Kurt Shintaku's Blog

Don’t miss an opportunity to "Ask Microsoft Anything" (AMA) about Microsoft Edge on Tuesday, January 30th, 2018.

The AMA will take place from 9:00 AM to 10:00 AM Pacific Time in the Microsoft Edge AMA space and we will have several members of the engineering and product teams on hand to answer your questions and listen to your feedback about how can we improve Microsoft Edge to make it work better for your organization.

• EVENT: Microsoft Edge “Ask Microsoft Anything” – January 30th, 2018, 9-10AM PST
  https://techcommunity.microsoft.com/t5/Microsoft-Edge-AMA/bd-p/MicrosoftEdgeAMA

With our developer guide, you’ll see how our comprehensive set of app platform services fit your needs, helping you navigate the architectural approaches and most common design patterns you face when building modern applications. And because Azure is constantly evolving, sign up to be notified of updates to the guide to ensure you make the most of any new Azure service.

In this developer’s guide, you’ll discover how to:

• Get started by using what you know
  Whatever tools and skills you use to create or edit your applications in your on-premises environment, you can use with Azure—from existing IDEs and editors to open-source programming languages and frameworks.
• Create more intelligent apps
  Easily embed natural and contextual interaction within your applications through machine learning and artificial intelligence capabilities—from enhanced search functionality to facial recognition to bot services.
• Manage app security, identity, and access
  Security and privacy are built into the Azure platform. Use a range of capabilities to help protect your services and data in the cloud, from authenticating users to encrypting data.
• Choose how and where to deploy
  Plan better, code together, and ship faster with Azure. Use the same containers, serverless computing, and Azure services to easily build, test, and deploy applications in the cloud or on-premises—you’re in control.

Download the free guide here:

• DOWNLOAD: The Developer’s Guide to Microsoft Azure – SECOND EDITION (PDF, 3.2MB, 62pgs)
  https://azure.microsoft.com/en-us/campaigns/developer-guide/?wt.mc_id=AID625426_QSG_SCL_218640

Did you know that there are live Azure training webcasts & online seminars being delivered every month at no cost?

Most of the time, these Azure centric training events are delivered by the Azure engineering teams that are responsible for the very technologies being presented.

Included in these are the MONTHLY free online trainings on Azure Active Directory, which include webinars on:

• Getting Ready for Azure AD
• Secure Your Identities with Azure Multi Factor Authentication
• Manage Your Enterprise Applications with Azure AD
• Azure AD Identity Protection and Privileged Access Management
• Intro to Azure AD B2C: Make it easy for your customers to securely Sign In and Sign Up to your applications
• Accessing Your Organization’s Internal Applications via Azure AD App Proxy
• Streamlining Password management Using Azure AD
• Azure AD Connect Health

This is where you will find updated dates/times for this series:

• Azure Active Directory Premium Customer Training Webinars
  https://aka.ms/aadwebinars

For these and other Azure training topics, visit:

• Microsoft Azure Events
  https://azure.microsoft.com/en-us/community/events/?EventType=webinar

To learn & prepare for Azure, sign up, risk free, for $200 in credit to use any service in Microsoft Azure:

• Microsoft Azure FREE offer
  https://azure.microsoft.com/en-us/free/

Got OneDrive for Business? Self-service file recovery is here!

The new “File Restore” is a complete self-service recovery solution, allowing for files to be easily recovered, whether they were accidentally deleted or corrupted after a malware infection.

Files can be recovered to their state within any second in the last 30 days. That allows granular control over rolling back to the specific version of a file you need, even if it has been compromised in some way.

Read more about the new feature on the announcement page here:

• OneDrive Blog: “Announcing New OneDrive for Business feature: Files Restore”
  https://techcommunity.microsoft.com/t5/OneDrive-Blog/Announcing-New-OneDrive-for-Business-feature-Files-Restore/ba-p/147436

The January update build of Office for Mac 2016 contains the following new features. Items are linked to help content when available.

We officially changed from 15.x builds to 16.x builds for Office 2016 for both subscription and perpetual license customers. Customers who are on 15.x builds should upgrade to 16.x builds as soon as possible to continue to receive security patches and hotfixes for Office 2016.

With this release, Co-Authoring is now available on the Mac.

