Category: Surface



Enable Windows Defender Application Guard on Windows 10 using PowerShell

A couple of days back I saw a tweet from Stefan Stranger (Consultant at Microsoft) which reminded me of a feature called Windows Defender Application Guard, which has been included in Windows 10 Enterprise since the Fall Creators Update (1709). If you have never heard of Application Guard, you might want to check out this blog post: Introducing Windows Defender Application Guard for Microsoft Edge

Basically, Windows Defender Application Guard starts Microsoft Edge inside a Hyper-V container, a lightweight virtual machine with its own Windows kernel, so the browser is isolated from the host by the hypervisor rather than by a process sandbox. If a user browses to a malicious site, the site runs in that container, separate from the host operating system, and by default the container is discarded when the Application Guard session is closed.

Application Guard Hardware Isolation

What is Windows Defender Application Guard and how does it work?
Designed for Windows 10 and Microsoft Edge, Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet. As an enterprise administrator, you define what is among trusted web sites, cloud resources, and internal networks. Everything not on your list is considered untrusted.

If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated Hyper-V-enabled container, which is separate from the host operating system. This container isolation means that if the untrusted site turns out to be malicious, the host PC is protected, and the attacker can’t get to your enterprise data. For example, this approach makes the isolated container anonymous, so an attacker can’t get to your employee’s enterprise credentials.

Source: Windows Defender Application Guard overview

Usually Windows Defender Application Guard is configured using an enterprise device management tool such as System Center Configuration Manager, Microsoft Intune or a third-party tool. If you want to use it on a standalone Windows 10 PC, you can also enable it with PowerShell.

The requirements are:

  • Windows 10 Enterprise 1709 (Fall Creators Update) or higher
  • A computer which supports Hyper-V
    • A 64-bit computer with a minimum of 4 cores is required for the hypervisor and virtualization-based security (VBS)
    • Extended page tables, also called Second Level Address Translation (SLAT)
    • One of the following virtualization extensions for VBS:
      • Intel VT-x
      • AMD-V
    • Microsoft recommends 8 GB RAM for optimal performance
    • 5 GB free space, solid state disk (SSD) recommended
    • Input/Output Memory Management Unit (IOMMU) support is strongly recommended
  • Microsoft Edge and Internet Explorer

Enable Windows Defender Application Guard using PowerShell

You can install Application Guard with a single PowerShell command, run from an elevated session, which turns on the Windows-Defender-ApplicationGuard optional feature:

New Application Guard window in Microsoft Edge

This requires a reboot; afterwards you can open a new Microsoft Edge window in Application Guard from the Edge menu.
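As an added example (my script, not code from the original post), here is the whole procedure in one place: a prerequisite check against the requirement list above, the feature enablement, and a verification step for after the reboot. It assumes an elevated PowerShell session on Windows 10 1709 or later; the function names are mine.

```powershell
# Added example, not code from the original post. Checks the Application Guard
# prerequisites, enables the feature and verifies it. Run from an elevated
# (Administrator) PowerShell session on Windows 10 1709 or later.

function Test-ApplicationGuardPrerequisites {
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $cpu  = Get-CimInstance -ClassName Win32_Processor
    $info = Get-ComputerInfo

    # When a hypervisor is already running (for example because VBS or Credential
    # Guard is on), Get-ComputerInfo leaves the HyperVRequirement* fields empty,
    # so a present hypervisor counts as "requirements satisfied".
    $hvReady = $info.HyperVisorPresent -or (
        $info.HyperVRequirementSecondLevelAddressTranslation -and
        $info.HyperVRequirementVirtualizationFirmwareEnabled -and
        $info.HyperVRequirementVMMonitorModeExtensions)

    [pscustomobject]@{
        Edition      = $os.Caption
        IsEnterprise = $os.Caption -like '*Enterprise*'     # 1709 needs the Enterprise edition
        BuildOk      = [int]$os.BuildNumber -ge 16299       # 16299 = 1709 (Fall Creators Update)
        Is64Bit      = $os.OSArchitecture -like '64*'
        CoresOk      = ($cpu | Measure-Object -Property NumberOfCores -Sum).Sum -ge 4
        MemoryGB     = [math]::Round($os.TotalVisibleMemorySize / 1MB, 1)   # value is in KB
        HyperVReady  = [bool]$hvReady
    }
}

function Enable-ApplicationGuard {
    # Windows-Defender-ApplicationGuard is the optional feature behind the
    # "Turn Windows features on or off" checkbox. -NoRestart lets you choose when to reboot.
    $result = Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -NoRestart
    if ($result.RestartNeeded) {
        Write-Warning 'Application Guard is staged; reboot to finish the installation.'
    }
    $result
}

function Get-ApplicationGuardStatus {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard
    # vmwp.exe is the Hyper-V Virtual Machine Worker Process; an instance appears while
    # an Application Guard window is open (ordinary Hyper-V VMs also have one each).
    $workers = @(Get-Process -Name vmwp -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        FeatureState      = $feature.State   # 'Enabled' after the reboot
        VmWorkerProcesses = $workers.Count
    }
}

Test-ApplicationGuardPrerequisites
Enable-ApplicationGuard
# After the reboot, open Edge > menu > "New Application Guard window", then:
Get-ApplicationGuardStatus
```

Enabled this way, without an enterprise network isolation policy, Application Guard runs in standalone mode: the user decides when to open an isolated window, and the hypervisor boundary between the container and the host is what protects the host.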

Microsoft Edge Windows Defender Application Guard

This adds an extra isolation boundary between the browser and the host. Note, however, that it is not a mitigation for the Meltdown and Spectre speculative execution side-channel attacks, which target the CPU itself and require separate operating system, microcode and firmware updates.

Application Guard Virtual Machine Worker Process

If you look at the processes running on your computer, you will now see a new Virtual Machine Worker Process (vmwp.exe) while an Application Guard window is open; that is the Hyper-V process backing the container.

This is a great example of how Hyper-V isolation is used not only for Hyper-V virtual machines but also for other features such as Hyper-V containers, or even on the Xbox One.




Microsoft Guidance to protect against speculative execution side-channel vulnerabilities on Windows, Windows Server and Azure (Meltdown & Spectre)

Microsoft responded very quickly to the speculative execution side-channel vulnerabilities, also called Meltdown and Spectre, which affect many modern processors and operating systems, including chips from Intel, AMD and ARM. Microsoft released guidance on how to protect your devices against these vulnerabilities, and the Microsoft Security Response Center published an advisory with guidance and more details: ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities

In this blog post I tried to quickly summarize the information and link it to the right websites.

Summary

Microsoft is aware of detailed information that has been published about a new class of vulnerabilities referred to as speculative execution side-channel attacks. This industry-wide attack method takes advantage of out-of-order execution on many modern microprocessors and is not restricted to a single chip, hardware manufacturer, or software vendor. To be fully protected, updates are required at many layers of the computing stack and include software and hardware/firmware updates. Microsoft has collaborated closely with industry partners to develop and test mitigations to help provide protections for our customers. At the time of publication, Microsoft had not received any information to indicate that these vulnerabilities have been used to attack our customers.

Note This issue also affects other operating systems, such as Android, Chrome, iOS, and MacOS.

Warning

Microsoft added protections against speculative execution side-channel vulnerabilities in the latest Windows updates. However, customers who only install the Windows January 2018 security updates will not receive the benefit of all known protections against the vulnerabilities. In addition to installing the January security updates, a processor microcode (firmware) update is required; it should be available from your device manufacturer. Surface customers will receive the microcode update via Windows Update.

Guidance for Windows Client

Customers should take the following actions to help protect against the vulnerabilities:

  1. Verify that you are running a supported antivirus application before you install OS or firmware updates. Contact the antivirus software vendor for compatibility information.
  2. Apply all available Windows operating system updates, including the January 2018 Windows security updates.
  3. Apply the applicable firmware update that is provided by the device manufacturer.

Windows-based machines (physical or virtual) should install the Microsoft security updates that were released on January 3, 2018. See Microsoft Security Advisory ADV180002 for the list of updates per Windows version.

Read full guidance for Windows Client here: Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities

Guidance for Windows Server

Customers should take the following actions to help protect against the vulnerabilities:

  1. Apply the Windows operating system update. For details on how to enable this update, see Microsoft Knowledge Base Article 4072699.
  2. Make necessary configuration changes to enable protection.
  3. Apply an applicable firmware update from the OEM device manufacturer.

Windows Server-based machines (physical or virtual) should get the Windows security updates that were released on January 3, 2018, which are available from Windows Update:

  • Windows Server, version 1709 (Server Core Installation) KB4056892
  • Windows Server 2016 KB4056890
  • Windows Server 2012 R2 KB4056898
  • Windows Server 2012 Not available yet
  • Windows Server 2008 R2 KB4056897

Your server is at increased risk if it is in one of the following categories:

  • Hyper-V hosts
  • Remote Desktop Services Hosts (RDSH)
  • For physical hosts or virtual machines that are running untrusted code such as containers or untrusted extensions for database, untrusted web content or workloads that run code that is provided from external sources.

Unlike on Windows 10 clients, the mitigations are not switched on by default on Windows Server after you install the update: Microsoft documented registry values (FeatureSettingsOverride and FeatureSettingsOverrideMask under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management) that enable them, so administrators can evaluate the performance impact first. Microsoft also added an extra registry key for Hyper-V hosts running older versions, so that their virtual machines can see the updated CPU capabilities.

Read the full guidance for Windows Server and the registry keys here: Windows Server guidance to protect against speculative execution side-channel vulnerabilities

Guidance for Virtual Machines running on Hyper-V

In addition to this guidance, the following steps are required to ensure that your virtual machines are protected from CVE-2017-5715 (branch target injection):

  1. Ensure guest virtual machines have access to the updated firmware. By default, virtual machines with a VM version below 8.0 will not have access to updated firmware capabilities required to mitigate CVE-2017-5715. Because VM version 8.0 is only available starting with Windows Server 2016, users of Windows Server 2012 R2 or earlier must modify a specific registry value on all machines in their cluster.
  2. Perform a cold boot of guest virtual machines. Virtual machines will not see the updated firmware capabilities until they go through a cold boot. This means the running VMs must completely power off before starting again. Rebooting from inside the guest operating system is not sufficient.
  3. Update the guest operating system as required. See guidance for Windows Server.

Read the full guidance for Guest Virtual Machines here: Protecting guest virtual machines from CVE-2017-5715 (branch target injection)
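As an added example covering both the Windows Server registry keys from the previous section and the Hyper-V host steps above (my script, not Microsoft's code and not from the original post): the values are the ones documented in KB4072698, the function names are mine, and the VM names at the end are placeholders.

```powershell
# Added example (not Microsoft's code and not from the original post). Registry
# values are the ones documented in KB4072698; VM names below are placeholders.
# Run in an elevated PowerShell session on the server / Hyper-V host. The host
# needs a reboot after setting the keys; VMs need a cold boot (Stop-VM + Start-VM).

$memMgmt = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$virtKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

function Enable-SpeculativeExecutionMitigations {
    # FeatureSettingsOverride = 0 with FeatureSettingsOverrideMask = 3 turns on both
    # the CVE-2017-5715 (branch target injection) and CVE-2017-5754 (kernel VA shadow)
    # mitigations, which the January update leaves off by default on Windows Server.
    New-ItemProperty -Path $memMgmt -Name FeatureSettingsOverride -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $memMgmt -Name FeatureSettingsOverrideMask -PropertyType DWord -Value 3 -Force | Out-Null
}

function Enable-HyperVGuestMitigationSupport {
    # Lets VMs with a configuration version below 8.0 see the updated CPU (microcode)
    # capabilities. Needed on Windows Server 2012 R2 and earlier hosts, on every node
    # of a cluster. On 2016 hosts you can instead upgrade the VM with Update-VMVersion.
    if (-not (Test-Path $virtKey)) { New-Item -Path $virtKey -Force | Out-Null }
    New-ItemProperty -Path $virtKey -Name MinVmVersionForCpuBasedMitigations -PropertyType String -Value '1.0' -Force | Out-Null
}

function Get-MitigationRegistryState {
    # Read the values back so the state can be audited across hosts (e.g. via Invoke-Command)
    $mm = Get-ItemProperty -Path $memMgmt -ErrorAction SilentlyContinue
    $vt = Get-ItemProperty -Path $virtKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName                       = $env:COMPUTERNAME
        FeatureSettingsOverride            = $mm.FeatureSettingsOverride
        FeatureSettingsOverrideMask        = $mm.FeatureSettingsOverrideMask
        MinVmVersionForCpuBasedMitigations = $vt.MinVmVersionForCpuBasedMitigations
    }
}

function Get-VMNeedingColdBoot {
    # VMs below configuration version 8.0 depend on the registry key above; every VM
    # needs a full power cycle before the guest can use the new CPU capabilities.
    Get-VM | Select-Object Name, State, Version,
        @{ n = 'BelowVersion8'; e = { [version]$_.Version -lt [version]'8.0' } }
}

function Restart-VMCold {
    # A reboot inside the guest is NOT enough: the VM must be powered off and started again.
    param([Parameter(Mandatory)][string[]]$Name)
    foreach ($vm in Get-VM -Name $Name) {
        if ($vm.State -ne 'Off') { Stop-VM -VM $vm -Force }   # shut down without a confirmation prompt
        Start-VM -VM $vm
    }
}

Enable-SpeculativeExecutionMitigations
Enable-HyperVGuestMitigationSupport
Get-MitigationRegistryState
Get-VMNeedingColdBoot
# After the host reboot:  Restart-VMCold -Name 'VM01', 'VM02'   # placeholder VM names
```

Keep the order in mind: install the update, set the keys, reboot the host, then cold boot the VMs, and only then check the guests with the SpeculationControl module described further down on this page.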

Guidance for Surface Devices

Microsoft will provide UEFI updates for the following devices:

  • Surface Pro 3
  • Surface Pro 4
  • Surface Book
  • Surface Studio
  • Surface Pro Model 1796
  • Surface Laptop
  • Surface Pro with LTE Advanced
  • Surface Book 2

The updates will be available for the above devices running Windows 10 Creators Update (OS version 15063) and Windows 10 Fall Creators Update (OS version 16299). You will be able to receive these updates through Windows Update or by visiting the Microsoft Download Center.

Read full guidance for Surface Devices here: Surface Guidance for Customers and Partners: Protect your devices against the recent chip-related security vulnerability

Guidance for Azure

Microsoft has already deployed mitigations across the majority of our cloud services and is accelerating efforts to complete the remainder.

However, the host-level mitigations only protect the Azure infrastructure from the virtual machines running on it; the guest operating system still needs the January updates to protect the workloads inside the VM. So I always recommend that you also patch your operating systems and applications, which protects you against other vulnerabilities as well.

Impact to Enterprise Cloud Services

Microsoft is not aware of any attacks on the Microsoft Cloud customers which leverage these types of vulnerabilities. Microsoft employs a variety of detection capabilities to quickly respond to any malicious activity in our enterprise cloud services.

Most of the Azure infrastructure has already received mitigations against this class of vulnerability. An accelerated reboot is occurring for any remaining hosts. Customers can check the Azure Portal for additional details.

All other enterprise cloud services such as Office 365, Dynamics 365, and Enterprise Mobility + Security have mitigations against these types of vulnerabilities. Microsoft engineering is continuing to perform analysis across the environments to confirm further protection.

Read full guidance for Microsoft Azure here: Microsoft Cloud Protections Against Speculative Execution Side-Channel Vulnerabilities

Guidance for Azure Stack

Azure Stack customers should take the following actions to help protect the Azure Stack infrastructure against the vulnerabilities:

  1. Apply Azure Stack 1712 update. See the Azure Stack 1712 update release notes for instructions about how to apply this update to your Azure Stack integrated system.
  2. Install firmware updates from your Azure Stack OEM vendor after the Azure Stack 1712 update installation is completed. Refer to your OEM vendor website to download and apply the updates.
  3. Some variations of these vulnerabilities apply also to the virtual machines (VMs) that are running in the tenant space. Customers should continue to apply security best practices for their VM images, and apply all available operating system updates to the VM images that are running on Azure Stack. Contact the vendor of your operating systems for updates and instructions, as necessary. For Windows VM customers, guidance has now been published and is available in this Security Update Guide.

Read full guidance for Microsoft Azure Stack here: Azure Stack guidance to protect against the speculative execution side-channel vulnerabilities

Guidance for SQL Server

The following versions of Microsoft SQL Server are impacted by this issue when running on x86 and x64 processor systems:

  • SQL Server 2008
  • SQL Server 2008 R2
  • SQL Server 2012
  • SQL Server 2014
  • SQL Server 2016
  • SQL Server 2017

IA64-based versions of SQL Server 2008 are not believed to be affected.

Microsoft made a list of different SQL Server scenarios depending on the environment that SQL Server is running in and what functionality is being used. Microsoft recommends that you deploy fixes by using normal procedures to validate new binaries before deploying them to production environments.

You can find the list of scenarios and recommendations here: SQL Server guidance to protect against speculative execution side-channel vulnerabilities

There is also a list of updates for SQL Server available:

 

  • 4057122 Description of the security update for SQL Server 2017 GDR: January 3, 2018
  • 4058562 Description of the security update for SQL Server 2017 CU3 RTM: January 3, 2018
  • 4058561 Description of the security update for SQL Server 2016 CU7 SP1: January 3, 2018
  • 4057118 Description of the security update for SQL Server 2016 GDR SP1: January 3, 2018
  • 4058559 Description of the security update for SQL Server 2016 CU: January 6, 2018
  • 4058560 Description of the security update for SQL Server 2016 GDR: January 6, 2018
  • 4057114 Description of the security update for SQL Server 2008 SP4 GDR: January 6, 2018
  • 4057113 Description of the security update for SQL Server 2008 R2 SP3 GDR: January 6, 2018

Read the full guidance for SQL Server here: SQL Server guidance to protect against speculative execution side-channel vulnerabilities

Verifying protections against speculative execution side-channel vulnerabilities

The Microsoft Security Response Center released a PowerShell Module on the PowerShell Gallery called SpeculationControl, which verifies if your system is protected or not.

You can find more here: Use PowerShell to verify protections against speculative execution side-channel vulnerabilities CVE-2017-5754 (Meltdown) and CVE-2017-5715 (Spectre)

 

More information on how to mitigate speculative execution side-channel vulnerabilities can be found here: ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities




Use PowerShell to verify protections against speculative execution side-channel vulnerabilities CVE-2017-5754 (Meltdown) and CVE-2017-5715 (Spectre)

As you might have seen in the last couple of days, there has been huge news about security bugs in CPUs from different vendors (not just Intel). The Microsoft Security Response Center released a PowerShell module on the PowerShell Gallery called SpeculationControl, which checks whether your system is protected: for CVE-2017-5715 (branch target injection) and CVE-2017-5754 (rogue data cache load) it reports whether the hardware (microcode) support is present and whether the Windows support is present and enabled.

Microsoft is aware of a new publicly disclosed class of vulnerabilities that are referred to as “speculative execution side-channel attacks” that affect many modern processors and operating systems, including chipsets from Intel, AMD, and ARM.

Note This issue also affects other systems, such as Android, Chrome, iOS, and MacOS, so we advise customers to seek guidance from those vendors.

Microsoft has released several updates to help mitigate these vulnerabilities. We have also taken action to secure our cloud services. See the following sections for more information.

Microsoft has not yet received any information to indicate that these vulnerabilities have been used to attack customers. Microsoft continues working closely with industry partners including chip makers, hardware OEMs, and app vendors to protect customers. To get all available protections, hardware/firmware and software updates are required. This includes microcode from device OEMs and, in some cases, updates to antivirus software as well.

Enabled protections show up in the output as “True”, as in this screenshot:

Windows SpeculationControl PowerShell
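As an added example (my script, not the module's documentation or code from the original post), here is how to install the module, reduce its output to a pass/fail verdict per vulnerability, and run the same check against remote machines without installing the module on each of them. It assumes PowerShell 5.x with PowerShellGet and, for the remote part, PowerShell Remoting; the computer names are placeholders and the function Test-SpeculationControl is mine.

```powershell
# Added example, not from the original post or the SpeculationControl module itself.
# Assumes PowerShell 5.x with PowerShellGet; the remote part assumes PS Remoting is
# enabled on the targets. Computer names are constructed placeholders.

Install-Module -Name SpeculationControl -Scope CurrentUser -Force
Import-Module SpeculationControl

function Test-SpeculationControl {
    # -Quiet suppresses the explanatory text and returns only the object with the flags
    param($Settings = (Get-SpeculationControlSettings -Quiet))

    # CVE-2017-5715 (branch target injection): needs the microcode ("hardware present")
    # AND the Windows support present AND that support enabled. A missing microcode
    # update is the usual reason this stays False after the January patch.
    $btiOk = $Settings.BTIHardwarePresent -and
             $Settings.BTIWindowsSupportPresent -and
             $Settings.BTIWindowsSupportEnabled

    # CVE-2017-5754 (rogue data cache load): kernel VA shadowing is only required on
    # affected CPUs (not on AMD); where it is required it must be present and enabled.
    $kvaOk = (-not $Settings.KVAShadowRequired) -or
             ($Settings.KVAShadowWindowsSupportPresent -and $Settings.KVAShadowWindowsSupportEnabled)

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        BTIMitigated   = [bool]$btiOk
        KVAMitigated   = [bool]$kvaOk
        NeedsMicrocode = [bool](-not $Settings.BTIHardwarePresent)
        NeedsOSUpdate  = [bool](-not $Settings.BTIWindowsSupportPresent)
    }
}

Test-SpeculationControl

# Remote machines: ship the function definition along with the call instead of
# installing the module on every target (the idea Mike F Robbins describes).
$definition = "function Get-SpeculationControlSettings { $((Get-Command Get-SpeculationControlSettings).Definition) }"
$computers  = 'server01', 'server02'   # placeholder names
Invoke-Command -ComputerName $computers -ArgumentList $definition -ScriptBlock {
    param($def)
    . ([scriptblock]::Create($def))     # define the function in the remote session
    Get-SpeculationControlSettings -Quiet
} | Format-Table PSComputerName, BTIHardwarePresent, BTIWindowsSupportEnabled, KVAShadowRequired, KVAShadowWindowsSupportEnabled
```

Reading the three BTI flags separately is what makes the output actionable: "hardware present = False" means the OEM firmware or microcode update is missing, "Windows support present = False" means the January update is missing, and "enabled = False" with both present means the mitigation is switched off by policy (for example the registry keys on Windows Server).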

So make sure you patch your systems: for Windows and Windows Server patches are already available, and the Surface family has already received firmware updates.

Also check out Mike F Robbins’ (Microsoft MVP) post explaining how to use the SpeculationControl PowerShell module on remote machines.




Microsoft Surface Precision Mouse Review

Last week I got the Microsoft Surface Precision Mouse delivered. The Surface Precision Mouse will become the replacement mouse for my Microsoft Sculpt Mouse, which I used for the last couple of years. Now I want to give you some impressions about the Surface Precision Mouse, since I am very happy and very surprised about the feature set.

Surface Precision Mouse

First of all the Microsoft Surface Precision Mouse feels awesome, very high quality and it is very comfortable in your hand. It feels very precise and you get very quickly used to it.

Now let me write about some extra features you might not know about. First, there is a button to switch the scroll wheel between two modes: one feels very light and fast, the other is slower and more resistant, so you can choose what you like more and switch between them depending on your task.

Microsoft Surface Precision Mouse Settings

Of course you get some extra buttons which you can customize with different shortcuts, for example to open the Windows 10 Tasks View or other applications. You can also customize the buttons depending on the application you are working with.

Surface Precision Mouse Bottom

On top of being, in terms of feel, comfort, precision and customizability, already the perfect mouse, you get a really cool extra feature. The Surface Precision Mouse gives you more multitasking power by allowing you to work seamlessly across up to three computers, and it supports both Bluetooth and wired USB connections. You can pair the mouse with three different devices and switch between them manually with the button on the bottom of the mouse, or you can use something called Smart Switch.

Microsoft Surface Precision Mouse Smart Switch

Smart Switch on the Surface Precision Mouse can be enabled in the Microsoft Mouse and Keyboard Center. You set up the workplace layout in the app, and then you can move the cursor to the border of the screen and the mouse will seamlessly switch to the other device. So if you are working on your desktop and have your notebook right next to it, you can easily move the mouse from one device to the other.

Overall I am super happy with the new device!

 

Tech Specs

The mouse also works with Windows 7, Windows 10, Windows 8.1 and macOS devices as long as they support Bluetooth 4.0 or higher.

 
Interface: USB 2.1, Bluetooth® Low Energy 4.0/4.1/4.2
Wireless Frequency: 2.4 GHz frequency range
Buttons: 6 buttons, including right and left click and scroll wheel button
Design: Ergonomic design with side grips
Scrolling: Smooth or magnetic detent, customizable horizontal and vertical scrolling
Dimensions: 4.8 x 3.05 x 1.7 in (122.6 mm x 77.6 mm x 43.3 mm)
Weight: 4.76 ounces (135 grams) including rechargeable batteries
Battery: Rechargeable lithium ion battery (included)
Battery Life: Up to 3 months
Color: Gray



Boot from Storage Spaces Virtual Disk in Windows 10

A couple of weeks ago I got my new Microsoft Surface Pro, I decided to go with the 1TB version to have enough space.

Surface Pro Storage

After the first minutes of setup I quickly wanted to run disk optimization, which for SSDs usually just does a quick TRIM operation. In my case this was running much longer than on my Surface Book, so I checked what was going on and realized that it was running optimization on a Storage Spaces Virtual Disk, which is kind of strange.

Surface Pro PowerShell Storage Spaces Boot

I checked the disk configuration and indeed, my Surface Pro (2017) boots from a Storage Spaces Virtual Disk. The Storage Spaces pool includes two physical 512 GB NVMe drives with one virtual disk on top, configured as a simple (striped) volume. Right now I don’t know how they did it, but it seems it is now possible to boot Windows from a Storage Spaces Virtual Disk with the Windows 10 Creators Update, or with some Surface team magic. Back when Storage Spaces was introduced with Windows 8, booting from Storage Spaces was not possible.
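If you want to check the same thing on your own machine, here is the check as an added example (my script, not from the original post): it looks up the disk Windows booted from, tells you whether it is a Storage Spaces virtual disk, and if so shows the pool, the resiliency setting and the physical disks behind it. It only assumes the Storage module that ships with Windows 8.1/10; the function name is mine.

```powershell
# Added example, not code from the original post. Determines whether the boot
# volume sits on a Storage Spaces virtual disk and, if so, describes the space.
# Needs only the built-in Storage module (Windows 8.1 / 10).

function Get-BootVirtualDiskInfo {
    $bootDisk = Get-Disk | Where-Object IsBoot

    # Storage Spaces virtual disks are exposed to the OS as disks with BusType 'Spaces'
    $onSpaces = ($bootDisk.BusType -eq 'Spaces')

    $result = [pscustomobject]@{
        BootDisk        = $bootDisk.FriendlyName
        BusType         = [string]$bootDisk.BusType
        BootsFromSpaces = $onSpaces
        Pool            = $null
        Resiliency      = $null
        Columns         = $null
        PhysicalDisks   = @()
    }

    if ($onSpaces) {
        # Map the boot disk back to its virtual disk by matching disk numbers
        $vdisk = Get-VirtualDisk | Where-Object { ($_ | Get-Disk).Number -eq $bootDisk.Number }
        $result.Pool       = ($vdisk | Get-StoragePool).FriendlyName
        $result.Resiliency = $vdisk.ResiliencySettingName   # 'Simple' = striped, no redundancy
        $result.Columns    = $vdisk.NumberOfColumns         # 2 columns = striped across 2 disks
        $result.PhysicalDisks = @($vdisk | Get-PhysicalDisk | ForEach-Object {
            '{0} ({1} GB, {2})' -f $_.FriendlyName, [math]::Round($_.Size / 1GB), $_.BusType
        })
    }
    $result
}

Get-BootVirtualDiskInfo
```

A "Simple" space has no redundancy: losing either NVMe drive loses the whole operating system volume, so this layout buys capacity and throughput, not resilience, and makes regular backups (and BitLocker, since the data is striped across two physical devices) all the more important.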

 




What’s in my bag for Microsoft Ignite 2017

In a couple of hours I will catch my flight to Orlando, FL for the Microsoft Ignite 2017 conference. I am happy to join the itnetX team and be able to speak at the largest Microsoft conference this year. I am really looking forward to it, to meeting other enthusiasts around Microsoft Cloud solutions and, of course, to meeting members of the Microsoft Product Group.

I am already preparing and packing stuff for my two-week trip to the United States. After Microsoft Ignite I will spend another week on the Microsoft Campus in Redmond (okay, actually it is in Bellevue, at the Azure Cloud Architect Bootcamp), so I have to pack enough stuff to be productive for these two weeks and especially at Microsoft Ignite.

What is in my Bag for Microsoft Ignite 2017

  • My main device is of course my new Microsoft Surface Pro, which I use as my 3-in-1 device, replacing my notebook, tablet and desktop using the Surface Docking Station. Of course it is running the latest Microsoft Windows 10 Insider Preview. The battery life I get is around 8 hours, and depending on what I am doing even some more. I will leave my Surface Book, which I was using for over a year and which was my daily driver for a long time, back home. The Surface Pro is lighter and much more portable, and especially at a huge conference like Microsoft Ignite it helps to have a light device to carry around.
  • The Surface Pen: especially for conferences, workshops and trainings I like to take handwritten notes or draw things to discuss ideas and solutions with people. The Surface Pen and OneNote are a must-have for such events! (Quick tip: check out my blog post about Why OneNote is Awesome to learn some new OneNote skills)
  • As my day-to-day phones I use the Microsoft Lumia 950 XL (yes, sometimes I still use a Windows Phone) and the Samsung Galaxy S8+, which are the perfect devices for me, with great cameras to take pictures of the places I travel to and to listen to music.
  • Even though I like the trackpad of the new Surface Pro Signature Type Cover, I think I am more productive using a mouse. For that I got the new Microsoft Arc Mouse, which Microsoft delivered together with the new 2017 Surface Pro. It follows the same line of design as the Microsoft Arc Touch Mouse and others, which are perfect for traveling. If you don’t need them, you can just click them flat to turn them off.
  • The Bose QuietComfort 35 headphones and their noise cancelling feature are real life savers. I like them especially when I travel and have some long flights. But I also like that they now support Bluetooth, so I can connect wirelessly. I also use them for Skype and Skype for Business calls.
  • To get some extra power if needed, I also carry a Microsoft DC-34 portable power charger with a 9000 mAh battery.
  • I am also carrying the Garmin Forerunner 325, which helps me track the steps I walk during Microsoft Ignite and the limited sleep I get during this event. Trust me, you will definitely walk a lot during that conference.
  • For presentations I have a Microsoft Mini DisplayPort to HDMI and VGA adapter as well as the Microsoft Wireless Display Adapter, which acts as a Miracast receiver and is great for presentations.
  • I also carry a USB 3.0 drive, since you never know when you need to share some files which might be too large to share over the conference WiFi.
  • I just use the power adapter of the Microsoft Surface Pro, which also has a USB port for charging the phone, speaker and other stuff.
  • Next to that, I will bring some cables, sunglasses and a bunch of other stuff you need during a conference.

Some other tips for the conference:

You are going to talk a lot, and the days will be packed with a lot of information and discussions, so make sure you pack something light to carry your devices around in, or a comfortable backpack. Also make sure you stay hydrated during the day, not just during the evening events 😉

By the way, check out my video interview with Marcel Zehner about my sessions at Microsoft Ignite during one of the itnetX X-Talk videos:

With that, hopefully see you at Microsoft Ignite 2017 in Orlando, and if you are there, contact me if you want to grab a coke, coffee or beer.




First impressions on the Surface Pro 2017

I am one of the lucky persons owning a brand new Microsoft Surface Pro as a new device for work. This is the device I have used for the last couple of days and weeks as my daily driver, which allows me to write a quick review of my first impressions of the Surface Pro.

After using the Surface Pro, the Surface Pro 2 and the Surface Pro 3, the Surface Book became my daily driver. And I have to say that it is a great notebook. But after using the Surface Pro for a while, I really got used to the form factor. The 2-in-1 form factor and the small and light design made the Surface Pro a really great travel companion, and this was the reason I decided to go with a Surface Pro again.

Surface Pro 2017

My first impression when I took the Surface Pro out of the box was: “wow, this feels premium”. Even though the Surface Pro and the Surface Book always felt really great, Microsoft improved it even more. The satisfying sound of the kickstand, the new rounded edges and the display of the Surface Pro make it feel even more premium, and as mentioned the build quality is amazing.

The second thing I realized while using it is that resume from standby is incredibly fast. You basically press the power button and you can start working. And all this while battery life is still great; I get around a whole working day out of it with a single charge.

Surface Pro 2017 Desk

Unfortunately I couldn’t really test the new Surface Pro Signature Type Cover, because it was not available at launch. But I will include it in my final review of the Surface Pro 2017, after I have used it for a couple of weeks.