Category: Surface


Surface Pen

Quick Windows Tip: Use the Surface Pen as remote for PowerPoint

As some of you may know, I am giving a lot of presentations using PowerPoint on my Surface Pro or my Surface Book. And since I am using a Surface device, I also added a Surface Pen to my setup. I can draw on my screen in meetings or take notes. And the Surface Pen does a great job inking, drawing and taking notes, especially when using Windows Ink on Windows 10.

A couple of weeks ago, I was presenting at the Microsoft Tech Summit Switzerland, and I realized that my USB clicker was empty. I could not find a battery replacement that quickly before my session started. Fortunately, I remembered a new functionality Microsoft added a couple of weeks or months ago to PowerPoint and the Surface Pen. Since you can pair the Surface Pen with your computer to use some cool features in Windows 10, like starting apps by clicking the back of the Surface Pen, the Microsoft Office team took advantage of that.

Use the Surface Pen as a PowerPoint clicker

Surface Pen Bluetooth

To use the Surface Pen as a PowerPoint clicker, you just need to pair it using Bluetooth. When you are running Microsoft PowerPoint in Presenter Mode, you can simply start using the Surface Pen as a PowerPoint Remote. You can use your Pen as a clicker or as a remote for PowerPoint. If you are doing a presentation and you want to jump to the next slide just press the back of your pen once. If you want to jump back to the previous PowerPoint slide, just hold the button on the back of the Pen and PowerPoint will switch to the previous slide.

I know this is a pretty small feature, but it can turn out to be a very cool presentation saver!

If you want to know how to set this up, just check the Microsoft Office support page: Use your digital pen as a slide-show clicker



Surface Book 2

My First Impressions of the Surface Book 2

Last week I got my early (or late) Christmas gift to myself. The Microsoft Surface Book 2 15-inch version was finally shipping to Switzerland. The 13-inch version of the Surface Book 2 was already available last year. I am a long-time Surface user, since I got my first Surface and my first Surface Pro back in 2012. As you might remember, I got a new Surface Pro 2017 as a new company device back in July 2017. I picked the Surface Pro as a replacement for my Surface Book, which I used for quite a while, and I am very happy with it. It is a light and mobile device, perfect when you are traveling. I think the new Surface Pro with LTE would be even better if you are on the road.

However, one thing I always knew was that I am more productive with a larger screen. Even the 13” Surface Book made a huge difference compared to the 12” Surface Pro. The thing is simple: it is mobility versus screen real estate. I am often working on the go, which means I like the mobility. On the other hand, I am also working a couple of hours on the device with no extra screens. Having some extra space on the mobile device makes me more productive.

Surface Book 2 and Surface Pro

When Microsoft announced the new Surface Book 2 13-inch and 15-inch, I knew I wanted a 15” version. It would give me more screen real estate, more productivity, paired with the Surface quality and design. The combination of a 15” screen in a 3:2 aspect ratio, together with a touch screen and pen support, will provide you with the best possible work setup.

The Surface Book 2 also comes with some performance improvements. With the higher end models, you get the new 8th Gen Intel Core i7-8650U quad-core processor and an Nvidia GeForce GTX 1060, which will provide you with the necessary performance. For me, these performance improvements are a nice addition, but not the reason I would upgrade. If you are a creator, designer or editor, you might highly benefit from the additional graphics performance. However, Microsoft also updated the disk to a faster NVMe SSD, and this you can see and feel in your day-to-day tasks.

Surface Book 2 – First Impressions

I haven’t used the Surface Book 2 long enough for a full review, but I want to share my first impressions.

  • Hardware and build quality are amazing as for all the Surface devices, no surprises here.
  • Performance improvements from the 8th Gen Intel Core i7-8650U quad-core processor, and the NVMe SSD are great. They are helping a lot if you are running Docker containers and Hyper-V on your machine. I can also imagine if you are doing graphic intensive work, you also benefit heavily from the Nvidia GeForce GTX 1060.
  • The amazing 15” PixelSense display with the 3:2 aspect ratio and a resolution of 3240 x 2160 is just stunning and really makes a difference if you need screen real estate. The quality of the display is also amazing and you can switch between “Enhanced Mode” and sRGB. And as always I am very happy with the Surface Pen support.
  • Yes you can still detach the screen from the keyboard to use it as a giant 15” tablet.
  • Microsoft now includes 2 x USB type-A (version 3.1 Gen 1), 1 x USB type-C (version 3.1 Gen 1 with USB Power Delivery revision 3.0), 3.5mm headphone jack, 2 x Surface Connect ports, Full-size SDXC card reader. The only thing missing is the Thunderbolt port, but to be honest I never missed it before, but of course it would be nice to have it.
  • Of course the Surface Book 2 15” version is huge if you compare it to the Surface Pro or the Surface Laptop. At 1.9kg it is also heavier, but with the performance improvements, battery life and the larger screen, what else can you expect? However, if you undock the screen from the keyboard, the tablet part is still very light.
  • It also provides you with the necessary modern Wi-Fi standards a/b/g/n/ac, Bluetooth Wireless 4.1 technology and built-in Xbox Wireless for the 15-inch version.
  • Since I have only been using it for a couple of days, I cannot really talk about battery life. Microsoft claims up to 17 hours of video playback. To be honest, the first Surface Book was already very good in terms of battery life. I think with the Surface Book 2 I will make it through a day.
  • Of course it also ships with a Windows Hello face authentication camera. A 5.0MP front-facing camera with 1080p HD video and an 8.0MP rear-facing autofocus camera with 1080p HD video.

Overall my first impression of the Surface Book 2 is amazing. The Surface Book 2 is the laptop I was waiting for, for a long time. I think this is the best notebook I have ever owned. Do you own one, or are you thinking about buying one for yourself? Let me know in the comments.

 



What is in my bag for the Microsoft MVP Summit 2018


Soon again I am on my way to the Microsoft MVP Summit 2018 in Redmond. The Microsoft MVP Summit is the yearly, multi-day event, which is hosted at the Microsoft headquarters in Redmond and in Bellevue. The event brings a large catalog of technical sessions and variety of networking opportunities. The Microsoft MVP Global Summit enables MVPs from around the world to connect with each other, build relationships with Microsoft product managers, learn about upcoming technology and products, and provide feedback on Microsoft products and services.

If I remember correctly, this is my 7th MVP Summit that I can attend. I am really looking forward to it as always and I am sure it is going to be great fun.

Obviously you need to pack some stuff, to make the best out of the week. Especially since you need to take a lot of notes, and also work on some projects remotely. Besides my clothes and my running shoes, I also pack my latest tech stuff.


  • Surface Pro – As my daily driver I will bring my Microsoft Surface Pro, which is a perfect travel companion, since it is a small and light device. As you may know, I also love to take notes in OneNote using the Surface Pen. The battery life should bring me more or less through a day of work at the event.
  • The Surface Pen – The Surface Pen is one of my favorite Surface peripherals to take handwritten notes during sessions.
  • Samsung Galaxy Note 8 – After Microsoft really held back on its Windows 10 Mobile investments, I decided to switch to a Samsung Galaxy Note 8. The Note 8 looks beautiful, has a great camera and a Pen for OneNote. It also has enough battery life to bring me through a long day.
  • Microsoft Arc Touch Mouse – The Microsoft Arc Touch Mouse is my absolute favorite travel mouse. I have been using a Microsoft Arc mouse since the first version and I am happy with the integrations Microsoft made.
  • Bose Quiet Comfort 35 – The best travel headphones I have ever owned. I like the new wireless capabilities and the noise canceling is perfect when you are stuck on a long flight.
  • Samsung Gear S3 Frontier – Around my wrist I am currently wearing a Samsung Gear S3 Frontier smartwatch, which helps me track my runs on Samsung Health.
  • Microsoft Surface Adapters – Of course I bring a bunch of Surface Pro adapters, since you never know if you need to connect your Surface to a big screen.
  • Microsoft Surface Power Adapter – This is a thing I really started to like. The Surface Power Adapter not only allows you to charge your Surface, but the extra USB port also allows you to charge your phone or another USB device at the same time.
  • Next to that, I will bring some cables, sunglasses, even though I might not really need them in the Seattle area this time of the year, and a bunch of other stuff you need during an event.

Old Times

By the way, it is funny to see how the inside of my bag has changed over the years. I wrote a similar blog post for the Microsoft MVP Summit in 2013, when I was carrying a Lenovo Thinkpad X1 and a Lumia 920.

Bag for Microsoft MVP Summit



Microsoft Modern Keyboard

Mini Review of the Microsoft Modern Keyboard with Fingerprint ID

As you may know I am a big fan of the Microsoft peripherals like the Microsoft Arc Mouse, Surface Pen, Surface Precision Mouse, Surface Dial and the Surface Keyboard. The last one I have just upgraded to the Microsoft Modern Keyboard. The Microsoft Modern Keyboard almost looks the same when you compare it to the Surface Keyboard, except for some minor changes, like the on/off button, the USB charging port or the integrated Fingerprint reader.

Like the Surface Keyboard, the Microsoft Modern Keyboard feels extremely comfortable to type on, and in my opinion also looks perfect on your desk. It is thin and light and matches the style of the other Surface products. Microsoft Modern Keyboard with Fingerprint ID’s aluminum frame makes it not only of the highest quality, but heavy and virtually indestructible. The keyboard not only supports Bluetooth Low Energy 4.0 / 4.1 / 4.2, it also supports USB as a wired connection, which allows it to be a great choice even at work.

Microsoft Modern Keyboard Fingerprint Reader

One of the main new advantages of the Microsoft Modern Keyboard is the new integrated Fingerprint reader. This allows you to use it together with Windows Hello to easily log in to your computer, without the need for a password.

Microsoft Modern Keyboard On Off Button

You also get an on/off switch for the keyboard, which is really handy, especially when you are traveling and storing the keyboard in your bag.

Microsoft Modern Keyboard USB Charger

The Surface Keyboard came with batteries which you needed to replace after a while. The Microsoft Modern Keyboard brings a rechargeable battery, which can be easily recharged using the included USB cable. The cable also lets you connect the keyboard not only using Bluetooth, but also using the wired USB connection. Microsoft promises up to 4 months battery life on a full charge.

After using the Surface Keyboard and, before that, the Microsoft Designer Bluetooth Desktop since 2015, the Microsoft Modern Keyboard with Fingerprint ID is a great successor.



Microsoft Edge Windows Defender Application Guard

Enable Windows Defender Application Guard on Windows 10 using PowerShell

A couple of days back I saw a tweet from Stefan Stranger (Consultant at Microsoft) which reminded me of a feature called Windows Defender Application Guard, which is included in Windows 10 Enterprise since the Fall Creators Update (1709). If you have never heard of Application Guard, you might want to check out this blog post: Introducing Windows Defender Application Guard for Microsoft Edge

Basically, Windows Defender Application Guard starts Microsoft Edge in a Hyper-V Container and uses Hyper-V isolation. So if a user browses to a malicious site, the site is separate from the host operating system.

Application Guard Hardware Isolation

What is Windows Defender Application Guard and how does it work?
Designed for Windows 10 and Microsoft Edge, Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet. As an enterprise administrator, you define what is among trusted web sites, cloud resources, and internal networks. Everything not on your list is considered untrusted.

If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated Hyper-V-enabled container, which is separate from the host operating system. This container isolation means that if the untrusted site turns out to be malicious, the host PC is protected, and the attacker can’t get to your enterprise data. For example, this approach makes the isolated container anonymous, so an attacker can’t get to your employee’s enterprise credentials.

Source: Windows Defender Application Guard overview

Usually Windows Defender Application Guard is configured using an enterprise device management tool like System Center Configuration Manager, Microsoft Intune or another third-party tool. But if you want to use this on your standalone Windows 10 PC, you can also do this using PowerShell.

The only thing you need to run this is:

  • Windows 10 Enterprise 1709 (Fall Creators Update) or higher
  • A computer which supports Hyper-V
    • A 64-bit computer with minimum 4 cores is required for hypervisor and virtualization-based security (VBS)
    • Extended page tables, also called Second Level Address Translation (SLAT)
    • One of the following virtualization extensions for VBS:
      • Intel VT-x
      • AMD-V
    • Microsoft recommends 8GB RAM for optimal performance
    • 5 GB free space, solid state disk (SSD) recommended
    • Input/Output Memory Management Unit (IOMMU) support is strongly recommended
  •  Microsoft Edge and Internet Explorer

Enable Windows Defender Application Guard using PowerShell

You can simply install Application Guard using the following command:
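The following script is an added example, not the command from the original post: it checks the prerequisites listed above and then turns on the optional feature `Windows-Defender-ApplicationGuard` with the built-in DISM cmdlets. It assumes an elevated PowerShell session; it passes `-NoRestart`, so the reboot is left to you.

```powershell
#Requires -RunAsAdministrator
# Added example: prerequisite check plus enablement of Application Guard.
# Thresholds are taken from the requirement list in this post.

$featureName = 'Windows-Defender-ApplicationGuard'

$os   = Get-CimInstance -ClassName Win32_OperatingSystem
$cs   = Get-CimInstance -ClassName Win32_ComputerSystem
$cpu  = @(Get-CimInstance -ClassName Win32_Processor)
$disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$($env:SystemDrive)'"

# Hard requirements. Build 16299 is the Fall Creators Update (1709).
$required = [ordered]@{
    'Windows 10 build 16299 (1709) or higher' = ([int]$os.BuildNumber -ge 16299)
    'Enterprise edition'                      = ((Get-WindowsEdition -Online).Edition -like 'Enterprise*')
    '64-bit operating system'                 = ([Environment]::Is64BitOperatingSystem)
    'At least 4 cores'                        = (($cpu | Measure-Object -Property NumberOfCores -Sum).Sum -ge 4)
    '5 GB free on the system drive'           = ($disk.FreeSpace -ge 5GB)
}

# Once a hypervisor is running, Win32_Processor reports the virtualization
# properties as False, so they are only meaningful when none is present.
if ($cs.HypervisorPresent) {
    $required['Virtualization extensions and SLAT (hypervisor already running)'] = $true
} else {
    $required['Intel VT-x / AMD-V enabled in firmware'] = [bool]$cpu[0].VirtualizationFirmwareEnabled
    $required['Second Level Address Translation (SLAT)'] = [bool]$cpu[0].SecondLevelAddressTranslationExtensions
}

# Recommendation only: installed RAM is reported slightly below the nominal size.
$ramGB = [math]::Round($cs.TotalPhysicalMemory / 1GB)
if ($ramGB -lt 8) {
    Write-Warning "Only $ramGB GB RAM installed; Microsoft recommends 8 GB."
}

foreach ($item in $required.GetEnumerator()) {
    $status = if ($item.Value) { 'OK' } else { 'MISSING' }
    Write-Host ('{0,-70} {1}' -f $item.Key, $status)
}

$missing = @($required.GetEnumerator() | Where-Object { -not $_.Value })
if ($missing.Count -gt 0) {
    throw "Prerequisites not met: $($missing.Key -join '; ')"
}

$feature = Get-WindowsOptionalFeature -Online -FeatureName $featureName -ErrorAction SilentlyContinue
if ($null -eq $feature) {
    throw "Optional feature '$featureName' is not offered by this Windows image."
}

if ($feature.State -eq 'Enabled') {
    Write-Host "$featureName is already enabled."
} else {
    $result = Enable-WindowsOptionalFeature -Online -FeatureName $featureName -NoRestart
    if ($result.RestartNeeded) {
        Write-Host 'Feature enabled. Restart the computer to finish the installation.'
    }
}
```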

New Application Guard Windows in Microsoft Edge

This will reboot your computer and after this you will be able to open a new Microsoft Edge window in Application Guard.

Microsoft Edge Windows Defender Application Guard

This does add some extra security; however, it does not really protect against attacks like Meltdown and Spectre.

Application Guard Virtual Machine Worker Process

If you have a look at the processes running on your computer you can now see that there is a new Virtual Machine Worker Process which is used by the Application Guard.

This is a great example of how the Hyper-V isolation can be used not only for Hyper-V Virtual Machines but also for other features like Hyper-V Containers or, for example, on the Xbox One.



Windows SpeculationControl PowerShell

Microsoft Guidance to protect against speculative execution side-channel vulnerabilities on Windows, Windows Server and Azure (Meltdown and Spectre)

Microsoft very quickly responded to the speculative execution side-channel vulnerabilities, also called Meltdown and Spectre, which affect many modern processors and operating systems, including chipsets from Intel, AMD, and ARM. Microsoft released some guidance on how you should protect your devices against these vulnerabilities. The Microsoft Security Defense Team also published an article with guidance and more details on this: ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities

In this blog post I tried to quickly summarize the information and link it to the right websites.

Summary

Microsoft is aware of detailed information that has been published about a new class of vulnerabilities referred to as speculative execution side-channel attacks. This industry-wide attack method takes advantage of out-of-order execution on many modern microprocessors and is not restricted to a single chip, hardware manufacturer, or software vendor. To be fully protected, updates are required at many layers of the computing stack and include software and hardware/firmware updates. Microsoft has collaborated closely with industry partners to develop and test mitigations to help provide protections for our customers. At the time of publication, Microsoft had not received any information to indicate that these vulnerabilities have been used to attack our customers.

Note This issue also affects other operating systems, such as Android, Chrome, iOS, and MacOS.

Warning

Microsoft added protections against speculative execution side-channel vulnerabilities in the latest Windows Updates. However, customers who only install the Windows January 2018 security updates will not receive the benefit of all known protections against the vulnerabilities. In addition to installing the January security updates, a processor microcode, or firmware, update is required. This should be available through your device manufacturer. Surface customers will receive a microcode update via Windows Update.

Guidance for Windows Client

Customers should take the following actions to help protect against the vulnerabilities:

  1. Verify that you are running a supported antivirus application before you install OS or firmware updates. Contact the antivirus software vendor for compatibility information.
  2. Apply all available Windows operating system updates, including the January 2018 Windows security updates.
  3. Apply the applicable firmware update that is provided by the device manufacturer.

Windows-based machines (physical or virtual) should install the Microsoft security updates that were released on January 3, 2018. See Microsoft Security Advisory ADV180002 for updates for the following versions of Windows.

Read full guidance for Windows Client here: Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities

Guidance for Windows Server

Customers should take the following actions to help protect against the vulnerabilities:

  1. Apply the Windows operating system update. For details on how to enable this update, see Microsoft Knowledge Base Article 4072699.
  2. Make necessary configuration changes to enable protection.
  3. Apply an applicable firmware update from the OEM device manufacturer.

Windows Server-based machines (physical or virtual) should get the Windows security updates that were released on January 3, 2018, and are available from Windows Update.

  • Windows Server, version 1709 (Server Core Installation) KB4056892
  • Windows Server 2016 KB4056890
  • Windows Server 2012 R2 KB4056898
  • Windows Server 2012 Not available yet
  • Windows Server 2008 R2 KB4056897

Your server is at increased risk if it is in one of the following categories:

  • Hyper-V hosts
  • Remote Desktop Services Hosts (RDSH)
  • For physical hosts or virtual machines that are running untrusted code such as containers or untrusted extensions for database, untrusted web content or workloads that run code that is provided from external sources.

Therefore, Microsoft posted some additional registry keys to enable mitigations on servers. Microsoft also added some extra registry keys if you are running older versions of Hyper-V.

Read the full guidance for Windows Server and the registry keys here: Windows Server guidance to protect against speculative execution side-channel vulnerabilities

Guidance for Virtual Machines running on Hyper-V

In addition to this guidance, the following steps are required to ensure that your virtual machines are protected from CVE-2017-5715 (branch target injection):

  1. Ensure guest virtual machines have access to the updated firmware. By default, virtual machines with a VM version below 8.0 will not have access to updated firmware capabilities required to mitigate CVE-2017-5715. Because VM version 8.0 is only available starting with Windows Server 2016, users of Windows Server 2012 R2 or earlier must modify a specific registry value on all machines in their cluster.
  2. Perform a cold boot of guest virtual machines. Virtual machines will not see the updated firmware capabilities until they go through a cold boot. This means the running VMs must completely power off before starting again. Rebooting from inside the guest operating system is not sufficient.
  3. Update the guest operating system as required. See guidance for Windows Server.

Read the full guidance for Guest Virtual Machines here: Protecting guest virtual machines from CVE-2017-5715 (branch target injection)

Guidance for Surface Devices

Microsoft will provide UEFI updates for the following devices:

  • Surface Pro 3
  • Surface Pro 4
  • Surface Book
  • Surface Studio
  • Surface Pro Model 1796
  • Surface Laptop
  • Surface Pro with LTE Advanced
  • Surface Book 2

The updates will be available for the above devices running Windows 10 Creators Update (OS version 15063) and Windows 10 Fall Creators Update (OS version 16299). You will be able to receive these updates through Windows Update or by visiting the Microsoft Download Center.

Read full guidance for Surface Devices here: Surface Guidance for Customers and Partners: Protect your devices against the recent chip-related security vulnerability

Guidance for Azure

Microsoft has already deployed mitigations across the majority of our cloud services and is accelerating efforts to complete the remainder.

However, I always recommend that you also patch your operating systems and applications to be protected against other vulnerabilities.

Impact to Enterprise Cloud Services

Microsoft is not aware of any attacks on the Microsoft Cloud customers which leverage these types of vulnerabilities. Microsoft employs a variety of detection capabilities to quickly respond to any malicious activity in our enterprise cloud services.

Most of the Azure infrastructure has already received mitigations against this class of vulnerability. An accelerated reboot is occurring for any remaining hosts. Customers can check the Azure Portal for additional details.

All other enterprise cloud services such as Office 365, Dynamics 365, and Enterprise Mobility + Security have mitigations against these types of vulnerabilities. Microsoft engineering is continuing to perform analysis across the environments to confirm further protection.

Read full guidance for Microsoft Azure here: Microsoft Cloud Protections Against Speculative Execution Side-Channel Vulnerabilities

Guidance for Azure Stack

Azure Stack customers should take the following actions to help protect the Azure Stack infrastructure against the vulnerabilities:

  1. Apply Azure Stack 1712 update. See the Azure Stack 1712 update release notes for instructions about how to apply this update to your Azure Stack integrated system.
  2. Install firmware updates from your Azure Stack OEM vendor after the Azure Stack 1712 update installation is completed. Refer to your OEM vendor website to download and apply the updates.
  3. Some variations of these vulnerabilities apply also to the virtual machines (VMs) that are running in the tenant space. Customers should continue to apply security best practices for their VM images, and apply all available operating system updates to the VM images that are running on Azure Stack. Contact the vendor of your operating systems for updates and instructions, as necessary. For Windows VM customers, guidance has now been published and is available in this Security Update Guide.

Read full guidance for Microsoft Azure Stack here: Azure Stack guidance to protect against the speculative execution side-channel vulnerabilities

Guidance for SQL Server

The following versions of Microsoft SQL Server are impacted by this issue when running on x86 and x64 processor systems:

  • SQL Server 2008
  • SQL Server 2008 R2
  • SQL Server 2012
  • SQL Server 2014
  • SQL Server 2016
  • SQL Server 2017

IA64-based versions of SQL Server 2008 are not believed to be affected.

Microsoft made a list of different SQL Server scenarios depending on the environment that SQL Server is running in and what functionality is being used. Microsoft recommends that you deploy fixes by using normal procedures to validate new binaries before deploying them to production environments.

You can find the list of scenarios and recommendations here: SQL Server guidance to protect against speculative execution side-channel vulnerabilities

There is also a list of updates for SQL Server available:

 

  • 4057122 Description of the security update for SQL Server 2017 GDR: January 3, 2018
  • 4058562 Description of the security update for SQL Server 2017 CU3 RTM: January 3, 2018
  • 4058561 Description of the security update for SQL Server 2016 CU7 SP1: January 3, 2018
  • 4057118 Description of the security update for SQL Server 2016 GDR SP1: January 3, 2018
  • 4058559 Description of the security update for SQL Server 2016 CU: January 6, 2018
  • 4058560 Description of the security update for SQL Server 2016 GDR: January 6, 2018
  • 4057114 Description of the security update for SQL Server 2008 SP4 GDR: January 6, 2018
  • 4057113 Description of the security update for SQL Server 2008 SP3 R2 GDR: January 6, 2018

Read the full guidance for SQL Server here: SQL Server guidance to protect against speculative execution side-channel vulnerabilities

Verifying protections against speculative execution side-channel vulnerabilities

The Microsoft Security Response Center released a PowerShell Module on the PowerShell Gallery called SpeculationControl, which verifies if your system is protected or not.

You can find more here: Use PowerShell to verify protections against speculative execution side-channel vulnerabilities CVE-2017-5754 (Meltdown) and CVE-2017-5715 (Spectre)

 

More information on how to mitigate speculative execution side-channel vulnerabilities can be found here: ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities



Windows SpeculationControl PowerShell

Use PowerShell to verify protections against speculative execution side-channel vulnerabilities CVE-2017-5754 (Meltdown) and CVE-2017-5715 (Spectre)

As you might have seen in the last couple of days, there is huge news about some security bugs in CPUs from different vendors (not just Intel). The Microsoft Security Response Center released a PowerShell Module on the PowerShell Gallery called SpeculationControl, which verifies if your system is protected or not.

Microsoft is aware of a new publicly disclosed class of vulnerabilities that are referred to as “speculative execution side-channel attacks” that affect many modern processors and operating systems, including chipsets from Intel, AMD, and ARM.

Note This issue also affects other systems, such as Android, Chrome, iOS, and MacOS, so we advise customers to seek guidance from those vendors.

Microsoft has released several updates to help mitigate these vulnerabilities. We have also taken action to secure our cloud services. See the following sections for more information.

Microsoft has not yet received any information to indicate that these vulnerabilities have been used to attack customers. Microsoft continues working closely with industry partners including chip makers, hardware OEMs, and app vendors to protect customers. To get all available protections, hardware/firmware and software updates are required. This includes microcode from device OEMs and, in some cases, updates to antivirus software as well.

Enabled protections will show in the output as “True” like in this screenshot here:

Windows SpeculationControl PowerShell
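As an added example (not part of the original post or of the module itself), the script below turns the True/False values returned by `Get-SpeculationControlSettings` into a list of the layers that are still missing: the Windows update, the firmware/microcode update, or configuration. The helper name `Get-SpeculationControlGap` and the sample object are constructed for illustration; the property names are the ones returned by the January 2018 release of the module.

```powershell
# Added example: interpret the object returned by Get-SpeculationControlSettings.
# One-time installation from the PowerShell Gallery:
#   Install-Module -Name SpeculationControl -Scope CurrentUser

function Get-SpeculationControlGap {
    # Hypothetical helper: returns one string per missing protection layer.
    param(
        [Parameter(Mandatory)]
        [psobject]$Settings
    )

    $gaps = @()

    # CVE-2017-5715 (Spectre, branch target injection)
    if (-not $Settings.BTIWindowsSupportPresent) {
        $gaps += 'CVE-2017-5715: Windows security update is not installed.'
    }
    if (-not $Settings.BTIHardwarePresent) {
        $gaps += 'CVE-2017-5715: firmware/microcode update from the device manufacturer is missing.'
    }
    elseif ($Settings.BTIWindowsSupportPresent -and -not $Settings.BTIWindowsSupportEnabled) {
        if ($Settings.BTIDisabledBySystemPolicy) {
            $gaps += 'CVE-2017-5715: mitigation is disabled by system policy.'
        } else {
            $gaps += 'CVE-2017-5715: mitigation is installed but not enabled (configuration change required).'
        }
    }

    # CVE-2017-5754 (Meltdown); only relevant if the CPU requires kernel VA shadowing
    if ($Settings.KVAShadowRequired) {
        if (-not $Settings.KVAShadowWindowsSupportPresent) {
            $gaps += 'CVE-2017-5754: Windows security update is not installed.'
        }
        elseif (-not $Settings.KVAShadowWindowsSupportEnabled) {
            $gaps += 'CVE-2017-5754: mitigation is installed but not enabled (configuration change required).'
        }
    }

    return $gaps
}

# Constructed sample: Windows update installed, firmware update still missing.
$sample = [pscustomobject]@{
    BTIHardwarePresent             = $false
    BTIWindowsSupportPresent       = $true
    BTIWindowsSupportEnabled       = $false
    BTIDisabledBySystemPolicy      = $false
    BTIDisabledByNoHardwareSupport = $true
    KVAShadowRequired              = $true
    KVAShadowWindowsSupportPresent = $true
    KVAShadowWindowsSupportEnabled = $true
    KVAShadowPcidEnabled           = $true
}

Write-Host 'Constructed sample:'
Get-SpeculationControlGap -Settings $sample | ForEach-Object { Write-Host "  $_" }

# Live check on this machine, if the module is installed.
if (Get-Module -ListAvailable -Name SpeculationControl) {
    Import-Module SpeculationControl
    $live = Get-SpeculationControlSettings
    $liveGaps = @(Get-SpeculationControlGap -Settings $live)
    if ($liveGaps.Count -eq 0) {
        Write-Host 'This machine: all checked protections are enabled.'
    } else {
        Write-Host 'This machine:'
        $liveGaps | ForEach-Object { Write-Host "  $_" }
    }
}
```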

So make sure you patch your systems. Patches are already available for Windows and Windows Server, and the Surface family already got some firmware updates.

Also check out how Mike F Robbins (Microsoft MVP) explains how to use the SpeculationControl PowerShell module on remote machines.