Check This Out! (CTO!) Guide (Mar 2025)
Hi everyone! Tyson Paul here with this month’s “Check This Out!” (CTO!) guide. Our goal with these posts is to guide you toward content that piques your interest, whether it's for learning, troubleshooting, or discovering new sources. Each month, we’ll give you a snapshot of intriguing blog content, provide direct links to the source material, and introduce you to other valuable blogs you might not know about yet. If you’re a long-time reader, you’ll notice this series is similar to our previous “Infrastructure + Security: Noteworthy News” series. We hope you find this new format just as helpful and engaging. Thank you for your continued support from all of us on the Core Infrastructure and Security Tech Community blog team!

Title: Lab: Manage Virtual Networks at Scale with Azure Virtual Network Manager (AVNM)
Team Blog: Azure Networking
Author: andreamichael
Publication Date: 03/05/2025
Article Summary: The article introduces a lab for learning Azure Virtual Network Manager (AVNM) focused on managing virtual networks at scale. The lab provides an overview of AVNM's capabilities, including setting up connectivity, security, and routing configurations for virtual networks. It guides users through deploying Azure Resource Manager (ARM) templates, creating network managers, grouping networks, and setting up hub-and-spoke topologies. The lab also covers IP address management, security rule implementation, and analysis with AVNM's virtual network verifier tool. Participants are advised to ensure proper permissions, deploy resources, and follow clean-up procedures after the lab.

Title: What’s new in Microsoft Intune: February 2025
Team Blog: Microsoft Intune
Author: ScottSawyer
Publication Date: 02/27/2025
Article Summary: In February 2025, Microsoft Intune introduced several enhancements to balance productivity and security. Key updates include improvements to the Managed Home Screen for Android, featuring QR code authentication for sign-in and custom ringtone selection to reduce confusion in environments with shared devices. The release also includes a more detailed device information page to aid troubleshooting. Additionally, the Device query feature for Windows devices, now generally available, allows IT professionals to swiftly assess configurations and detect inconsistencies across multiple devices, improving efficiency and decision-making. These updates aim to enhance user empowerment while maintaining robust security protocols.

Title: Azure File Sync: faster, more secure and Windows Server 2025 support
Team Blog: Azure Storage
Author: Vritika
Publication Date: 02/21/2025
Article Summary: Azure File Sync has introduced several updates enhancing performance, security, and compatibility, including 7x faster server onboarding and a 10x increase in sync performance. It now supports Windows Server 2025, enabling improved scalability, security, and cloud integration. The platform integrates with Azure's Copilot for AI-driven troubleshooting and has added managed identities for secure authentication. These advancements streamline server provisioning, boost sync efficiency, and offer centralized management through the Windows Admin Center. Together, these features enhance Azure File Sync's role in facilitating seamless data migration and efficient, secure cloud integration for businesses.

Title: Announcing General Availability of Azure Dl/D/E v6 VMs powered by Intel EMR processor & Azure Boost
Team Blog: Azure Compute
Author: AndyJia_Azure
Publication Date: 02/10/2025
Article Summary: Microsoft Azure has introduced the General Availability of its Dl/D/E v6 series Virtual Machines, powered by Intel's 5th Gen Xeon processors, offering enhanced performance for both General Purpose and Memory Optimized workloads. The VMs, available in multiple configurations, feature improved scalability, local and remote NVMe SSD support, and Azure Boost technology for enhanced storage and network capabilities. They deliver significant performance improvements, including up to 400k IOPS, 200 Gbps network bandwidth, and a 4x boost in AI workloads. These VMs are now available across multiple Azure regions, with more to follow.

Title: Active Directory is 25 Years Old. Do You Still Manage It Like It's 1999?
Team Blog: Core Infrastructure and Security
Author: LizTesch
Publication Date: 03/06/2025
Article Summary: The article, written by Liz Tesch, emphasizes the need for modern management practices for Microsoft's Active Directory, which is 25 years old. Despite its longevity, many organizations still manage AD as if it were the late 1990s, exposing themselves to security risks due to outdated practices such as location-based OU structures, over-privileged service accounts, flat support structures, and ineffective deprovisioning processes. To mitigate these risks, organizations should align their AD structure with current security models, review and limit the privileges of service accounts, streamline access controls, and ensure robust deprovisioning processes for both human and service accounts.

