Hi everyone! Brandon Wilson here once again with this month’s “Check This Out!” (CTO!) guide. Apologies for the late post this month; its been a busy month!
These posts are only intended to be your guide, to lead you to some content of interest, and are just a way we are trying to help our readers a bit more, whether that is learning, troubleshooting, or just finding new content sources! We will give you a bit of a taste of the blog content itself, provide you a way to get to the source content directly, and help to introduce you to some other blogs you may not be aware of that you might find helpful. If you have been a long-time reader, then you will find this series to be very similar to our prior series “Infrastructure + Security: Noteworthy News”.
From all of us on the Core Infrastructure and Security Tech Community blog team, thanks for your continued reading and support!
Title: KRB_AP_ERR_BAD_INTEGRITY
Source: Ask the Directory Services Team
Author: Jesse Vurgason-Graham
Publication Date: 1/12/24
Content excerpt:
Most anyone who would be interested in reading an article like this has very likely encountered the error, KRB_AP_ERR_MODIFIED. This error tells us one thing: The account secret (aka password hash) that is being used to decipher the ticket cannot decipher the ticket.
The most common reasons are...
Title: Stop Worrying and Love the Outage, Vol I: Group Policy and Sharing Violations
Source: Ask the Directory Services Team
Author: Chris Cartwright
Publication Date: 1/26/24
Content excerpt:
Recently, we have seen an uptick in cases related to sharing violations when processing or editing group policies. Most of these issues are caused by locks on policy-related files within the SysVol share, from either security products or environmental conditions. Security product mitigations are already covered by exclusions and need not be repeated here. Our focus will be on the environmental conditions, latency and/or packet loss. Failure to follow this guidance may result in unexpected behaviors of both group policy processing and group policy editing. I can save you some time by making the following recommendation...
Title: Windows Server 2012/R2 Extended Security Updates Licensing and Billing
Source: Azure Arc
Author: Garima Singh
Publication Date: 1/17/24
Content excerpt:
While more and more organizations are moving towards cloud they are all using cloud in their own way depending on size and scale. Some have adopted cloud native model using Microsoft Azure, but some decided to use cloud services while still maintaining their on-premises footprint. The latter approach is known as Hybrid model. Hybrid also means having presence in more than one cloud provider.
Title: Public facing Azure Container Registry Reference Architecture
Source: Azure Architecture
Author: Kumar Ashwin Hubert
Publication Date: 1/23/24
Content excerpt:
This reference architecture describes the deployment of secured Azure Container Registry for consuming docker images and artifacts by customer applications over external (public internet) network.
This architecture builds on Microsoft's recommended security best practices to expose private applications for external access. It utilizes the ACR's token and scope map feature to provide granular access control to ACR's repositories. Also, ACR internally uses the Docker APIs, and it is recommended to be familiar with these concepts before deploying this architecture.
Title: Load Testing Azure Event Hubs services with restricted public access
Source: Azure Architecture
Author: Frédéric Le Coquil
Publication Date: 1/24/24
Content excerpt:
This article describes how to use Azure Load Testing to test a service based on Azure Event Hubs with a restricted public endpoint. The access to the Azure Event Hubs endpoint is restricted to specific client IP addresses. For instance, the service collects events from different on-premises events sources, analyzes those events and generates alerts as anomalies are detected.
Title: Using Azure Load Testing to test Multi-Tenant services
Source: Azure Architecture
Author: Frédéric Le Coquil
Publication Date: 1/24/24
Content excerpt:
This article describes how to use Azure Load Testing to test a multi-tenant service based on Azure App Service. It also describes how to run the Load Testing scenario from either...