Availability

Office Insiders Slow channel went live on January 8, 2018 with Version 16.9.0 (Build 18010702)

Production channel went live on January 18, 2018 with Version 16.9.0 (Build 18011602)

Documentation

This release contains these Security Updates documented in the following articles:

• CVE-2018-0792: Microsoft Word Remote Code Execution Vulnerability
• CVE-2018-0794: Microsoft Word Remote Code Execution Vulnerability
• CVE-2018-0793: Microsoft Outlook Remote Code Execution Vulnerability

Release notes, What’s New and update history articles for Office 2016 for Mac.

• Update history for Office 2016 for Mac
• Release Notes for Office 2016 for Mac
• What’s new in Office 365 – Latest updates for Mac

The following content is available to customers.

• Office Insiders Program
• How to Opt-In or Opt-Out of the Office Insider Program for Office 2016 for Mac
• What’s new for Office Insiders – Latest updates for Mac

The following user assistance content is updated each month with descriptions of new features.

If you are a SQL Server customer with Software Assurance, you will soon be able to use your existing SQL Server licenses toward Azure SQL Database Managed Instance and pay only for the underlying compute and storage.

What is SQL Database Managed Instance?
SQL Database Managed Instance is an expansion of the existing SQL Database service, providing a third deployment option alongside single databases and elastic pools. It is designed to provide the strongest compatibility with existing SQL Server applications for database lift-and-shift to a fully managed PaaS, without application changes. SQL Database Managed Instance provides additional compatibility with key features available with the SQL Server programming model and out-of-the-box support for the large majority of SQL Server features, like SQLAgent, Change Data Capture, DBMail and Service Broker, to name a few, and accompanying tools and services.

What is Azure Hybrid Benefit for SQL Server?
Azure Hybrid Benefit for SQL Server helps you maximise the value from your current licence investments and accelerate your migration to the cloud. The Azure-based hybrid benefit enables you to use your SQL Server licences with Software Assurance to pay a reduced rate for Azure SQL Database Managed Instance.

What products are eligible for Azure Hybrid Benefit for SQL Server?
This hybrid benefit is only available for use with Azure SQL Database Managed Instance.

When will Azure Hybrid Benefit for SQL Server be available?
Further details about the programme and how you can participate will be coming in Q1 CY2018.

• SOURCE: Azure Hybrid Benefit for SQL Server & Azure SQL Database Managed Instance
  https://azure.microsoft.com/en-us/pricing/hybrid-benefit/

This is a PowerPoint deck that goes over the recent Spectre/Meltdown concern for Enterprise customers.  It doesn’t have any indicators that it’s NDA or anything and I think the material is pretty important to everyone so… here’s the document for download:

• Microsoft Security Release – January 9, 2018 (21 slides, .PDF, 1.4MB)
  https://1drv.ms/b/s!Ao0Dfn8MQdoArNh7ziZ5i2r3_Iqj5w

Here’s some additional information on specifics that IT Professionals should know:

Additional Info / Frequent Questions:

Details for the registry keys:

FeatureSettingsOverride represents a bitmap that overrides the default setting and controls which mitigations will be disabled. Bit 0 controls the mitigation corresponding to CVE-2017-5715 and Bit 1 controls the mitigation corresponding to CVE-2017-5754. The bits are set to “Zero” to enable the mitigation and to “One” to disable the mitigation.

FeatureSettingsOverrideMask represents a bitmap mask that is used in conjunction with FeatureSettingsOverride and in this case, we use the value 3 (0x11) which indicates the first two bits that correspond to the available mitigations. This registry key is set to 3 both when we want to enable the mitigations and to disable the mitigations.

MinVmVersionForCpuBasedMitigations is for Hyper-V hosts. This registry key defines the minimum VM version that will be able to use the updated firmware capabilities (CVE-2017-5715). We set this to 1.0 to cover all VM versions. Note that this registry value will be ignored (benign) on non-Hyper-V hosts. For more details, see https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/CVE-2017-5715-and-hyper-v-vms

Why is Edge and IE listed as an “affected product?”

