Active Directory (English)

Improving experience for VPN profiles for ConfigMgr and Hybrid MDM

AD -

Starting in the System Center Configuration Manager 1709 Technical Preview, we’re making it easier to determine which VPN profile settings are supported on each platform – like the changes we’ve made to compliance policies and configuration items. When creating a new VPN profile, you’ll first choose the platform it applies to, and then all the settings in the following wizard pages will apply to the selected platform. This will make it much easier to avoid creating an invalid profile – which will in turn reduce the need to troubleshoot broken VPN profiles or to contact support.

We started down this path several releases ago when we split the Windows 10 VPN workflow from the all platforms workflow. Now, we’ve split up all the supported platforms so they’ll each have their own path.

In addition to splitting out the workflows by platform, we’ve also combined the Configuration Manager client and hybrid mobile device management (MDM) workflows for Windows 10, since both management methods now support the same settings. For Windows 8.1, we’ve clearly marked the settings supported by Configuration Manager only, and we’ve retained the import option.

Finally, we’ve removed the Automatic VPN page, since all the settings configured by this page were deprecated by their respective platforms, making this page obsolete.

In this blog post, we’d like to answer some questions you may have.

Why did you make this change?

The main driver for this change is to prevent customers from inadvertently creating invalid VPN profiles. Prior to this change, all VPN settings for all platforms supported by Configuration Manager were exposed in the all platforms workflow. Some settings were labeled by platform (specifically, per-app VPN for iOS), but beyond this it was hard to tell which settings applied to which platform; also, the Automatic VPN page was still there even after it had become obsolete.

Customers and support staff would then ask why a specific configuration wasn’t working correctly. In most cases, they had created a profile with settings that were not supported by the platform. Sometimes the setting was supported for one of the targeted platforms, but not another, and it was impossible to tell from the user experience. Finding out that the configuration the customer wanted to use wasn’t supported was disappointing and frustrating for everyone involved. These changes are designed to prevent these issues.

In earlier releases, we made similar changes in compliance policies and configuration items for the same reason. VPN is the first of the company resource access profiles to get this treatment, and while it was mainly designed to improve the experience for MDM profiles, the updates benefit devices managed by the Configuration Manager client as well – particularly because the Windows 8.1 settings are clearly set apart from all the mobile platforms now.

What about my existing profiles?

We understand that many of our customers use VPN profiles for multiple platforms, and by this point, you might be concerned. However, you don’t need to worry about your existing profiles; one of our goals was to ensure that all existing profiles continue to work as they did before the change. When you upgrade, you will still see the same properties pages, and no changes will be made to the profiles themselves. All new profiles will use the new experience, but all existing profiles will still use the previous experience.

Let us know what you think!

If you’re eager to have similar changes applied to other profile types, please leave a request on UserVoice:

If you still have questions, or are experiencing issues, reach out to your Microsoft contact or support team.

You can also find more information about this change here.



Tyler Castaldo

Program Manager, Enterprise Mobility

Update 1709 for Configuration Manager Technical Preview Branch – Available Now!


Hello everyone! We are happy to let you know that update 1709 for the Technical Preview Branch of System Center Configuration Manager has been released. Technical Preview Branch releases give you an opportunity to try out new Configuration Manager features in a test environment before they are made generally available. This month’s new preview features include:

  • Co-management – Co-management is a solution where Windows 10 devices with Fall Creators Update can be concurrently managed by Configuration Manager and Intune, as well as joined to Active Directory (AD) and Azure Active Directory (Azure AD) to provide a way for you to modernize Windows 10 management over time. You can read more about co-management here.

This release also includes the following improvement for customers using System Center Configuration Manager connected with Microsoft Intune to manage mobile devices:

  • Improved VPN Profile Experience in Configuration Manager Console – VPN profile settings are now filtered according to platform. When you create new VPN profiles, each supported platform will contain only the settings appropriate for the platform. Existing VPN profiles are not affected. You can read more about this change here.

Update 1709 for Technical Preview Branch is available in the Configuration Manager console. For new installations please use the 1703 baseline version of Configuration Manager Technical Preview Branch available on TechNet Evaluation Center.

We would love to hear your thoughts about the latest Technical Preview! To provide feedback or report any issues with the functionality included in this Technical Preview, please use Connect. If there’s a new feature or enhancement you want us to consider for future updates, please use the Configuration Manager UserVoice site.


The System Center Configuration Manager team

Configuration Manager Resources:

Documentation for System Center Configuration Manager Technical Previews

Try the System Center Configuration Manager Technical Preview Branch

Documentation for System Center Configuration Manager

System Center Configuration Manager Forums

System Center Configuration Manager Support

Download the Configuration Manager Support Center

Improving access control with three new Azure AD public previews


Howdy folks,

It was great to get to meet so many of you at Ignite last week! Thanks a ton for stopping by the booth and making time to attend our sessions. If you were at Ignite or follow our blog, you know we announced a ton of new Azure AD capabilities last week. As a follow-up, we’re going to do a few posts that cover the new capabilities we turned on in more detail. First up, let’s take a look at some of the new access control features we’ve just put into public preview.

As customers increasingly adopt Azure AD, we’ve received a ton of requests for features that help make sure the right people have access to the right resources, and that give enterprises control of and visibility into this access. In response to that feedback, we’re pushing three new and exciting features in Azure AD to public preview:

  1. Extending Azure AD Privileged Identity Management to include Azure RBAC roles.
  2. Automated, periodic access reviews
  3. Automated Terms of Use administration and reporting

Here’s a quick tour of each of these new public previews.

Privileged Identity Management – extended to managing in Azure

Azure AD Privileged Identity Management (PIM) is already generally available for managing Azure AD roles, which are used to administer Azure AD and other Microsoft online services. The top request we’ve seen in the feedback forum for Azure AD PIM is to bring just-in-time role activation, access reviews, and reports to Azure resources. We know these upgrades will help organizations address the challenges of large-scale IaaS administration, so we’ve added them and are now making them available in public preview.

This new preview shows up in the Azure portal as part of the Azure AD PIM UI alongside the recent approval workflows preview.

With this Azure AD PIM preview for Azure RBAC, you can now:

  • Ensure the right users are assigned to Azure subscriptions, by starting an access review of any role in the subscription and asking a resource owner or the users themselves to confirm they still need access
  • Control exposure of business-critical Azure assets by making users, either individually or via a group, eligible to activate a role to manage resources
  • Limit how long a user can be activated in a role, and set an expiration date for a user’s or group’s role membership
  • Get reports about users and groups with role assignments in Azure subscriptions, resource groups and resources, who activated their roles, and what users did in Azure while activated
  • Let users take charge of their own role activity, requiring them to provide a justification or to authenticate with multi-factor authentication before they activate a role

For example, you can make a user, including a guest user, eligible for an Azure resource group’s role. Once you’ve done that, that user can activate the role when they need to make a change to the resource, and you can see a report of the changes the user made in Azure while they were activated.

If you’re already using Azure AD PIM, you’ll see “Azure resources” in the Manage section.

If you’re not already using PIM, take a look at the instructions to enable Privileged Identity Management for your directory to get started. Read more about this exciting new preview at PIM for Azure resources (Preview).

Note: Azure PIM is an Azure AD Premium 2 feature.

Access reviews for attestation

The second new feature in preview is access reviews of users in groups and assigned access to applications. We’ve already included access reviews for admins in directory roles in Azure AD PIM, and now we’re expanding how access reviews can be used for groups and application access.

There are quite a few ways to control application access in Azure AD. A lot of organizations use groups in AD or Azure AD to control access. Users can also request application access. And now, the new Office 365 groups feature allows more users across your organization to create their own groups and pick who they want in those groups. (We’ve added a preview of automatic expiration of Office 365 groups to ensure the number of groups doesn’t get overwhelming).

Of course, over time, group memberships and application access assignments can get stale: people change jobs or no longer need access to a particular application. Maybe a guest who was given access isn’t affiliated with their original organization any longer. This staleness can cause a problem for protecting business-sensitive assets or applications subject to compliance. To avoid access getting out of hand, organizations can now schedule access reviews to make sure only the users they want to have access to their assets and applications are able to access those things.

An access review asks users to recertify (or “attest”) to access rights to an app or membership in a group. You can ask users to review their own rights or select reviewers to review everyone in a group or everyone assigned access to an app. You can also ask the group owners to review. And finally, for those organizations that have other processes in place to manage employee access, you can scope the review to include only guest members or guests who have access.

Reviewers will receive an email so they can see the reviews in the access panel. Azure AD includes access highlights and recommendations that help reduce how long it takes for a review to be completed.

The results are aggregated and then, based on those results, the admin can choose when to make changes and remove the denied users’ access.

This particular preview includes access reviews for:

  • Members of Office 365 groups
  • Members of security groups and DLs, including groups originating from on-premises AD
  • Users who have application access, including users who are members of groups assigned to enterprise applications

And we’ll be adding more features and scenarios in the future!

For even more information on access reviews, you can check out the access review overview and turn on the preview for your tenant at

Note: Access reviews are an Azure AD Premium 2 feature

Terms of use

Our third preview being announced today is a terms of use access control we’ve added to Conditional Access.

With terms of use, you can require a user to view and consent to your organization’s terms of use before they’re able to access an application. The terms can be any document relevant to your organization’s business or legal policies. Just start by uploading a PDF of that document to Azure AD, then, through conditional access policies, target the terms to be visible to groups of users or specific applications. If a user is in scope of this control, they’ll only receive access to the application if they’ve agreed to the terms presented.

You can see in the Azure AD audit reports who consented to each terms of use and when they consented.

You can also configure multiple conditional access policies, using different policies for different applications or groups of users. For example, you might want to have everyone who has access to a privacy-sensitive application use multi-factor authentication to sign in and agree to the terms of use for that application.

Read more about this feature at Azure Active Directory Terms of Use (Preview).

Note: Terms of Use is an Azure AD Premium 1 feature

Try them out!

I hope you’ll try out these new features and let us know what you think. If you’re interested in taking these new features for a test drive and you don’t have EMS yet, get a free trial of Enterprise Mobility + Security E5.

Please keep sharing your ideas on the Azure AD feedback forum. We want to hear from you!

Best Regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division

Azure Information Protection Status Update – September 2017


Hello again to our AIP community! In case you missed it, you can find last month’s posting here and of course, we’re listening to your feedback and feature requests. Speaking of which, it’s been a busy month with a HUGE set of updates to both the client and for admins!

Before we get into those details, please take a minute to look at all the announcements we made at Ignite this week. Office 365 Message Encryption (previously Secure Mail) is now GA. Attend this webinar to learn more about the feature. Integration with Conditional Access is in public preview and preview for MCAS integration and Scanner are coming this month!

AIP Client:

The current GA client is now!

  • Enjoy more than 80 pre-defined information types when configuring a label condition. All pre-defined information types are aligned with Office 365 DLP information types (more information here)
  • Introducing a new label action, set custom permission. When applied in Word, Excel, PowerPoint or via the classify and protect app, users are prompted to define the permission scope for this item i.e. which users/groups and protection settings.
  • Introducing a new vertical menu. Users can now label an item by clicking the protect button in Word, Excel, PowerPoint and Outlook. This is an alternative to the horizontal bar.
  • This client can display label names, descriptions and Policy Tips in a user’s local language. The additional languages are specified by the admin, and then the client displays based on the Windows and Office settings.
  • PowerShell commands improvements:
    • Introduce new cmdlets, Set-AIPAuthentication and Clear-AIPAuthentication, to support scenarios of running PowerShell cmdlets on an unattended server.
    • Introduce an option to label files on behalf of another user (-Owner) and to preserve the file details such as last modified user and last modified time (-PreserveFileDetails).
  • Plus as always a number of fixes and updates:
    • Support for generically protecting large files that previously could be corrupted if larger than 1 GB. The file size is now limited only by available hard disk space and available memory.
    • The Azure Information Protection client viewer opens protected PDF (.ppdf) files as view-only.
    • Support for Exchange online mode.
    • Support for labeling and protection of files stored on SharePoint Server.
    • Watermarks now support multiple lines. In addition, visual markings are now applied to a document on the first save only rather than every time a document is saved.
    • The Run Diagnostics option in the Help and Feedback dialog box is replaced with Reset Settings. The behavior for this action has changed to include signing out the user and deleting the Azure Information Protection policy.
    • Support for proxy servers that require authentication.
    • Email validation when users specify custom permissions. Also, multiple email addresses can now be specified by pressing Enter.
    • The parent label is not displayed when all its sub-labels are configured for protection and the client does not have an edition of Office that supports protection.
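The unattended-server scenario the cmdlet list above describes, as an added example that is not part of this post and not the AIP team’s own script: it signs in once with Set-AIPAuthentication, labels every unlabeled Office and PDF file in a share on behalf of a business owner (-Owner) without rewriting the last-modified details (-PreserveFileDetails), and clears the cached token at the end. The label GUID, app registration IDs, share path and owner address are placeholders; the AzureInformationProtection module ships with the AIP client.

```powershell
# Added example (not from the AIP post): unattended labeling with the AIP client's PowerShell module.
# Assumes the AIP client is installed on the server and an app registration has been prepared for
# Set-AIPAuthentication, as the client documentation describes. Every ID and path below is a placeholder.
Import-Module AzureInformationProtection

$labelId     = '00000000-0000-0000-0000-000000000000'   # placeholder: label GUID copied from the Azure portal
$webAppId    = '<web-app-id>'                            # placeholder: app registration for unattended sign-in
$webAppKey   = '<web-app-key>'                           # placeholder: read it from a vault, never hard-code it
$nativeAppId = '<native-app-id>'                         # placeholder
$share       = '\\FS01\Finance'                          # placeholder: repository to label
$ownerEmail  = 'finance-owner@contoso.com'               # placeholder: content owner recorded on the files

# Sign in once as the service identity so the cmdlets below run without an interactive prompt
Set-AIPAuthentication -WebAppId $webAppId -WebAppKey $webAppKey -NativeAppId $nativeAppId

$results = Get-ChildItem -Path $share -Recurse -File -Include *.docx, *.xlsx, *.pptx, *.pdf |
    ForEach-Object {
        # Leave files that already carry a label untouched (IsLabeled comes from Get-AIPFileStatus)
        $status = Get-AIPFileStatus -Path $_.FullName
        if ($status.IsLabeled) {
            Write-Verbose "Skipping already labeled file $($_.FullName)"
            return
        }
        # -Owner records the business owner rather than the service account;
        # -PreserveFileDetails keeps the last-modified user and time so audits stay meaningful
        Set-AIPFileLabel -Path $_.FullName -LabelId $labelId -Owner $ownerEmail -PreserveFileDetails
    }

# Set-AIPFileLabel reports a Status (and a Comment) per file; summarise the run for the job log
$results | Group-Object -Property Status | Select-Object Name, Count
$results | Where-Object { $_.Status -ne 'Success' } | Select-Object FileName, Status, Comment

# Drop the cached credentials when the job is done
Clear-AIPAuthentication
```

Run it under the service account with `-Verbose` to see which files were skipped; the app key belongs in a credential store that the service account can read, not in the script file, and the share should be labeled in small batches first so a wrong label GUID is caught before it is stamped across the repository.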

The latest Preview client now posted is which contains a number of new features and fixes.

  • Admins can set a different behavior of the default label in Outlook vs. in Word, Excel and PowerPoint. For example the policy can enforce one (or no) default label in Outlook while enforcing a different (or no) default label in the other applications. To experience this feature you can define a default label in Outlook that will override that default label that was set in the Admin UI.
  • On the custom permissions dialog, users can now find and select users by clicking the address book icon available in Word/Excel/PowerPoint as well as in the classify and protect app.
  • Support for sharp graphics and text on dynamic dots-per-inch (DDPI) monitors for the classify and protect app, the viewer and Office 2016 Click-To-Run. When working with two monitors with different DPI settings, graphics and text are displayed the same on both monitors.
  • Major bug fixes in this preview version:
    • Fix a set of specific Office crashes after AIP upgrade
    • Performance and memory consumption improvements in Office
    • User defined permissions in classify and protect app
    • Ability to apply AD RMS protection when working in a HYOK environment

For Admins:
  • Allow information workers to hide the information protection bar in applications. This can be defined per scope.
  • Choose whether the Do Not Forward button in Outlook’s main ribbon is displayed or not.
  • Control whether the set custom permission option is available or not.
  • Set which font is used for content marking. If no specific font is specified, the Calibri font is used.

These updates were heavily influenced by your great feedback, and allowed us to ship new features, verify bug fixes and generally improved our product. We thank you for this ongoing engagement!

Upcoming milestones and other things to be aware of:
  • We’re adding a new feature to the new OneDrive sync client: the ability to sync IRM-protected SharePoint document libraries and OneDrive locations. Learn more about this Preview here.
  • The RMS Protection tool is moving to End Of Life on February 10 2018. This functionality is replaced by the AIP Client.
  • With regards to templates and labels, we have moved to protection being an attribute of labels, and not standalone templates as was the case with RMS. This means a few things:
    • Templates were initially designed to define sets of rights granted to groups and users. In most cases this was a technical implementation answering a need to protect data according to an information handling policy. Labels represent a business policy of how information should be managed, with optional protection of the data, when specified, enforced by the template.
    • In order to deliver on this, we need to maintain a one to one mapping between a label and its associated protection template. As you move from templates to labels, you can convert the template to a label, however if you want to apply the same permissions multiple times, you will need to create a new label for each additional use and specify the protection attributes.
  • A reminder that the Azure classic portal is going to be retired on Nov 30. For more info please see this blog. We also have a great set of migration guidance in our Docs.

As we let you know previously, we have adopted UserVoice as a platform for you to tell us what we should be working on, and I would ask and encourage you all to take a look and place your votes to help us understand the priorities you have.


Hopefully this helps you with your testing, planning and deployments; we welcome your commentary and feedback. We also know this can be a lot to absorb, and we are here to help! Engage with us on Yammer or Twitter and let us know what’s important to you by voting on UserVoice!

It really is very easy to get started with AIP. We have a lot of information available to help you, from great documentation to engaging with us via Yammer and e-mail. What are you waiting for? Get to it!

Thank you,

Adam Hall on behalf of the Azure Information Protection team.
Twitter: @adhall_msft
Useful links:

How Microsoft Advanced Threat Analytics detects golden ticket attacks


If you’re in the business of threat detection, you are probably familiar with the term golden ticket. For those less familiar, a golden ticket is the name of a Kerberos ticket that is manually created by an attacker after gaining access to your environment’s encryption “master key”. A golden ticket allows an attacker to masquerade as any user or gain the permissions of any role at any time they want, giving them full control over your environment.

Being able to detect this kind of attack has historically been difficult, because the adversary is leveraging credentials with the same key your Active Directory uses.

What can you do about it? This article provides more detail, but in short, you can:

  1. Reduce privileged account exposure by lowering the number of privileged administrators while also implementing “Just Enough Admin” and “Just in Time” access for administrators.
  2. Implement Microsoft Advanced Threat Analytics (ATA), a detection solution that reveals when an adversary has compromised credentials, is using a golden ticket, and/or is moving laterally on your network, escalating privileges, and exerting domain dominance.

How Microsoft ATA can help

Microsoft ATA detects the malicious replication of directory services, which is a method an attacker uses to obtain the master key to your environment. Mimikatz’s DCSync and Impacket’s secretsdump are two tools that an adversary may use to replicate the Kerberos encryption master key (the key of the KRBTGT account) from a domain controller. Microsoft ATA detects the use of these tools and tactics.

ATA learns normal replication and ticket usage patterns to automatically detect and alert if an attacker steals the master key. More importantly, Microsoft ATA will alert you when an adversary begins using a golden ticket on your network.

ATA during a Golden Ticket attack

During a golden ticket attack, the ATA console can provide a company’s defenders with useful insight, including:

  • Details about the counterfeit ticket (e.g., the account that the adversary is masquerading as)
  • Which resources were accessed using the counterfeit ticket
  • How long the counterfeit ticket was used

In the example below Microsoft ATA detected a golden ticket attack, noting the adversary used the counterfeit ticket for 51 hours:

With ATA, the Digital Forensics Incident Response (DFIR) team can actively detect this attack technique, an ability the DFIR team previously did not have, while also gaining insights into the adversary’s actions. In this case, the DFIR team investigated the alert and identified this incident to be the result of an advanced attacker leveraging a golden ticket in their environment.
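To make the detection idea in this post concrete, here is an added example that is not part of the post and not ATA’s own logic: a hunting heuristic over Kerberos audit events. A forged TGT never goes through a domain controller’s AS exchange, so the impersonated account shows service-ticket requests (Event ID 4769) with no preceding TGT request (Event ID 4768) on any DC, or keeps “using a TGT” for longer than the domain’s maximum ticket lifetime (10 hours by default). The function, the `$MaxTicketAgeHours` parameter and the event records are assumptions and constructed sample data shaped like the fields of the Windows Security events; the sample reproduces the 51-hour usage window mentioned above.

```powershell
# Added example (not ATA's code): a hunting heuristic for golden-ticket style Kerberos activity.
# Input objects carry EventId (4768 = TGT requested, 4769 = service ticket requested), Time,
# Account, Service and Dc. $MaxTicketAgeHours is the domain policy "Maximum lifetime for user ticket".
function Find-SuspiciousTgtUsage {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $MaxTicketAgeHours = 10
    )

    $findings = @()
    foreach ($group in ($Events | Group-Object -Property Account)) {
        $tgtRequests = @($group.Group | Where-Object { $_.EventId -eq 4768 } | Sort-Object Time)
        $tgsRequests = @($group.Group | Where-Object { $_.EventId -eq 4769 } | Sort-Object Time)

        foreach ($tgs in $tgsRequests) {
            # Most recent TGT issued to this account (on any DC) before the service-ticket request
            $lastTgt = @($tgtRequests | Where-Object { $_.Time -le $tgs.Time }) | Select-Object -Last 1

            if ($null -eq $lastTgt) {
                $reason = 'service ticket requested with no preceding TGT request on any DC'
            }
            elseif (($tgs.Time - $lastTgt.Time).TotalHours -gt $MaxTicketAgeHours) {
                $hours  = [math]::Round(($tgs.Time - $lastTgt.Time).TotalHours, 1)
                $reason = "service ticket requested $hours h after the last TGT (limit $MaxTicketAgeHours h)"
            }
            else {
                continue   # a fresh TGT explains this request; nothing to report
            }

            $findings += [pscustomobject]@{
                Account = $group.Name
                Time    = $tgs.Time
                Service = $tgs.Service
                Dc      = $tgs.Dc
                Reason  = $reason
            }
        }
    }
    return $findings
}

# Constructed sample events merged from two DCs. A TGT may be issued by one DC and the service
# tickets requested from another, so the Security logs of every domain controller must be combined.
$t0 = [datetime]'2017-09-25T08:00:00'
$sample = @(
    [pscustomobject]@{ EventId = 4768; Time = $t0;               Account = 'jdoe';          Service = 'krbtgt';        Dc = 'DC01' }
    [pscustomobject]@{ EventId = 4769; Time = $t0.AddMinutes(5); Account = 'jdoe';          Service = 'cifs/FS01';     Dc = 'DC02' }
    [pscustomobject]@{ EventId = 4769; Time = $t0.AddHours(4);   Account = 'jdoe';          Service = 'http/INTRANET'; Dc = 'DC01' }
    # 'Administrator' never obtained a TGT from a DC yet requests service tickets for 51 hours
    [pscustomobject]@{ EventId = 4769; Time = $t0.AddHours(1);   Account = 'Administrator'; Service = 'cifs/DC01';     Dc = 'DC01' }
    [pscustomobject]@{ EventId = 4769; Time = $t0.AddHours(30);  Account = 'Administrator'; Service = 'ldap/DC01';     Dc = 'DC02' }
    [pscustomobject]@{ EventId = 4769; Time = $t0.AddHours(52);  Account = 'Administrator'; Service = 'cifs/FS01';     Dc = 'DC01' }
)

$alerts = Find-SuspiciousTgtUsage -Events $sample
$alerts | Format-Table -AutoSize

# How long each flagged account's counterfeit ticket was in use (the figure the ATA console reports)
$alerts | Group-Object -Property Account | ForEach-Object {
    $times = @($_.Group.Time | Sort-Object)
    '{0}: counterfeit ticket activity spanning {1:N0} hours' -f $_.Name, ($times[-1] - $times[0]).TotalHours
}
```

The heuristic only sees what the DCs log: an attacker who also holds a legitimately issued TGT for the same account within the last ten hours is not flagged, and a collection gap on one DC produces false positives for every account that authenticated there. That is why this is a hunting aid for the DFIR team rather than a replacement for a product that learns per-account ticket usage baselines as ATA does; pair it with the 4769 failure codes and the DCSync-style replication detections that the post describes.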


Advanced Threat Analytics is part of the Microsoft Enterprise Mobility + Security Suite (E3) or the Microsoft Enterprise CAL Suite (ECAL). Start a trial or deploy it now by downloading an Advanced Threat Analytics 90-day evaluation.

Ask your questions and join the discussion with our team on the Microsoft Advanced Threat Analytics Tech Community site!

All the best,

Hayden Hainsworth (@cyberhayden)
Customer & Partner Experience Program Leader, Cybersecurity Engineering
Microsoft Cloud + Enterprise Division

Enterprise Mobility + Security @ Ignite 2017 – Wrap Up


Last week at Microsoft Ignite, more than 25,000 IT professionals converged in Orlando, Florida to learn about Microsoft’s technology advancements, skill up across new products, and meet with Microsoft experts. For EMS we unveiled a wave of new capabilities, presented more than 45 sessions, and met with thousands of customers. I wanted to take a moment and package up all the great information we shared and things we learned from all of you.

We continued to hear from you about the tectonic shifts in IT, with the move towards mobility and use of the cloud for employees, against a backdrop of the rising number of cybersecurity attacks. We passionately believe, and continued to observe throughout the whole week, that IT is uniquely positioned to be the champion of change for this new work experience and digital transformation.

Our vision is to empower you and your organization to achieve more in this digital transformation journey while helping you continue to protect your corporate resources. With Microsoft Enterprise Mobility + Security (EMS), we are committed to an integrated experience across identity, mobility, and security solutions that work across platforms, devices, operating systems, and SaaS apps. I’d like to summarize the announcements we made last week:

Protect at the front door: raising the bar with conditional access

In June we announced the general availability of the new conditional access admin experience in the Azure portal. This new experience delivers powerful simplicity to support admins across EMS, including Azure Active Directory and Microsoft Intune. And conditional access is powered by the Microsoft Intelligent Security Graph, which processes billions of signals to determine user sign-in risk levels. With the new conditional access console experience, you can now create policies that protect at the user, app, location, device, and risk level in minutes. Last week customers of all sizes told us it’s changing the game for them.

But what we’ve delivered to date is only the beginning. At Ignite we announced the expansion to secure a whole new wave of scenarios for our customers:

Controlling and limiting access to cloud apps

With Azure Active Directory Conditional Access, access context, continuous cybersecurity threat intelligence, and the risk signals are put to work to help you control access in real-time. Now, we are expanding conditional access capabilities to Microsoft Cloud App Security to provide better protection of your data in the cloud apps.

Watch the Ignite Session: Productivity and protection for your employees, partners, and customers with Azure Active Directory.

Uniquely integrated with Azure AD conditional access, Cloud App Security can help you perform real-time monitoring and control over your cloud applications. The activities performed within user sessions in SaaS apps can be limited and controlled based on conditions such as user identity, location, device and detected sign-in risk level. For example, you can allow access to SaaS apps from an unfamiliar location or unmanaged device while blocking the download of sensitive documents.

Watch the Ignite session: Bring visibility, data control and threat protection to cloud apps with Cloud App Security.

We also announced that our new conditional access for Azure Information Protection allows organizations to apply access policies to some of their most important data. Policy can be applied to require a user to MFA when accessing Azure Information Protection protected documents, or just when they are off the corporate network or they have been flagged as having an elevated risk. This allows all conditions and controls to be used, also providing the option to require a managed device when accessing protected content.

Watch the Ignite session: Discover what’s new in Azure Information Protection and learn about the roadmap and strategy.

New conditions and custom controls

Last week we announced several new options for customers with time and regional fencing to give control over access based on two new conditional parameters. With time fencing you can restrict access to corporate data to specific hours. Regional fencing makes it easy to block access from specific countries and regions, based on automatic IP address checks. With our new custom controls, you can require acceptance of custom terms of use agreements (which you define) and integrate with selected third party MFA providers when challenging users to authenticate their identity.

Watch the Ignite session: Ensure users have the right access with Azure Active Directory.

Pass-through Authentication

Pass-through Authentication is now generally available as an Azure AD sign-in method, an alternative to Password Hash Sync. It is for organizations who can’t (or don’t want to) permit users’ passwords, even in hashed form, to leave their internal boundaries. It allows users to sign in to both on-premises and cloud applications using the same passwords. This feature provides users a better experience, helps reduce IT helpdesk calls and protects user accounts with Conditional Access policies. It works by securely validating users’ passwords directly against Active Directory using a lightweight on-premises agent.

Watch this video: Azure AD Pass-through Authentication and Seamless Single Sign-on.

Protect sensitive data anywhere

Employees are using more SaaS apps, creating more data, and working across multiple devices. While this has enabled people to do more, it has also increased the risk of data loss: it is estimated that 58% of workers have accidentally shared sensitive data with the wrong person. At Microsoft Ignite we announced several new EMS capabilities to help protect your data throughout its lifecycle, from creation to deletion.

Discovering and identifying data is a critical first step. To help you detect the types and locations of your data, the Azure Information Protection scanner will now be able to scan on-premises repositories such as file servers and SharePoint servers to detect sensitive information and automatically classify, label, and protect it based on your company policies. We also announced that we now provide a new and enhanced Cloud App Discovery experience in Azure AD, powered by Microsoft Cloud App Security. You can discover more than 15,000 cloud apps without any agents on user devices and get ongoing analytics. These capabilities are now available to all Azure AD P1 and EMS E3 customers.

Another critical capability customers need is a consistent and integrated classification, labeling, and protection approach across information protection technologies, enabling persistent protection of your data everywhere.

To provide you better and unified data protection in cloud apps, we are taking the integration between Microsoft Cloud App Security and Azure Information Protection to the next level. Leveraging Microsoft’s information protection capabilities, Microsoft Cloud App Security can scan and classify sensitive data stored in cloud apps and apply Azure Information Protection labels automatically for protection, including encryption.

Finally, we announced the general availability of improvements to Office 365 message encryption, which makes it easier to share protected emails with anybody inside or outside of your organization. Recipients can view protected Office 365 emails on a variety of devices, using common email clients or even consumer email services such as Gmail. Watch this session to learn more about these enhancements: Protect and control your sensitive emails with new Office 365 Message Encryption capabilities.

Watch the Ignite session: Protecting complete data lifecycle using Microsoft information protection capabilities.

Detect threats and recover from attacks

The nature of IT security has changed as the frequency and severity of cybersecurity attacks have grown dramatically. These breaches also reflect a new approach: targeted attacks that compromise credentials across cloud and on-premises environments, then leverage those credentials to access and steal data in your hybrid environment.

To help you detect these attacks, we announced the limited preview of a brand-new service, Azure Advanced Threat Protection for users, that brings our on-premises identity threat detection capabilities to the cloud and integrates them with the Microsoft Intelligent Security Graph. Powered by the graph, our Advanced Threat Protection (ATP) products have a unified view of security event data, so your security operations analysts can investigate an incident from endpoint to end-user to email.

Traditional security tools have a high rate of false positive identifications, and sifting through them to locate the important and relevant alerts can be overwhelming. Azure ATP for users reduces false positives and provides clear attack information on a simple timeline for fast triaging, with an end-to-end investigation experience. Leveraging the depth and breadth of Microsoft's vast amount of security intelligence, Azure ATP for users helps you protect your identities both on-premises and in the cloud.

Watch this session from Ignite: Learn about Microsoft Advanced Threat Analytics Futures.

Modernizing management of Windows 10

Digital transformation also requires organizations to modernize their IT infrastructure, policies and processes to lower costs, simplify device and app management, and provide a better experience for both users and IT Pros. We designed Microsoft 365 for this reason, and we are excited to announce new improvements to make it easier for customers to realize the full benefits of Microsoft 365 by enhancing the ability to deploy and manage Windows 10 and Office 365 ProPlus from the cloud.

First, we are enabling a bridge to modern management for existing System Center Configuration Manager (ConfigMgr) customers with co-management, which allows Windows 10 devices to be managed by both the ConfigMgr agent and Intune MDM at the same time. For example, customers will be able to transition the management of VPN profiles, OS updates, and conditional access checks from ConfigMgr to Intune while continuing to use ConfigMgr for other workloads. Over time, customers will be able to move more workloads to Intune. This unique ability enables customers to start their journey to cloud-based management in small, manageable steps with lower risk while maintaining the control they expect.

We are also excited to announce the Intune Management Extension, which provides Windows 10 management functionality beyond what is currently available through the MDM channel. This new feature allows our customers to automate actions on the endpoint by running PowerShell scripts from the cloud.

To round out our capabilities for managing the broad spectrum of devices our customers choose, we announced integration between Jamf and Intune. Jamf is one of the most widely used solutions for macOS management. Jamf will integrate with Intune's device compliance engine to provide an automated compliance management solution for macOS devices accessing applications connected with Azure AD authentication.

Watch the Ignite Session: Microsoft 365: Modern management and deployment.

Thank you!

Microsoft Ignite was a huge week for us on the EMS team. We are thankful to be able to spend time with customers and very honored to be an important part of digital transformation for so many companies around the world. Thank you to all of you who could attend Microsoft Ignite in person or who have watched the recorded content so far.

Azure Information Protection Documentation Update for September 2017

AD -

Hi everybody

Our technical writer, Carol Bailey, is letting you know what's new and hot in the docs for September.

Reminders: Follow us on Twitter (Microsoft Mobility @MSFTMobility) and join in our peer community at

Gagan (on behalf of the Information Protection team)

The Documentation for Azure Information Protection has been updated on the web and the latest content has a September 2017 (or later) date at the top of the article.

The doc updates this month support recent releases, such as the much-awaited GA version of the Azure Information Protection client, as well as releases that were announced at the Ignite conference this week. Missed the announcements? Check out What's new in Azure Information Protection @ Ignite 2017.

We value customer feedback and try to incorporate it whenever possible. If you have feedback about the documentation, you can contact us by emailing

What's new in the documentation for Azure Information Protection, September 2017

What is Azure Information Protection?

  • Updated the Resources section with a link to find the Microsoft Ignite 2017 sessions as they become available, and a link to the blog that has a summary of announcements for Ignite.

RMS for individuals and Azure Information Protection

  • Updated to clarify the RMS for individuals subscription vs. sending a protected email with Office attachments when you use Office 365 Message Encryption with new capabilities.

How Office applications and services support Azure Rights Management

  • Updated the Exchange Online section for information about the updated Office 365 Message Encryption. The SharePoint section is also updated to clarify that co-authoring is not supported with IRM-protected libraries, and that data loss prevention (DLP) is not supported on libraries that are not IRM-protected when the document is protected before uploading to SharePoint.

Comparing Azure Information Protection and AD RMS

  • Updated the comparison table with a new entry for sending a protected email (with Office document attachments that are automatically protected) to users when no trust relationship exists, by using federation with social providers or a one-time passcode and a web browser for viewing. This feature is not available with AD RMS.

Client devices that support Azure Rights Management data protection

  • Updated the minimum supported version for iPhone and iPad to iOS 8.0.

Applications that support Azure Rights Management data protection

  • Updated the supported application table to include the new scenarios for Office 365 Message Encryption with new capabilities. The table has also been redesigned for fewer footnotes. New limitation for Office 2010, which does not support overriding template protection with custom permissions that a user selects with the Azure Information Protection client.

FAQs about data protection in Azure Information Protection

Information and support for Azure Information Protection

  • Updated the “To do this …” table with the current top 5 documentation pages, a link to the User Voice site, and an update for our Twitter feedback to receive notifications.

Quick start tutorial for Azure Information Protection

  • Updated the wording and screenshots to match the latest UI updates for the service and client.

Planning and implementing your Azure Information Protection tenant key

  • Updated to remove the previous restriction of using BYOK with Exchange Online, and expanded the number of key options that you can now use for BYOK. This article also has a new section to help you choose your key vault location.

Preparing users and groups for Azure Information Protection

  • Updated for federated social identities and one-time passcode when you use the new Office 365 Message Encryption capabilities.

How to activate Azure Rights Management from the Azure portal

  • Updated for the new UI in the Azure portal that refers to Azure RMS as “protection”.

Office 365: Configuration for clients and online services to use the Azure Rights Management service

Configuring the Azure Information Protection policy

  • Updated the Subscription support section with guidance for admins who have a mix of licenses for their users. Also clarified that there is no technical limit to the number of labels that you can create, unless they include protection. A label that includes protection settings creates a template, and there is a maximum limit of 500 templates.

How to delete or reorder a label for Azure Information Protection

  • Updated to clarify the behavior if you delete a label that includes protection.

How to configure a label for Rights Management protection

  • Updated for the latest UI changes that include renamed options (such as changing “Azure RMS” to “Azure (cloud key)”).

Hold your own key (HYOK) requirements and restrictions for AD RMS protection

  • Updated the Additional limitations section for the latest GA version and preview version of the Azure Information Protection client.

How to configure a label for visual markings for Azure Information Protection

  • Updated for the new preview option that lets you customize the font. Also added a new section to help you set the customized font color.

How to configure conditions for automatic and recommended classification for Azure Information Protection

  • Updated to remove the information about the previous built-in conditions now that the GA version of the client supports the Office DLP sensitive information types. Also clarified that the information types you can select exclude any custom sensitive information types that you have defined and uploaded as a rule package to the Office 365 Security & Compliance Center.

Refreshing templates for users and services

  • Updated to remove the manual instructions for Exchange Online that are no longer necessary when you use the new Office 365 Message Encryption capabilities.

Tasks that you used to do with the Azure classic portal

  • New article for those of you who are used to creating and managing custom templates in the Azure classic portal. In case you haven’t heard, the old Azure portal is being retired November 30. After this date, you must manage any templates that you have in the new Azure portal. This article helps you with this transition, so that you can continue to manage your Azure Rights Management templates.

Deploying the Azure Rights Management connector

  • Updated the prerequisites information to explain how the connector can support multiple AD forests.

Logging and analyzing usage of the Azure Rights Management service

  • Updated the introduction with a summary of all logging options for Azure Information Protection.

Azure Information Protection client: Version release history

Azure Information Protection client administrator guide

  • Updated throughout to remove the old preview information now that the client released as GA.

Custom configurations for the Azure Information Protection client

Classify and protect a file or email by using Azure Information Protection

  • Updated to include the new Outlook address book option for custom permissions from an Office app when you use the latest preview client. New section for safely sharing by email.


  • Updated for clarifications and included the error messages that you see if the key vault you specify has not been configured for Azure Information Protection.


  • Updated for the current preview client that has a new parameter, -IntegratedAuth, that supports server mode for AD RMS so that cmdlets can run non-interactively by using Windows integrated authentication for the computer account.

What’s new with Microsoft Intune and System Center Configuration Manager @ Ignite 2017

AD -

Organizations are continuing to experience an increasing number of devices and cloud services that are being used by their employees. While this allows people to achieve more at work, it also requires IT to enable and support new and more complex scenarios with the same budget and resources. Organizations are looking for a solution that allows them to manage their users, various device platforms, and different types of apps using an integrated, modern platform. We are excited to announce new features in Microsoft Intune to expand its unified endpoint management (UEM) capabilities. These improvements include conditional access enhancements across all platforms, integration with Jamf for macOS device compliance, a new and unique co-management capability with System Center Configuration Manager (ConfigMgr) for modern Windows 10 management, and more.

Microsoft 365

Microsoft 365 is designed to enable a modern workplace for employees and a new approach for IT to simplify management, improve security, and lower costs. You can read more about this new approach in Brad Anderson's Microsoft 365 powered device blog post and our latest Mechanics video.

One of the key elements of a Microsoft 365 powered device is the ability to modernize the deployment and management of Windows 10 and Office 365 ProPlus. We have been regularly adding new modern management features in Intune since the release of Windows 10. Some of the recent improvements include the ability to deploy Office 365 ProPlus, BitLocker management, integration with Windows Update for Business, and more. We are also working on new features including the ability to run PowerShell scripts on Windows 10 devices using the Intune Management Extension, new Windows 10 MDM settings, and enhanced support for Windows AutoPilot, Windows Defender ATP, Windows Store for Business, and Surface Hub.

While there are many benefits of modern management, most organizations are still using an on-premises Windows Server Active Directory (AD) and System Center Configuration Manager (ConfigMgr) to manage their Windows devices. Based on conversations with our customers, we heard that until now, it wasn't always easy to move to modern management. Some customer scenarios require the ConfigMgr agent, and there are also Windows 7 devices that need to be managed. Customers also use deeply integrated partner or homegrown solutions for ConfigMgr, not to mention the complexity of planning and switching from traditional to modern management with existing IT systems, organizational structures, and processes. Many organizations were looking for a more simplified and manageable way to transition from ConfigMgr and AD to a modern management approach with Intune and Azure AD. We are excited to make this possible with a new and unique feature of ConfigMgr and Intune called co-management.

Co-management delivers a bridge that simplifies planning and reduces the risks as organizations transition the management of Windows 10 devices to cloud-based Intune and Azure AD. Co-management helps to streamline the journey to modern management in a controlled and iterative way. This allows IT to modernize some workloads of Windows 10 management (e.g. device compliance assessment for conditional access) while maintaining ConfigMgr for other workloads (e.g. Win32 app distribution) based on your needs and at your own pace with the end goal to fully transition to modern management.

With the Fall Creators Update, a Windows 10 device can be joined to on-premises Active Directory (AD) and cloud-based Azure AD at the same time. Co-management takes advantage of this improvement and enables the device to be managed by both the ConfigMgr agent and Intune MDM. This allows organizations to move parts or workloads of their management to the cloud, making the move in manageable chunks. For example, customers can transition device compliance checks, resource access profile deployment, or Windows 10 update management from ConfigMgr to Intune while continuing to use ConfigMgr for other workloads such as software distribution and deep device security configuration. Over time, it will be possible to transition more workloads through co-management.

Another common use case is the ability to modernize OS deployment where a traditional imaging process can be replaced with Windows AutoPilot integrated with Intune and Azure AD while the rest of provisioning and management is done through ConfigMgr.

You will be able to learn more about these improvements in the recordings of our Ignite sessions (search for BRK3057, BRK3075, BRK3076, and BRK2079 on after Ignite ends) as well as test it out in your lab in the upcoming ConfigMgr Technical Preview Branch release (version 1709). We are planning to make co-management generally available with the 1710 release of ConfigMgr Current Branch later this year.

Integration with Jamf for macOS device compliance

As a unified endpoint management (UEM) solution, we are always looking for ways to extend our platform through our partners to satisfy the unique needs of our customers. Today, we are excited to announce our integration with Jamf, a well-known solution for managing the Apple ecosystem. Jamf will integrate with Intune's device compliance engine to provide an automated compliance management solution for macOS devices accessing applications connected with Azure AD authentication.

Jamf will send macOS device state information to Intune, which will then evaluate it for compliance with the policies defined in the Intune console. Based on the device compliance state as well as other conditions (such as location, user risk, etc.), Conditional Access will allow, block, or enforce MFA for macOS devices accessing cloud and on-premises applications connected with Azure AD, including Office 365.

This integrated solution will be available in late 2017. For more information tune into the Jamf Nation User Conference Keynote livestream on Wednesday, October 25:

The next wave of conditional access

In June, we announced the general availability of the new conditional access admin experience in the Azure portal. This powerful, simplified new experience makes it easy to manage policies that bring together services across EMS, including Azure AD Premium and Microsoft Intune, and combines them with the insight from the Microsoft Intelligent Security Graph, which scans billions of signals to determine user risk levels.

Today, Microsoft announced a whole new wave of scenarios that expand our conditional access capabilities, including integration across EMS services such as Azure Information Protection and Microsoft Cloud App Security, as well as additional scenarios that leverage Intune's core MAM and MDM capabilities.

You can read about this next wave of conditional access capabilities in this post from Alex Simons that was published earlier today.

In case you missed it

As always, the last couple of months have been busy with the release of several product updates and new features. Here is a recap of some of these releases that we're getting positive customer feedback on.

  • iOS 11 and Android O support: In recent weeks, both Android and iOS announced updates to their operating systems. As you plan for both updates within your organizations, you can have the confidence that all existing Intune capabilities will continue to work as expected when users upgrade.
  • Enhanced macOS support: Over the last month, we added several improvements to our macOS management capabilities, including conditional access support and a new Company Portal for end users.
  • Intune Data Warehouse: The new Intune Data Warehouse takes our reporting capabilities a step further, giving you more powerful custom reporting around your environment over time. With a dataset spanning up to 90 days of historical data, you can connect the Intune Data Warehouse to Power BI, Excel or another analytics tool that supports OData feeds to view historical trends, get daily snapshots, and create other custom reports across multiple tables.
  • Mobile Threat Defense ecosystem: This past year, we've introduced integration with several leading Mobile Threat Defense (MTD) solutions, including Lookout, Skycure, and Check Point. This month, we're excited to introduce our latest integration with Zimperium. This integration helps organizations defend against both known and unknown mobile threats and ensure that devices are risk-free and secure before users access corporate resources.

We are excited for you to try these new improvements! Please keep sending us your feedback.

What’s new in Azure Information Protection @ Ignite 2017

AD -

Hi everyone!

Whether you are attending Microsoft Ignite in person or following the event on social media, we wanted to give you a summary of the latest and greatest information protection news we shared at Ignite. We'll have more detailed blogs on some of these new capabilities in the following weeks, so stay tuned! We're excited to share these milestones with you and welcome your feedback as always.

General availability of new and improved Office 365 Message Encryption capabilities

We are announcing the general availability of enhancements to Office 365 Message Encryption leveraging the protection capabilities of Azure Information Protection. These improvements make it easier to share protected emails with anybody inside or outside your organization. Recipients can view protected Office 365 emails on a variety of devices, using common email clients or even consumer email services such as Gmail,, and Read more about it in the Office 365 blog.

To address your compliance needs, we're also enabling support for bring your own key (BYOK) for Exchange Online. Read more about it in our technical docs: Planning and implementing your Azure Information Protection tenant key.

Public Preview of Conditional Access for AIP protected files

To further enhance security at the file level, we’re introducing the public preview of conditional access for sensitive files. With the integration of Azure Information Protection (AIP) and Azure Active Directory, conditional access can be set up to allow or block access to AIP-protected documents, or to enforce additional security requirements such as MFA or device enrollment based on the device, location, or risk score of users trying to access sensitive documents. Learn how to configure this feature: Conditional access in Azure Active Directory.

Public Preview of native labeling of Office files in Microsoft Cloud App Security

We are excited to announce that we’re deepening the integration of Microsoft Cloud App Security and Azure Information Protection. With the public preview of the next phase of integration in Q4 CY 2017, you'll be able to scan and classify files in cloud apps, and automatically apply Azure Information Protection labels for protection. More information about this integration can be found in this Cloud App Security blog.

Public Preview of Azure Information Protection Scanner

To help you manage and protect significant on-premises data, we're releasing the public preview of the Azure Information Protection Scanner next month. The scanner can be configured to periodically scan your on-premises repositories such as file servers and on-premises SharePoint servers to discover, label, and protect sensitive data based on company policies. This is particularly important in scenarios where you're planning data migration from on-premises to cloud storage or working towards meeting regulatory and compliance requirements such as GDPR. Stay tuned for more information about the scanner in the coming weeks!

We hope this helps you with your testing, planning, and deployments, and we welcome your commentary and feedback. We also know this can be a lot to absorb, and we are here to help! Engage with us on Yammer or Twitter and let us know what's important to you by voting on UserVoice!

It really is very easy to get started with AIP. We have a lot of information available to help you, from great documentation to engaging with us via Yammer and e-mail. What are you waiting for? Get to it!

Thank you!
Gagan Gulati on behalf of our enthusiastic Azure Information Protection team

Introducing Azure Advanced Threat Protection

AD -

The recent years have witnessed a distinct and consistent escalation in the scope, scale, and sophistication of cyberattacks, impacting organizations across all verticals and locations. This escalation is manifested not only in the increasing proliferation of threat-actor groups, but also in the diversity of the attack Tools, Techniques, and Procedures (TTPs) they use, ranging from zero-day exploits to weaponized antimalware and publicly available toolkits.

This threat landscape is driving a change in the common security paradigm, bringing security stakeholders to realize that a resourceful and determined attacker will at a certain point succeed in bypassing the traditional prevention and detection controls.

To proactively respond to these threats, there is a need for a security layer that operates following the successful bypass of these controls and is tasked with detecting the malicious activity consecutive to this bypass.

Introducing Azure Advanced Threat Protection for Users

We are excited to announce Azure Advanced Threat Protection (ATP) for Users, a new cloud service which empowers your Security Operations team to detect and investigate advanced attacks and insider threats across the entire scope of users and entities in your network. Leveraging cloud infrastructure and Azure scale, Azure ATP is built to support the most demanding workloads of security analytics for the modern enterprise.

Azure ATP fuses together unique machine learning algorithms, world-class security research, and the breadth and depth of the critical security data available to Microsoft as a major enterprise vendor. It will help protect from both known and unknown attack vectors, detecting threats early in the kill chain before they mature into actual damage.

Azure ATP brings the capabilities of our current on-premises behavioral analytics solution, Microsoft Advanced Threat Analytics (ATA), to the cloud. Building on the in-depth threat detection capabilities of ATA, Azure ATP will help our customers protect their identities across both their cloud and on-premises directories.

Powered by the Microsoft Intelligent Security Graph, Azure ATP detects malicious activity by aggregating and correlating multiple data sources – network traffic, event logs, VPN data, and others – to create a coherent behavioral profile for each user. Malicious activity will typically generate anomalous behavior, raising a security alert.

Complementing its granular anomaly detection capabilities, Azure ATP is shipped with a set of deterministic models that identify both common and newly discovered implementations of attacker techniques such as Pass-the-Hash, Overpass-the-Hash, Golden Ticket, and others.

Azure ATP shows the attack as a contextual alert timeline, where each individual alert includes both a description of the malicious activity that triggered it and the required onward remediation and response steps.

Once the alert is triaged and deemed worthy of investigation, Azure ATP provides your security team with the tools and event metadata that are needed to conduct a deeper investigation of the involved users and entities. Additionally, you can pivot to Windows Defender Advanced Threat Protection (ATP), which supplements the alert context with the operations performed on the involved endpoints.

We're opening registration for our limited preview today. Register here.

We'll begin onboarding our first previewers by the end of October.

Looking forward to hearing your feedback!

Michael Dubinsky,
Principal PM Manager, Azure Advanced Threat Protection.

What’s new in Microsoft Cloud App Security @ Ignite 2017

AD -

A changing culture of work is driving a rapid increase in cloud app usage by employees. According to our own telemetry, the average organization has more than 25 different cloud storage apps and more than 40 collaboration apps routinely used by its employees. With this fast transition to cloud app usage, helping you protect your corporate data is a top priority for the Microsoft Cloud App Security team.

Earlier this week at Ignite, Microsoft announced new Microsoft 365 Security capabilities including important enhancements to and new integrations with Microsoft Cloud App Security. In this blog, I will provide you a more detailed understanding of these capabilities.

Control and limit access to cloud apps with proxy

With the rising number of cybersecurity attacks, our first objective is to protect your organization right at the front door. Our approach in Microsoft Enterprise Mobility + Security (EMS) starts with providing you a strong conditional access and modern authentication strategy. With Azure Active Directory conditional access, criteria such as user identity, device health, location, and sign-in risk derived from Microsoft's Intelligent Security Graph are applied to help you secure access.

As showcased in the Ignite keynote sessions, we're extending these conditional access capabilities to monitor user sessions and control content access and downloads directly inside SaaS apps through a unique integration between Microsoft Cloud App Security and Azure AD conditional access. So, what does this mean? As explained in the Microsoft defense-in-depth whitepaper, Cloud App Security will act like a security escort between cloud apps and users. For example, you can allow access to browser-based cloud apps from unmanaged devices or an unfamiliar location while blocking the download of sensitive documents from within the application.

This exciting new capability will be released for Public Preview in October 2017.

How does this work?

Controlling and limiting access to cloud apps ties together the capabilities of Azure AD conditional access with the Cloud App Security proxy. In-session controls are created through the integration of conditional access policies and the Cloud App Security proxy session policies. When a conditional access control is triggered, Azure AD will redirect the user to the Cloud App Security proxy. At this point, the proxy session policies are evaluated, and a user's session is monitored or controlled. Let's explore each step of the process.

Step 1. To control and limit access to cloud apps, we start with an Azure AD conditional access policy. These policies employ both conditions and controls. Conditions define who and what the policy applies to and how it is applied. Based on a set of conditions, policies will trigger access controls. Session controls (as seen in the screenshot below) help you control and limit access to applications.

Azure Active Directory conditional access policy

What happens after this conditional access policy is built? For every sign-in, Azure AD identifies whether there is a conditional access policy in place. When proxy restrictions for cloud apps are checked within a policy, Azure AD sends the specific user and context information to the Cloud App Security proxy.

Step 2. Azure AD conditional access policies and the Cloud App Security proxy session policies work together to perform real-time monitoring and control. The proxy does another evaluation of the user against session policies set in the Cloud App Security portal, where conditions such as device state or user location can be evaluated. If there is a relevant policy, the user session will be routed through the Cloud App Security proxy, where each user action can be monitored and controlled. At this point, Cloud App Security can block the download of a sensitive document, or scan, label, and enforce protection on a file even if it was not protected in the first place. User actions and session analytics can then be reviewed in the Cloud App Security activity log and discovery dashboard.

Microsoft Cloud App Security proxy – session policy settings
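The two-stage flow of Steps 1 and 2 above, as a toy Python model added here (this is not Microsoft code): stage 1 mimics the conditional access policy's conditions and controls, stage 2 mimics the proxy session policy evaluated per user action. The policy rules, label names, risk levels, sensitive-content pattern and sample sign-ins are assumptions constructed for the example.

```python
# Added illustration, not Microsoft code: a toy model of the two-stage
# evaluation (Azure AD conditional access -> Cloud App Security proxy).
# All policy rules, labels and sample data below are constructed.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SignIn:
    user: str
    app: str
    device_managed: bool
    location_trusted: bool
    sign_in_risk: str  # "low", "medium" or "high"


@dataclass(frozen=True)
class FileAccess:
    name: str
    label: str     # label already on the file, "" if none
    content: str


PROTECTED_APPS = frozenset({"SharePoint Online"})  # constructed scope


def conditional_access(s: SignIn) -> dict:
    """Stage 1: conditions select the sign-in, controls say what happens.

    Returns access decision plus the access control (MFA) and session
    control (route through the proxy) that the policy triggers.
    """
    if s.app not in PROTECTED_APPS:           # condition: app in scope
        return {"access": "allow", "mfa": False, "proxy": False}
    if s.sign_in_risk == "high":               # condition: risk level
        return {"access": "block", "mfa": False, "proxy": False}
    # medium risk -> access control "require MFA"
    mfa = s.sign_in_risk == "medium"
    # unmanaged device or unfamiliar location -> session control that
    # redirects the session through the Cloud App Security proxy
    proxy = not (s.device_managed and s.location_trusted)
    return {"access": "allow", "mfa": mfa, "proxy": proxy}


# constructed SSN-like pattern standing in for a sensitive information type
SENSITIVE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def session_policy(s: SignIn, action: str, f: FileAccess) -> dict:
    """Stage 2: proxy session policy, evaluated for every action."""
    if action != "download":
        return {"decision": "monitor", "label": f.label}   # log only
    if s.device_managed:
        # proxy re-evaluates device state: managed devices may download
        return {"decision": "allow", "label": f.label}
    if f.label == "Confidential":
        # labelled sensitive file on an unmanaged device: block download
        return {"decision": "block", "label": f.label}
    if not f.label and SENSITIVE.search(f.content):
        # unlabelled but sensitive: label and protect before it leaves
        return {"decision": "label_and_protect", "label": "Confidential"}
    return {"decision": "allow", "label": f.label}


def handle(s: SignIn, action: str, f: FileAccess) -> str:
    """End-to-end outcome of one user action across both stages."""
    ca = conditional_access(s)
    if ca["access"] == "block":
        return "blocked_at_sign_in"
    if not ca["proxy"]:
        return "direct_allow"      # session never reaches the proxy
    return session_policy(s, action, f)["decision"]


# constructed sample sign-ins and files
ALICE_HOME = SignIn("alice", "SharePoint Online", False, False, "low")
BOB_OFFICE = SignIn("bob", "SharePoint Online", True, True, "low")
CAROL_RISKY = SignIn("carol", "SharePoint Online", False, False, "high")
BUDGET = FileAccess("budget.xlsx", "Confidential", "FY18 numbers")
NOTES = FileAccess("notes.docx", "", "candidate SSN 123-45-6789")
MEMO = FileAccess("memo.docx", "General", "lunch menu")

if __name__ == "__main__":
    for who, act, doc in [(ALICE_HOME, "download", BUDGET),
                          (ALICE_HOME, "download", NOTES),
                          (ALICE_HOME, "view", BUDGET),
                          (BOB_OFFICE, "download", BUDGET),
                          (CAROL_RISKY, "download", MEMO)]:
        print(who.user, act, doc.name, "->", handle(who, act, doc))
```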

The integration between Azure AD conditional access and the Cloud App Security proxy showcases our commitment to providing a holistic solution that allows users to be productive while protecting against data breaches and leaks in real time. This complements the existing conditional access integration between Azure AD and SharePoint and is another building block in the journey to secure productivity.

Enhanced information protection capabilities in Microsoft Cloud App Security

After safeguarding your resources at the front door, the next step is to protect data anywhere and prevent data loss. Today, data travels through many locations – across devices, apps, cloud services, and on-premises. It is important to build the protection into the file, so this protection stays with the data itself.

As Microsoft's Information Protection solutions expand and develop, we take great strides in ensuring Cloud App Security integrates these advancements into our existing services.

Azure Information Protection (AIP) provides persistent data protection by classifying, labelling, and protecting sensitive files and emails. Labels are used to apply the classification to a document or email, such as General or Confidential. Additionally, AIP allows for encryption and authorization, ensuring users must successfully authenticate to access the material.

At Ignite 2016, we showcased how Cloud App Security can read files classified by AIP and set policies based on the file labels. Now, we're integrating these solutions even more to enhance the protection of your data as it travels to cloud applications. Cloud App Security will scan and classify sensitive files in the cloud apps and automatically apply AIP labels for protection.

How does this work?

In the Cloud App Security portal, you can configure a file policy using:

  • Filters to select conditions such as access level, classification label, specific collaborators, and parent folders
  • Governance actions to automatically apply an AIP label with protection


Microsoft Cloud App Security file policy apply classification label

These labels are configured in the Azure Information Protection portal and protection will be applied to any file that is supported by native protection. This means that Word, PowerPoint, or Excel files protected by Cloud App Security using AIP will open in Office apps on all platforms without requiring a plug-in or any additional settings. This capability will roll out in October 2017.

Applying AIP classification labels directly to files from Cloud App Security is an important step in the continuous evolution of Microsoft's Information Protection capabilities. This helps you create policies seamlessly and enforce data protection across your security solutions.

The new and enhanced Cloud App Discovery experience in Azure AD

Shadow IT application use is an important security concern. Lack of Shadow IT visibility, knowledge, and control can increase your attack surface and leave you vulnerable. Visibility is the first key step for data protection: if you cannot see it, you cannot prevent it. For that reason, we developed a new and enhanced Azure AD Cloud App Discovery experience to provide deeper visibility into cloud app usage in your organization. This experience is powered by Microsoft Cloud App Security Discovery and is now available to all Azure AD Premium P1 and EMS E3 customers.

New and enhanced Azure AD Cloud App Discovery

How is the new Azure AD Cloud App Discovery different?
  • Provides deeper visibility into cloud app usage: the new Cloud App Discovery in Azure AD discovers more than 15,000 cloud apps, leveraging the Microsoft Cloud App Security cloud app catalog.
  • No agents required: This analysis does not require agents to be installed on user devices. Instead, discovery is performed based on log files imported from your firewalls and proxies. You can discover apps across all organizational network traffic, regardless of the device or operating system.
  • Ongoing analytics and alerts: the new Cloud App Discovery in Azure AD provides detailed and ongoing analysis, as well as alerts when there is a new app in use. You can now gain more in-depth knowledge of cloud app usage in your organization, such as information on inbound and outbound traffic, and top users for discovered apps.
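The agentless discovery described above, as an added example (not Microsoft's code): proxy log lines are matched against an app catalog, and per-app inbound/outbound traffic, top users and new-app alerts are derived from them. The log format, the four-entry catalog and its risk scores, and the users are all constructed.

```python
"""Shadow-IT discovery from proxy/firewall logs (constructed example)."""
from collections import defaultdict

# Constructed stand-in for the cloud app catalog: domain -> (app name, risk score).
# Score follows the catalog convention of 1..10, where 10 is the lowest risk.
APP_CATALOG = {
    "dropbox.com": ("Dropbox", 6),
    "box.com": ("Box", 8),
    "wetransfer.com": ("WeTransfer", 3),
    "sharepoint.com": ("SharePoint Online", 10),
}

# Constructed proxy log: timestamp user dest_host bytes_sent bytes_received
SAMPLE_LOG = """\
2017-09-25T08:01:12Z alice files.dropbox.com 52000 1200
2017-09-25T08:02:40Z bob www.box.com 800 40000
2017-09-25T08:03:05Z alice contoso.sharepoint.com 3000 9000
2017-09-25T08:04:50Z carol wetransfer.com 900000 500
2017-09-25T08:05:10Z alice api.dropbox.com 7000 300
2017-09-25T08:06:00Z dave internal.corp.example 100 100
"""


def lookup_app(host):
    """Match the host, or any parent domain of it, against the catalog."""
    parts = host.lower().split(".")
    for i in range(len(parts) - 1):
        candidate = ".".join(parts[i:])
        if candidate in APP_CATALOG:
            return APP_CATALOG[candidate]
    return None


def parse_line(line):
    ts, user, host, sent, recv = line.split()
    return {"ts": ts, "user": user, "host": host, "sent": int(sent), "recv": int(recv)}


def discover(log_text, known_apps=frozenset()):
    """Aggregate traffic per discovered app and alert on apps not seen before.

    Returns (apps, alerts, unmatched_lines). Each apps entry holds the catalog
    risk score, outbound bytes (uploads leaving the org), inbound bytes, and
    total bytes per user.
    """
    apps, unmatched = {}, 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        hit = lookup_app(rec["host"])
        if hit is None:
            unmatched += 1          # internal or uncatalogued destination
            continue
        name, risk = hit
        entry = apps.setdefault(name, {"risk": risk, "outbound": 0, "inbound": 0,
                                       "users": defaultdict(int)})
        entry["outbound"] += rec["sent"]
        entry["inbound"] += rec["recv"]
        entry["users"][rec["user"]] += rec["sent"] + rec["recv"]
    alerts = [f"new app in use: {name}" for name in apps if name not in known_apps]
    return apps, alerts, unmatched


def top_users(apps, app_name, n=3):
    """Users of one app ranked by total bytes, ties broken by name."""
    users = apps[app_name]["users"]
    return sorted(users.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def upload_risk_report(apps, max_risk=7):
    """Lower-scored apps that carry outbound data: the first places to review."""
    return sorted((name, e["outbound"]) for name, e in apps.items()
                  if e["risk"] <= max_risk and e["outbound"] > 0)


if __name__ == "__main__":
    found, alerts, skipped = discover(SAMPLE_LOG, known_apps={"SharePoint Online"})
    for a in alerts:
        print(a)
    print("top Dropbox users:", top_users(found, "Dropbox"))
    print("upload review list:", upload_risk_report(found))
```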

You can get started today by logging in to the new enhanced experience with your Azure AD credentials.


Detailed technical documentation for the conditional access integration with the Cloud App Security proxy and for the enhanced Azure Information Protection integration will be available on our documentation site at public preview. If you have any suggestions, questions or comments, please visit our Tech Community page and give us your feedback.

What’s new with Azure Active Directory @ Ignite 2017

AD -

Howdy folks!

What an amazing week! It's the third day of Ignite, and it's been awesome getting to meet so many of you in person, especially when we have so much news to share!

Leading up to the conference, the team worked hard to turn on important new Azure AD capabilities, and I'm excited to share a quick recap of everything we announced.

The next wave of conditional access starts now

In June we announced the general availability of the new conditional access admin experience in the Azure portal. This powerful new experience makes it easy to manage policies that bring together services across EMS, including Azure Active Directory and Microsoft Intune. Conditional access also takes advantage of the Microsoft Intelligent Security Graph, which scans billions of signals to determine user risk levels.

Now, we're bringing to life a new wave of scenarios that expand our conditional access capabilities, including integration across the EMS Azure Information Protection and Microsoft Cloud App Security services. We've grouped the new features into three broad categories:

  • Devices and apps
  • Session control and information protection
  • New conditions and custom controls

Below are highlights from each feature category we've previewed at Ignite.

Devices and apps

We recently announced device-based conditional access support for macOS, and now we're introducing new application-based conditional access capabilities. With this new level of control you can restrict access to services so that only client applications that support Intune app protection policies can use them. And you can combine app-based conditional access policies with device-based policies to protect data on both personal and corporate devices.

Additionally, our conditional access policies now allow you to protect VPN connectivity on your Windows 10 devices. So, users with Windows 10 devices can connect automatically to your VPN only if they're compliant with device policies.

One more exciting feature we're introducing is the ability to manage device identities in the Azure portal. With this new feature, you can manage device attributes, retrieve BitLocker keys for devices, see device authentication-related audit logs, and find support resources related to devices, all in the Azure portal.

Session control and information protection

The EMS team has also been making some incredible headway improving session control and data protection.

Session controls allow you to limit access to resources. We've had support for SharePoint restricted mode, one of our session control technologies, in public preview. Today, I'm happy to let you know that we're expanding our session controls in Azure AD Conditional Access to integrate with Microsoft Cloud App Security.

Microsoft Cloud App Security performs real-time monitoring and helps IT gain control over both authorized and unauthorized cloud application usage. This capability is currently in private preview. It will be available in public preview soon and will give you the ability to limit and control the actions your users take in SaaS applications using conditional access policy. For example, you will be able to let users access SaaS apps from an unfamiliar location or unmanaged device, but prevent them from downloading sensitive documents.

And our new conditional access integration with Azure Information Protection (currently in public preview) allows you to apply access policies to protected files. Now, you can set a policy that prompts a user to complete an MFA challenge before accessing a protected document. You can even have the policy serve up an MFA challenge when users are off the corporate network or are flagged as an elevated risk by Identity Protection.

New Conditions & Custom Controls

We've just turned on a public preview of country/region-defined IP range conditions. These new conditions make it easy to block access from specific countries and regions based on automatic IP address checks.

We've also unveiled custom Terms of Use (ToU) as a control in conditional access. With ToU, you can require a user to consent to your organization's terms of use before they get access to an application. The terms can be any document relevant to your organization's business or legal policies. When you combine ToU with access reviews, you can collaborate across companies confidently, knowing the right level of information protection is in place.

Finally, we’ve integrated two-step authentication solutions from Duo, RSA, and Trusona. So, if you’re using one of these providers to support two-step authentication, you can easily use them within the Azure AD conditional access engine.

Continuing to enable customers' journey to the cloud

We've heard stories from numerous customers that prove how important it is for their users' passwords to stay firmly within internal boundaries. So, we developed pass-through authentication! This authentication method allows you to use Azure AD for single sign-on without compromising any of your security requirements.

Today, I’m happy to tell you pass-through authentication is now generally available!

Pass-through authentication is an Azure AD sign-in option (along with password hash sync and federation). It's most appropriate for organizations that can't or don't want to permit users' passwords, even in hashed form, to leave their internal boundaries. Pass-through authentication allows users to sign into both on-premises and cloud applications using the same passwords, and works by securely validating users' passwords directly against on-premises Active Directory using a lightweight on-premises agent.

To ensure a smooth user experience, we're also extending seamless single sign-on to pass-through authentication and password sync. Hybrid customers will only need to sign into their device once. They will not be prompted again for another login, regardless of which authentication method they use, to access Azure AD-integrated applications on their AD-joined devices within their corporate network.

For more details on this great functionality, watch our Microsoft Mechanics show.

Casting a light on shadow IT

More than 80 percent of employees admit to using non-approved SaaS applications for work, and discovering which apps they're using is the first step to managing shadow IT. To that end, we're upgrading the Cloud App Discovery tool to an enhanced experience powered by Microsoft Cloud App Security.

With this upgrade, IT admins can now discover more than 15,000 apps without needing on-premises agents to do so. They can also receive detailed ongoing risk analysis and alerts for new apps in use, get inbound and outbound traffic information, and uncover the top users of discovered apps, all important pieces in gaining a greater understanding of cloud app usage across an organization.

More Governance and Compliance options for Azure AD customers

In addition to Sailpoint, we're expanding our partnerships in advanced governance with the integration of Omada and Saviynt, two leaders in identity governance. Now you can seamlessly integrate their solutions with Azure Active Directory Premium, which gives you rich governance capabilities like access requests, policy-based workflows and approvals, enhanced auditing and reporting, and fine-grained lifecycle provisioning. If you're looking for a great governance solution for Azure AD, you can't go wrong with any of these partner solutions.

Azure Active Directory is also adding more granular control functionality so enterprises can determine who has access to what across their hybrid deployments and cloud services. These new features, currently in public preview, enable customers to:

  • ask group owners or group members to attest to their need for continued group membership, by starting an access review of that group.
  • ask users with access to an enterprise application, or others in the organization, to recertify their need for continued application access.

We've made the Azure AD access review experience more user-friendly by showing just the access highlights, including whether the user being reviewed has signed into the application recently.

Azure AD Privileged Identity Management (PIM) is also being extended to manage Azure subscriptions and resources, further governing who can manage resources in Azure. The new Azure AD PIM preview includes just-in-time and time-limited membership of Azure RBAC roles alongside its existing controls of Azure AD and Microsoft Online Services roles.

Wrapping Up

There's so much to share, and in the weeks to come we'll be posting more detailed blog posts that get into the meat of many of these new features. Please continue to watch us online or visit us throughout the rest of Ignite, and keep an eye on this blog for more information. We want to hear from you and look forward to connecting!

Best regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division

System Center Updates Publisher September 2017 Preview is now available

AD -

System Center Updates Publisher (SCUP) Preview 2 is now available. If this is your first time looking at the SCUP Preview, check out the announcement for Preview 1 here.

In SCUP Preview 2, the update catalog format has been enhanced to provide a better experience for users when consuming large update catalogs. Improvements include:

  • Indexing for quicker imports of previously imported catalogs – Catalog producers can now index their catalogs. This will allow users to import large catalogs containing few new updates more quickly.
  • Inclusion of signing certificates within updates catalogs – Catalog producers can now include signing certificates with their updates catalogs. This enables users to add the certificates to the trusted publishers list during import so that approval prompts will not block publish operations.

Note: While old catalog formats are still supported, catalog producers will need to add information to their existing catalogs to take advantage of these improvements.

  • Signature Timestamp – Updates published to a WSUS server will by default have their signature time-stamped. Note that this functionality requires internet access. If you have upgraded from Preview 1, this will not be enabled automatically. To enable or disable the signature timestamp, or to configure the timestamp server that is used, see the Advanced page under Options.

Preview 2 also includes fixes for issues based on feedback submitted during the first preview.

Joining the preview

We are excited to have you join our preview! To get started:

  1. Download the SCUP Preview here.
  2. Run UpdatesPublisher.msi on a computer that meets the prerequisites.
  3. Configure the options for SCUP.
  4. Start using the features of SCUP.

For a walkthrough of these steps please read our System Center Updates Publisher documentation.

We would love to hear your feedback. If you have a feature request, share your ideas with us on the Configuration Manager UserVoice site. You can report issues with SCUP on Connect or reach out to us directly at

ConfigMgr @ 25

AD -

Late last week, I wrote about the remarkable quarter-century milestone reached by ConfigMgr, and today I wanted to dive even deeper into the backstory of this incredible product, share a couple of announcements, and debut an awesome new documentary (look out, Sundance!) which offers an in-depth look at the genesis and growth of the product that created the PC Management industry.


Next, the ConfigMgr announcement:

And with this present-day milestone in mind, here's a story you may not have heard before:

How It All Began

Late last week, I took the opportunity to re-read the original vision document, or spec, for Project Hermes. I hadn't seen this doc in several years, and it was amazing to see how true ConfigMgr has stayed to that original vision. The fundamental building blocks outlined in that doc are still used today and are still part of its foundation.

In 1992, the original mission of Microsoft (aka, a PC in every home and on every desktop) was just hitting critical mass. Organizations were aggressively moving from terminal emulation to the x86 distributed computing model, and there was no solution to manage the PCs at scale. The team knew that Project Hermes had to be impactful.

The original SMS team was two full time developers and an intern named Ken Pan. When I joined the team in 2003, Ken the Intern was leading the entire dev team of about 150 engineers. Ken has led the engineering efforts on SCCM and Intune for me ever since!

Fun fact: The very first build of Systems Management Server (SMS) was 245. Why not 1? Well… Windows was on build 300 at that time, and the team didn't want to seem too far behind, but they knew that picking something too close to 300 would raise suspicion. So they picked 245!

SMS officially launched on November 7, 1994. That first release took a little over two years; today we release new insider builds every month!

A big moment from that launch was an e-mail sent by Bill Gates to every Microsoft employee explaining that SMS was being deployed across the company. Ever the engineer, Bill pointed out in that e-mail how to remove SMS software from your machine if you were so inclined. (:

If you want to read that e-mail, I've included it at the bottom of this post.

Pushing the Architecture Forward

SMS 1.0, 1.1 and 1.2 were all released pretty quickly, and a new market was subsequently born. Without delay, the team then started working on SMS 2.0.

That's when things got… complicated.

And, honestly, we made some poor decisions. A big part of the growth mindset is the ability to learn rapidly, and this has been core in the SMS team from the beginning.

So much had changed in the architecture of how client-server applications were built since 1992 that the team essentially re-wrote the SMS server infrastructure in 1997 and 1998 to bring the scale and performance of SMS forward, and they also integrated with the upcoming capabilities of Windows Server 2000. This was the first time that the SMS architecture was rewritten to ensure it was the state-of-the-art for that time.

SMS 2.0 was released in January 1999, and adoption and usage accelerated. At the time, I was working at SMS's largest competitor, Novell, leading the Novell ZENworks team. I couldn't possibly count the number of hours I spent meeting with SMS customers talking about the differentiators of ZENworks, which were based on focusing on users (identities) with deep Directory integration!

While writing this post I was reminded that SMS 2.0 had an Easter egg in it. The Easter egg was a video showing the names and pictures of people who worked on the product, and, when I took another look at it this week, one name stood out:

Yup, Terry Myerson, my boss and the Executive Vice President of Microsoft. I guess all the greats really have passed through SMS at one point in their career. (:

I joined the SMS team just as efforts were ramping up for what would become SMS 2003.

In SMS 2003, there were significant portions of the product that were, again, re-written. A big milestone at the time was getting SMS aligned on WSUS for patching. This aligned the Microsoft patching from cloud (Windows Update) to consumers and the Enterprise. WSUS is essentially the same bits that are used for Windows Update except running in your datacenter.

Windows Update is one of the world's largest cloud services, updating more than 1B devices every month. Think about this for a minute: One of Microsoft's key differentiators in the public cloud today is our hybrid capabilities and the ability for you to essentially run our public cloud in your datacenter. Running Windows Update in your data center (WSUS) was really a pioneer and perhaps the earliest example of being cloud connected and hybrid. This was also the point in time when laptop usage had really accelerated, and we needed to build a new client that functioned in a disconnected or loosely connected model.

As we neared the release of SMS 2003, we would meet each Friday morning with a group from across the company to evaluate the status of the project. One of the key groups invited to that meeting was the Microsoft IT department (MSIT). In a move that had no precedent in the company, I granted the IT team veto authority over the decision to ship SMS 2003 if they did not feel it was ready. Ever since then, MSIT has been our first and best customer as well as one of our best sources of feedback on early builds.

Today, we manage over 500,000 PCs and mobile devices here at Microsoft (this number is not included in the 1000M MAD) through a single ConfigMgr deployment. We are constantly deploying new bits across Microsoft as we are building each monthly release. We definitely eat our own dogfood. Another fun fact: My team actually oversees the internal deployment of ConfigMgr. There is no better way to learn than by doing!

Between 2003 and 2007, we released two Feature Packs. We didn't want to wait for an entire new product to deliver new functionality, so we innovated this new way to release capabilities. The first Feature Pack finished up the work of aligning on WSUS for our patching. The second Feature Pack was when we released OS Deployment.

One of my favorite memories of this time was a demo we set up at an event in Europe in November 2003 to show off the new OS Deployment capabilities. Bill Gates was delivering the keynote, and, during his section on What Is New with SMS, we live upgraded 100 PCs on a wall behind Bill. We called this demo the Wall of Fire.

Here's a picture we took of Bill when he turned around to watch the demo execute:

Here's a picture of the brave SMS team members that staged the demo:

Making an Impact

In the fall of 2004, Bill and Steve hosted an offsite meeting with a few of the senior leaders from across the company and the final session of the day was open Q&A with Bill and Steve. Someone asked Bill what he thought was, The most significant thing that has happened for Microsoft in the last year. Bill responded: We got SMS and Active Directory right and they will be tremendous assets for us going forward.

To this day, that is one of the best days of my professional career!

In 2007, we changed the name from SMS to ConfigMgr, in order to align it with the System Center brand. Desired State Configuration (DSC) was the newest innovative scenario that customers were requesting, so, once again, we evolved the architecture to really enable DSC to work the way it should. We also completely rewrote the administrative experience.

In Feb 2011, mid-way through the engineering of SCCM 2012, Satya took over the Server and Tools Business (STB), renamed it the Cloud and Enterprise (C+E), and became my boss. For our first 1:1 meeting, Satya came to my office and spent the bulk of the time really getting to know me better as a person. It was an incredible experience to work directly for Satya for several years and learn from his incredible, inquisitive nature, his growth mindset, and his humble-servant approach to leadership. Satya had a tremendous impact on the future and architecture of ConfigMgr during this release.

In ConfigMgr 2012 we essentially turned the architecture on its head by focusing the architecture and experience on users, not just devices.

Customers were telling us that mobility was going to be key in the future, and we understood that mobility was about the mobility of humans, not just devices. In response to this information, we dramatically flattened the architecture to require less hardware, and we massively increased the scale limits. This is where our journey to the cloud really, really got serious; we connected ConfigMgr to Microsoft Intune, and Intune essentially became the edge of ConfigMgr.

This hybrid configuration became the model that allowed us to innovate in the cloud, and then deliver new value to on-prem ConfigMgr via that hybrid deployment. We believed that the cloud would enable scenarios that would have been impossible in the past, and Satya could see the potential impact of the cloud for device management and he really pushed us to innovate and experiment here.

ConfigMgr Heads to the Cloud

The next architectural evolution was the most challenging by far.

When we learned that Windows 10 would be delivered as-a-service with multiple updates delivered each year, we knew that ConfigMgr needed to follow suit and move to the cloud.

The challenge here was daunting.

Historically, ConfigMgr had released on a 2-3 year cadence. I remember looking at the first all-up plan for SCCM 2007 and seeing 16 months of stabilization and beta between the time we declared code-complete and the release. 16 months! It was clear we needed to SaaS-ify ConfigMgr so we could maintain a multiple-times-per-year release cadence.

With such a daunting task ahead, we set about hand-picking a small team of engineers and program managers who knew ConfigMgr deeply, had a growth mindset, and shared a passion for this customer base. Our belief was that the only way we could pull this off was for a small and focused team to overhaul the entire architecture and create a cloud-delivered service from the ground up.

When I looked at our timetable for this overhaul, I will admit to having a bit of skepticism mixed in with my normal abundance of optimism. Getting things done this quickly was an unbelievable undertaking.

The outcome, now, is obvious: This hyper-focused engineering team exceeded every single benchmark and delivered a new cloud-based approach to PC management that allowed us to move to a monthly release cycle. To keep track of these updates, we did away with the traditional version numbers (e.g. 2003, 2007, 2012) and instead started naming them with a year/month convention; thus, the first release was versioned 1511 because we released it in the 11th month of 2015.

Since then, we have released a new insiders version of ConfigMgr every month, and major CurrentBranch releases every ~4 months.

This is without question one of the most incredible engineering efforts I have ever been a part of.

The customer response to this new cloud-delivered model has been incredible.

Check out this graphic:

Just over half of the ConfigMgr base has already upgraded to the new current branch model, and there are now more than 100M devices being actively managed and sending back telemetry.

Holy cow 100M!!!!

To my knowledge there are only 3 enterprise services in the world that have >100M monthly active users or devices under management and sending back telemetry: Office 365, Azure Active Directory, and ConfigMgr. What do these three things have in common? All are part of the integrated Microsoft 365 offer.

This chart shows the adoption of the major releases of ConfigMgr Current Branch since the 1511 release. We have a dashboard that shows us this data in real time, and we send out this chart to our entire team every Sunday morning at 8:30.

Believe me when I tell you that 8:30 on Sunday mornings is one of my favorite moments of every week.

This has been the fastest all-time upgrade for ConfigMgr, and you can see that with each release the rate of adoption (the slope of the line from left-to-right) gets faster and steeper. At first, we were a little nervous about how the ConfigMgr community would react to such fast releases and we have been both amazed and grateful for your trust and confidence in us.

There has never been more interest in and passion for Project Hermes than there is right now.

What's Next

We began the journey to the cloud with the 1511 release of ConfigMgr Current Branch in November 2015, and, at the time, it was clear to us that this was a major step towards where we needed to get. It was also clear to us that there was a lot more work to do.

The pace of innovation since 1511 has only accelerated. Organizations are rapidly moving to a world of cloud services connected to mobile devices, and, in order for us to deliver what you need in this accelerating environment, the ConfigMgr infrastructure has taken the big steps toward being a true cloud service. It is now a service that is continually updated with new capabilities, it utilizes the AI capabilities of the cloud to adjust to your needs and deliver the protection you require, and it is available to you as a cloud-based service that is able to scale to 100s of millions of devices around the globe.

All of this reminds me of the most common thing I hear from IT leaders all over the world: They are frustrated with the complexity they and their teams have to deal with in order to get work done. Organizations are looking for ways to simplify what they have deployed and they want a unified way to enable their users on all devices that also delivers the management and security they need. This is why we have built Microsoft 365. M365 delivers the modern, secure workspace and integrated cloud services that enable users to achieve more. It has been engineered to enable IT to deliver that rich and empowering work environment that is Loved by User and Trusted by IT.

This is the next evolution of all of the products from Microsoft that you've been using for years (Windows, Office, Active Directory, ConfigMgr), and we've moved them all to the cloud with Microsoft 365. Enterprise customers around the globe are migrating to the cloud (consuming Windows 10 as-a-Service, Office 365, and the EMS services), and this is the natural next evolution of the ConfigMgr architecture.

Just about every enterprise and commercial organization on the planet is starting from an on-premises model today where they are using Active Directory, Group Policy, and ConfigMgr as their management tools. The desire to move to a simpler and more modern model is high, but getting to that new modern model hasn't been easy. An organization can't just snap their fingers and move users/devices from AD/GP/ConfigMgr to AAD/Intune. What you've needed from us is a bridge that makes this move simpler and faster and removes risk. This is an area where we learned a lot by watching organizations move from on-prem Exchange to Exchange Online.

Today, we are excited to announce Co-management, a new set of capabilities and the bridge that will help accelerate the move to modern management from the cloud. With the Fall Creators Update, a Windows 10 device can be joined to on-premises Active Directory (AD) and Azure AD at the same time.

Co-management takes advantage of this improvement and enables the device to be managed by both the ConfigMgr agent and Intune MDM. The move to modern management is no longer a cliff you have to jump off. With co-management you can take your own journey, step by step, to the cloud in a way and at a pace that makes sense for your organization.

We've made it simple to work within the ConfigMgr console to take the devices under management and enroll them for management with Intune. You can then select the first workload you want to move to the cloud (it is literally a slider bar that you move over from ConfigMgr to Intune), and that workload is moved to the cloud.

One of the unique capabilities of Microsoft 365 in this co-managed scenario is that ConfigMgr and Intune are in constant communication. As workloads are moved, we know which is the authoritative source (Intune or ConfigMgr) for every attribute on users and devices, and this prevents conflicting policies from being applied.

This will dramatically accelerate the move to Windows 10 and modern management from the cloud.

* * * * *

Writing this has been an incredible walk down memory lane for me. SMS/ConfigMgr/Intune has had a profound impact on my life, the life of my family, the lives of 1,000s of engineers that have worked on the projects, and the lives of millions of IT Pros who have used and continue to use it today. I love this product and I love this community.

I have also really enjoyed seeing today's documentary about the history of ConfigMgr come together, but it is only Part 1. And Part 2 is much more important. That's because Part 2 is going to be created by you.

If you're at Ignite, stop by the management and security section of the Microsoft booth and tell your story. Simple directions are here.

If you're not at Ignite, taking part is still very easy. Tell your story by uploading your memories and your stories about ConfigMgr here. Here are some basic instructions.

We'll use these submissions to create Part 2, a video we'd like to call:

The People's History of ConfigMgr.

I can't wait to see it.




Maximizing IT’s Impact with Microsoft 365 Powered Devices


The modern workplace has introduced an explosion of cloud services and devices that have dramatically changed the scenarios IT has to manage and support. And, of course, IT has to manage these countless new challenges with the same budget and resources.

Our focus on customer experience and customer usage has made us very aware of these challenges, so we've been working exceptionally hard cross-company to support the work you do in this new world.

This is why I'm so excited about Microsoft 365.

Microsoft 365 is a complete, integrated solution that you can use to intelligently empower your workforce. I love it because of how it delivers creativity and teamwork for your organization, but it combines this with security, simplicity, and an empowering work experience across multiple device platforms and the cloud.

A Microsoft 365 powered device delivers the best way to experience these massive benefits.

What is a Microsoft 365 powered device? It's a device running Windows 10, with Office 365 ProPlus deployed, and managed by Enterprise Mobility + Security (EMS).

Check out this Mechanics video covering how these scenarios come together:

Easy to deploy and manage

Historically, new devices have been shipped to IT, then they are imaged and prepared, and finally they are shipped to users. All of this delays users getting their new devices, and it comes with a variety of unnecessary complexity and costs. A Microsoft 365 powered device fundamentally changes the way new devices are deployed within an enterprise.

With Microsoft 365, a new Windows 10 device can be shipped directly to the end user, and that end user has the incredible experience of taking the new desktop/laptop out of the box (there is something incredibly exciting about this to me) and getting to work immediately. They simply turn on the PC and answer a few simple questions, and then Windows Autopilot (integrated with Azure AD Premium and Intune) automatically configures the new PC as a new Microsoft 365 powered device based on unique corporate IT and user needs. Immediately the end user's e-mail, files, apps, and preferences are automatically deployed and IT's security policy is enforced.

What used to take days to prepare and deploy, now takes minutes.

Proactive Insights

Technology is moving faster than ever, and I don't think I'm going to startle anyone by saying that things will never slow back down. This means that the expectations being heaped upon IT are always going to be increasing. As someone who started his technology career doing tech support, my desire to help you solve this problem comes from a very personal place. I want you to know that Microsoft has committed itself to ensuring IT continues being a hero. I want you to use Microsoft 365 to get the proactive insights you need to continuously improve the end-user experience and enable your workforce to achieve more. Everything we are learning in the cloud is being put back to use for our Microsoft 365 customers so that they can prioritize their efforts and be more productive with confidence!

These proactive insights are what IT can use to focus their efforts towards the areas where they can have the biggest impact. For example, Windows Analytics can point out the applications and drivers that IT should focus on to unblock 10% and then 80% of an organization's devices to be upgraded to Windows 10. As this prioritized list of apps and drivers is addressed and Windows Analytics is confident that the devices can be upgraded to Windows 10, those devices can be automatically targeted with System Center Configuration Manager (ConfigMgr) for upgrades.

Other proactive insights provided by Microsoft 365 powered devices include the most commonly used Office add-ins, a view into the drivers in use and the drivers that are causing Windows devices to crash, etc.

This depth of data and level of insight is unique to Microsoft 365 customers. This is how IT can be more productive, offer its users higher satisfaction, and make their organization more secure.

Always Up-to-Date

A Microsoft 365 powered device is (by definition!) always up-to-date. A reality about today's workforce is that your users come to work with an expectation of the same rich, connected, and empowering experiences they have in their personal lives. One of the major benefits of cloud services is that we are able to continuously deliver new value to users and IT as we continuously update the services. This means the user experience is rich and polished and keeps getting better over time.

Another huge benefit of a continually updated cloud service is the long list of security benefits. Put simply: It is an absolute business imperative that you keep your devices up-to-date; your users will have the best experience and your organization will be more secure.

To see this principle in action, just consider our experience updating more than 1B PCs each month with Windows Update, as well as the 100M+ devices that are updated through ConfigMgr, and then combine that in the cloud with Microsoft 365 to continually deliver you the new capabilities and updates through Microsoft Intune and Windows Update for Business. Wow.

Right now, world-class organizations already deploy new feature updates to their devices within 3-4 days of release and now this kind of technical rigor and scheduling is possible for everyone.

Intelligent, Built-in Security

The level of sophistication behind modern cyber attacks, as well as the meticulous way they are engineered, is scary and getting scarier. The sophistication has reached a point where humans simply cannot keep up alone. Keeping our organizations secure now requires the power of the cloud + the power of unique data + AI in the cloud to assist you in protecting your organization.

This is a place where a Microsoft 365 powered device truly is unique.

Windows 10 is the most secure operating system Microsoft has ever built. Built-in Windows 10 capabilities such as Windows Hello, Credential Guard, BitLocker, Exploit Guard, and Windows Defender enable Windows 10 to protect itself and help organizations move away from passwords. The Microsoft 365 services are all constantly sending back telemetry that works to help protect your organization. Windows Defender ATP sends data that helps us see attacks on a Windows 10 device. Office 365 ATP sends back data on attacks that are being seen across the Office 365 productivity services. Every use of an Office 365 service (or any app managed by Azure AD) sends back data on the identity and how it is being used. Intune is constantly sending back data on the configuration and use of devices and corporate apps. All of this data is brought together in the Microsoft Intelligent Security Graph that can also identify attacks and then work across Microsoft to take action to block and remediate breaches. This continuously helps to protect your organization.

This is the power of the cloud working every second of every day to help protect you; this provides a level of security that is not possible without the cloud.

Transitioning to Microsoft 365 and Modern Management

Microsoft 365 powered devices help organizations provide an improved experience for end-users, take advantage of built-in modern security, simplify management, and lower costs. However, the majority of customers today are in an on-premises model, i.e. using Active Directory, Group Policy, and ConfigMgr as their management tools. We heard from our customers that they would like to have an easier and more manageable way to transition to modern management. Today, we are excited to announce co-management, a new set of capabilities in ConfigMgr and Intune that will help accelerate the move to modern management from the cloud. Co-management delivers a bridge that simplifies and reduces the risks as organizations transition the management of Windows 10 devices to cloud-based Intune.

With the Fall Creators Update, a Windows 10 device can now be joined to on-premises Active Directory (AD) and Azure AD at the same time. Co-management takes advantage of this improvement and enables the device to be managed by both ConfigMgr agent and Intune MDM. This allows organizations to move parts or workloads of their management to the cloud thus making the move to the cloud in manageable chunks. For example, customers can transition device compliance check, resource access profile deployment, or update management from ConfigMgr to Intune while continuing to use ConfigMgr for other workloads such as software distribution and deep device security configuration.

One of the unique capabilities of Microsoft 365 in this co-managed scenario is that ConfigMgr and Intune are in constant communication. As workloads are moved, Microsoft 365 understands who the authoritative source (Intune or ConfigMgr) is for every attribute on users and devices avoiding conflicting policies from being applied.

A Microsoft 365 Powered Device the Best Way to Experience Microsoft 365

Microsoft 365 is an integrated solution that delivers a complete, intelligent way to empower employees and a Microsoft 365 powered device is the best way to experience Microsoft 365. This is truly a revolutionary approach to delivering the modern workspace, and it builds on the foundation of what Microsoft has delivered for years (Windows, Office, Active Directory, and ConfigMgr) in a way that helps organizations move to modern versions delivered from the Cloud. Windows 10, Office 365, and Enterprise Mobility + Security have been deeply integrated to deliver the best experience for users and IT.

ConfigMgr Reaches 25 Years


Twenty-five years ago, in the summer of 1992, planning for a new product began. That point in time has had a tremendous impact on my life and the lives of millions of IT Pros, and it has enabled us all to support 100s of millions of workers around the globe.

Check out this preview of ConfigMgr @ 25:


We are celebrating the 25th anniversary of a vision document outlining a new project named Hermes, and the coding that began a few weeks later with two engineers and an intern using a Gateway 486 with a 500 MB hard drive.

That project became a product, and that product created an industry we now call PC management.

Between then and now, System Center Configuration Manager (ConfigMgr) has had a couple of different names, but it has, nonetheless, grown to be the world's most commonly used solution for managing enterprise PCs. From the time that first line of code was written and checked in 25 years ago, it has grown to more than 8 million lines of code, but, as we have continually re-architected and refreshed ConfigMgr, we have retired many more lines than that.


Three facts consistently amaze me about ConfigMgr and the incredible community of users:

  1. ConfigMgr manages more than 75% of all Enterprise PCs.
  2. Its usage continues to grow.
  3. The number of monthly active users of ConfigMgr continues to grow by over 1M devices every week.

The data is clear: The world is moving to Windows 10 and ConfigMgr is the tool that's used by enterprises to make this move happen.

There has never, ever been more interest in ConfigMgr than there is today!

As I have reflected on the history of ConfigMgr (and as I watched an advance screening of the upcoming ConfigMgr documentary), I kept thinking about how the ConfigMgr user base is among the very strongest technical communities on the planet.

One of the most impressive things to me about this community is how the team has consistently pushed the architecture and capabilities forward and this has enabled ConfigMgr to not only remain relevant, but also establish itself as a critical agent of evolving the infrastructure in just about every Enterprise organization.

As we reach marquee milestones like 25th anniversaries, I wanted to reflect with the community on the history of ConfigMgr, its impact, and, perhaps most importantly, talk about its very bright future.

Now We Want to Tell Your Story

Those millions of IT Pros are the real story and the real heroes of this story. That's why we would love to hear your story. How has SMS/ConfigMgr/Intune impacted your lives or your organizations?

Tell us your story by writing or uploading videos to

As much as I love the documentary previewed above, it is only Part 1 of a very important story that has 2 parts. Part 2 is up to you.

Record your own memories and stories about ConfigMgr and post them at If you’re going to be at Microsoft Ignite, you can also record your stories at our mini-studio next to the Microsoft booth.

We'll use your video submissions (both via the site above, or at our video booth next to the Microsoft booth at Ignite) to create an entirely crowd-sourced video we'll call The People's History of ConfigMgr.

One last note: If you have a spare minute during lunch on Tuesday at Ignite, come film a Lunch Break episode with me!

Many of you have probably seen the Brad Anderson's Lunch Break series we publish on YouTube, and from 11am to 2pm on Tuesday I'll be in a golf cart in front of the conference center and anyone can hop in for a quick lap around the bus loop and you can ask me anything.

We'll have cameras all over the golf cart and we'll post a special Lunch Break @ Ignite! episode the following week.

See you there!

“Lunch Break” @ Microsoft Ignite!


Everyone here in Redmond is wildly busy gearing up for Ignite next week — and I can’t remember a time I’ve been more excited to attend a tech conference.

One of the reasons I’m so excited is that I have three hours set aside to do something that’s been on my to-do list for a very long time.

On Tuesday (Sept. 26), everyone at Ignite is invited to come take a ride with me from 11am to 2pm.

You can ask me absolutely anything, and I’ll post this special episode early the following week.

Can’t wait to see you there!

First look at updates coming to Remote Desktop Services


Remote Desktop Services (RDS) allows you to access a remotely-hosted Windows desktop environment or application from almost any device. We're extending the capabilities of RDS to offer more security, flexibility to run Windows apps on any device, and cloud-readiness with upcoming additions to the RDS platform.

This week, I join Simon May to explain and demonstrate the updates to RDS architecture and services. The RDS team has innovated in three key areas:

  1. Security: RDS-hosted environments can use authentication with Azure Active Directory. See how you get advantages like Conditional Access policies, Multifactor Authentication, integrated authentication with other SaaS apps using Azure AD, and the ability to get security signals from the Intelligent Security Graph. Moreover, by isolating the infrastructure roles (Gateway, Web, Connection Broker and others) from the desktop and app deployment hosts, we add another layer of separation for higher security of your virtualized environments.
  2. Cloud readiness: There are updates coming to the existing RD infrastructure roles (Web, Gateway, Connection Broker, Licensing). See how to take advantage of the elasticity and scale capabilities of Azure. Get a first look at the new Diagnostics role that helps you monitor your deployment effectively.
  3. Windows apps on ANY device: RDS has long had the flexibility to run on cross-platform desktop and mobile operating systems using apps, but we are now building support for HTML5 browser-delivered experiences. Of course, RDS works with Windows, even Windows 10 S, offering even more flexibility for how your apps and desktops are accessed.

To see these new capabilities for yourself, along with new cloud-integrated architectural options explained, check out the show.

-Scott Manchester
Principal Group Program Manager, Remote Desktop Services

EMS and Zimperium integration ensures risk free devices before accessing corporate resources


Today we're excited to announce the general availability of our integration with Zimperium, a leader in the mobile threat defense space. The integration between Zimperium and Microsoft Enterprise Mobility + Security helps organizations defend against both known and unknown mobile threats and ensure that devices are risk-free and secure before users access corporate resources.

Enhancing device-based conditional access with Zimperium

Zimperium Mobile Threat Defense works in real-time to proactively protect the whole device against malware, network-based risks, and OS and app vulnerability risks, helping you remediate these risks before they become a problem.

This new integration makes it easy to apply Zimperium's threat defense technology as an additional input into Intune's device compliance settings. When a threat is detected, Zimperium immediately applies on-device protections and notifies Intune to mark the device as noncompliant and trigger the appropriate conditional access controls, ensuring that corporate data stays protected. Once the threat is mitigated, the device compliance status is updated and access is reinstated.

Making sure that only risk-free, compliant devices have access to your data and resources.

Check it out!

The integration is live and can be turned on in the device compliance blade within the new Intune admin experience on Azure today.

Visit our documentation site for more details on how to deploy and use Zimperium with Intune. And visit the Zimperium site for a deeper dive on how they protect against mobile threats.

Please note, any necessary licenses for Zimperium products must be purchased separately from EMS/Intune licenses.

Fewer login prompts: The new “Keep me signed in” experience for Azure AD is in preview


Howdy folks,

A common request we get from our customers is to reduce the number of times users are prompted to sign into Azure AD. One way to reduce the frequency of prompts is to check the “Keep me signed in” checkbox on the sign-in flow, but our telemetry shows that usage of that checkbox is very low. But we know from talking to customers that cutting down on the number of sign-in prompts is REALLY important. Nobody wants to have to sign in to an app multiple times!

So today I’m happy to share that we’re improving how the “Keep me signed in” option is shown to users. We’re also adding intelligence to ensure users are prompted to remain signed in only when it’s safe to do so.

First, as a quick refresher, here’s what the existing “Keep me signed in” experience is like. As you might guess, most users cruise right past the check box and never think twice.

What’s changing

We’re replacing the “Keep me signed in” checkbox with a prompt that displays after the user successfully signs in. This prompt asks the user if they’d like to remain signed in. If a user responds “Yes” to this prompt, the service gives them a persistent refresh token. This is the same behavior that currently occurs when a user checks the “Keep me signed in” checkbox. For federated tenants, this prompt will show after the user successfully authenticates with the federated identity service.

And for those of you who are security minded, you’ll be happy to know that we’ve built a lot of smarts into this flow, and the “Stay signed in?” option won’t display if our machine learning system detects a high-risk sign-in or a sign-in from a shared device.

Some things to know
  • During the public preview period of the new sign-in experience, the updated “Keep me signed in” prompt will only show when users opt into the new sign-in experience. Users using the old experience will continue to see the checkbox and will not get the prompt.
  • Admins can choose to hide this new prompt for users by using the “Show option to remain signed in” setting in company branding.

    (Note: Existing configurations of this setting will carry forward, so if you previously chose to hide the “Keep me signed in” checkbox in your tenant, we won’t show the new prompt to users in your tenant.)

  • This change won’t affect any token lifetime settings you have configured.

An additional note about security

Because “Keep me signed in” drops a persistent refresh token, some members of the IT community have asked if this might alter the security posture of their organization. We’ve done a significant amount of analysis on this topic and have concluded that increasing refresh token lifetime improves the user experience without reducing security posture. For more on that topic, please see our recent blog post on changes to default refresh token lifetimes.

Let us know what you think!

Look for this new “Keep me signed in” prompt to start rolling out on the new sign-in experience in early October.

Let us know if you have any questions, and head on over to the Azure Active Directory community to share your feedback and suggestions with us; we look forward to hearing from you!

Best regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division