Title: Way to minimize the impact of Allocation Failure issue in Cloud Service Extended Support
Team Blog: Azure PaaS
Author: JerryZhangMS
Publication Date: 02/21/2025
Article Summary: The article addresses mitigating the impact of Allocation Failure in Cloud Service Extended Support (CSES). While common solutions like redeployment lead to downtime, the blog offers a strategy to minimize disruption by switching requests to a newly created service. This involves creating a new CSES with updated settings and redirecting traffic via domain name adjustments. For custom domains, this means updating CNAME or A records. For scenarios using the FQDN, a brief downtime may occur due to DNS changes. The article asserts these methods can significantly reduce downtime, aiming for zero downtime with custom domains and under one minute for FQDN scenarios.

Title: 5 years of Arc Jumpstart with a refreshed website
Team Blog: Azure Arc
Author: liorkamrat
Publication Date: 02/24/2025
Article Summary: In February 2025, Arc Jumpstart celebrates five years by launching a redesigned website, enhancing user experience with features like dark/light mode, improved accessibility, responsive design, and streamlined navigation. The update aligns with the mission to support the Microsoft Adaptive Cloud approach, focusing on automation, scalability, and open-source collaboration. New features like Jumpstart Gems and Badges aim to enrich user engagement and cloud proficiency. Enhanced GitHub issue templates facilitate feedback and maintenance. Arc Jumpstart evolves to unify distributed systems, integrate AI, and enable operations across hybrid, multicloud, edge, and IoT environments.

Title: We're moving!
Team Blog: Azure Stack
Author: Cosmos_Darwin
Publication Date: 11/25/2024
Article Summary: Microsoft has announced Azure Local as a new chapter for adaptive cloud infrastructure, replacing Azure Stack HCI and offering features like lower-cost edge devices and disconnected operations, with a seamless transition for existing users. All related content will move to the Azure Arc blog as part of a unification process. This change was introduced at Microsoft Ignite 2024, and the team expresses gratitude for user engagement over the years. Azure Local, powered by Azure Arc, promises continued innovation and encourages followers to stay updated on the Azure Arc blog.
Title: Securely Integrating Azure API Management with Azure OpenAI via Application Gateway
Team Blog: Azure Architecture
Author: Sabyasachi-Samaddar
Publication Date: 02/25/2025
Article Summary: The article outlines a technical guide for securely integrating Azure OpenAI with Azure API Management (APIM) using Azure Application Gateway. It addresses the need for enterprises to secure Azure OpenAI, which can be exposed over the public internet, by implementing a solution that confines traffic within an Azure Virtual Network (VNET) using Private Endpoints. The strategy involves deploying APIM within an internal VNET as a secure proxy, utilizing Application Gateway for secure external access with Web Application Firewall (WAF) rules and SSL termination. The guide details the configuration of VNETs, subnets, and Network Security Groups (NSGs) to ensure network segmentation and security. This scalable architecture protects OpenAI from direct internet exposure while permitting controlled API access, leveraging managed identity authentication and enforcing granular network control.

Title: New survey - Windows Server application survey!
Team Blog: Containers
Author: ViniciusApolinario
Publication Date: 01/21/2025
Article Summary: Microsoft has launched a new survey aimed at gathering insights on how customers approach Windows Server application modernization. The survey seeks to understand challenges, modernization processes, and triggers from customers to help Microsoft align its goals and prioritize work for future developments. The company values customer feedback to enhance its products and is encouraging participation in the survey to shape its plans for the upcoming years. Participants can access the survey at https://aka.ms/WSAppModSurvey and are encouraged to share the link with others.
Title: SMB security hardening in Windows Server 2025 & Windows 11
Team Blog: Storage at Microsoft
Author: NedPyle
Publication Date: 08/23/2024
Article Summary: Microsoft’s Secure Future Initiative (SFI) has introduced enhanced SMB security features in Windows 11 24H2 and Windows Server 2025. Key updates include mandatory SMB signing by default, NTLM blocking to enforce Kerberos authentication, and an authentication rate limiter to mitigate brute force attacks. Other enhancements include disabling insecure guest authentication, enforcing SMB protocol version management, and supporting SMB client encryption and SMB over QUIC across all Windows Server 2025 editions. These updates aim to bolster security by minimizing vulnerabilities in SMB, a crucial protocol for remote file and data access. Users can preview these OS updates now.