• Variant 1 of Spectre will exploit JaveScript, so both Edge and IE need to be harden by the update.

https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/

Why is SQL listed as an “affected product?”
SQL is listed as being vulnerable to “Side channel attacks.”   SQL is a bit unique when compared to most Windows applications in that it talks directly to the underlying hardware through an OS like later aptly called SQLOS. 
https://blogs.msdn.microsoft.com/sqlosteam/2010/06/23/sqlos-resources/

Will the patch handle KVAS or KPTI?
No.  According to this link, once the update is installed it is recommended to choose the listed scenario and follow recommendations on whether to enable KVAS or KPTI.
https://support.microsoft.com/en-us/help/4073225/guidance-for-sql-server

Will the patch install the needed registry key?
No.  This is why Antivirus needs to be updated first.  The Anti-Virus vendors will add the necessary registry key that is needed to protect the users once the patch is installed.  So guidance is to update the anti-virus first.
https://support.microsoft.com/en-us/help/4072699/january-3-2018-windows-security-updates-and-antivirus-software

Regarding AMD Based Devices
https://support.microsoft.com/en-us/help/4073707/windows-os-security-update-block-for-some-amd-based-devices

Overview of Meltdown and Spectre (not a Microsoft link)
Official advisories by vendor
https://meltdownattack.com/

Azure provides a great environment for dev/test.  This is true both for scenarios where you want to:

1. Dev/test in the cloud and then run the production app in the cloud
2. Dev/test in the cloud and then run the production app using an existing on-premises server environment.

Azure’s IaaS and Virtual Networking capabilities make it really easy to enable enterprise development teams to use the cloud to do this.  Using the cloud for dev/test enables development teams to work in a flexible, agile, way without ever being bottlenecked waiting for resources from their IT department.  Development teams can instead use Azure in a self-service way to spin up or down resources in minutes.  And then when they are ready to deploy their apps they can choose to do so either in the cloud or using their existing on-premises servers.  This later option makes it really easy to start leveraging the cloud even without having to fully bet on it yet for production scenarios.

We announced a number of enhancements to Azure that make it an even better environment in which to do dev/test:

• No Charge for Stopped VMs
• Pay by the Minute Billing
• MSDN Use Rights now supported on Azure
• Heavily Discounted MSDN Dev/Test Rates
• MSDN Monetary Credits
• Portal Support for Better Tracking MSDN Monetary Credit Usage

The combination enables an amazing Dev/Test cloud solution, and an unbeatable offer for all MSDN customers. 

https://weblogs.asp.net/scottgu/windows-azure-announcing-major-improvements-for-dev-test-in-the-cloud

INSTRUCTIONS ON USE:  MSDN Dev/Test offer in the Enterprise Agreement (EA)*:

As an Azure Enterprise Administrator, you can now enable Account Owners at your organization to create subscriptions based on the new EA MSDN Dev/Test offer. You can do this by checking the box under the MSDN column for that Account Owner from within the Enterprise Portal. In order for this to function correctly, please let the Account Owner know once you’ve made this change so that they can set up the EA MSDN Dev/Test subscriptions needed for your teams of MSDN subscribers. This new offer enables your active MSDN subscribers to run development and testing workloads on Azure at special dev/test rates, with access to the full gallery of MSDN images including Windows 8.1 and Windows 10.
To set up the Enterprise MSDN Dev/Test offer:

1. Log in as the enterprise administrator 
2. Go to accountsmanage departments and accounts
3. Go to the account where you would like to enable dev/test MSDN access
4. Select the MSDN checkbox per column
5. EA MSDN subscriptions will be converted to the EA MSDN Dev/Test offer 
• Other subscription offer types, such as PAYG, associated with the account will be converted to Microsoft Azure Enterprise offers
   

*Not applicable to Azure Gov customers at this time

https://enterpriseazure.blob.core.windows.net/msdn/MSDN_Enable_Account.pdf

—————

Azure DevTest Labs

Microsoft has a solution called Azure DevTest Labs now.

Azure DevTest Labs is a service that helps developers and testers quickly create environments in Azure while minimizing waste and controlling cost. You can test the latest version of your application by quickly provisioning Windows and Linux environments using reusable templates and artifacts. Easily integrate your deployment pipeline with DevTest Labs to provision on-demand environments. Scale up your load testing by provisioning multiple test agents, and create pre-provisioned environments for training and demos.

For an explanation of Azure DevTest Labs, check this out:

• https://docs.microsoft.com/en-us/azure/devtest-lab/devtest-lab-overview

For more information on getting Azure DevTest Labs, check this out:

• http://aka.ms/dtl

We sent the following to our Enterprise Support customers about Spectre, Meltdown, & Windows Systems a week ago and I thought I’d share it:

Alert – Guidance to protect against the speculative execution side-channel vulnerabilities

What is the purpose of this alert?