Title: Take control of your cloud spend with Microsoft Cost Management
Source: Azure Governance and Management
Author: Antonio Ortoll
Publication Date: 1/8/24
Content excerpt:
Nobody wants a surprise when it comes to their cloud bill. To effectively manage your cloud investments, you need to know what you’re spending and where it’s being spent. We developed Microsoft Cost Management to provide visibility into your resource usage to help you better understand where you’re accruing costs in the cloud, identify and prevent inefficient spending patterns, and offer you the ability to optimize costs across different usage groups. By leveraging data on your resource usage, you can enforce cost-control measures and create reporting dashboards for your stakeholders across the organization.
Title: Rehosting On-Premises Process Automation when migrating to Azure
Source: Azure Governance and Management
Author: Swati Devgan
Publication Date: 1/23/24
Content excerpt:
Many enterprises seek to migrate on-premises IT infrastructure to cloud for cost optimization, scalability, and enhanced reliability. During modernization, key aspect is to transition automated processes from on-premises environments, where tasks are automated using scripts (PowerShell or Python) and tools like Windows Task Scheduler or System Center Service Management Automation (SMA).
This blog showcases successful transitions of customer automated processes to the cloud with Azure Automation, emphasizing script re-use and modernization through smart integrations with complementing Azure products. Using runbooks in PowerShell or Python, the platform supports PowerShell versions 5.1, and PowerShell 7.2.
Title: Azure Blob Storage Events: A event-driven solution for Blob Storage changes
Source: Azure Storage
Author: Nishant Ranjan
Publication Date: 1/10/24
Content excerpt:
Azure Blob Storage event, a powerful feature of Azure blob storage platform, has emerged as a game-changing solution that allows applications to react to changes in blob storage, providing a more efficient and cost-effective alternative to traditional methods.
Azure Blob Storage events provide an event-driven architecture to track changes in your blob storage in near real-time, such as the creation, tier-change, and deletion of blobs. Traditionally, achieving this level of monitoring and responsiveness required complex code or expensive and inefficient polling services.
Title: TLS 1.0 and 1.1 support will be removed for new & existing Azure storage accounts starting Nov 2024
Source: Azure Storage
Author: Srikumar Vaitinadin
Publication Date: 1/10/24
Content excerpt:
To meet evolving technology and regulatory needs and align with security best practices, we are removing support for Transport Layer Security (TLS) 1.0 and 1.1 for both existing and new storage accounts in all clouds. TLS 1.2 will be the minimum supported TLS version for Azure Storage starting Nov 1, 2024.
Title: Protecting Azure VM against Zonal/Regional outages using Azure Site Recovery and Azure Backup
Source: Azure Storage
Author: Srinath Vasireddy
Publication Date: 1/18/24
Content excerpt:
Disaster Recovery (DR) and Backup are two ways to recover from outages. To ensure that you have the necessary controls to protect your data even when relying on native tools included by your provider, you must get familiar with the platform features, weigh in the cost and benefits, and formulate a data protection strategy that best works for your business. The following provides a summary of choices provided by Azure Backup and Azure Site Recovery...
Title: Prepare for upcoming TLS 1.3 support for Azure Storage
Source: Azure Storage
Author: Srikumar Vaitinadin
Publication Date: 1/18/24
Content excerpt:
Azure Storage has started to enable TLS 1.3 support on public HTTPS endpoints across its platform globally to align with security best practices. Azure Storage currently supports TLS 1.0, 1.1 (scheduled for deprecation by November 2024), and TLS 1.2 on public HTTPS endpoints. This blog provides additional guidance on how to prepare for upcoming support for TLS 1.3 for Azure Storage.
Title: Announcing the general availability of NFS Azure file share snapshots
Source: Azure Storage
Author: Subhash Athri N
Publication Date: 1/29/24
Content excerpt:
Azure Files is offered as a fully managed file share service in Azure cloud. Azure file shares can be mounted via SMB (Server Message Block) and NFS (Network file System) protocols on clients running either on-premises or in the cloud.
We first made snapshot support available for SMB Azure file shares, and since then we’ve seen many of our customers and partners reaping the benefits of having point-in-time copies of their production data. In late 2023, we announced the Public preview of snapshot support for NFS Azure file shares. With this blog, I’m excited to announce General availability (GA) of snapshot support for NFS Azure file shares.
