Category: Office365


Windows SpeculationControl PowerShell

Microsoft Guidance to protect against speculative execution side-channel vulnerabilities on Windows, Windows Server and Azure (Meltdown & Spectre)

Microsoft responded very quickly to the speculative execution side-channel vulnerabilities, also called Meltdown and Spectre, which affect many modern processors and operating systems, including chipsets from Intel, AMD, and ARM. Microsoft released guidance on how you should protect your devices against these vulnerabilities. The Microsoft Security Defense Team also published an article with guidance and more details on this: ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities

In this blog post I tried to quickly summarize the information and link it to the right websites.

Summary

Microsoft is aware of detailed information that has been published about a new class of vulnerabilities referred to as speculative execution side-channel attacks. This industry-wide attack method takes advantage of out-of-order execution on many modern microprocessors and is not restricted to a single chip, hardware manufacturer, or software vendor. To be fully protected, updates are required at many layers of the computing stack and include software and hardware/firmware updates. Microsoft has collaborated closely with industry partners to develop and test mitigations to help provide protections for our customers. At the time of publication, Microsoft had not received any information to indicate that these vulnerabilities have been used to attack our customers.

Note: This issue also affects other operating systems, such as Android, Chrome, iOS, and macOS.

Warning

Microsoft addressed the speculative execution side-channel vulnerabilities in the latest Windows updates. However, customers who only install the Windows January 2018 security updates will not receive the benefit of all known protections against the vulnerabilities. In addition to installing the January security updates, a processor microcode, or firmware, update is required. This should be available through your device manufacturer. Surface customers will receive a microcode update via Windows Update.

Guidance for Windows Client

Customers should take the following actions to help protect against the vulnerabilities:

  1. Verify that you are running a supported antivirus application before you install OS or firmware updates. Contact the antivirus software vendor for compatibility information.
  2. Apply all available Windows operating system updates, including the January 2018 Windows security updates.
  3. Apply the applicable firmware update that is provided by the device manufacturer.

Windows-based machines (physical or virtual) should install the Microsoft security updates that were released on January 3, 2018. See Microsoft Security Advisory ADV180002 for updates for the following versions of Windows.

Read full guidance for Windows Client here: Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities

Guidance for Windows Server

Customers should take the following actions to help protect against the vulnerabilities:

  1. Apply the Windows operating system update. For details on how to enable this update, see Microsoft Knowledge Base Article 4072699.
  2. Make necessary configuration changes to enable protection.
  3. Apply an applicable firmware update from the OEM device manufacturer.

Windows Server-based machines (physical or virtual) should get the Windows security updates that were released on January 3, 2018, and are available from Windows Update.

  • Windows Server, version 1709 (Server Core Installation) KB4056892
  • Windows Server 2016 KB4056890
  • Windows Server 2012 R2 KB4056898
  • Windows Server 2012 Not available yet
  • Windows Server 2008 R2 KB4056897

Your server is at increased risk if it is in one of the following categories:

  • Hyper-V hosts
  • Remote Desktop Services Hosts (RDSH)
  • Physical hosts or virtual machines that are running untrusted code, such as containers or untrusted extensions for databases, untrusted web content, or workloads that run code that is provided from external sources.

Therefore, Microsoft published some additional registry keys to enable mitigations on servers. Microsoft also added some extra registry keys for those running older versions of Hyper-V.

Read the full guidance for Windows Server and the registry keys here: Windows Server guidance to protect against speculative execution side-channel vulnerabilities

Guidance for Virtual Machines running on Hyper-V

In addition to this guidance, the following steps are required to ensure that your virtual machines are protected from CVE-2017-5715 (branch target injection):

  1. Ensure guest virtual machines have access to the updated firmware. By default, virtual machines with a VM version below 8.0 will not have access to updated firmware capabilities required to mitigate CVE-2017-5715. Because VM version 8.0 is only available starting with Windows Server 2016, users of Windows Server 2012 R2 or earlier must modify a specific registry value on all machines in their cluster.
  2. Perform a cold boot of guest virtual machines. Virtual machines will not see the updated firmware capabilities until they go through a cold boot. This means the running VMs must completely power off before starting again. Rebooting from inside the guest operating system is not sufficient.
  3. Update the guest operating system as required. See guidance for Windows Server.

Read the full guidance for Guest Virtual Machines here: Protecting guest virtual machines from CVE-2017-5715 (branch target injection)

Guidance for Surface Devices

Microsoft will provide UEFI updates for the following devices:

  • Surface Pro 3
  • Surface Pro 4
  • Surface Book
  • Surface Studio
  • Surface Pro Model 1796
  • Surface Laptop
  • Surface Pro with LTE Advanced
  • Surface Book 2

The updates will be available for the above devices running Windows 10 Creators Update (OS version 15063) and Windows 10 Fall Creators Update (OS version 16299). You will be able to receive these updates through Windows Update or by visiting the Microsoft Download Center.

Read full guidance for Surface Devices here: Surface Guidance for Customers and Partners: Protect your devices against the recent chip-related security vulnerability

Guidance for Azure

Microsoft has already deployed mitigations across the majority of our cloud services and is accelerating efforts to complete the remainder.

However, I always recommend that you also patch your operating systems and applications to be protected against other vulnerabilities.

Impact to Enterprise Cloud Services

Microsoft is not aware of any attacks on the Microsoft Cloud customers which leverage these types of vulnerabilities. Microsoft employs a variety of detection capabilities to quickly respond to any malicious activity in our enterprise cloud services.

Most of the Azure infrastructure has already received mitigations against this class of vulnerability. An accelerated reboot is occurring for any remaining hosts. Customers can check the Azure Portal for additional details.

All other enterprise cloud services such as Office 365, Dynamics 365, and Enterprise Mobility + Security have mitigations against these types of vulnerabilities. Microsoft engineering is continuing to perform analysis across the environments to confirm further protection.

Read full guidance for Microsoft Azure here: Microsoft Cloud Protections Against Speculative Execution Side-Channel Vulnerabilities

Guidance for Azure Stack

Azure Stack customers should take the following actions to help protect the Azure Stack infrastructure against the vulnerabilities:

  1. Apply Azure Stack 1712 update. See the Azure Stack 1712 update release notes for instructions about how to apply this update to your Azure Stack integrated system.
  2. Install firmware updates from your Azure Stack OEM vendor after the Azure Stack 1712 update installation is completed. Refer to your OEM vendor website to download and apply the updates.
  3. Some variations of these vulnerabilities apply also to the virtual machines (VMs) that are running in the tenant space. Customers should continue to apply security best practices for their VM images, and apply all available operating system updates to the VM images that are running on Azure Stack. Contact the vendor of your operating systems for updates and instructions, as necessary. For Windows VM customers, guidance has now been published and is available in this Security Update Guide.

Read full guidance for Microsoft Azure Stack here: Azure Stack guidance to protect against the speculative execution side-channel vulnerabilities

Guidance for SQL Server

The following versions of Microsoft SQL Server are impacted by this issue when running on x86 and x64 processor systems:

  • SQL Server 2008
  • SQL Server 2008 R2
  • SQL Server 2012
  • SQL Server 2014
  • SQL Server 2016
  • SQL Server 2017

IA64-based versions of SQL Server 2008 are not believed to be affected.

Microsoft made a list of different SQL Server scenarios depending on the environment that SQL Server is running in and what functionality is being used. Microsoft recommends that you deploy fixes by using normal procedures to validate new binaries before deploying them to production environments.

You can find the list of scenarios and recommendations here: SQL Server guidance to protect against speculative execution side-channel vulnerabilities

There is also a list of updates for SQL Server available:

 

  • 4057122 Description of the security update for SQL Server 2017 GDR: January 3, 2018
  • 4058562 Description of the security update for SQL Server 2017 CU3 RTM: January 3, 2018
  • 4058561 Description of the security update for SQL Server 2016 CU7 SP1: January 3, 2018
  • 4057118 Description of the security update for SQL Server 2016 GDR SP1: January 3, 2018
  • 4058559 Description of the security update for SQL Server 2016 CU: January 6, 2018
  • 4058560 Description of the security update for SQL Server 2016 GDR: January 6, 2018
  • 4057114 Description of the security update for SQL Server 2008 SP4 GDR: January 6, 2018
  • 4057113 Description of the security update for SQL Server 2008 SP3 R2 GDR: January 6, 2018

Read the full guidance for SQL Server here: SQL Server guidance to protect against speculative execution side-channel vulnerabilities

Verifying protections against speculative execution side-channel vulnerabilities

The Microsoft Security Response Center released a PowerShell module on the PowerShell Gallery called SpeculationControl, which verifies whether your system is protected.

You can find more here: Use PowerShell to verify protections against speculative execution side-channel vulnerabilities CVE-2017-5754 (Meltdown) and CVE-2017-5715 (Spectre)
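The following is an added example, not code from the original post or from Microsoft: it maps the properties returned by the module's `Get-SpeculationControlSettings` cmdlet to the remediation layers described above (OS update, firmware update, configuration change). `Test-SpeculationMitigation` is a hypothetical helper name, and the sample object is constructed so the script also runs on a machine without the module.

```powershell
# Added example. Test-SpeculationMitigation is a hypothetical helper, not part
# of the SpeculationControl module. To get live data, install the module first:
#   Install-Module SpeculationControl
function Test-SpeculationMitigation {
    param(
        [Parameter(Mandatory)]
        [psobject]$Settings
    )

    $findings = New-Object 'System.Collections.Generic.List[string]'

    # CVE-2017-5715 (branch target injection) needs OS support AND firmware.
    if (-not $Settings.BTIWindowsSupportPresent) {
        $findings.Add('CVE-2017-5715: OS update missing (apply the Windows security updates)')
    }
    if (-not $Settings.BTIHardwarePresent) {
        # Inside a Hyper-V guest this can also mean the VM has not been
        # cold booted since the host received updated firmware.
        $findings.Add('CVE-2017-5715: no hardware support visible (apply OEM firmware; cold boot guests)')
    }
    if ($Settings.BTIWindowsSupportPresent -and $Settings.BTIHardwarePresent -and
        -not $Settings.BTIWindowsSupportEnabled) {
        if ($Settings.BTIDisabledBySystemPolicy) {
            $findings.Add('CVE-2017-5715: mitigation disabled by system policy (configuration change needed)')
        } else {
            $findings.Add('CVE-2017-5715: mitigation present but not enabled (check server configuration)')
        }
    }

    # CVE-2017-5754 (Meltdown) only applies when the CPU requires KVA shadowing.
    if ($Settings.KVAShadowRequired) {
        if (-not $Settings.KVAShadowWindowsSupportPresent) {
            $findings.Add('CVE-2017-5754: OS update missing (apply the Windows security updates)')
        } elseif (-not $Settings.KVAShadowWindowsSupportEnabled) {
            $findings.Add('CVE-2017-5754: mitigation present but not enabled (configuration change needed)')
        }
    }

    [pscustomobject]@{
        Protected = ($findings.Count -eq 0)
        Findings  = $findings.ToArray()
    }
}

# Constructed sample: a server with the OS update installed, no firmware
# update yet, and the mitigations not enabled in configuration.
$sample = [pscustomobject]@{
    BTIHardwarePresent             = $false
    BTIWindowsSupportPresent       = $true
    BTIWindowsSupportEnabled       = $false
    BTIDisabledBySystemPolicy      = $false
    BTIDisabledByNoHardwareSupport = $true
    KVAShadowRequired              = $true
    KVAShadowWindowsSupportPresent = $true
    KVAShadowWindowsSupportEnabled = $false
    KVAShadowPcidEnabled           = $false
}

# Use live data when the module is installed, otherwise the constructed sample.
if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
    $settings = Get-SpeculationControlSettings
} else {
    $settings = $sample
}

Test-SpeculationMitigation -Settings $settings | Format-List
```

A result with `Protected` set to `False` lists, per CVE, which of the layers from the guidance is still missing on that machine.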

 

More information on how to mitigate speculative execution side-channel vulnerabilities can be found here: ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities



Experts Live and Thomas Maurer

Win an Experts Live Europe 2017 Conference Pass

UPDATE: Thanks for all the people who joined the raffle, the raffle is closed now and the lucky winner will have a mail in the inbox

As mentioned, I am proud to speak at this year’s Experts Live Europe 2017 in Berlin, Germany. Today is your lucky day. If you want to join me at this amazing conference and you do not yet have a Conference Pass, you have the chance to win one today. The full 3-day conference pass is worth €761.60 and gives you access to all sessions, the expo hall, the attendee networking party and the closing party.

About Experts Live Europe 2017

ExpertsLive Europe

The Experts Live Europe 2017 conference takes place August 23-25 in the Berlin Congress Center

Experts Live Europe is one of Europe’s largest community conferences with a focus on Microsoft cloud, datacenter and workplace management. Top experts from around the world present discussion panels, ask-the-experts sessions and breakout sessions and cover the latest products, technologies and solutions. It’s the time of the year to learn, network, share and make valuable connections.

  • 3 conference days
  • 100 sessions
  • 6 parallel tracks
  • Private side meetings
  • Top experts from around the world
  • More than 20 MVPs on site
  • Exhibition area with 3rd party vendors
  • Networking party
  • Ask the experts area
  • Quality food & beverages
  • Conference closing party
  • Well-connected city in Europe
  • Modern location with easy-to-reach rooms

How to win a free Conference Pass

If this is reason enough for you to join, you can win a conference pass here by doing the following steps:

  1. Share this post on Twitter or/and Facebook or/and Linkedin using the hashtag #ExpertsLive
  2. Leave a comment on this post with a great reason why you want to attend until August 9 23.59 (UTC +1).

Among all comments I will raffle off one regular conference pass. The winner will be contacted by email.

 

Good Luck! And for those who didn’t win, you still have the chance to buy a ticket!

  • Only included is the regular conference pass (travel cost and hotel is not included)
  • No refund of existing tickets
  • The ticket cannot be paid out
  • The ticket is not for resale
  • and the usual 😉

 



Microsoft Certified Trainer MCT

MCT Microsoft Certified Trainer

I am proud to announce that I am now a Microsoft Certified Trainer. I got the official certification a couple of months ago, but I didn’t have time to share it yet. A Microsoft Certified Trainer (MCT) is a professional trainer who has been certified by Microsoft as an expert in terms of professional knowledge and with the ability to properly impart this knowledge to others. MCTs are considered the premier instructional and technical experts in all Microsoft technologies and they have the sole authority to deliver training for other Microsoft Certifications. It is great to finally be part of this community and I am looking forward to meeting other MCTs.

 



Veeam Backup for Microsoft Office 365

Veeam Backup for Microsoft Office 365

Some weeks ago Veeam announced Veeam Backup for Microsoft Office 365, and now you can finally download the Beta of it. To be honest with you, the installation is brutally boring and simple, so I will only show you how you can quickly create a new backup job.

First create a new job

Veeam Backup for Microsoft Office 365 New Backup Job

Select which mailboxes you want to back up

Veeam Backup for Microsoft Office 365 New Backup Job Select Mailboxes

Configure the schedule and retention, and you are ready to go

Veeam Backup for Microsoft Office 365 New Backup Job Schedule

And guess what: with the Veeam Explorer for Microsoft Exchange, you can also restore mails from your Office 365 mailboxes.

Veeam Explorer for Microsoft Exchange

Check out the Veeam Backup for Microsoft Office 365 here.



Microsoft MVP 2014

Microsoft MVP 2016 Cloud and Datacenter Management

I am proud to announce that I just received my 5th Microsoft MVP Award for my focus in Cloud & Datacenter Management.

Microsoft MVP Award 2016

Congratulations! We are pleased to present you with the 2016 Microsoft® MVP Award! This award is given to exceptional technical community leaders who actively share their high quality, real world expertise with others. We appreciate your outstanding contributions in Cloud and Datacenter Management technical communities during the past year. Also in this email:

  • About your MVP Award Gift
  • How to claim your award benefits
  • Your MVP Identification Number
  • MVP Award Program Code of Conduct

The Microsoft MVP Award provides us the unique opportunity to celebrate and honor your significant contributions and say “Thank you for your technical leadership.”

 

Patrick Malone
Director
Community & Advocacy Programs
Microsoft

 

This is the 5th Microsoft MVP award in a row since 2012, 2013, 2014 and 2015. The Microsoft MVP award and the included opportunities add a huge benefit like the Microsoft MVP summit where you have the chance to talk to the Microsoft Product Groups, learn and place feedback. But of course the Microsoft MVP award also adds some other great advantages. In the past years I had the chance to travel all over the world and speak in different countries and events, and I met a lot of great people, which also became great friends.

Of course there are a lot of people I have to thank, but I want to keep the list as short as possible. I would like to thank my employer itnetX which is supporting me in the best possible way year over year, my current and former colleagues, the Microsoft MVP community and of course Microsoft employees in Redmond and all over the world.

Get more information about the Microsoft MVP award: Microsoft MVP Award Website

 



FindTime for Outlook – Doodle for Business

Scheduling meetings can be a real pain: you have to make calls, ask people and check calendars, which can take a huge amount of time. Luckily there are solutions like Doodle to schedule meetings, and a lot of us are using Doodle in our personal lives, which is great, but it could be a lot better, especially if you are using it for business meetings. Microsoft released an Outlook solution for this a couple of months ago called FindTime for Outlook. But since not a lot of people seem to know about FindTime, I decided to write a quick blog post about it.

FindTime is an Office plug-in for Outlook which allows you to schedule and plan meetings. To use FindTime, just do the following steps:

  1. Install FindTime
  2. Restart Outlook and the plug-in will automatically appear (by the way, it works with Outlook 2013, Outlook 2016, Outlook for Mac and Outlook on the Web)
  3. Compose a new email or reply to an existing email
  4. Click “New Meeting Poll” in the Message tab of the email. This will open a new poll and will automatically check if people in your organization are available or not, depending on their calendar. External people will just show up in grey.
    FindTime New Meeting Availability
  5. You also have different options from Online Meetings (using Skype for Business) or meetings in different locations. People will then get the link to vote for the meeting date. You also have different options like Notifications when someone votes, Auto scheduling of the meeting if everyone required has voted and more.
    FindTime Send Invite
  6. People can now vote on the FindTime website. People can also use preferred dates and can see how others have voted. You can schedule the meeting manually or you can set the option to auto schedule, which will automatically send the invites after everyone required for the meeting has voted.
    FindTime Meeting Voting

For me, FindTime for Outlook is a huge time saver if you have to schedule meetings and appointments with other attendees. So make sure you have a look at it; the only thing your organization needs is an Office 365 subscription.



Surface Hub Skype Meeting

My Microsoft Surface Hub Review

Last week we finally got our Microsoft Surface Hub for our itnetX office in Bern and I had the chance to do some testing. The Surface Hub is an interactive whiteboard developed by Microsoft, ideally for business meetings. Before I get started, let me show you the specs for the Surface Hub devices. Microsoft offers two models right now, an 84-inch model and a 55-inch model.

Microsoft Surface Hub

The Surface Hub 84” model is ideal for medium and large conference rooms and it allows three people to comfortably interact with the screen simultaneously. The 84” version also has a 4K resolution, an Intel i7 processor, 128GB SSD, 8GB of RAM and an NVIDIA Quadro K2200 graphics card. The Surface Hub 55” model is perfect for smaller conference rooms and in work environments where you’ll move your Surface Hub into different spaces. The 55” model comes with a Full HD resolution, an Intel i5 processor, 128GB SSD, 8GB of RAM and integrated Intel graphics.

Surface Hub Keyboard Surface Hub Pen

Both models feature a 100-point multi-touch display, 2 passive Infrared Presence Sensors, Ambient Light Sensors, 2 front-facing stereo speakers, 2 wide angle HD cameras, active pen support, Windows 10 and a wireless keyboard. To see the full specs of both devices check out the Microsoft Surface Hub website.

My first impression of the Surface Hub

Surface Hub Welcome Screen

My first impression was that the Surface Hub looks great, is perfect for every meeting room and is very easy to use. The quality of the device is, as usual for Microsoft Surface devices, really great, and it feels like a high-quality premium device. When you come into the conference room, you first see the big screen showing the time, the next scheduled meetings and the most important apps, like the whiteboard and wireless screen sharing.

Different Meeting Options

Surface Hub Startscreen

The Microsoft Surface Hub offers different meeting options. You can use it for in person meetings in the meeting room as a beamer replacement or wireless display for your notebook, as a whiteboard or use other apps like Office (Word, Excel, PowerPoint), Maps app or many more to come. The other thing the Surface Hub does very well is video conferencing using Skype for Business using the same apps and features.

The Surface Hub works perfectly with different deployment types

Perfect for in-person meetings

Surface Hub Whiteboard

If you are using the meeting room for a meeting with persons in the room, the multi-touch screen and the apps are great. I really like the whiteboard app, which allows you to draw diagrams and other stuff. A nice feature is that when you take one of the pens out of the holder, it automatically opens up the whiteboard app and you can immediately start drawing. You can also use the screen as a display for your notebook as a beamer replacement.

Surface Hub Screen Sharing

You can use the screen as a wireless display using Windows 10, Windows 8 or Windows 10 Mobile, and of course the display also features cable input for DisplayPort, HDMI or VGA. If you use the wireless display connection in Windows 10, you can also allow input from the Surface Hub screen back to your Windows 10 computer. For example, if you project your screen to the Surface Hub to show a PowerPoint slide deck, you can stand up and touch the screen for the next slide or draw on the slide itself. By the way, connecting wirelessly is very fast. I used several different devices to connect with my Windows 10 devices using Miracast, like the Xbox One or the Microsoft Wireless Adapter, but none of the devices connected as fast as the Surface Hub.

 

And of course this also works with other devices supporting Miracast like Windows 10 Mobile (especially cool with the Windows Continuum feature) and for example Android smartphones.

Skype for Business Video Conferencing

Surface Hub Skype for Business

The other great scenario is using the Microsoft Surface Hub for conference calls. You can join a Skype for Business meeting by adding the Surface Hub device as a resource; it will automatically show the Skype for Business meeting and you can join it. You can also just invite other people by sending Skype for Business invites or by using phone numbers to call them. You can also add the Surface Hub to an existing Skype for Business meeting or call your Surface Hub using a phone number. The two wide angle Full HD video cameras are great and show the whole meeting room. If there is a single attendee in the room, the camera also focuses on him and follows him instead of showing the whole room.

Surface Hub Wireless Display 1

The great thing here is that you can again use the same features and apps, like the whiteboard and screen sharing. For example, one scenario can be that several people are sitting in the meeting room and one of them shares the screen to the Surface Hub, while the Surface Hub is joined to a Skype for Business meeting with some remote attendees. The screen of the Surface Hub, showing the screen of the notebook of the attendee in the meeting room, is also shared with the Skype for Business remote attendees. Or you can see the screen sharing or presentation of remote attendees.

Surface Hub Call Skype User

The most important thing here is that it is very easy and simple to use and it just works as expected. It looks like we are now getting more Surface Hubs for all the different office locations, so we can do meetings between the offices in Bern and Zürich.

Cleaning up a meeting

Surface Hub Cleanup

Setting up or joining a meeting is really simple, and basically everything is possible. But what happens after the meeting is finished? You can very simply clean up your workspace; everything is gone, and no one can access your data.

Apps for the Surface Hub

Surface Hub Apps

As mentioned, the Surface Hub comes with different apps like the whiteboard, which also lets you do drawings, and Office, which lets you use Office documents like Word, Excel or PowerPoint. You also have the Maps app and the Microsoft Edge browser available. The apps for the Surface Hub seem to be limited right now, but my guess is that Microsoft will soon enable the Windows Store to let you download and install apps on the Surface Hub. Microsoft has some examples of apps on their Surface Hub website.

You can open Office documents from SharePoint, OneDrive, OneDrive for Business or SharePoint Online using Office 365 or connected USB devices directly from the Surface Hub, or you can share them from your notebook using screen sharing.

Overall Impression

The Surface Hub is an amazing device and we are very happy with it. The device is great, is easy and simple to use, and adds a lot of value to your meetings. Once you have done a meeting using the Surface Hub, you really want to have one for yourself. If you have more questions about the Surface Hub and its features and functionality, just leave a comment.