This alert is to provide you with guidance concerning CPU Microcode vulnerabilities being reported in press starting on Wednesday, January 3, 2018. To get all available protections, customers will need to install updates from both software and hardware vendors.

Executive Summary

Microsoft is aware of a new publicly disclosed class of vulnerabilities referred to as “speculative execution side-channel attacks” that affect many modern processors and operating systems including Intel, AMD, and ARM. Note: this issue will affect other systems such as Android, Chrome, iOS, MacOS, so we advise customers to seek out guidance from those vendors.

Microsoft has released several updates to help mitigate these vulnerabilities. We have also taken action to secure our cloud services. See below for more details.

Microsoft has not received any information to indicate that these vulnerabilities have been used to attack customers at this time. Microsoft continues working closely with industry partners including chip makers, hardware OEMs and app vendors to protect customers. To get all available protections, hardware/firmware and software updates are required. This includes microcode from device OEMs and in some cases updates to AV software as well.

This advisory addresses the following vulnerabilities:

• CVE-2017-5715 (branch target injection)
• CVE-2017-5753 (bounds check bypass)
• CVE-2017-5754 (rogue data cache load)

Recommended Actions – Consumers

For consumers, the best protection is to keep your computers up to date. You can do this by taking advantage of automatic update. Learn how to turn on automatic updates here. In addition to installing the January 2018 Windows security updates, you may also need to install firmware updates from your device manufacturer for increased protection. Check with your device manufacturer for relevant updates.

If automatic updates are enabled, the January 2018 Windows security update will be offered to the devices running supported anti-virus (AV) applications. Updates can be installed in any order.

1. If you have automatic updating enabled and configured to provide updates for Windows, the updates are delivered to you when they are released, if your device and software are compatible. We recommend you verify these updates are installed. If automatic update is not enabled, manually check for and install the January 2018 Windows operating system security update.
2. Install applicable firmware update provided by your OEM device manufacturer.

Recommended Actions – Enterprise

Security Advisory 180002 has sections that provide specific guidance for Windows clients, Windows servers,  and Microsoft Cloud platforms. Additional guidance provided in the security advisory includes answers to frequently asked questions, guidance for how to verify that protections are enabled.

Associated Support Articles and Additional Resources

• Security Advisory 180002 – Guidance to protect against the speculative execution side-channel vulnerabilities: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002
• KB 4073119 – Windows Client Guidance for IT Pros to protect against the speculative execution side-channel vulnerabilities: https://support.microsoft.com/help/4073119
• KB 4072698 – Windows Server Guidance to protect against the speculative execution side-channel vulnerabilities: https://support.microsoft.com/help/4072698
• KB 4072699 – Important Information regarding the Windows Security Updates Released January 2018 (A/V): https://support.microsoft.com/help/4072699
• KB 4073229 – Protect your device against the recent chip-related security vulnerability: https://support.microsoft.com/help/4073229
• KB 4073225 – SQL Server Guidance to protect against the speculative execution side-channel vulnerabilities: https://support.microsoft.com/help/4073225
• KB 4073235 – Microsoft Cloud Protections Against Speculative Execution Side-Channel Vulnerabilities: https://support.microsoft.com/help/4073235
• Azure blog – Securing Azure customers from CPU vulnerability: https://azure.microsoft.com/en-us/blog/securing-azure-customers-from-cpu-vulnerability/
• The Microsoft Security Update Guide: http://aka.ms/securityupdateguide

Regarding Information Consistency

We strive to provide you with accurate information in static (this mail) and dynamic (web-based) content. Microsoft’s security content posted to the web is occasionally updated to reflect late-breaking information. If this results in an inconsistency between the information here and the information in Microsoft’s web-based security content, the information in Microsoft’s web-based security content is authoritative.

Much of this and more is reflected on this post from our Support database:

• Protect your Windows devices against Spectre and Meltdown
  https://support.microsoft.com/en-us/help/4073757/protect-your-windows-devices-against-spectre-meltdown

More discussion is available from our Security web sites:

MICROSOFT SECURE BLOG
Refer this blog to understand the performance impact of Spectre and Meltdown mitigations on Windows Systems.

• Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems (Jan 9th, 2018)
  https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/ 

MICROSOFT SECURITY RESEARCH CENTER
For more technical details, please see:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002