Title: Azure Private Endpoint vs. Service Endpoint: A Comprehensive Guide
Team Blog: FastTrack for Azure
Author: SriniThumala
Publication Date: 01/06/2025
Article Summary: The article compares Azure Private Endpoints and Service Endpoints as methods for enhancing security and connectivity for applications hosted on Microsoft Azure. Service Endpoints provide secure connections using public IPs routed through Azure's network, suitable for basic security needs with Network Security Group integration. Private Endpoints offer higher security by using private IPs, ensuring traffic remains internal for sensitive workloads or regulatory compliance. Use Service Endpoints for simpler security setups and reduced latency; choose Private Endpoints for full network isolation and strict security. The article advises selecting based on application security needs and performance requirements.

Title: Optimizing your Hyper-V hosts
Team Blog: Windows OS Platform
Author: Steven Ekren
Publication Date: 02/12/2025
Article Summary: The article provides insights on optimizing Hyper-V hosts by leveraging CPU scheduling and live migration settings. It discusses the relationship between physical CPUs, cores, and logical processors, detailing how virtual processors (VPs) are managed. Key optimization strategies include dedicating CPUs to the host via MinRoot to minimize resource contention, setting appropriate limits for live migrations to balance speed and system impact, and utilizing network configurations like RDMA for efficient data transfers. The article highlights tools and commands, such as Performance Monitor and PowerShell, to evaluate and implement these optimizations effectively.

Title: Revolutionizing Network Management and Performance with ATC, HUD and AccelNet on Windows Server 2025
Team Blog: Networking
Author: AnirbanPaul
Publication Date: 11/04/2024
Article Summary: The release of Windows Server 2025 introduces three significant innovations in network management: Network ATC, Network HUD, and AccelNet. Network ATC simplifies network configurations by automating deployments and ensuring consistency across clusters, reducing errors, and handling configuration drift. Network HUD is designed to detect, prevent, and alert on network issues using real-time data analysis, ensuring stability across physical and virtual components. AccelNet optimizes SR-IOV management for virtual machines, enhancing high-performance network workloads by reducing latency while simplifying configuration and health monitoring. Together, these features enhance network efficiency and reliability, making them vital for modern digital environments.

Title: Azure Virtual Desktop now supports Azure Extended Zones
Team Blog: Azure Virtual Desktop
Author: TomHickling
Publication Date: 11/25/2024
Article Summary: Azure Virtual Desktop now supports deployment in Azure Extended Zones, enhancing location options for low-latency and data-residency workloads in metropolitan areas. The first zone is in Los Angeles, California. Access requires a request, and deploying host pools differs slightly due to the lack of a default outbound route. Internet access can be facilitated using Azure Load Balancer, Azure Firewall, or third-party firewalls. The Azure portal now allows creation or selection of a Load Balancer during host pool setup. Limited VM family availability is noted due to zone size. More details are available through the specified Azure resources.

Title: ADSS TSync vs Entra Cross-Tenant Sync: A Comprehensive Comparison
Team Blog: Security, Compliance, and Identity
Author: SankaraNarayananMS
Publication Date: 03/06/2025
Article Summary: The article compares ADSS Tenant Sync and Entra Cross-Tenant Sync for managing identities across multiple Azure AD tenants. ADSS Tenant Sync, managed by Microsoft's consulting team, offers a centralized, customizable synchronization model ideal for complex organizations needing advanced features. In contrast, Entra Cross-Tenant Sync, a native Microsoft feature, provides a cost-effective, integrated solution with simpler authentication, limiting customization but emphasizing ease of management. The choice between them depends on an organization's needs for customization, budget, and integration with existing systems. Both aim to streamline identity management across tenants in different ways.