Title: Announcing Public Preview of Confidential VMs with Intel TDX in Azure Virtual Desktop
Source: Azure Virtual Desktop
Author: Derek Su
Publication Date: 1/12/24
Content excerpt:
We are excited to announce that Azure Virtual Desktop now supports the public preview of DCesv5 and ECesv5-series confidential VMs. These confidential VMs are powered by 4th Gen Intel® Xeon® Scalable processors with Intel® Trust Domain Extensions (Intel® TDX) and enable organizations to bring confidential workloads to the cloud without code changes to applications. Through the gated preview, we continued to enhance performance with our Intel partnership. These new virtual machines are up to 20% faster than 3rd Gen Intel Xeon virtual machines, and we expect performance for I/O intensive workloads to continue to improve as the technology matures.
Title: Modernize ASP.NET web apps with Azure Migrate on Azure Kubernetes Service
Source: Containers
Author: Anirudh Raghunath
Publication Date: 1/31/24
Content excerpt:
In this blog, we’ll go over how you can modernize a legacy ASP.NET web app using Azure Migrate and run in on Windows containers on Azure Kubernetes Service. You’ll walk away with an understanding of how to...
Title: Onboarding Intune Managed iOS User Enrollment Devices to Microsoft Defender for Endpoint
Source: Core Infrastructure and Security
Author: Arnab Mitra
Publication Date: 1/3/24
Content excerpt:
Microsoft Defender for Endpoint is a unified endpoint security platform that provides protection, detection, investigation, and response capabilities. To use Microsoft Defender for Endpoint on iOS devices, you need to onboard them to the service and assign licenses to users.
This blog post explains the onboarding process of the recently announced support of Microsoft Defender for Endpoint on Intune managed iOS/iPadOS devices enrolled with Apple User Enrollment mode. This enrollment method was introduced with iOS 13 that allows users to enroll their personal devices in a way that protects their privacy and separates work data (stored on a separate volume) from personal data. User Enrollment devices are managed by Intune with a limited set of policies and configurations.
Title: Intune iOS/iPadOS Management In a Nutshell
Source: Core Infrastructure and Security
Author: Jonas Ohmsen
Publication Date: 1/8/24
Content excerpt:
I’m a Microsoft Cloud Solution Architect and this blog post should give a brief overview of how to manage iOS and iPadOS devices with Microsoft Intune and how to get started.
If you are planning to migrate to Intune, I highly recommend the following link to a migration guide some colleagues wrote: https://aka.ms/intunemigrationguide.
Title: ConfigMgr CMG Least Privilege Setup Approach
Source: Core Infrastructure and Security
Author: Jonas Ohmsen
Publication Date: 1/15/24
Content excerpt:
I’m a Microsoft Cloud Solution Architect and this blog post is meant as a guide to setup a ConfigMgr Cloud Management Gateway (CMG) without the need for a Global Admin to use the ConfigMgr console.
I will also briefly explain what a CMG is and how the setup looks like in Azure. This part is a mix of the official documentation and of my own view on the product.
Title: Zero Touch Enrollment of MDE on iOS/iPadOS devices managed by Intune
Source: Core Infrastructure and Security
Author: Arnab Mitra
Publication Date: 1/18/24
Content excerpt:
Microsoft Defender for Endpoint (MDE) is a unified endpoint security platform that helps protect your devices from advanced threats. MDE on iOS/iPadOS devices provides protection against phishing and unsafe network connections. To use MDE on iOS devices, you need to enroll them in Microsoft Intune, a cloud-based service that helps you manage and secure your mobile devices.
This blog post helps you prepare your environment for zero-touch aka silent enrollment of MDE on your Intune managed iOS/iPadOS devices. Zero Touch enrollment is not available for all scenarios, below is a matrix for reference...
