How Microsoft EMS can support you in your journey to EU GDPR compliance – Part 5

Protecting data at the device and app level with Microsoft Intune

Over the past month, the Enterprise Mobility + Security (EMS) team has been blogging about Microsoft's broad commitment to making sure our products and services comply with the GDPR, and to making sure that you, our customers, understand how our technologies can assist you with your GDPR compliance efforts. We've outlined the four key steps that we recommend you take to get started:

  1. Discover: Identify what personal data you have and where it resides.
  2. Manage: Govern how personal data is used and accessed.
  3. Protect: Establish security controls to prevent, detect, and respond to vulnerabilities and data breaches.
  4. Report: Execute on data requests, report data breaches, and keep required documentation.

Microsoft Enterprise Mobility + Security delivers multiple capabilities that provide you with crucial advantages in each step. This is the fifth blog in a series about those capabilities. In this blog, we focus on the capabilities delivered by Microsoft Intune to help you manage the use and access of data and to help protect that data, both key in fulfilling GDPR requirements.

Manage and protect your data with Intune

Organizations that use Intune have access to sophisticated mobile device management, mobile application management, and PC management capabilities from the cloud. These capabilities allow you to provide your users with access to company applications, data, and resources from virtually anywhere on almost any device in a way that helps you to keep company data (including data that may contain personal and sensitive information) secure.

These capabilities are critical if you consider how many companies deal with personal and sensitive data as a standard part of doing business. Take, for example, an automaker that maintains a record of every customer who has purchased a car in recent years. The automaker likely does so in files that include customer names, emails, identifier numbers, addresses, credit scores, etc. Employees of the automaker may regularly share personal data like this among themselves as they model future sales figures or try to determine how to build better cars based on customer feedback, and they may be accessing this data on their mobile devices. An organization using Intune can create a secure container for this file with policies that protect company data at the device and app level. That container can be wiped at any moment if necessary. Intune also has tools you can use to inform your end users about terms and conditions and about which data is collected and visible on managed devices.

This unique functionality can help you meet the GDPR expectation that personal data is adequately and appropriately protected, given the circumstances and risks. The ability to control this data is enhanced when you include Azure Information Protection to encrypt the data and Cloud App Security to ensure that it's stored appropriately in a cloud app. With all this, EMS is well suited to meet the data protection demands of GDPR.


End-user transparency

Before we go into the specifics of how Intune helps you protect company data, it's worth stating how strongly we believe in end-user empowerment. This is exemplified by the productivity experience we deliver to end users, and includes making sure that end users have full visibility into what data the IT team can access and affect in managed-device scenarios.

With Intune, you can provide users with access to your company's privacy statement, as well as present your own custom terms and conditions to inform them of your data processing activities and data collection. Once these elements of your IT practices are defined, you can embed these notifications into the enrollment process to inform end users about the implications of their enrollment.

Controlling access and protecting data at the device level

Intune's mobile device management capabilities and device compliance policies ensure that devices attempting to access your organization's data or apps (which may contain personal and sensitive information) first meet your team's security requirements and standards. Administrators can set a number of device compliance policies, such as enforcing device enrollment, requiring domain join, requiring strong passwords, and automatic encryption. These policies may also be set to require that the device operating system (as well as key apps) be current and have the latest updates installed before access is granted.

You can use the compliance policy settings in Microsoft Intune to evaluate the compliance of employee devices against a set of rules you create. In cases where devices don't meet the conditions you set up in the policies, Intune can guide the end user through enrolling the device (if it's not already enrolled) and fixing the compliance issue.

To understand how robust these compliance policies are, consider these four ways Intune enforces advanced security policies for mobile devices, apps, and PCs:

  1. Intune delivers comprehensive settings management for mobile devices and PCs including iOS, Android, Windows, and MacOS.
  2. It provides the ability to deny specific applications or URL addresses from being accessed on mobile devices and PCs.
  3. It enables the execution of remote actions, like passcode reset, device lock, and remote wipe.
  4. It enables the enforcement of strict lock-down policies for supervised iOS devices, Android devices using Kiosk Mode, and Windows 10 devices using Assigned Access.

App protection policies give you granular control of what happens after data is accessed

Once mobile apps are granted access to company data, it's critical to control what happens after the data is accessed. This is where Intune's mobile application management capabilities and app protection policies have an impact. These policies can protect the data at the app level (which includes app-level authentication) as well as provide copy/paste control and save-as control. Intune's application policies give you fine-grained control of what your users can do with the data they access in apps, and this gives you extraordinary power to secure your data.

Also, because Intune leverages the user's identity in its approach, it can enable multi-identity usage of apps, e.g., where app policies are intelligent enough to apply only to data that's applicable to corporate accounts.

It's also important to note that Intune's application management capabilities enable granular control of the data within Microsoft Office mobile apps on iOS and Android devices, and it helps enforce conditional access policies for Exchange Online, Exchange on-premises, SharePoint Online, and Skype for Business.


Six key ways Intune supports your GDPR compliance:

  1. You can enable your employees to securely access company information using mobile apps, as well as ensure that your data remains protected after it's been accessed via restrictions on actions like copy/cut/paste/save-as.
  2. You can apply app protection policies to protect data with or without device enrollment. This allows you to protect company information even on unmanaged devices.
  3. Intune applies mobile application management policies to your existing line-of-business (LOB) applications using the Intune App Wrapping Tool without making code changes.
  4. It enables users to securely view content on devices within your managed app ecosystem using the Managed Browser and Azure Information Protection Viewer.
  5. You can encrypt company data within apps using the highest level of device encryption provided by iOS and Android.
  6. It allows you to protect your company data by enforcing PIN or credential policies.

With Intune, you can also selectively remove company data (apps, email, data, management policies, networking profiles, and more) from user devices and apps while leaving personal data intact.

Intune's Mobile Device Management and Mobile App Management capabilities help you protect access to data that may be considered personal or sensitive as defined by the GDPR, and they ensure that your data remains protected even after it's been accessed by users.

GDPR is great news for people demanding more digital privacy, and Intune as part of EMS is a great tool for the organizations adjusting the way they gather, use, and protect data.

Mobility and Identity admins, get EMS up and running at Microsoft Ignite!

Microsoft Ignite is your chance for access to in-depth training, deep dives and demos of new tech, and to connect with your peers. Keynotes by Satya Nadella, Microsoft CEO, and Harry Shum, Executive Vice President Microsoft AI, will showcase the Microsoft vision for the future. More than 700 sessions will give you insights and roadmaps from industry leaders so that you can bring back bold new ideas to your organization. Join us at Microsoft Ignite this year in Orlando, Florida from September 25-29, 2017.

In addition to the scheduled sessions available, we're also offering a unique opportunity to get hands-on deployment guidance for Enterprise Mobility + Security at the Microsoft Ignite pre-day on September 24. EMS pre-day sessions are designed for admins and include 1:1 collaboration with the engineers who built Microsoft Azure Active Directory and Microsoft Intune. You can tap into their knowledge to plan your deployment and skill up on the latest in identity and access management and mobile productivity.

This year, there are two EMS pre-day sessions offered for a limited number of Microsoft Ignite attendees:

  1. EMS pre-day option 1: Get mobile productivity up and running with Enterprise Mobility + Security (EMS). Intended for IT admins who manage apps and devices for their organizations and who are looking to understand how Microsoft Intune can help them manage mobile devices and applications, this pre-day will also address conditional access in detail and help you understand how Graph/Intune has been helping customers with automation and data extraction. This will be followed by 1:1 interaction time with engineering.
  2. EMS pre-day option 2: Get identity and access management up and running for Office365 and thousands of other applications. Intended for Microsoft Azure Active Directory (Azure AD) administrators within Office365 and EMS, this pre-day provides attendees a deep dive into end-to-end authentication and how it flows between Office 365 applications as well as browser apps and native applications. This session also explores troubleshooting authentication as well as real-world information on how to properly configure authentication and how it affects a user. This will be followed by 1:1 interaction time with engineering and an opportunity to troubleshoot your own organization's deployment blockers.

Pre-day sessions can fill up fast. To reserve your spot, simply select the Full Conference Pass + pre-day session option when you register for Microsoft Ignite. If you're already registered for Microsoft Ignite, you can sign in to your registration record and add the EMS pre-day session of your choice.

We look forward to working with you at one of the Ignite pre-day sessions. Register now for Microsoft Ignite and the EMS pre-day!

See you there!

Ransomware detection with Microsoft Advanced Threat Analytics and Cloud App Security

The rise of ransomware and its media presence in recent months has highlighted, perhaps now more than ever, the importance of robust security systems to detect and respond to devious and evolving threats. We know extortion via ransomware is an effective scare tactic; after all, victims can be both consumers and commercial organizations, and in all cases attacks are evolving at a pace and frequency unparalleled by most other cybersecurity threats. Today, many strains of ransomware are searching for innovative and advanced ways to wreak the maximum amount of havoc possible on victims' assets.

As we enter this new age of cybersecurity, we want to provide powerful tools that can deliver control back to you through strong detection and remediation capabilities. Today we will show how two products that are part of the Enterprise Mobility + Security (EMS) suite, Microsoft Cloud App Security (MCAS) and Advanced Threat Analytics (ATA), can help to protect users both in the cloud and on-premises through robust detection systems. We'll walk through the malware detection capabilities of each product as part of your comprehensive, defense-in-depth security strategy.

Lessons from UEBA: Detection through abnormal user and file behavior

As a User and Entity Behavior Analytics (UEBA) product, ATA learns the behavior of users and other entities in an organization and builds a behavioral profile around these. When malicious software establishes a foothold in a network, and starts to spread from a compromised machine to other computers in the network, an abnormal behavior detection is raised. Why? A departure from the norm of activity for the account indicates a probability of compromise; this detection and alert informs the admin immediately.

Similarly, Cloud App Security can detect abnormal file behavior across a tenant's cloud applications. Cloud App Security will identify large numbers of deletions and file syncs across a short period of time; coupled with indications that files are ransomware-encrypted (e.g., by file extension changes), the system will alert on these abnormalities through fully customizable activity policies. The speed of detection here is critical: since file deletion can be identified immediately, the chances of retrieving original files (which are immediately replaced by encrypted, ransomware-controlled files) are greatly increased.

As ransomware evolves, we are noting a shift in encryption tactics: instead of using the well-known method of encrypting the first machine breached, some attackers are using the initial computer as a springboard to spread ransomware to any accessible machine in the network. Both Advanced Threat Analytics and Cloud App Security play important roles in this scenario: ATA to detect the compromised account used to spread the ransomware, and MCAS to detect the abnormal file behavior in cloud apps.

Behind the Anatomy of an Attack: Detection Through File and Protocol Abnormalities

Ransomware attackers can implement some network protocols (such as SMB/Kerberos) with only minor deviations from the normal implementation in an environment. These deviations may indicate the presence of an attacker attempting to leverage, or already successfully leveraging, compromised credentials. In some well-known ransomware campaigns, such deviations were noted. Advanced Threat Analytics detects these abnormalities in a user's environment and alerts an admin immediately so that appropriate actions can be taken to protect the affected assets.

Remember, it wouldn't be ransomware without a ransom note. As such, Cloud App Security file policies can be utilized to search for ransom notes in users' cloud applications. When a ransom note is left behind, it usually details specific download instructions, navigation, and bitcoin payment terms. Using these types of indicators, Cloud App Security file policies can alert, for example, on the presence of .txt, .rtf, or .html files that include a combination of ".onion" and "bitcoin," or "Tor Browser" and "ransom," in their content.

Cloud App Security threat detection also uses file policies to search for specific file extensions that are unique or non-standard. This can be as simple as a policy that looks for .locky or something more abstract such as .xyz or .rofl. Cloud App Security also delivers a built-in template for potential ransomware activity. This template is pre-populated with many of the most common extension types and is fully customizable. The policy template also allows governance actions to suspend suspect users, thereby mitigating the attack by preventing further encryption of most of the user’s files that are in Office 365, Box, or Dropbox.

Regaining control with support

Advanced Threat Analytics and Cloud App Security don’t replace endpoint ransomware detection or network Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS). Rather, they extend intelligent support and detection capabilities to your overall security coverage and accelerate how quickly your security operations teams can respond to hostile events. EMS is committed to providing the best protection, detection, and response to users to combat ever-evolving threats and support you in facing one of the strongest of cybersecurity issues: ransomware.

If you would like to learn more, please visit:

Advanced Threat Analytics Technical Documentation

Cloud App Security Technical Documentation

Cloud App Security Yammer

Advanced Threat Analytics Yammer


Thank you for your attention and support!

Hayden Hainsworth


Principal Group Program Manager

Microsoft Cloud + Enterprise Security Engineering Team

Today at Microsoft Inspire–Next generation architecture for RDS hosting

Join us today (find details at the end of this post) to see how you can make your hosted RDS environments more secure, scalable and efficient; discover the powerful new architecture that enables you to create the next generation of services for your customers, while taking your business to the next level of efficiency and growth.

The RDS modern infrastructure components we are showcasing today extend the current Windows Server 2016 RDS to enable partners to address new market segments and customers while reducing the cost and complexity of hosted Windows desktop and application deployments.

Our infrastructure and clients now utilize Azure Active Directory authentication to enable enhanced security features like conditional access and multi-factor authentication, taking advantage of the massive investments being made in our Intelligent Security Graph. We seamlessly integrate with classic Windows authentication to maintain application compatibility and provide a single sign-on user experience.

The RDS modern infrastructure components provide functionality that extends the current RD Web Access, RD Gateway, and RD Connection Broker services, as well as adding a new RD Diagnostics service. The RDS modern infrastructure components are implemented as .NET Web Services enabling a wide variety of deployment options. For example:

  • Both single and multi-tenant deployments, making smaller deployments (less than 100 users) much more economically viable, while providing the necessary security of tenant isolation
  • Deployments on Microsoft Azure, on-premises equipment, and hybrid configurations
  • Virtual machines or Azure App Services can be used for deployment

Azure App Services, part of Azure's Platform-as-a-Service environment, simplifies the deployment and management of the RDS modern infrastructure because it abstracts the details of the virtual machines, networking, and storage. This simplifies administrative tasks like configuring scale out/in of a service to dynamically and automatically handle fluctuating usage patterns.

The new infrastructure will also include a web client that allows users to connect from any HTML5 browser. The web client, combined with the other RDS modern infrastructure features, allows many Windows applications to be easily transformed into a Web-based Software-as-a-Service (SaaS) application without having to rewrite a line of code.

Join us today to learn more and sign up for the upcoming technical preview!

Session details:

Remote Desktop Services (RDS): Why do you support 24x7 infrastructure for apps that run 8 AM to 5 PM?
Wednesday, July 12, 2017 2:30 PM-3:30 PM (UTC-05:00) Eastern Time (US & Canada) – 202B, WEWCC

For related information, please see Windows Server 2016 Remote Desktop Services documentation and the RDS Azure Quickstart Templates.

Sign up today!

New Public Preview: Azure AD Domain Services admin UX in the new Azure Portal

Howdy folks,

I’m excited to announce the public preview of Azure AD Domain Services in the new Azure portal. You can now create new managed AD domains and perform administrative tasks like configuring secure LDAP using the Azure portal. If you follow the blog, you already know that Azure AD Domain Services is pretty cool. It provides managed domain services like domain join, group policy, LDAP, and Kerberos/NTLM authentication, all fully compatible with Windows Server Active Directory.

What might surprise you is that over 8000 (!!) customers are already using Azure AD Domain Services today!

And with this new public preview, we've made it even easier to create a managed AD domain using our brand-new wizard experience. The wizard knits tasks like creating virtual networks, configuring group membership of the delegated administrator group, and enabling domain services into a simple, intuitive, step-by-step experience.

Getting started

Here’s how to get started with the new Azure portal experience:

  1. If Azure AD Domain Services is not enabled for your Azure directory: Create a new managed domain using the new Azure portal.
  2. If you've already enabled Azure AD Domain Services for your Azure directory: Contact us via email to migrate your existing managed AD domain to the new Azure portal. From there, you can administer your existing managed AD domain using the new Azure portal.

Note: This public preview release supports only classic Azure virtual networks. We don't support Resource Manager-based virtual networks yet, but the team is hard at work making that happen and we hope to preview it soon!

We want to hear from you!

As always, your feedback is very important to us! Please share your comments, questions, or concerns on our discussion forum, send us an email at, or simply comment below.

Best regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division

Microsoft 365 and Enterprise Mobility + Security

Today at Microsoft Inspire in Washington DC, Microsoft unveiled Microsoft 365, a new set of commercial offerings that include Office 365, Windows 10, and Enterprise Mobility + Security (EMS). Microsoft 365 delivers a complete, intelligent, and secure solution to empower employees.

To address the needs of organizations of all sizes, we introduced Microsoft 365 Enterprise for large customers, and Microsoft 365 Business for small and medium-sized businesses. They provide a comprehensive set of productivity and security capabilities while simplifying delivery and management for IT.

As part of this, EMS protects across users, devices, apps and data and is specifically designed to work together with Office 365 and Windows 10 to enable security that does not compromise user experience. EMS also secures and manages thousands of SaaS applications and on-premises apps, as well as safeguarding data across iOS and Android devices. Most recently we integrated the management experience for IT into a single, easy-to-use console. All this adds up to an intelligent security solution to support your organization's digital transformation.

In the 3 years that EMS has been available, over 46 thousand organizations have chosen EMS and our install base has seen 12 consecutive quarters of triple digit Y/Y growth. These customers have chosen EMS to secure their move to a new culture of work.


Plante Moran, one of the largest certified public accounting and business advisory firms in the United States, chose EMS to enable productivity and security:

"We were using Good for Enterprise to manage and secure mobile email access, but that was just managing email, not devices," says Sean Bulger, End User Systems Administrator at Plante Moran. "We wanted to go beyond that, so our professional staff could access all kinds of information, not just email, from any place and any device, while maintaining a strong level of security."

G&J Pepsi-Cola Bottlers uses EMS to centrally manage and protect devices and an expanding portfolio of on-premises and cloud-based applications and services:

We needed to provide single sign-on for ADP [payroll services], for Oracle, for Meraki, for all of these software-as-a-service solutions that we have. We also needed to secure our mobile devices and push applications to them. We’ve completely transformed the way our business operates.
Eric McKinney, Cloud Services Manager at G&J

Gränges, a leading global manufacturer, relies on research and development to stay a leader, and data security is a high priority. That's why the Swedish manufacturer turned to Microsoft Enterprise Mobility + Security (EMS).

We sleep better at night knowing that the information is not accessible for parties who shouldn’t access it. It’s important for us to be sure that we can secure business critical data that we don’t want to share with everybody else.
Bilal Chebaro, Chief Information Officer, Gränges

If you're in Washington DC this week attending Microsoft Inspire, do come see some of our sessions or visit us at our booth.

How Microsoft EMS Can Support You in Your Journey to EU GDPR Compliance – Part 4

How to gain visibility and control of data in cloud apps

This post is authored by Rue Limones, Senior Program Manager, Cloud App Security Engineering Team.

Checking in: Your Journey to GDPR Compliance

In the whitepaper Beginning Your GDPR Journey, we introduce five key use case scenarios that are relevant to GDPR compliance where Microsoft Enterprise Mobility + Security (EMS) technologies provide critical support:

  • How to provide persistent data protection on-premises and in the cloud
  • How to grant and restrict access to data
  • How to gain visibility and control of data in cloud apps
  • How to protect data in mobile devices and applications
  • How to detect data breaches before they cause damage

We're now halfway through our blog series introducing these solutions. It's a great time to take stock and understand both how far you've come and what more we can tackle together. In previous blogs, we showcased the ability of Azure Information Protection (AIP) to provide persistent data protection both on-premises and in the cloud, as well as the role of Azure Active Directory (Azure AD) in granting and restricting access to data through risk-based conditional access controls. Next, we'll turn to a discussion of Microsoft Cloud App Security to understand its role in the last two use cases and in your own GDPR journey. You'll discover how Cloud App Security ensures you have powerful visibility into, and control over, your data in SaaS apps while also giving you the ability to detect data breaches before they cause damage to the user or your organization.

Visibility and Control through Cloud App Security, Step 1: App Discovery

Deep visibility into user behavior and the movement of data in cloud apps is essential to meeting the GDPR requirements regarding data protection and security, but this is no easy task. A robust cloud app identification capability is your first step. Cloud App Security can discover and assess more than 14,000 cloud apps against a set of 60 service, compliance, and security factors. A total risk assessment score and a report card for the app are the results of this analysis.

Now that you understand the relative risk assessment of each app, Cloud App Security policies allow you to enforce specific user behaviors in your enterprise cloud apps. App discovery and discovery anomaly policies will notify you when new apps are detected within your organization or when unusual occurrences are noted within an app. For example, you can use a discovery policy to alert when 20 or more users are detected using new apps with risk assessment score of 4 or less. These policies play an important part in understanding and enforcing the use of safe and sanctioned apps for protecting personal and sensitive data.

Step 2: Data Discovery

As you may have guessed, discovering cloud app usage isn't always enough. If the data moving within these apps is subject to the GDPR, the apps must be governed under GDPR-compliant policies and controls. For data discovery, Cloud App Security can identify unprotected personal or sensitive data with native DLP, Office DLP, or third-party solutions, as well as detect external sharing or collaboration at a file level. As mentioned in the Part 2 blog, Cloud App Security also integrates with AIP to read file labels. Identifying the personal and sensitive data you store is important for your GDPR compliance journey.

Step 3: Control Data

To secure visibility and control of data in your cloud apps, the last step is to establish controls over the data itself. With CAS, you can employ file policies to scan for specific files or file types (such as shared files) or data (such as personally identifiable information), and apply governance actions.

Customizing these policies is key and will allow you to tailor the detections to your specific GDPR needs. For example, you can use a file policy to detect when personal and sensitive data are shared externally AND set the governance actions to remove external users. The ability to change sharing permissions, remove collaborators, or place users in quarantine provides near real-time control over your data.

At this point, you've gained visibility into your cloud apps and you've formulated discovery and file policy controls, but you still need a way to detect and respond to threats targeting your organization and users, and to do so in a way that conforms to the GDPR mandates.

Enhanced Threat Detection and Response

While your discovery and file policies are at work, Cloud App Security uses behavioral analytics and a robust anomaly detection engine to deliver enhanced threat detection and response capabilities. How does this apply to GDPR? The required GDPR timelines and conditions to report data breaches are stringent; the better informed the detection-to-response cycle is, the better equipped you will be to meet these requirements. Let's walk through each of the key advantages that Cloud App Security provides here:

User-Centered Detections

As each user interacts with a cloud app, the service assesses the risk in the user's behavior. Impossible travel, a sudden and unexpected download (and possible exfiltration) of data, or spontaneous administrative activity may all be signs of a data breach. Through anomaly detection policies, Cloud App Security applies behavioral analysis to these events to signal you when something abnormal is found. Even better, detection isn't driven by Cloud App Security alone; all services in EMS work in concert to strengthen detection both on-premises and in the cloud.

Activity policies leveraging an app's API can also be used to monitor specific user activities. For example, if you label personal and sensitive files as "GDPR Sensitive," you can use an activity policy to monitor when anyone accesses these files from an IP address outside the corporate network. Your security operations personnel can review this activity and the anomaly alerts, conduct further investigation, and continuously customize the policies as needed.

Intelligence-Driven Detections

Cloud App Security's threat intelligence and detection capabilities are enhanced with the Microsoft Intelligent Security Graph. Acting as a vast repository of threat intelligence and security research data, the graph provides not only CAS but all EMS security solutions with powerful and actionable information.

Coordinated Response

Cloud App Security can take immediate action to suspend a user, revoke a password, or remove sharing permissions on a sensitive file they have accessed. At the same time, all EMS solutions work to formulate complementary responses. As you learned in the previous post, Azure AD delivers risk-based conditional access. When abnormal events are detected, a user's risk level increases and triggers a response in access policies. Like the automated lowering of a fortress's gates when an advancing threat is sensed, you want this to be swift, responsive, and well integrated, and it's exactly that!

What's Ahead?

Cloud App Security and EMS are here to support you in your GDPR compliance journey. In future blogs, you'll discover how our other security features enhance the visibility, control, threat detection, and response capabilities introduced in today's discussion. More importantly, you'll see how EMS delivers an integrated and holistic solution to help meet your organization's GDPR needs.

As always, the team at Microsoft encourages you to explore further:

Better together: Intune and Azure Active Directory team up to improve user access

AD -

The Intune Managed Browser for iOS and Android devices plays a key role in ensuring that data on mobile devices stays secure. It lets you safely view and navigate web pages that might contain company information, and provides a secure web-browsing experience. Today, we're excited to announce a series of new enhancements that make it easier for your users to access the web apps and resources they need from anywhere. These new experiences are made possible by integrating the Intune Managed Browser with Azure Active Directory Application Proxy and the MyApps portal.

Give users secure and seamless access to web apps from anywhere with the Managed Browser and Application Proxy

The Azure AD Application Proxy enables you to provide your users with secure remote access to on-premises web applications. It is simple to use and configure, requires no changes to your network infrastructure, and allows you to secure your applications with all the security features of Azure AD. When you provide remote access through Application Proxy, you create an externally accessible URL for your internal resources. However, in some cases the internal and external URLs are different, requiring users to remember two URLs. Additional challenges can also arise when multiple applications are linked to each other using internal URLs, which may cause the links to break when accessed from the internet under certain circumstances. Broken links frustrate users and can stop productivity in its tracks, unintentionally barring them from accessing important resources on the go.

The new integration between the Intune Managed Browser and Azure AD Application Proxy solves this problem. Now, regardless of location, users can access the Azure AD Application Proxy apps their IT has provisioned to them simply by typing the internal URL into the Managed Browser. This simplifies the process for everyone, making sure that your users enjoy easy, secure access to the web apps they depend on to get their work done.

Here's a quick diagram of what's happening in the background to deliver this new experience:



Intune App Protection policies and the Managed Browser make sure that links in email work, even outside of your network

We've all clicked on links in email that don't work, and often this is because the link is for an internal site that is not accessible outside the network. This is another frustrating scenario that can be easily solved with the Managed Browser and this new integration with the Azure AD Application Proxy. By configuring Intune App Protection policies for Outlook to automatically open https links in the Managed Browser, emailed links to internal sites published with Application Proxy work regardless of a user's location.



MyApps and Managed Browser make it easy for end users to find apps

Finally, finding and accessing applications, both on-premises applications published with Application Proxy and cloud applications integrated with Azure AD, is easier than ever with the Managed Browser. The MyApps experience is now integrated into the Managed Browser to allow users to easily find and have seamless access to their apps while benefiting from everything that the Managed Browser offers.

Users will find quick access to MyApps on their Managed Browser homepage and in their bookmarks, giving them fewer clicks to reach any application they may need to access. Plus, the Managed Browser supports the single sign-on functionality you have come to love with apps integrated with Azure AD.



These awesome experiences are all available now. For details, see our documentation.

We'd love to hear your feedback! Leave a note on this blog, or reach out to us at with questions or comments.

Partners: Connect with the EMS team at Microsoft Inspire in Washington, DC!

AD -

Enterprise Mobility + Security will have a large presence at the first Microsoft Inspire, and we'd love to connect with you there! Microsoft Inspire is our premier annual partner conference and was formerly known as the Worldwide Partner Conference, or WPC.

This year's event will be held from July 9th to July 13th in Washington D.C., and there will be eight Enterprise Mobility + Security sessions:

  • CE416t: Use Microsoft Graph API to programmatically manage EMS. Customers and partners have been looking for a way to programmatically manage and integrate with Enterprise Mobility + Security (EMS). Integrate with EMS using Microsoft Graph API to manage Intune admin scenarios, integrate systems and workflows, and generate custom reports through Power BI.

  • CE417t: Gain visibility and protection against cloud security threats. Learn how Microsoft Cloud App Security takes the visibility, control and protection your customers have come to expect on-premises and extends them to your cloud apps. Cloud apps are essential to today's connected workforce, but they also introduce a unique set of security concerns. Time: 1:00pm to 1:30pm.

  • CE414: Identity Driven Security. Understand the role of identity in cybersecurity solutions. Date/Time: 7/10/2017, 4:00pm to 5:00pm.

  • CE416: Managed Mobile Productivity. Employees need to get work done on any device, anywhere. Accomplishing this while protecting corporate data is one of IT's biggest challenges. EMS makes it easier to access resources, protect data for Office 365 and other apps, and simplify the management of your enterprise mobility needs. Time: 1:00pm to 2:00pm.

  • CE410p: Selling deeper customer connections and faster digital transformation: Azure Active Directory B2C opens new opportunities. Azure AD B2C helps deliver beautiful, custom login and registration experiences. With extensibility enabling connections to CRM databases, marketing analytics, and account verification systems, Microsoft's investment in identity protection and reliability are tools for winning cloud-based proposals. Time: 3:00pm to 3:20pm.

  • CE411p: Identity-Driven Security through Conditional Access. Conditional access provides the control and protection needed to keep corporate data secure, while giving teams an experience that allows them to do their best work from any device. Allow or block access, or challenge users with multi-factor authentication, device enrollment, or password change. Time: 4:20pm to 4:40pm.

  • CE412p: Secure your complete data lifecycle using Azure Information Protection. Data is traveling to more locations than ever. It's hard to identify sensitive data and protect it against accidental or malicious breaches. Learn how classifying, labeling and protecting data using Azure Information Protection can help you secure data throughout its complete lifecycle. Time: 1:40pm to 2:00pm.

  • CE413p: Protect your network from malicious attacks with Microsoft Advanced Threat Analytics. Inside-out security is necessary with our current mobile and connected workforce, and having eyes and ears on your network will help your customers be prepared. Time: 3:00pm to 3:20pm.


In addition to the sessions, we'll have a significant presence at the Security booth on the expo floor, where you can connect with folks from our engineering, marketing, and sales organizations. Please stop by and say hello. Log on to MyInspire now to schedule your sessions. We're looking forward to seeing you there!

System Center Updates Publisher June 2017 Preview is now available

AD -

Today we are announcing availability of System Center Updates Publisher (SCUP) Preview. Many of you are using SCUP 2011 now to:

  • Import updates from external catalogs (non-Microsoft update catalogs).
  • Modify update definitions including applicability, and deployment metadata.
  • Export updates to external catalogs.
  • Publish updates to an update server.

This SCUP preview adds support for Windows 10 and Windows Server 2016. Users who are familiar with SCUP 2011 will be able to use the preview easily on Windows 10 and Windows Server 2016 systems, as there are no major changes to the way SCUP works.

Joining the preview

We are excited to have you join our preview! To get started:

  1. Download the SCUP Preview here.
  2. Run UpdatesPublisher.msi on a computer that meets the prerequisites.
  3. Configure the options for SCUP.
  4. Start using the features of SCUP.

For a walkthrough of these steps please read our System Center Updates Publisher documentation.

We would love to hear your feedback. If you have a feature request, share your ideas with us on the Configuration Manager UserVoice site. You can report issues with SCUP on Connect or reach out to us directly at

Frequently Asked Questions

Q. Does this release include SCUP integration with the Configuration Manager Console?

A. This preview is to enable SCUP 2011 features on our newest OSes and is not directly related to work that is planned for Configuration Manager Console Integration. For the latest news about that, please see the UserVoice item here.


Q. Can I use this preview release with Windows 7 or WSUS 3.x?

A. Windows 7 and WSUS 3.x are not supported with this release. Please continue to use SCUP 2011.


Q. Does this preview release support upgrade from SCUP 2011?

A. For Windows 8.1 and Server 2012 R2 systems that have SCUP 2011 installed, installation of the preview will not uninstall or interfere with the existing SCUP 2011 installation. On these systems, you may continue to use SCUP 2011 or use the preview version, however the two installations will not share data.

Azure Information Protection Documentation Update for June 2017

AD -

Hi everybody

Our technical writer, Carol Bailey, is letting you know what's new and hot in the docs for June.

Reminders: Follow us on Twitter (@DanPlastina) and join in our peer community

Dan (on behalf of the Information Protection team)

The documentation for Azure Information Protection has been updated on the web and the latest content has a June 2017 (or later) date at the top of the article.

Updates for this month support the continued updates for unifying template configuration in the Azure portal, the new GA release of the Azure Information Protection client, and the new privacy controls for the document tracking site.

Have feedback about the documentation content for Azure Information Protection? We value customer feedback and try to incorporate it whenever possible. If you have feedback about our documentation, let us know by

What's new in the documentation for Azure Information Protection, June 2017

Documentation articles that have significant technical changes since the last update (May 2017):

Frequently asked questions about data protection in Azure Information Protection

– New entry to help Mac users ramp up quickly: How do I configure a Mac computer to protect and track documents?

Requirements for Azure Information Protection

– Updated support statements for the versions of Office supported, and removed the previous restriction that Windows Server 2016 was supported for PowerShell only.

How to configure a label for Rights Management protection

– Updated for the new preview options that bring templates to the Azure portal.

How to configure labels for different languages in Azure Information Protection

– New article that explains the new preview feature to display your labels in the languages that your users need. This feature requires client version 1.8 or later, which is now available as a preview version on the Download Center.

Azure Information Protection client: Version release history

– Updated for the new GA release, Version

Azure Information Protection client administrator guide

– Updated the installation section for the new .msi installation option: Options to install the Azure Information Protection client for users

Configuring and using document tracking for Azure Information Protection

– New section in the Azure Information Protection client admin guide: Privacy controls for your document tracking site. This section contains the technical documentation for admins that was announced with the blog post, Azure Information Protection Do not track feature now in Preview. The updated version of the corresponding AADRM module, with the 3 new cmdlets (Set-AadrmDoNotTrackUserGroup, Clear-AadrmDoNotTrackUserGroup, and Get-AadrmDoNotTrackUserGroup), is also published, and the end-user documentation for document tracking is updated to explain why information about users from their organization might not be displayed even though documents can always be revoked.


Join us July 6th for the first Azure AD B2B collaboration AMA!

AD -

Howdy folks,

Those of you who follow the blog will remember that we held our first Azure AD AMA a few months back. It was quite a hit and we got a ton of great feedback from customers and partners on it. So, we thought we'd do another one! This time we're focusing on a specific topic: how to use Azure AD to easily enable cross-company, cloud-based collaboration.

I hope you'll join us Thursday, July 6th, at 9am Pacific/12pm Eastern for the first Azure AD B2B collaboration-hosted Ask Me Anything (AMA) on the Microsoft Tech Community. You'll be able to connect directly with the Azure AD B2B collaboration team, who will be on hand to answer your questions and listen to feedback.

Add the AMA to your calendar! When:

Thursday, July 6, 2017 from 09:00 am to 10:00 am Pacific Time


The Azure AD B2B Community

What's an AMA session?

We'll have folks from the Azure AD B2B engineering team available to answer any questions you have. You can ask us anything about our products, services, or even our team!

Why are we doing an AMA?

Connect directly with customers, hear your feedback, and answer your questions, such as:

  • What is Microsoft's strategy around Azure AD B2B?
  • What's possible with Azure AD B2B today?
  • Will B2B help meet this specific goal I or my customer have?
  • I want to get insight into a specific issue I or my customer is having.
  • How do I submit Azure AD B2B feature requests?

Who will be at the AMA?

We'll have program managers, developers, and technical thought leaders from the Azure AD B2B engineering team in attendance and look forward to connecting with you all!

I sure hope you'll join us! We're always looking for opportunities like this to learn from you, our customers and partners!

Best Regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division

Enabling a more strategic role for IT with Microsoft Enterprise Mobility + Security

AD -

Organizations are pushing forward in their digital transformations and we continue to see and hear more about what this shift means for IT. The scope of digital transformation goes beyond moving existing work to the cloud and enabling a more mobile workforce. It brings the opportunity to reimagine business from the ground up from product offerings, to customer engagement strategies, to how to drive innovation and differentiate vs. competition. As a result, today more than ever, CIOs are being asked by their boards and other executives to weigh in on a growing number of business decisions. Almost half (46%) of CIOs in the State of the CIO survey report directly to their CEO, 61% have direct interaction with the board, and 76% are interfacing directly with customers.

Making room for a broader IT impact

As CIOs play an extended role in the business, the function of IT is also flexing to become more strategic and business focused. To make room for this expanded responsibility, IT organizations are undergoing efforts to optimize traditional IT operations and services, with a focus on increasing agility, reducing costs, and maintaining security. Organizations are also looking to empower employees with a more connected and holistic approach to managing access while protecting corporate resources. This focus on greater agility and a better experience for employees, while maintaining security and holding down costs, is one of the key drivers of Enterprise Mobility + Security's (EMS) market success.

EMS has rapidly become a leading choice because it delivers what customers tell us they need most to transform their businesses: a comprehensive yet flexible born-in-the-cloud service that meets a broad set of mobility and security needs in an integrated way. EMS led on bringing identity and access management together with mobile device and application management. EMS has kept pace with industry shifts and customer feedback by incorporating new security solutions such as advanced threat analytics and cloud access security. EMS has also shown it can reduce overhead by addressing customer needs in one place, avoiding the pain of integrating point solutions from many different vendors.

A new EMS experience delivers increased IT Pro productivity

Over the last few months, we have turned the dial further and introduced new administrator experiences for Azure Active Directory, Microsoft Intune, conditional access, and Azure Information Protection in the new Azure portal. This collective move delivers a unified admin experience for these core EMS services that boosts IT Pro productivity and helps you get more out of EMS. The new console simplifies the configuration and management of powerful cross-product workflows, such as conditional access, allowing you to define complex access management policies across Azure AD and Intune within a single interface. It also delivers deep integration with Azure Active Directory groups, which can represent both users and devices as native, dynamically targeted groups and which can be synchronized with an organization's on-premises Active Directory.

Identity is at the core of mobility strategies, and we often find our customers' first workload to deploy is Azure AD. This new environment makes it easy for you to scale your Azure AD groups and policies to protect at deeper levels using Intune and Azure Information Protection. Let's say you defined a set of Azure AD and conditional access policies to protect your Office mobile apps; you can now easily find your way to Intune to set device and app protection policies to ensure your data remains protected even after it's been accessed. From there, you click into Azure Information Protection to set encryption policies that protect your data no matter where it travels. You can even create a custom dashboard in Azure that allows you to monitor and control everything at a glance from any device.



Our goal with EMS has always been to empower IT with a holistic and innovative set of tools that protect at the user, device, app and data levels without compromising productivity, streamlining management of mobility and security workflows in the process. This is the driving force behind our move to a unified EMS admin experience, and we are sure that your IT organization will reap the benefits.

Moving forward, we'll release all new features and enhancements for Azure AD, Intune and Azure Information Protection within the new experience on Azure. You can check out our new admin experience by logging into the Microsoft Azure portal today.

Azure Information Protection status update – June 2017

AD -

Hi Everyone, and welcome to the first post in what will be a regular series from the AIP team to ensure you always know what we are working on, what's in the current releases of AIP, and any other information that we can include to help you stay current.

With that, I will hand over to Adam Hall who leads our Customer and Partner Engagement team.


Hello to all our AIP customers and partners out there! My name is Adam Hall, and as Dan mentions above, I lead the team of awesome people who engage with you, our customers and partners, to help you understand what AIP is and its key scenarios. We are also the people who take your feedback, feature requests and blockers and ensure they are included in our engineering investments.

This is the first post in what will now be a monthly release where we will summarize where we are today, what we are working on, and how you should expect us to deliver updates. AIP, as a cloud service has a set of components that get updated on an ongoing basis, including the services, admin portal and clients. These updates are all in support of shipping features and scenarios that you can use, and typically they all get updated together and become available as a complete feature.

In the 9 months since we first released Azure Information Protection, we have shipped 4 GA updates, many service and admin portal updates and of course multiple Preview releases. Looking back, we have recently spent our time focusing on 2 key things:

  • Strong focus on stability and consistency in the user experiences
  • Unification of the admin portals, moving all admin functions to

These updates were heavily influenced by your great feedback, and allowed us to ship new features, verify bug fixes and generally improve our product. We thank you for this ongoing engagement!

As part of this engagement, we have heard many of you ask for a consistent and predictable release cycle for the AIP client, so you can plan, test, and roll out updates across your environments. You asked us to:

  • Help us understand what you're working on that is new or different in the next client version
  • Help us understand when to expect the next AIP client so we can test the preview and plan for deployment

Based on these (very fair) asks, and to deliver a better product with greater stability, we will be moving to a communicated release cycle as follows:

  1. We will provide you with more visibility for items that we are working on that are committed to be delivered. We will do this through this monthly series.
  2. We will release a preview version (in most cases monthly) to allow you to experiment with new features, test bug fixes and provide feedback on your experiences.
  3. We will announce a GA level client each quarter which aggregates the new features & bug fixes from the recent preview versions.

So, based on all of this, here are the upcoming milestones:

  • We are looking to release additional AIP Client Previews in July and August. You can download and test with the current Preview client ( at
  • Our next GA level client is planned to be released towards the end of September 2017. You can download and deploy the current GA client ( at

We are working on 3 key streams for this next GA client release:

  • Bug fixes and stability improvements (always!)
  • Enriching automation in the client (detection of more information types through alignment with the Office DLP rules) and improved condition matching engine.
  • Improving the information worker experience (including a label action for user-defined permissions and a new labeling experience via the Protect menu for organizations that want to minimize the information protection bar)

Additionally, we have adopted UserVoice as a platform for you to tell us what we should be working on, and I would ask and encourage you all to take a look and place your votes to help us understand the priorities you have.


Hopefully this helps you with your testing, planning and deployments; we welcome your commentary and feedback. We also know this can be a lot to absorb, and we are here to help! Engage with us on Yammer or Twitter and let us know what's important to you by voting on UserVoice!

It really is very easy to get started with AIP. We have a lot of information available to help you, from great documentation to engaging with us via Yammer and e-mail. What are you waiting for? Get to it!

Thank you,

Dan Plastina on behalf of our enthusiastic Azure IP team.
Twitter: @DanPlastina
Useful links: (PDF)

The Unbelievably Diverse Array of Devices Managed by Our Customers

AD -

Something I have come to really appreciate as we've built Intune and watched its usage scale to millions of devices is the unbelievably broad and diverse range of hardware our customers have to manage.

To put this challenge in perspective, check out the chart below.

In this chart, you can see the diversity of devices facing an Intune customer. Each box represents a specific device model (iPhone 6, Galaxy 6, etc.), and the size of the box indicates the percentage of that device in the overall population.

The customer (who will remain anonymous) shown in this example is managing more than 40k devices with Intune and has a very open/broad BYOD policy. It's also interesting to note that they are currently using many of the Enterprise Mobility + Security capabilities in conjunction with Office 365 and the Office mobile apps on their devices.

The thing that I find most amazing about this graphic is the sheer amount of diversity in this single network. In particular, look at the long tail (all those tiny boxes!) of Android devices being used by employees!

The scale of this diversity is not at all uncommon for multi-national organizations with very liberal BYOD policies. As you might expect, these customers often struggle with questions like, How many of my Android devices can support device encryption? If you are dealing with a similar challenge, then you understand the immense challenge that's presented by lower-cost Android devices that do not support hardware encryption.

So what can you do?

The first question to ask is whether or not you can enforce a policy wherein only specific devices are supported for BYOD. If your organization looks anything like the graphic above, then you probably already have devices in your network that are carrying corporate data but cannot be easily encrypted at the device level. Thats the bad news.

Heres the good news:

To address this problem, add an Application Protection Policy to require data encryption for your mobile apps. You can easily set up this policy so that it applies to all enrolled (MDM) and non-enrolled devices. This solution enables a level of encryption via Intune Application Protection even on devices that can't support device (MDM) encryption or aren't MDM enrolled.

To read more about Application Protection Policies, check out this great resource:

New Updates to the Azure AD Power BI content pack!

AD -

Howdy folks,

Those of you who follow the blog will remember that in January we announced the integration of Azure Active Directory APIs with Power BI. This integration makes it easy to download pre-built content packs that give you visibility into everything happening in your Azure Active Directory tenant.

This content pack has been super popular, and we've received a ton of requests for additional views and reports. So I'm happy to let you know that we've just added the two views customers requested the most:

  • Device Logins: Get a view of the browsers and operating systems used by your organization. With this view, you can learn about the various device configurations used within your organization and make decisions based on the insights provided. You can also drill into specific details of login activity, including location and device info.

  • SSPR Funnel: The SSPR funnel report shares details of the various stages of the SSPR flow, along with additional information like how many password reset attempts were made and how many were successful. This information can help you with root cause analysis and determining next steps in increasing adoption of the SSPR tool.

Wrapping Up

Take a look at our step-by-step guide to download and set up your content pack. You can also refer to the troubleshooting guide as you get started.

We want this pack to be as useful to you as possible, so please continue sharing your feedback with us. We look forward to hearing from you!

Best regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division

How Microsoft EMS can support you in your journey to EU GDPR compliance – Part 3

AD -

Granting and restricting access to data with Azure Active Directory

This blog post is the latest in our series about how EMS can support you in your journey to EU GDPR compliance. We last looked at how Azure Information Protection helps keep your data protected, whether it's stored on-premises or in the cloud. Today, I'm going to talk about how you can protect access to your data using Azure Active Directory, Microsoft's Identity and Access Management solution.

Hackers work hard to steal credentials. Stealing credentials is the easiest way to sneak into a network undetected, which is why controlling and protecting identities needs to be your first line of defense. Considering that the majority of cybersecurity attacks trace back to lost, weak or compromised user credentials, it's clear you need more security than passwords will ever give you.

Below are some of the great features in Azure AD that put stronger locks on your front door so you only let in people you trust.

Set conditions to protect access

Protecting data starts with securing identities and controlling access, and Azure Active Directory helps you protect your organization beginning at the front door. But one critical aspect of good security is that it's nearly invisible to good users. Excessive friction inhibits productivity, and good users will find ways to work around things that block their productivity, creating risk. While you could challenge every user at every login with multi-factor authentication (MFA), ideally you'd maximize productivity by allowing good users to get their work done with few interruptions, all while stopping the bad guys in their tracks.

Azure AD Conditional Access allows you to do just that. Previously, you might've had to say, No access from off the corporate network or, No access from a personal device, but Azure AD Conditional Access allows you to say instead, Yes, but there are conditions.

The group that users belong to, the location from which they're accessing corporate resources, the health of their device, the sign-in risk, and the user risk are conditions to consider when you're deciding whether you'd like to block access, grant access, or challenge the user with MFA.
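To make the "Yes, but there are conditions" model concrete, here is an added example (not Azure AD code) of a small policy evaluator in Python. It models the conditions named above (group membership, location, device compliance, sign-in risk and user risk) and the block/grant/MFA decision, with a block outranking any grant control, as it does in Azure AD. The policy names, groups, apps, trusted IP range and risk levels are assumptions constructed for the example.

```python
"""Toy conditional access evaluator. Added example; not Azure AD code. Policy
shapes, group names, apps, the trusted IP range and risk levels are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed "named location" representing the corporate network.
TRUSTED_LOCATIONS = [ip_network("203.0.113.0/24")]
RISK = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class SignIn:
    user: str
    groups: frozenset            # Azure AD groups the user belongs to
    app: str                     # cloud app being accessed
    ip: str
    device_compliant: bool       # device health as reported by Intune
    sign_in_risk: str = "none"   # risk of this particular attempt
    user_risk: str = "none"      # cumulative risk that the account is compromised


@dataclass(frozen=True)
class Policy:
    name: str
    groups: frozenset                        # in scope if the user is in any of these
    apps: frozenset = frozenset({"*"})       # "*" means all cloud apps
    user_risk_at_least: Optional[str] = None
    sign_in_risk_at_least: Optional[str] = None
    only_outside_trusted: bool = False       # skip when the sign-in comes from a trusted location
    require_compliant_device: bool = False
    control: str = "grant"                   # "grant", "mfa", "password_change" or "block"


def from_trusted_location(ip: str) -> bool:
    return any(ip_address(ip) in net for net in TRUSTED_LOCATIONS)


def applies(p: Policy, s: SignIn) -> bool:
    """Every configured condition must hold for the policy to be in scope."""
    if not (p.groups & s.groups):
        return False
    if "*" not in p.apps and s.app not in p.apps:
        return False
    if p.user_risk_at_least and RISK[s.user_risk] < RISK[p.user_risk_at_least]:
        return False
    if p.sign_in_risk_at_least and RISK[s.sign_in_risk] < RISK[p.sign_in_risk_at_least]:
        return False
    if p.only_outside_trusted and from_trusted_location(s.ip):
        return False
    return True


def evaluate(s: SignIn, policies):
    """Returns (decision, names of policies that applied). A block from any policy wins;
    otherwise every grant control of every applicable policy has to be satisfied."""
    matched = [p for p in policies if applies(p, s)]
    names = [p.name for p in matched]
    if any(p.control == "block" for p in matched):
        return "block", names
    if any(p.require_compliant_device and not s.device_compliant for p in matched):
        return "block", names          # the device cannot satisfy this control interactively
    controls = sorted({p.control for p in matched if p.control != "grant"})
    return ("+".join(controls) if controls else "grant"), names


# Constructed policy set mirroring the conditions named in the text.
POLICIES = [
    Policy("MFA off the corporate network", frozenset({"Finance"}), frozenset({"SharePoint"}),
           only_outside_trusted=True, control="mfa"),
    Policy("MFA on medium+ sign-in risk", frozenset({"All Users"}),
           sign_in_risk_at_least="medium", control="mfa"),
    Policy("Password change on high user risk", frozenset({"All Users"}),
           user_risk_at_least="high", control="password_change"),
    Policy("Finance needs a compliant device", frozenset({"Finance"}), frozenset({"SharePoint"}),
           require_compliant_device=True),
    Policy("Contractors never reach HR", frozenset({"Contractors"}), frozenset({"HR"}), control="block"),
]

FIN = frozenset({"All Users", "Finance"})
CON = frozenset({"All Users", "Contractors"})

if __name__ == "__main__":
    for s in [
        SignIn("alice", FIN, "SharePoint", "203.0.113.10", True),
        SignIn("alice", FIN, "SharePoint", "198.51.100.7", True),
        SignIn("bob", FIN, "SharePoint", "203.0.113.11", True, sign_in_risk="medium"),
        SignIn("carol", FIN, "SharePoint", "198.51.100.7", True, user_risk="high"),
        SignIn("dave", CON, "HR", "203.0.113.12", True),
        SignIn("erin", FIN, "SharePoint", "203.0.113.13", False),
    ]:
        print(s.user, s.app, s.ip, "->", evaluate(s, POLICIES))
```

Two behaviours are worth noticing: the block policy for contractors applies regardless of any other policy, and a policy that requires a compliant device cannot be satisfied by MFA, so an unmanaged device is blocked rather than challenged. That is the practical difference between a grant control the user can satisfy interactively and one that depends on device state reported by Intune.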


Evaluate risk before granting access

Azure AD Identity Protection lets you define conditional access policies based on a risk calculation enhanced by Microsoft's Intelligent Security Graph, the cumulative intelligence we collect from our products, services, internal teams, and external sources. Based on this data, we calculate the risk of an individual user or of a sign-in attempt. Azure AD Identity Protection will notify you if it detects suspicious behavior, help you investigate, and take automated action such as blocking a sign-in or triggering a password reset.

Give people the right level of permissions, only when they need it

The higher a user's privileges, the bigger the potential damage if their account gets compromised. Azure AD Privileged Identity Management helps you bring hygiene to your privileged accounts by providing visibility into admin accounts so you can monitor their activity. With this visibility you can revoke permanent privileged access from people who don't need it all the time and grant just-in-time privileged access temporarily instead.

Define special controls for groups and their members

The Dynamic Groups feature automatically adds or removes members from a group based on user attributes that you define. You can use these groups to provide access to applications or cloud resources like SharePoint sites.

Get information on users, groups, and managed applications

Azure AD reporting gives you insight into the detailed activities happening in your environment. View sign-in activities for individual users and understand which applications people are using and who's using them. Audit logs will show you a list of privileged actions, such as role creation, password resets, and changes to groups, as well as show you applications that have been added, updated, or removed.

We encourage you to:

In the next blog post of this series, we'll be digging into how to protect data in cloud apps with Microsoft Cloud App Security.

Thank you for your attention and support!

Enterprise Mobility + Security Marketing Team

Update 1706 for Configuration Manager Technical Preview Branch – Available Now!


Hello everyone! We are happy to let you know that update 1706 for the Technical Preview Branch of System Center Configuration Manager has been released. Technical Preview Branch releases give you an opportunity to try out new Configuration Manager features in a test environment before they are made generally available. This month’s new preview features include:

  • Include trust for specific file paths in Device Guard policies – Optionally, include trust for a specific local file or folder path on clients running a Device Guard policy. Any binaries at the locations specified in the policy can run on targeted clients when enforcement is enabled in the policy.
  • Register Windows 10 devices with Azure Active Directory – A new client setting (in the Cloud Services group) is enabled by default to automatically register new Windows 10 domain-joined devices with Azure AD.
Application Lifecycle and Content
  • Specify a different install content location and uninstall content location for a deployment type – You can now specify a different install content location and uninstall content location for a deployment type. Additionally, you can also leave the uninstall content location empty.
  • Improvements for Software Update Points in Boundary Groups – Boundary groups now support configuring the time for fallback for software update points.
Operating System Deployment
  • PXE network boot support for IPv6 – In an IPv6-only network, boot a device via PXE to start a task sequence OS deployment.
  • Hide task sequence progress – Easily toggle when the task sequence progress is or is not displayed to the end user, on a granular step-by-step basis.
Conditional Access
  • Device Health Attestation assessment for compliance policies for conditional access – Use Device Health Attestation status as a compliance policy rule for conditional access to company resources.
Software Updates
  • Manage Microsoft Surface driver updates – You can now use Configuration Manager to manage Microsoft Surface driver updates.
  • Windows Update for Business policy setting configuration – Use configuration items to configure deferral settings for Windows Update for Business.
Core Infrastructure
  • Site Server Role High Availability – You can now add a primary site server in ‘passive mode’ to your standalone site to increase availability.
  • Create and run scripts – Create and run scripts from Configuration Manager.
  • Upgrade Readiness added to Azure Services Wizard – You can now use Azure Services Wizard to connect ConfigMgr to Upgrade Readiness in Windows Analytics to synchronize data to assess device compatibility with Windows 10.
  • Accessibility improvements in the Configuration Manager console – This preview introduces several improvements to the accessibility features in the Configuration Manager console.

This release also includes the following improvement for customers using System Center Configuration Manager connected with Microsoft Intune to manage mobile devices:

  • Android and iOS Enrollment Restrictions – Admins can now specify that users cannot enroll personal Android or iOS devices in their hybrid environment, limiting enrollment to predeclared company-owned devices or DEP-enrolled devices only.
  • New options for compliance policies – You can now configure new options for compliance policies that were previously only available in Intune standalone.
  • New compliance policy actions – You can now configure actions for compliance policies. These actions include setting a grace period for devices that are noncompliant before they lose access to company resources, and creating emails to be sent to users with noncompliant devices.
  • New settings for Windows configuration items – You can now configure new Windows configuration item settings that were previously only available in Intune standalone.
  • Cisco (IPsec) support for iOS VPN Profiles – Admins can now use Cisco (IPsec) as a connection type for VPN profiles for iOS.
  • App Protection settings to block printing and contact sync – Additional settings have been added to block printing and contact sync on Intune-enlightened applications.
  • PFX certificate creation and distribution and S/MIME support – Admins can create and deploy PFX certificates to users utilizing an Entrust certification authority. These certificates can then be used for S/MIME encryption, decryption, and authentication by devices that the user has enrolled.

Update 1706 for Technical Preview Branch is available in the Configuration Manager console. For new installations please use the 1703 baseline version of Configuration Manager Technical Preview Branch available on TechNet Evaluation Center.

We would love to hear your thoughts about the latest Technical Preview! To provide feedback or report any issues with the functionality included in this Technical Preview, please use Connect. If there's a new feature or enhancement you want us to consider for future updates, please use the Configuration Manager UserVoice site.


The System Center Configuration Manager team

Configuration Manager Resources:

Documentation for System Center Configuration Manager Technical Previews

Try the System Center Configuration Manager Technical Preview Branch

Documentation for System Center Configuration Manager

System Center Configuration Manager Forums

System Center Configuration Manager Support

Download the Configuration Manager Support Center

Disaster recovery for Remote Desktop Services: New resources available


This post is authored by Haley Rowland, Program Manager, Remote Desktop Services.

We’ve published new documentation on how to protect the resources running in your RDS deployment and enable disaster recovery through a geo-redundant RDS deployment.

When you deploy Remote Desktop Services into your environment, it becomes a critical part of your infrastructure, particularly the apps and resources that you share with users. If the RDS deployment goes down due to anything from a network failure to a natural disaster, users can't access those apps and resources, and your business is negatively impacted. To avoid this, you can configure a disaster recovery solution that allows you to fail over your deployment: if your RDS deployment is unavailable, for whatever reason, there is a backup available to automatically take over.

To keep your RDS deployment running in the case of a single component or machine going down, we recommend configuring your RDS deployment for high availability. You can do this by setting up an RDSH farm and ensuring your Connection Brokers are clustered for high availability.

The disaster recovery solutions we recommend protect your deployment from a catastrophic disaster, something that takes down your entire RDS deployment (including redundant roles configured for high availability). If such a disaster hits, having a disaster recovery solution built into your deployment will allow you to fail over the entire deployment and quickly get apps and resources up and running for your users.

Use the following information to deploy disaster recovery solutions in RDS:

  • Leverage multiple Azure data centers to ensure users can access your RDS deployment, even if one Azure data center goes down (geo-redundancy)
  • Deploy Azure Site Recovery to provide failover for RDS components in site-to-site or site-to-Azure failovers

Azure Information Protection “Do not track” feature now in Preview


Hi everyone, and welcome to an important post for those of you who have been using the document tracking and revocation feature. We received feedback from some of you around privacy and compliance when using this feature, and we've tried to address that with this release.

We are excited to release in preview the new Do not track feature, which gives organizations the flexibility to configure a group of users within their company who should not be tracked for privacy or compliance reasons.

You can now configure Do not track for users by adding them to a mail-enabled group in Azure AD (it can be a cloud-native or a synced group) and specifying that group's email address. Once configured, you will no longer be able to track the activities of the users in this group. Admins can configure the feature for specific groups by running new PowerShell commands added to the admin tool.

Let's take a deeper look

If your organization has users whose document tracking activities should not be tracked for privacy and/or compliance reasons, add them to a group that is stored in Azure AD, and specify this group with the Set-AadrmDoNotTrackUserGroup cmdlet.

For the members of this group, activities related to documents that others have shared with them are not logged to the document tracking site. In addition, no email notifications are sent to the user who protected and shared the documents.
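The configuration step described above, as an added example that is not part of the original post. It uses the Set-AadrmDoNotTrackUserGroup cmdlet named on the page together with the companion Connect-AadrmService and Get-AadrmDoNotTrackUserGroup cmdlets from the same AADRM module, plus Get-AzureADGroup from the AzureAD module to check that the group is mail-enabled before it is configured; the group email address is a constructed placeholder.

```powershell
# Placeholder for the mail-enabled Azure AD group whose members must not be tracked.
# The group name on the page is AIPDonotTrack; the address below is an assumption.
$DoNotTrackGroupEmail = 'AIPDonotTrack@contoso.example'

# Sanity check (AzureAD module): the group must exist and be mail-enabled,
# otherwise the document tracking site cannot resolve its membership.
Connect-AzureAD | Out-Null
$group = Get-AzureADGroup -Filter "Mail eq '$DoNotTrackGroupEmail'"
if (-not $group) {
    throw "No Azure AD group with mail address $DoNotTrackGroupEmail"
}
if (-not $group.MailEnabled) {
    throw "Group $($group.DisplayName) exists but is not mail-enabled"
}

# Record the current setting before changing it, so the change is auditable
# and can be reverted if the wrong group was specified.
Connect-AadrmService
$before = Get-AadrmDoNotTrackUserGroup
Write-Host "Do not track group before change: $($before)"

# Apply the setting named on the page.
Set-AadrmDoNotTrackUserGroup -GroupEmailAddress $DoNotTrackGroupEmail

# Verify the tenant now points at the intended group.
$after = Get-AadrmDoNotTrackUserGroup
if ($after -ne $DoNotTrackGroupEmail) {
    throw "Expected $DoNotTrackGroupEmail, tenant reports $after"
}
Write-Host "Do not track group is now: $after"
```

Existing activity recorded before the change remains visible on the Timeline and Map pages, as the questions below explain, so run this before users begin sharing the documents concerned.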

As you can see in the example below, Bob is a member of the AIPDonotTrack group.

We have a document shared with both Bob and Tim:

Bob and Tim both viewed the document, but we can only see Tim's document tracking activities, because Bob is in the AIPDonotTrack group.

A few questions you may have

I have added users to the Do not track group and yet I see their previous document tracking activity in the portal. Why?
This is expected behavior. You will see the users' previous document tracking activities (from before they were added to the Do not track group) on the Timeline and Map pages in the portal. The List page, on the other hand, shows only the most recent activity per user, so it will not contain the Do not track users' activity.

Will admins still be able to track Do not track users' document tracking activities?
Yes, but that will be supported soon. Until then, no user (including global admins) can view the document tracking activities of Do not track users.

Can Do not track users still track and revoke their protected documents?
Absolutely. When you use this configuration in your company, all users, including the Do not track user group, can still use the document tracking site and revoke access to documents that they have protected.

We know this can be a lot to absorb, and we are here to help! Engage with us on Yammer, Twitter or send us an e-mail to

It really is very easy to get started with AIP. We have a lot of information available to help you, from great documentation to engaging with us via Yammer and e-mail. What are you waiting for? Get to it!

Thank you,

Dan Plastina on behalf of our enthusiastic Azure IP team.
Twitter: @DanPlastina
Useful links: (PDF)