Title: 3 internal obstacles to overcome for comprehensive security
Team Blog: FastTrack
Author: JulieHersum
Publication Date: 01/28/2025
Article Summary: Organizations face significant cybersecurity challenges, with frequent incidents and high costs. Microsoft emphasizes comprehensive security solutions, such as Microsoft Defender XDR, to protect data and technology. However, deploying these solutions can be hindered by internal obstacles, including reluctance to replace legacy systems due to the sunk cost fallacy, concerns about secure integration, and resource constraints. To overcome these issues, Microsoft offers resources like FastTrack to facilitate easier deployment. By adopting Microsoft Defender, organizations can achieve unified security, improve their security posture, and protect against cyber threats more effectively and efficiently.

Title: Cloud security in the fast lane: Navigating PaaS challenges
Team Blog: Azure Infrastructure
Author: seanwhalen
Publication Date: 03/06/2025
Article Summary: The article discusses the security challenges and strategies associated with Platform as a Service (PaaS) in cloud computing. As PaaS promotes innovation and scalability, it also introduces unique security hurdles, such as network integration issues, data exfiltration risks, a lack of infrastructure visibility, and insider threats. The article highlights the importance of adopting zero-trust models, strong access controls, and continuous monitoring to protect sensitive data. Azure's network security perimeter is presented as a comprehensive solution to enhance security through micro-segmentation, data exfiltration prevention, and unified security management, critical amidst increasing PaaS attacks.

Title: Step-by-Step Guide : How to use Temporary Access Pass (TAP) with internal guest users
Team Blog: ITOps Talk
Author: dishanfrancis
Publication Date: 01/13/2025
Article Summary: The article discusses the benefits of passwordless authentication, highlighting its enhanced security compared to traditional password-based methods. Microsoft Entra ID supports various passwordless authentication options such as Windows Hello, Microsoft Authenticator, and Passkeys (FIDO2). The article focuses on the use of Temporary Access Pass (TAP) as an initial authentication method to enable passwordless options. Originally available only for internal users, TAP now supports internal guest users—accounts in the same directory but with guest-level access, like contractors. The article walks through setting up TAP for internal guest users, ensuring a more secure login process.
Title: Removal of Azure Policy aliases for Microsoft.Insights/alertRules
Team Blog: Azure Governance and Management
Author: ShannonHicks
Publication Date: 03/05/2025
Article Summary: The article discusses the deprecation of the Microsoft.Insights/alertRules resource type and the removal of associated Azure Policy aliases. As a result, policies referencing these aliases will not be evaluated, with little impact expected since they usually target already-removed resource types. Attempts to modify such policy definitions will be blocked. Affected built-in policies, including "Metric alert rules should be configured on Batch accounts," will also be deprecated. To mitigate effects, users should identify affected policies, update their definitions, test the updates, and monitor for future Azure Policy changes to ensure continued compliance and governance.

Title: New Cluster-Wide Control For Virtual Machine Live Migrations In Windows Server and Azure Stack HCI
Team Blog: Failover Clustering
Author: Steven Ekren
Publication Date: 01/05/2023
Article Summary: The article discusses a new feature in Windows Server 2022 and Azure Stack HCI, which simplifies managing parallel live migrations in a cluster by introducing the MaximumParallelMigrations cluster property. Previously, administrators had to manually configure each node, but the new property allows a single setting to be inherited by all nodes within a cluster, even when new servers are added. This ensures consistent configuration across the cluster. The default value is one parallel migration, but administrators can adjust this based on their system's capabilities. It enhances reliability and simplifies management across diverse systems.
Title: Daily schedule: Microsoft in-booth sessions at NVIDIA GTC
Team Blog: Azure High Performance Computing (HPC)
Author: SarahYousuf
Publication Date: 03/06/2025
Article Summary: The article details Microsoft's participation at the NVIDIA GTC AI Conference from March 17-21 in San Jose, CA, outlining daily sessions at Microsoft's booth #514. Key sessions include discussions on AI applications across industries, integrating NVIDIA technologies with Azure cloud services. Topics range from AI-driven manufacturing processes, rare disease detection, large language models, and AI infrastructure to generative AI applications. Presentations also cover Azure's confidential computing and NetApp Files, emphasizing Microsoft's AI innovation and collaborations with NVIDIA to enhance performance, scalability, and security in AI deployments. The blog encourages attendees to engage with Microsoft's AI offerings at the event.

