Hi everyone! Brandon Wilson here once again with this month’s “Check This Out!” (CTO!) guide.
These posts are only intended to be your guide, to lead you to some content of interest, and are just a way we are trying to help our readers a bit more, whether that is learning, troubleshooting, or just finding new content sources! We will give you a bit of a taste of the blog content itself, provide you a way to get to the source content directly, and help to introduce you to some other blogs you may not be aware of that you might find helpful. If you have been a long-time reader, then you will find this series to be very similar to our prior series “Infrastructure + Security: Noteworthy News”.
From all of us on the Core Infrastructure and Security Tech Community blog team, thanks for your continued reading and support!
Title: Introducing Azure Well-Architected Framework Assessments for Azure Stack Hub (Preview)
Source Tech Community: Azure Architecture Blog
Author: Neil Bird
Publication Date: July 15, 2022
Content excerpt:
Today we are announcing two pillars of the Well-Architected Framework are available in Preview for Azure Stack Hub on the Microsoft Assessment Platform. These are the Reliability and Operational Excellence pillars. If you are using Azure Stack Hub to deploy and operate workloads for key business systems, it is now possible to answer questions for these pillars within the assessments platform. After completing the assessments, you will be provided with a maturity or risk score, together with prescriptive guidance and knowledge links that suggest possible improvements you could make to your architecture design and score.
Title: Cost Optimisation In The Cloud – Practical Design Steps For Architects and Developers – Part 1
Source Tech Community: Azure Architecture Blog
Author: Shane Baldacchino
Publication Date: July 17, 2022
Content excerpt:
Cloud and cost. It can be quite a polarising topic. Do it right, and you can run super lean, drive down the cost to serve and ride the cloud innovation train. But, inversely, do it wrong and treat public cloud like a datacentre, and your costs could be significantly larger than on-premises.
Title: Armchair Architects: Architecting Mission Critical Apps
Source Tech Community: Azure Architecture Blog
Author: Ben Brauer, Eric Charran, Uli Homann, David Blank-Edelman
Publication Date: July 22, 2022
Content excerpt:
In a new episode of the Azure Enablement Show, Uli, Eric, and David have a lively discussion about what architects need to consider when designing mission critical solutions such as emergency services that must always work.
Title: Introducing Virtual Machine Restore Points – A Simpler Way to Protect Azure Workloads
Source Tech Community: Azure Storage Blog
Author: Dinesh Reddy Kethi Reddy
Publication Date: July 19, 2022
Content excerpt:
Azure today announces the launch of VM restore points, a new resource that stores VM configuration and a point-in-time snapshot of one or more managed disks attached to a VM. VM restore points capture a comprehensive backup solution as they support both app consistent and crash consistent snapshots (in preview). This can then be used to restore disks and VMs in scenarios such as data loss, data corruption, disaster recovery, or mishaps during the maintenance of your infrastructure and workloads.
Title: GA: Azure Storage Updating Client-Side Encryption In SDK To Address Security Vulnerability
Source Tech Community: Azure Storage Blog
Author: Manu Yareshimi
Publication Date: July 11, 2022
Content excerpt:
Azure Storage .NET, Java, and Python SDKs support encryption on the client with a customer-managed key that is maintained in Azure Key Vault or another key store. Current release versions of the Azure Storage SDKs use cipher block chaining (CBC mode) for client-side encryption (referred to as “v1”). The current implementation of CBC block mode is vulnerable to a padding oracle attack, provided the attacker has write access to the blob and can observe decryption failures. The attacker would need to perform 128 attempts per byte of plain text to decrypt blob contents. We view putting this combination of qualifiers together for an attack to be rare. We encourage customers to assess the risk to their scenarios.
Source Tech Community: Azure Network Security Blog
Author: Gustavo Modena, Shabaz Shaik
Publication Date: June 29, 2022
Content excerpt:
As your organization’s security requirements grow, it becomes difficult to manage all the perimeter security technologies. To simplify the management of cloud-based network security, we can use Azure Firewall Manager and its centralized management dashboard to gain visibility and centrally configure capabilities for Azure Firewall, Azure WAF and DDoS Protection technologies. In this blog we will specifically focus on using Azure Firewall Manager for WAF Policy Management and Distributed Denial of Service (DDoS) Protection plan management. For more details on Network Security Management with Azure Firewall Manager, please refer to this blog AZ-FWM-Blog.
Title: Azure Virtual Desktop is Moving Away from Storage Blob Image Type
Source Tech Community: Azure Virtual Desktop Blog
Author: Tom Hickling
Publication Date: July 18, 2022
Content excerpt:
Why is Azure Virtual Desktop moving away from Storage Blob image type?
- Storage Blob images are created from unmanaged disks that lack the availability, scalability, and friction-free experience that the currently supported custom image types (managed images from managed disks and Shared Image Gallery images) offer.
- The option is still available on the portal but hidden to avoid its use and will be moving toward deprecation soon.
- Troubleshooting and maintaining platform and custom images are easier for customers.
Title: Announcing General Availability of Scheduled Agent Updates on Azure Virtual Desktop
Source Tech Community: Azure Virtual Desktop Blog
Author: Seneca Friend
Publication Date: July 21, 2022
Content excerpt:
This week at Microsoft Inspire we announced that Scheduled Agent Updates on Azure Virtual Desktop is now Generally Available!
This feature gives IT admins control over when the Azure Virtual Desktop agent, side-by-side stack, and Geneva Monitoring agent get updated. You can specify the time of day you want to update the Azure Virtual Desktop agent. You can schedule agents to be deployed at convenient times such as outside peak business hours so that business-critical work and end-user productivity are not interrupted.
