Technology

This article is contributed. See the original author and article here.

We’re so excited to announce our first-ever Ask Microsoft Anything (AMA) for Office Scripts! The AMA will take place on Tuesday, February 16, 2021, from 9:00 a.m. to 10:00 a.m. PT in the Excel AMA space. Add the event to your calendar and view it in your time zone here. 

During this AMA, you will have the opportunity to share your questions and feedback about Office Scripts and receive responses directly from our product team. Facing trouble with automating on Excel for web? Have an idea that would make our feature better? Let us know- we’re eager to hear and learn from you! 

Looking forward to seeing you at the AMA. In the meantime, happy scripting! 

The Office Scripts team 

Join Our Security Community

by Contributed | Jan 28, 2021 | Technology

This article is contributed. See the original author and article here.

Want to help defend the world against cyber attacks? We want you to influence our designs, plans, and guidance so we can have a global impact together. That’s why we need your participation in our security community.

As part of our community, you can speak directly to our engineering teams and get early access to changes by joining our webinars, participating in private previews, reviewing product roadmaps, attending in-person events, or providing feedback on our forums. 

Webinars

To check out our upcoming webinars, or recordings of past webinars, visit https://aka.ms/SecurityWebinars. 

Videos

We’re creating a series of short videos detailing a particular feature or scenario. Check them out at https://aka.ms/SecurityCommunityVideos. 

Email List

To receive emails about upcoming webinars, events, and other announcements, visit https://aka.ms/SecurityEmailList.

Forums & Blogs

Got questions or feedback? Check out our product-specific forums where you can speak directly to our engineering teams, and our blogs where you can see the latest product developments. Go here and then click the join button. 

Ninja Training

Want to go deep into the technical details? Our Ninja Training is for you.

• Azure Security Center Ninja Training


• Azure Sentinel Ninja Training


• Microsoft 365 Defender Ninja Training

Podcasts

Check out our Azure Security Podcast at https://aka.ms/AzSecPod and our Azure Security Center In The Field podcast at https://aka.ms/ASCInTheField. 

Private Communities

We have several private communities that operate under NDA that may be right for you.

To apply to join our private preview program, where you can get early access to changes in exchange for your feedback, visit https://aka.ms/SecurityPrP. 

To apply join our US government security community, visit https://aka.ms/SecGovCommunity. 

GitHub

We welcome your contributions at our GitHub repositories. You can also find workbooks, scripts, playbooks, detections, sample data, and more.

• Azure Network Security GitHub      


• Azure Security Center GitHub


• Azure Sentinel GitHub


• Microsoft 365 Defender GitHub


• Microsoft Cloud App Security GitHub


• Microsoft Graph Security API GitHub

Forums

Azure Active Directory

Azure Advanced Threat Protection and ATA

Microsoft Information Protection

Azure Security Center

Azure Security Center for IoT

Azure Security and Identity

Azure Sentinel

Azure Network Security

Microsoft Cloud App Security

Microsoft Defender Advanced Threat Protection 

Microsoft Graph Security API

Office 365 Identity & Authentication

Microsoft Security and Compliance

–>

Find Us on LinkedIn 

We have a general discussion group on LinkedIn called the Microsoft Security Community, where I announce highlights from this site. Please join the group and feel free to connect with me. 

Workspace Quota Limit -Unable to create Synapse Workspace due to subscription limit

by Contributed | Jan 28, 2021 | Technology

This article is contributed. See the original author and article here.

This article describes to check your quota and what should be your next when you reach Synapse workspace default limit.

If you exceeds workspace limits the error message you receive is – “ReachedPerSubscriptionWorkspaceLimit: Reached the maximum number of workspaces allowed for Subscription”

 Facts: 

Current default limit is 20 Synapse workspaces per subscription/region. i.e.  There is a limit of 20 SQL servers per subscription by default.

Check Details about your subscription and workspaces:

Get the details about the workspace created in your subscription. This will help to optimize your resources

1. Check for workspaces created and regions available to the subscription.

• Using Rest API

Following are list Rest APIs for Synapse

Azure Synapse Analytics REST API Reference | Microsoft Docs

1. Available Regions

Ref document:  Providers – Get (Azure Resource Management) | Microsoft Docs

GET https://management.azure.com/subscriptions/{SuBGUID}/providers/Microsoft.Synapse?api-version=2020-06-01

1. Workspaces List

Workspaces – List (Azure Synapse) | Microsoft Docs

GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Synapse/workspaces?api-version=2019-06-01-preview

• Using PoweShell script

Run following script in PowerShell 7

$SubscriptionId ={SubscriptionId}

 
# ------------------------------------------------------------------
 
# first login to Azure Account
Write-Host "Connecting to Azure Account..."
if((Get-AzContext) -eq $null)
{
    Connect-AzAccount
}
 
