Update 2103 for Microsoft Endpoint Configuration Manager current branch is now available

This article is contributed. See the original author and article here.

Update 2103 for Microsoft Endpoint Configuration Manager current branch is now available. Microsoft Endpoint Manager is an integrated solution for managing all your devices. Microsoft brings together Configuration Manager and Intune into a single console called Microsoft Endpoint Manager admin center.

You can now upgrade a client’s Windows OS by using a feature update deployed with a task sequence. This integration combines the simplicity of Windows servicing with the flexibility of task sequences. Servicing uses content that you synchronize through the software update point. This process simplifies the need to manually get, import, and maintain the Windows image content used with a standard task sequence to upgrade Windows.

The size of the servicing ESD file is generally smaller than the OS upgrade package and WIM image file. You can also use Windows features such as Dynamic Update and Delivery Optimization. This type of task sequence extends support to Windows 10 on ARM64 devices.

This release also includes:

Microsoft Endpoint Manager tenant attach


Display all applications for a device in Microsoft Endpoint Manager admin center – The Applications view for a tenant attached device in Microsoft Endpoint Manager admin center now displays more applications from Configuration Manager. Displayed applications include applications that are:



  • Deployed to the device

  • Deployed to a user who's signed in to the device or is the primary user of the device, and applications previously installed for the user


The option, An administrator must approve a request for this application on the device, is no longer required to be set on the device available deployment for applications to be listed in the admin center. This improvement allows you to review when application installations are expected to occur on a device.

Tenant attach: Antivirus policy exclusions merge – When a tenant attached device is targeted with two or more antivirus policies, the settings for antivirus exclusions will merge before being applied to the client. This change results in the client receiving the exclusions defined in each policy, allowing for more granular control of antivirus exclusions.

Site infrastructure


Allow exclusion of organizational units (OU) from Active Directory User Discovery – You can now exclude OUs from Active Directory User Discovery.

New prerequisite checks


When you install or update to version 2103, there are several new warning prerequisite checks.



  • Enable the site for HTTPS-only or enhanced HTTP – If your site is configured to allow HTTP communication without enhanced HTTP, you’ll see this warning. To improve the security of client communications, in the future Configuration Manager will require HTTPS communication or enhanced HTTP. Plan to configure the site for HTTPS only or to Use Configuration Manager-generated certificates for HTTP site systems.

  • Deprecated Azure Monitor connector – We continue to see broad adoption of native Azure Monitor log query groups as customers shift more of their workloads to the cloud. For this reason, starting in November 2020, the Configuration Manager feature to synchronize collections to Azure Monitor was deprecated.


When you update to this release, this check warns about the presence of the Log Analytics connector for Azure Monitor. (This feature is called the OMS Connector in the Azure Services wizard.) This connector is deprecated, and will be removed from the product in a future release. At that time, this check will be an error that blocks upgrade.



  • SQL Server Express version – If you have a secondary site that uses SQL Server Express edition, this check warns if the version is earlier than SQL Server 2016 with service pack 2 (13.0.5026.0). Microsoft recommends that you keep SQL Server Express up to date.

Collections


Improvements to the collection relationships viewer – Starting in version 2010, you can view dependency relationships between collections in a graphical format. The relationships for a collection were presented as two hierarchical trees, one for dependents and the other for dependencies. In this release, you can view both parent and child relationships together in a single graph. This change allows you to quickly see an overview of all the relationships of a collection at once and then drill down into specific related collections. It also includes other filtering and navigation improvements.

Improvements to query preview – You now have more options when using the collection query preview. The following improvements have been made to previewing collection queries:



  • Limit the number of rows returned.

  • Omit duplicate rows from the result set.

  • Review statistics for the query preview such as number of rows returned and elapsed time.

Improvements to collection evaluation view – The following improvements were made to the collection evaluation view:



  • The central administration site (CAS) now displays a summary of collection evaluation status for all the primary sites in the hierarchy.

  • Drill through from collection evaluation status queue to a collection.

  • Copy text to the clipboard from the collection evaluation page.

  • Configure the refresh interval for the collection evaluation statistics page.

Software Center


Change foreground color for Software Center branding – Software Center already provides various controls for you to customize the branding to support your organization’s brand. For some customers, their brand color doesn’t work well with the default white font color for a selected item. To better support these customers and improve accessibility, you can now configure a custom color for the foreground font.

Improved user experience and security with Software Center custom tabs – Since current branch version 1906, you can add up to five custom tabs to Software Center. These custom tabs let you give your users easy access to common web apps and other sites. Previously, to display websites Software Center used the Windows built-in Internet Explorer browser control.


Starting in this release, Software Center can now use the Microsoft Edge WebView2 browser control. The WebView2 browser control provides improved security and user experience. For example, more websites should work with these custom tabs without displaying script errors or security warnings.

Application management


Disable application deployments – You can now disable application deployments. Other objects already have similar behaviors:



  • Software update deployments: Disable the deployment

  • Phased deployments: Suspend the phase

  • Package: Disable the program

  • Task sequence: Disable the task sequence

  • Configuration baseline: Disable the baseline


For device-based deployments, when you disable the deployment or object, use the client notification action to Download Computer Policy. This action immediately tells the client to update its policy from the site. If the deployment hasn’t already started, the client receives the updated policy that the object is now disabled.

Operating system deployment


Windows 10 Servicing dashboard changes – We’ve simplified the Windows 10 Servicing dashboard to make it more relevant. The new Quality Update Versions chart displays the top five revisions of Windows 10 across your devices. The Latest Feature Update chart shows the number of devices that installed the latest feature update. The Windows 10 Usage chart, showing the distribution of Windows 10 major releases, was renamed to Feature Update Versions. Servicing plan and Windows 10 ring information were removed from the dashboard.

Task sequence error shows more check readiness details – The task sequence progress can now display more information about readiness checks. If a task sequence fails because the client doesn’t meet the requirements configured in the Check readiness task sequence step, the user can now see more details about the failed prerequisites.

Encryption algorithm to capture and restore user state – The task sequence steps to Capture User State and Restore User State always encrypt the USMT state store. Previously, Configuration Manager configured USMT to use the 3DES algorithm. Starting in this release, both steps now use the highest supported encryption algorithm, AES 256.

Protection


Improvements to BitLocker management – In current branch version 2010, you can manage BitLocker policies and escrow recovery keys over a cloud management gateway (CMG). This support included a couple of limitations.


Starting in this release, BitLocker management policies over a CMG support the following capabilities:



  • Recovery keys for removable drives

  • TPM password hash, otherwise known as TPM owner authorization


This release also provides support for the following features:



  • Enhanced HTTP

  • The recovery service on management points that use a database replica.

Software updates


Approved scripts for orchestration groups – You can now select from scripts that have already been approved when configuring pre and post-scripts for an orchestration group. When in the Create Orchestration Group Wizard, you’ll see a new page called Script Picker. Select your pre and post scripts from your list of scripts that are already approved. You can still add scripts manually on the pre and post-script pages. Additionally, you can also edit scripts that you pre-populated from the Script Picker.

Change default maximum run time for software updates – Configuration Manager sets the following maximum run time for these categories of software updates:



  • Feature updates for Windows: 120 minutes

  • Non-feature updates for Windows: 60 minutes

  • Updates for Microsoft 365 Apps (Office 365 updates): 60 minutes


All other software updates outside these categories, such as third-party updates, were given a maximum run time of 10 minutes. Starting in this release, the default maximum run time for these updates is 60 minutes rather than 10 minutes. The new maximum run time will only apply to new updates that are synchronized from Microsoft Update. It doesn’t change the run time on existing updates.

TLS certificate pinning for devices scanning HTTPS-configured WSUS servers – Further increase the security of HTTPS scans against WSUS by enforcing certificate pinning. To enable this behavior:



  • Ensure your software update points are configured to use TLS/SSL

  • Add the certificates for your WSUS servers to the new WindowsServerUpdateServices certificate store on your clients

  • Verify that the software updates client setting Enforce TLS certificate pinning for Windows Update client for detecting updates is set to Yes (the default).

Community hub


Download Power BI report templates from Community hub – Community hub now supports contributing and downloading Power BI report template files. This integration allows administrators to easily share and reuse Power BI reports. Contributing and downloading Power BI report template is also available for current branch versions of Configuration Manager.

Access the top queries shared in the Community hub from CMPivot – You can now access the top CMPivot queries shared in the Community hub from on-premises CMPivot. By leveraging pre-created CMPivot queries shared by the broader community, CMPivot users gain access to a wider variety of queries. On-premises CMPivot accesses the Community hub and returns a list of the top downloaded CMPivot queries. Users can review the top queries, customize them, and then run on-demand. This improvement gives a wider selection of queries for immediate usage without having to construct them and also allows information sharing on how to build queries for future reference.

Configuration Manager console


Centralized management of console extensions


Configuration Manager now supports a new style of console extensions that have the following benefits:



  1. Centralized management of console extensions for the site from the console instead of manually placing binaries on individual consoles.

  2. A clear separation of console extensions from different extension providers.

  3. The ability for admins to have more control over which console extensions are loaded and used in the environment, to keep them more secure.

  4. A hierarchy setting that allows for only using the new style of console extension.


The old style of console extensions may start being phased out in favor of the new style, which is more secure and centrally managed.

Add a report as a favorite – Configuration Manager ships with several hundred reports by default, and you may have added more to that list. Instead of continually searching for reports you commonly use, you can now make a report a favorite. This action allows you to quickly access it from the new Favorites node.

Improvements to the product lifecycle dashboard – This release includes improvements to the product lifecycle dashboard to make it more actionable for you.



  • Customize the timeframe on the charts for your preference.

  • Search, sort, and filter the data.

  • View a list of devices with products that are near or at end of support and need to be updated.

Support Center


Improvements to Support Center – Support Center is now split into the following tools:



  • Support Center Client Data Collector: Collects data from a device to view in the Support Center Viewer. This separate tool encompasses the existing Support Center action to Collect selected data.

  • Support Center Client Tools: The other Support Center troubleshooting functionality, except for Collect selected data.


Support Center Viewer, Support Center OneTrace and Support Center Log File Viewer are still a part of Support Center.

OneTrace support for jump lists – Support Center OneTrace now supports jump lists for recently opened files. Jump lists let you quickly go to previously opened files, so you can work faster.


There are now three methods to open recent files in OneTrace:



  • Windows taskbar jump list

  • Windows Start menu recently opened list

  • In OneTrace from File menu or Recently opened tab.

Other


For more information on changes to the Windows PowerShell cmdlets for Configuration Manager, see version 2103 release notes.

For more details and to view the full list of new features in this update, check out our What’s new in version 2103 of Microsoft Endpoint Configuration Manager documentation. 

Note: As the update is rolled out globally in the coming weeks, it will be automatically downloaded, and you’ll be notified when it’s ready to install from the “Updates and Servicing” node in your Configuration Manager console. If you can’t wait to try these new features, see these instructions on how to use the PowerShell script to ensure that you are in the first wave of customers getting the update. By running this script, you’ll see the update available in your console right away.  

For assistance with the upgrade process, please post your questions in the Site and Client Deployment forum. Send us your Configuration Manager feedback through Send-a-Smile in the Configuration Manager console.  Continue to share and vote on ideas about new features in Configuration Manager.

Thank you, 


The Configuration Manager team 

Confidently modernize to cloud authentication with Azure AD staged rollout, now generally available

Howdy folks,

I’m excited to announce that staged rollout to cloud authentication is now generally available! This feature allows you to selectively test groups of users with cloud authentication methods, such as pass-through authentication (PTA) or password hash sync (PHS), while all other users in the federated domains continue to use federation services, such as AD FS, Ping Federate, Okta, or any other federation services to authenticate users.

Moving your Azure AD authentication from federation services to the cloud allows you to manage user and device sign-in from a single control plane in Azure AD. Some of the benefits of using cloud authentication include reducing the dependency on on-premises infrastructure, which typically includes a farm of servers and proxies that need to be accessible from the internet. In addition, you can take advantage of security capabilities such as Azure AD multifactor authentication (MFA), Conditional Access, Identity Protection for leaked credentials, Identity Governance, and more.

New with the general availability, we’ve added the ability to monitor the users and groups added to or removed from staged rollout, and user sign-ins while in staged rollout, using the new Hybrid Auth workbooks in the Azure portal. In addition, we’ve built a staged rollout interactive guide to help you learn more and deploy this feature.

Hybrid Auth workbook

As always, we’d love to hear your feedback or suggestions in the comments or on Twitter (@AzureAD).



Alex Simons (@Alex_A_Simons)


Corporate VP of Program Management


Microsoft Identity Division

Azure Workbooks – New Experience for Gallery

Gallery is the Azure portal blade where you manage and use Azure Workbooks. We recently rolled out a new and improved Gallery experience to make it more convenient and to meet the growing demand for organizing, sorting, and managing all workbook types: templates and your own workbooks.

Here are some of the salient features:

1. There are 4 tabs to help organize workbook types:



  • All (default) is a composite view that lets you search across all of these types.

  • Public Templates – Ready-to-use, functional workbooks published by Microsoft to get you started

  • My Workbooks – Workbooks you create or that are shared with you

  • My Templates – Templates you create or that are shared with you


Each tab has a full list and a total count for that type. 

2. The list provides a grid with


a) information on each workbook or template beyond just the name, including description, last modified date, tags, and home (subscription, resource group, region)


b) the ability to sort on these elements (columns)

3. There is an additional filter by resource group, which applies to your workbooks and your templates. Note: currently it is possible to select only one subscription. When private workbooks are deprecated, it will be possible to select multiple subscriptions.

4. For each workbook there is an action ellipsis menu that lets you:



  • View resource – Open the Workbook Resource blade to get information such as the workbook’s resource ID, add tags to the workbook, manage locks, and so on

  • Delete or Rename workbook 

  • Pin workbook to dashboard 

  • [coming soon] Copy Link 


5. It is now possible to select multiple workbooks and perform a bulk operation such as delete.

6. Community Git Repo on the toolbar links to the Azure Community GitHub repo, and in some special cases, such as the Azure Security Center gallery, it has an additional link to that gallery’s specific repo.

7. Browse across galleries is retained and lets you search for any workbook or template by name, independent of its home or its association with a resource or gallery.

Learn more here and we would love to hear from you so share your feedback with us. 

Thanks,


Azure Workbooks Team

The April 2nd Weekly Roundup is Posted!

Pssst! You may notice the Round Up looks different – we’re rolling out a new, concise way to show you what’s been going on in the Tech Community week by week. Instead of scrolling through every blog posted here, you can scroll through and see every blog on our blog page here.

Top news this week:



  1. What’s new for Teams phones | March 2021

  2. IoT Asset discovery based on FW logs

  3. Learn more about your animated characters in your Video

  4. Announcing Azure AD Verifiable Credentials

  5. Azure Marketplace new offers – Volume 128

  6. April Webinars and Remote Work Resources

  7. Install Viva Connections today

  8. New study shows the value of Microsoft Learning Partners

  9. New Microsoft 365 Business Voice Partner Playbook


Reducing the distance to your Azure ML remote compute jobs

Under (hopefully) rare circumstances, after developing a training script and thorough local testing, it can still happen that the same script fails when executed on a remote AML compute target. Here, we are sharing some best practices around how to debug remote workloads on Azure ML.

Debugging remote workloads can be broken down into two basic steps:



  1. Getting access to a command line on the remote AML compute target.

  2. Using command line tools for investigation and debugging.

The below snapshot shows what your stack trace may look like if you follow the steps below.

Enable SSH access to your remote AML compute target


You will have to be able to connect to your remote compute target via SSH. By default, SSH access is disabled, so you will have to make sure you enable SSH access during the provisioning of the compute target. The below screenshot shows where to find the option.

RPDB


For debugging, we are using rpdb, a wrapper for the Python debugger pdb, which is part of the Python Standard Library. Using rpdb, we can connect to and debug a running process.

One of the really convenient aspects of using rpdb is that it won’t affect the performance of your training script, unless you set a breakpoint, either statically or dynamically, as described below.

Software Prerequisites


To make this work, we recommend you install at least two packages: (1) rpdb and (2) netcat-openbsd. You can simply add rpdb to the pip packages of your Conda dependencies in your AzureML environment.

Netcat-openbsd can either be installed manually when you start to debug a run (after attaching to the running Docker container, see below), or you can build a custom Docker image for execution. For this we recommend starting from one of the base Docker images for AzureML containers and simply adding netcat-openbsd to the packages installed by the apt package manager.

Modifying the training script for debugging


Consider the following two scenarios. Either you want to set a breakpoint and then step through the code from there, to see what is going wrong. In this case, you only have to add one line to your training script (towards the top of the training script) to create a breakpoint:

```python
import rpdb; rpdb.set_trace()  # static breakpoint: the run pauses here until you connect with nc
```

Alternatively, you may have a training script that just somehow gets stuck, without failing. In this case, you can’t really set a breakpoint, because you don’t know where the script gets stuck. We experienced this situation when we trained a PyTorch model using multiple workers for data loading. A thread contention caused the data loader to hang, and we needed to know where/why the thread contention occurred.

If you are facing this situation, you can make some modifications to the training script that will allow you to send a signal to the training script, which will dynamically set a breakpoint at the current execution step, so you can use the debugger to figure out what is going on. To do this, add the following code to your training script.

```python
import rpdb


def handle_pdb(sig, frame):
    # Runs when SIGUSR1 arrives: opens an rpdb session at the current execution point
    rpdb.set_trace()
```

Then add the following code so that the above function is called when the SIGUSR1 signal is sent to the Python process.

```python
if __name__ == "__main__":
    import signal
    # Call handle_pdb whenever SIGUSR1 is sent to this process
    signal.signal(signal.SIGUSR1, handle_pdb)
```
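
A complete version of the two modifications above, as an added example that is not code from the original post: besides registering the SIGUSR1 handler, it writes every thread’s stack to the run log before handing control to rpdb, which for a hung data loader shows where each worker is blocked even before you connect with nc. The function names (install_debug_handler, dump_all_threads, trigger_self) are this example’s own; the address and port are rpdb’s defaults.

```python
"""SIGUSR1 debugging hook for a training script (added example, not from the post).

On SIGUSR1 the handler first writes the stack of every live thread to the run
log, then opens the rpdb session that `nc 127.0.0.1 4444` connects to. The stack
dump is the addition: when a data loader hangs, it shows which lock or socket
each worker thread is blocked on before anyone attaches a debugger.
"""
import io
import os
import signal
import sys
import threading
import time
import traceback

# rpdb's own defaults; the same address the post connects to with nc.
RPDB_ADDR = "127.0.0.1"
RPDB_PORT = 4444


def dump_all_threads(stream=sys.stderr):
    """Write the current stack of every live thread to `stream` and return the text.

    sys._current_frames() is a snapshot taken by the interpreter, so no cooperation
    from the (possibly deadlocked) threads is needed.
    """
    names = {t.ident: t.name for t in threading.enumerate()}
    chunks = []
    for ident, frame in sys._current_frames().items():
        chunks.append(f"--- thread {names.get(ident, 'unknown')} (id {ident}) ---\n")
        chunks.extend(traceback.format_stack(frame))
    text = "".join(chunks)
    stream.write(text)
    stream.flush()
    return text


def install_debug_handler(attach_debugger=True, stream=sys.stderr):
    """Register the SIGUSR1 handler and return it.

    attach_debugger=False keeps only the stack dump, which avoids the one-way
    commitment to a pdb session that the post warns about. Must run on the main
    thread: the signal module only installs handlers from there.
    """
    def handle_pdb(sig, frame):
        dump_all_threads(stream)
        if attach_debugger:
            import rpdb  # assumed to be in the environment's pip dependencies
            # Blocks until a client connects with `nc 127.0.0.1 4444`.
            rpdb.set_trace(addr=RPDB_ADDR, port=RPDB_PORT)

    signal.signal(signal.SIGUSR1, handle_pdb)
    return handle_pdb


def trigger_self():
    """Exercise the handler without rpdb: signal ourselves and return the dump.

    This is the same path `kill -s SIGUSR1 <pid>` takes from the SSH session.
    """
    captured = io.StringIO()
    install_debug_handler(attach_debugger=False, stream=captured)
    os.kill(os.getpid(), signal.SIGUSR1)
    time.sleep(0.1)  # give the interpreter a chance to run the Python-level handler
    return captured.getvalue()


if __name__ == "__main__":
    # Stand-in for a training loop: install the handler, then wait for a signal.
    install_debug_handler(attach_debugger=True)
    print(f"pid {os.getpid()}: send SIGUSR1 to dump threads and open rpdb on {RPDB_ADDR}:{RPDB_PORT}")
    while True:
        time.sleep(1)  # pretend to train
```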


Connect to your remote compute target


The first thing to do is to go to the list of nodes on your compute target, identify the run that you would like to debug, and copy the “Connection string”. This is shown in the following screenshot.

You can then use the terminal of your choice (e.g. Anaconda command prompt) to connect to the node via SSH. Once logged in, you can use the usual commands for investigation (e.g. vmstat, top, free).

Debugging


If you want to dig deeper, you can attach to the docker container, inside of which your training script is running, and start debugging.

To do this, you first have to get the ID of the running container (using “docker ps”). Then you can attach to it using “docker attach <id>”. If you didn’t include netcat-openbsd in your Docker image, you can install it after attaching to the container.

If you set a breakpoint (by adding the line “rpdb.set_trace()” mentioned above), you can now connect to the process using the binary “nc” from the netcat-openbsd package: “nc 127.0.0.1 4444”. This will get you to pdb for debugging. If you have never used pdb, just type “help” and you will find the usual commands for debugging.

If you followed the above instructions, for handling the SIGUSR1 signal, you can also send a signal, to pause execution, and continue in debug mode. In other words, this allows you to set a breakpoint at the current execution step.

First, send the signal: kill -n 10 <proc_id> (or kill -s SIGUSR1 <proc_id>)

Then you can use “nc” again for connecting to pdb.

Note: Think carefully before you start debugging a running process with pdb, because you won’t be able to leave the pdb session without killing the process. You can, however, keep the job running, you’ll just have to leave the pdb session open.


Closing remarks


We hope you found this blog post useful. Our intent was to demystify remote workloads, getting you closer to debugging them like you would, if your scripts were being executed locally. Please leave questions and suggestions in the comments below!