Title: Intune, Event, Azure Monitor Agent
Source: Core Infrastructure and Security
Author: Bindusar Kushwaha
Publication Date: 1/23/24
Content excerpt:
Hello everyone, I am Bindusar (CSA) working with Intune. I have received multiple requests from customers asking to collect specific event IDs from internet-based client machines with either Microsoft Entra ID or Hybrid Joined and upload to Log Analytics Workspace for further use cases. There are several options available like...
Title: Migrating from the Azure MMA to AMA Agent
Source: Core Infrastructure and Security
Author: Paul Bergson
Publication Date: 1/29/24
Content excerpt:
I have another conversation about the sunset of the Microsoft Monitoring Agent (MMA). Back on November 13, 2023 I posted and article on how to do a bulk removal of the Azure MMA agent, but before you can remove the MMA agent you need to have the AMA agent ready to take over the work. Below are details to assist in this endeavor.
Title: The Case of the Rogue Azure Arc Connected Machine Agent
Source: FastTrack for Azure
Author: Laura Hutchcroft
Publication Date: 1/9/24
Content excerpt:
My customer needed a way to manage their on-premises Windows and Linux servers as well as some non-Azure servers in the Azure Portal. This customer needed to be able to monitor server performance, update servers, manage compliance and many other Azure Management capabilities all in one place; not on premises but manage them all in the cloud. This customer selected to use the Azure Arc capabilities in Azure for these requirements.
In a nutshell, Azure Arc is a centralized way to manage your existing non-Azure and/or on-premises resources in Azure Resource Manager. If you want an easy way to manage Windows servers, Linux servers, Kubernetes clusters, VMware servers, AWS servers, GCP servers, Azure Arc can provide the way. In this article, we are going to specifically discuss Azure Arc-enabled servers and a specific troubleshooting case with the Azure Arc Connected Machine Agent.
Title: Monitor your Virtual Machines and Arc servers' workloads with Azure Monitor
Source: FastTrack for Azure
Author: Jose Fehse
Publication Date: 1/12/24
Content excerpt:
Azure Monitor is an amazing suite of technologies that lets you collect, visualize, and act on data from your Azure resources. You can use metrics and logs to monitor the health and performance of any Azure resource. Microsoft offers tailored experiences for specific workloads, such as Virtual Machine Insights. Some of these experiences also include alerts and modern dashboards (Grafana) to help you act and troubleshoot issues. However, for server-based workloads, such as IIS, Print Servers, DNS, and others, there was no native cloud solution for monitoring. Until now.
The Azure Monitor Starter Packs (or “MonStar” packs) is a set of pre-configured components that provide monitoring configuration for multiple Azure resources without the need to create rules, alerts or dashboards. The monitoring features will be ready for assignment and consumption as soon as deployed.
Each pack will contain the required rules to collect the pertinent information (DCRs), the Alert Rules to inform about observations (alerts) and Dashboards (Grafana) to visualize the data.
Title: Reducing costs for Windows workloads on Azure Kubernetes Service with Azure Hybrid Benefits
Source: ITOps Talk
Author: Vinicius Apolinario
Publication Date: 1/10/24
Content excerpt:
Happy new year everyone! What better way to get the year started than saving some money, right? Last year, as customers continued to move their Windows workloads to Azure Kubernetes Service (AKS) and evolve these deployments, they started to explore cost saving strategies. Granted, there are many ways to save costs when running in the cloud and especially when it comes to AKS as you can scale up or down and in or out, reduce the size of your deployment, replicas, node size, and more. However, for Windows workloads, one of the simplest ways to save is by leveraging the Azure Hybrid Benefit.
Title: Wired for Hybrid - What's New in Azure Networking - January 2024 edition
Source: ITOps Talk
Author: Pierre Roman
Publication Date: 1/24/24
Content excerpt:
Azure Networking is the foundation of your infrastructure in Azure. Each month we bring you an update on What’s new in Azure Networking.