# set subscription context
Write-Host "Selecting subscription..."
$context = Set-AzContext -Subscription $SubscriptionId
 
# get AAD token for REST calls
Write-Host "Getting Bearer token from AAD for REST calls..."
$apiToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id, $null, "Never", $null)
$headers = @{ 'authorization' = ('Bearer {0}' -f ($apiToken.AccessToken)) }
 
# Get Locations where Synapse is available
Write-Host "Getting Locations where Synapse is available..."
$synapseLocations = Get-AzLocation | Where-Object { $_.Providers -contains "Microsoft.Synapse" } | Sort-Object Location | Select-Object Location, DisplayName
 
# ------------------------------------------------------------------------------
# get subscription quota and regional available SLOs for Synapse SQL
 
Write-Host "Getting subscription quota settings for Synapse..."
$quotaResults = [System.Collections.ObjectModel.Collection[psobject]]@()
 
foreach($location in $synapseLocations)
{
    # ------------------
    # available slos
    # https://docs.microsoft.com/en-us/rest/api/sql/capabilities/listbylocation
    $capabilitiesUri = "https://management.azure.com/subscriptions/$SubscriptionId/providers/Microsoft.Sql/locations/$($location.Location)/capabilities?api-version=2020-08-01-preview"
    $regionalCapabilities = ConvertFrom-Json (Invoke-WebRequest -Method Get -Uri $capabilitiesUri -Headers $headers).Content
    
    # ------------------------------------
 
    $quotaResults += [PSCustomObject]@{
        Location = $location.Location;
        DisplayName = $location.DisplayName;
        Status = $regionalCapabilities.status;
    }
}
 
$quotaResults | ft -AutoSize

Sample output.

2. Check details about usage matrix for SQL Pools

• Using Rest API.

Workspace Managed Sql Server Usages – List (Azure Synapse) | Microsoft Docs

GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Synapse/workspaces/{workspaceName}/sqlUsages?api-version=2019-06-01-preview

• Using PowerShell

Use following script in PowerShell 7

$SubscriptionId ={SubscriptionId}
# ------------------------------------------------------------------
# first login to Azure Account
Write-Host "Connecting to Azure Account..."
if((Get-AzContext) -eq $null)
{
    Connect-AzAccount
}
# set subscription context
Write-Host "Selecting subscription..."
$context = Set-AzContext -Subscription $SubscriptionId
# get AAD token for REST calls
Write-Host "Getting Bearer token from AAD for REST calls..."
$apiToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id, $null, "Never", $null)
$headers = @{ 'authorization' = ('Bearer {0}' -f ($apiToken.AccessToken)) }
# ------------------------------------------------------------------------------
# SQL server DTU limits
Write-Host "Getting SQL DTU limits..."
# all servers in this subscription for SQL
# https://docs.microsoft.com/en-us/rest/api/sql/servers/list
# GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Sql/servers?api-version=2019-06-01-preview
$serversUri = "https://management.azure.com/subscriptions/$SubscriptionId/providers/Microsoft.Sql/servers?api-version=2019-06-01-preview"
$serverList = (ConvertFrom-Json (Invoke-WebRequest -Method Get -Uri $serversUri -Headers $headers).Content).value
$serverQuotas = @()
foreach($server in $serverList)
{
    # usage detail of indiviual server
    # https://docs.microsoft.com/en-us/rest/api/sql/servers/usages
    # GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Sql/servers/{serverName}/usages?api-version=2014-01-01
    $serverQuotaUri = "https://management.azure.com$($server.id)/usages?api-version=2014-01-01"
    $serverQuota = (ConvertFrom-Json (Invoke-WebRequest -Method Get -Uri $serverQuotaUri -Headers $headers).Content).value
$serverQuotas += [PSCustomObject]@{
        Location = $server.location;
        Id = $server.id;
        Name = $server.name;
        CurrentDTU = ($serverQuota | ? { $_.name -eq 'server_dtu_quota_current' }).currentValue;
        DTULimit = ($serverQuota | ? { $_.name -eq 'server_dtu_quota_current' }).limit;
    }
}
$serverQuotas | Sort-Object Location, Name | ft Location, Name, CurrentDTU, DTULimit -AutoSize

Sample result

Next Step: If you want to increase the quota, feel free to contact us through @ support .

Security Community Webinars

by Contributed | Jan 28, 2021 | Technology

This article is contributed. See the original author and article here.

Welcome to the Security Community webinar calendar!   Please note that the registration links will be made available approximately two weeks before the webinar. Until then, all dates are tentative. Recordings of previous webinars are below. Want to join our email list to be notified about future webinars? Visit https://aka.ms/SecurityCommunity.

Upcoming Public Community Webinars:

Asterisk (*) indicates updates to the deck.

Recordings of Past Webinars:

Asterisk (*) indicates updates to the file.