Title: From the frontlines: Revolutionizing healthcare workers experience
Team Blog: Intune Customer Success
Author: Intune_Support_Team
Publication Date: 02/28/2025
Article Summary: The article by Catarina Rodrigues discusses the transformative impact of technology in healthcare, focusing on Microsoft's Intune platform that manages mobile devices in critical environments like hospitals. Intune enhances healthcare operations by securing data access and allowing seamless device management across platforms. Within ICU settings, Android tablets are used to provide nurses with crucial patient information. With Intune, these devices can operate safely with shared access, authenticated sign-ins, and timely updates. The blog highlights the flexibility and security of Intune, illustrating how it streamlines communication and workflow for healthcare professionals, ultimately improving patient care.
Title:
Team Blog: Windows IT Pro
Author:
Publication Date:
Article Summary:

Title: Collecting Debug Information from Containerized Applications
Team Blog: Ask The Performance Team
Author: Becky
Publication Date: 11/17/2023
Article Summary: The article, written by Debug Engineer Will Aftring, guides developers and IT admins on collecting debug information from containerized Windows applications. It highlights the complexities of migrating applications to containers, detailing steps such as identifying dependencies, configuring settings, and managing network communications. The author provides troubleshooting techniques for when applications within containers fail to run correctly, including checking console logs, accessing log files, and using external tools for debugging. Strategies for handling memory dumps are also discussed. The article aims to simplify the debugging process and assist in the efficient transition of applications to a containerized environment.

Title: Announcement: System Center 2025 is GA
Team Blog: System Center
Author: AakashMSFT
Publication Date: 11/07/2024
Article Summary: System Center 2025 is now generally available, enhancing datacenter operations with a focus on infrastructure modernization and security. New features include support for heterogeneous infrastructure management, enhanced security with reduced reliance on legacy authentication, and improved management capabilities with Azure Arc integration. It supports the latest Windows Server 2025 and provides tools for managing virtual machines, enhancing data security, and streamlining IT operations. Key updates include seamless Azure integration, enhanced generation 2 VM support, and the discontinuation of obsolete features. Users can access System Center 2025 through the evaluation center or Microsoft Admin Center to explore these enhancements.
Title: Microsoft Cost Management updates—February 2025 (summary)
Team Blog: FinOps
Author: flanakin
Publication Date: 03/05/2025
Article Summary: The February 2025 Microsoft Cost Management updates include new AccountId and InvoiceSectionId columns in cost details datasets for better cost allocation. Users can now access Copilot directly from the Cost Management overview with sample prompts. Updates about the FinOps Open Cost and Usage Specification are available in the Learning FOCUS blog series. New cost-saving features include changes in Azure Reserved VM Instances, Azure NetApp Files support, Azure DevTest Labs hibernation, and Azure Monitor diagnostics. Also introduced are improvements in documentation, API modernization, and new AKS monitoring experiences.

Title: Hyper-V HyperClear RETbleed Update
Team Blog: Virtualization
Author: brucesherwin
Publication Date: 07/19/2022
Article Summary: The article discusses recent disclosures of speculative execution side channel vulnerabilities in Intel and AMD processors, specifically CVE-2022-23825, CVE-2022-29900, CVE-2022-29901, and CVE-2022-28693, similar to the Spectre attack. Microsoft's virtualization team has been using Hyper-V HyperClear, a mitigation architecture, to protect against these vulnerabilities without significant updates. HyperClear uses three main components, Core Scheduler, Virtual-Processor Address Space Isolation, and Sensitive Data Scrubbing, to maintain strong inter-VM isolation and safeguard against speculative execution attacks with minimal performance impact.
Title: Stop Worrying and Love the Outage, Vol IV: Preference items
Team Blog: Ask the Directory Services Team
Author: Chris_Cartwright
Publication Date: 01/28/2025
Article Summary: In the fourth installment of the "Stop Worrying and Love the Outage" series, Chris Cartwright from the Directory Services support team highlights the risks of using Group Policy Preference items that conflict with existing client-side extensions, leading to potential system instability and outages. Using the example of Cipher Suite Ordering, the article illustrates how conflicts between Administrative Templates and Preference items targeting the same registry key can lead to unpredictable outcomes. Cartwright advises against targeting Group Policy registry locations with Preference items, as it creates administrative challenges and system instability, unless it's a necessary workaround for unsupported OS limitations.