Title: Accessing Key Vault from Another Subscription Over Private Endpoint
Source Tech Community: Core Infrastructure and Security Blog
Author: Andrew Coughlin
Publication Date: July 25, 2022
Content excerpt:
Hello everyone, Andrew Coughlin here and I am a Cloud Solutions Architect at Microsoft focusing on Azure IaaS. I recently received questions from a few of my customers about access to a key vault from a different subscription. In this blog I will walk through the process of using a managed identity to access an Azure Key Vault from another subscription over a private endpoint.
Title: Accessing Key Vault from Another Subscription Over Public Endpoint
Source Tech Community: Core Infrastructure and Security Blog
Author: Andrew Coughlin
Publication Date: July 4, 2022
Content excerpt:
Hello everyone, it has been a while, Andrew Coughlin here and I am a Cloud Solutions Architect at Microsoft focusing on Azure IaaS. I recently received questions from a few of my customers about accessing a key vault from a different subscription and from a different region in a different subscription. In this blog I will walk through the process of using a managed identity to access an Azure Key Vault from another subscription.
Title: Deprovisioning Cloud PCs in Windows 365
Source Tech Community: Core Infrastructure and Security Blog
Author: Jake Stoker
Publication Date: July 14, 2022
Content excerpt:
I am based out of the UK as a Senior Program Manager / Modern Work Architect Specialist (MWAS) within the Endpoint Management space. Today I am going to cover the hot topic which is Windows 365 and more specifically the deprovisioning process piece of the lifecycle.
Bringing Cloud PCs into the world is different from a typical VM or physical device, and taking them out of the world is different too. Typically, you would “Wipe” a physical Windows device from the MEM console to reset the device. With Windows 365 Cloud PCs, you must take a different route to achieve this.
Title: Azure DDoS Protection Standard Costs Estimation
Source Tech Community: Core Infrastructure and Security Blog
Author: Helder Pinto
Publication Date: June 13, 2022
Content excerpt:
If you are considering the activation of Azure DDoS Protection Standard – a great solution to better protect your Azure Virtual Network (VNet) resources from DDoS attacks – you may ask yourself: Which VNet(s) should you enable the service in? Or how many IPs can be covered by the base pricing? This sometimes isn’t trivial to find out, especially if you have a large or complex Azure infrastructure, made of multiple VNets and public resource types.
Title: DNS over TLS available to Windows Insiders
Source Tech Community: Networking Blog
Author: Tommy Jensen
Publication Date: July 13, 2022
Content excerpt:
DNS over TLS (DoT) is an alternative encrypted DNS protocol to DNS over HTTPS (DoH). Where DoH treats DNS traffic as one more HTTPS data stream over port 443, DoT dedicates port 853 to encrypted DNS traffic and runs directly over a TLS tunnel without HTTP layering underneath. This may result in a small performance improvement depending on the network environment at the cost of the flexibility HTTPS-based protocols can provide.
Client support for DoH was shipped in Windows 11 and Windows Server 2022. Starting today, the latest Windows Insider builds also offer client support for DoT.
Title: How Microsoft Defender for Identity Protects Against DFSCoerce
Source Tech Community: Security, Compliance, and Identity Blog
Author: Daniel Naim
Publication Date: July 1, 2022
Content excerpt:
Almost a year has passed since the “PetitPotam” attack vector was initially discovered. Shortly after, Microsoft Defender for Identity provided detection capabilities for this vulnerability. Earlier this month, a new attack vector that was inspired by PetitPotam was published by Filip Dragovic. The attack, which was later dubbed “DFSCoerce”, can exploit the DFS-NM protocol to coerce the Domain Controller to authenticate against any server to create an NTLM relay attack. This has the potential to allow a non-privileged user in the domain to become a domain admin.
Title: Announcing the Sunset of Windows Information Protection (WIP)
Source Tech Community: Windows IT Pro Blog
Author: Rafal Sosnowski
Publication Date: July 21, 2022
Content excerpt:
Certain capabilities within the solution known as Windows Information Protection (WIP), previously referred to as Enterprise Data Protection (EDP), will be discontinued over time. As a result, we recommend that you explore Microsoft Purview Information Protection and Data Loss Prevention for your multi-cloud and multi-platform data protection needs.
Title: Windows 11 Onboarding and Demo Lab Test Kits
Source Tech Community: Windows IT Pro Blog
Author: Harjit Dhaliwal
Publication Date: July 22, 2022
Content excerpt:
To make it easier for you to plan for, test, and validate Windows 11 in your environment—and prepare your end users and management teams for a familiar, but fresh user experience—we’ve created two robust and downloadable kits.
The updated Windows 11 and Office 365 Deployment Lab Kit contains a complete lab environment including evaluation versions of Windows 11 Enterprise, Windows Server 2022, and a collection of tools which allow you to test and conduct a proof of concept for Windows 11 deployment. The Windows 11 Onboarding Kit provides a collection of materials that you can use to help prepare your users and ensure that they get the most out of Windows 11.
Windows 11 brings many new features to IT professionals and knowledge workers. And as with anything new, there are also new things for IT administrators to learn.
Previous CTO! Guides:
Additional resources:
- Azure documentation
- Azure pricing calculator (VERY handy!)
- Microsoft Azure Well-Architected Framework
- Microsoft Cloud Adoption Framework
- Windows Server documentation
- Windows client documentation for IT Pros
- PowerShell documentation
- Core Infrastructure and Security blog
- Microsoft Tech Community blogs
- Microsoft technical documentation (Microsoft Docs)
- Sysinternals blog
- Microsoft Learn
- Microsoft Support (Knowledge Base)
- Microsoft Archived Content (MSDN/TechNet blogs, MSDN Magazine, MSDN Newsletter, TechNet Newsletter)
Updated Nov 21, 2022
Version 3.0