In this blog post, we’ll cover what's new with Azure Networking in January 2024. In this blog post, we will cover the following announcements and how they can help you.
Title: Why Azure Image Builder - Getting Started
Source: ITOps Talk
Author: Amy Colyer
Publication Date: 1/31/24
Content excerpt:
You might be familiar with building golden images or templates for use on-premises. Back in the olden days we used to "ghost" machines and now you may use a VM template with sysprep. Azure offers the managed service Azure Image Builder so you can configure your image as a template for reuse within your cloud. Golden or base images are usually built upon governance, standards and best practices within your organization. These images especially come into play if you have immutable infrastructure, servers or virtual machines that will not be modified after deployment. To ensure consistency and speed up deployment, you can create golden images or templates.
Title: Addressing Data Exfiltration: Token Theft Talk
Source: Microsoft Entra (Azure AD)
Author: Anna Barhudarian
Publication Date: 1/2/24
Content excerpt:
Let’s continue our discussion on preventing data exfiltration. In previous blogs, we shared Microsoft’s approach to securing authentication sessions with Continuous Access Evaluation (CAE) and discussed securing cross-tenant access with Tenant Restrictions v2. Today our topic is stolen authentication artifacts.
Stolen authentication artifacts – tokens and cookies – can be used to impersonate the victim and gain access to everything the victim had access to. Up until a few years ago, token theft was a rare attack and was most often exercised by corporate Red Teams. Why? Because it’s simpler to steal a password than a cookie. However, with multifactor authentication (MFA) becoming more prevalent, we’re seeing real-life attacks involving artifact theft and replay.
Before diving into details, it’s important to note that Microsoft recommends that the first line of defense against token theft is protecting your devices by deploying endpoint protections, device management, phishing-resistant MFA, and antimalware, as described in Token tactics: How to prevent, detect, and respond to cloud token theft | Microsoft Security Blog.
Title: Introducing More Granular Certificate-Based Authentication Configuration in Conditional Access
Source: Microsoft Entra (Azure AD)
Author: Alex Weinert
Publication Date: 1/30/24
Content excerpt:
I’m thrilled to announce the public preview of advanced certificate-based authentication (CBA) options in Conditional Access, which provides the ability to allow access to specific resources based on the certificate Issuer or Policy Object Identifiers (OIDs) properties.
Title: Enable your key business needs within Microsoft Sentinel with step-by-step guidance
Source: Security, Compliance, and Identity
Author: Shirleyse Haley
Publication Date: 1/31/24
Content excerpt:
Modernize your security operations center (SOC) with Microsoft Sentinel. Uncover sophisticated threats and respond decisively with an intelligent, comprehensive security information and event management (SIEM) solution for proactive threat detection, investigation, and response.
This lightweight guide quickly walks you through business needs related to modernizing your SOC. It helps you make the most of Microsoft security solutions by pointing you to specific training and technical documentation...
Title: Windows Server Insider Preview 26040 is out - and so is the new name
Source: Storage at Microsoft
Author: Ned Pyle
Publication Date: 1/26/24
Content excerpt:
Heya folks, Ned here again. We've resumed the Windows Server Insider program after our winter break and there's a new build, new features, and - finally - the official branding: Windows Server 2025.
Previous CTO! Guides:
Additional resources:
- Azure documentation
- Azure pricing calculator (VERY handy!)
- Microsoft Azure Well-Architected Framework
- Microsoft Cloud Adoption Framework
- Windows Server documentation
- Windows client documentation for IT Pros
- PowerShell documentation
- Core Infrastructure and Security blog
- Microsoft Tech Community blogs
- Microsoft technical documentation (Microsoft Docs)
- Sysinternals blog
- Microsoft Learn
- Microsoft Support (Knowledge Base)
- Microsoft Archived Content (MSDN/TechNet blogs, MSDN Magazine, MSDN Newsletter, TechNet Newsletter)