Title: Protecting the Public IPs of Secured Virtual Hub Azure Firewalls against DDoS Attacks
Team Blog: Azure Network Security
Author: gusmodena
Publication Date: 02/28/2025
Article Summary: The article discusses the enhancement of Azure Firewalls in Secured Virtual Hubs by configuring specific Azure public IPs, enhancing network security against DDoS attacks. This feature allows for complete control and management of public IP addresses, enabling custom configurations aligned with security policies. Azure DDoS IP Protection can be configured to mitigate attacks, maintaining service availability and security. The article provides steps for enabling DDoS IP Protection and discusses benefits such as enhanced security, flexibility in IP address management, and a robust defense against DDoS attacks, thereby securing the network infrastructure more effectively.
Title: Get AI ready: What we’ve learned building AI competency at Microsoft
Team Blog: Microsoft Learn
Author: SandraMarin
Publication Date: 02/13/2025
Article Summary: At Microsoft, developing AI skills and fluency is deemed essential for maximizing the technology's potential. Organizations are encouraged to provide both technical and non-technical team members with AI-learning opportunities, building a foundation for future leadership in the AI era. Jeana Jorgensen, Microsoft's Corporate Vice President of Worldwide Learning, emphasizes the importance of effective AI training programs, acknowledging the unique paths of different organizations. Her blog and the e-book "10 Best Practices to Accelerate Your Employees’ AI Skills" offer practical advice and insights to implement effective AI training, helping organizations to evolve, support employees, and foster innovation.

Title: Upcoming Breaking Change in Az SSH for Arc Connections Extension
Team Blog: Azure Tools
Author: stevenbucher
Publication Date: 02/27/2025
Article Summary: The Az SSH extension, crucial for secure Azure VM connections, will undergo a breaking change affecting Azure Arc Machine connections. By May 21, versions prior to 2.0.4 will fail upon installation due to the deprecation of a storage blob. While existing installations will function unless corrupted, reinstalling outdated versions will be impossible. Users should upgrade to at least version 2.0.6 using the Azure CLI to ensure continuity. Additionally, scripts using older versions should be updated. This change is vital for security, and users are advised to stay informed about further updates.

Title: Azure VMware Solution Broadcom VMSA-2025-0004 Remediation
Team Blog: Azure Migration and Modernization
Author: rvandenbedem
Publication Date: 03/04/2025
Article Summary: Microsoft recently identified a critical ESXi vulnerability in Azure VMware Solution and collaborated with Broadcom to develop a secure patch. Using advanced analytics for early detection, Microsoft swiftly assembled a global team to work on the ESXi 8.0 U2d Build 24585300 patch. The patch rollout is set for completion within 30 days, ensuring proactive security for customers. New Azure VMware Solution deployments after March 4, 2025, will have the patch pre-applied. The company's in-depth risk management and partnership with Broadcom enhance overall security, allowing for quick vulnerability responses and effective digital asset protection.

Title: Simplify frontline workers’ sign-in experience with QR code authentication
Team Blog: Microsoft Entra (Azure AD)
Author: Robin Goldstein
Publication Date: 02/25/2025
Article Summary: Microsoft has introduced QR code authentication in Microsoft Entra ID, aimed at easing sign-ins for frontline workers on shared devices by eliminating the need for usernames and passwords. This feature, now in public preview, allows employees to scan a unique QR code and enter a personal PIN for fast, secure access to essential applications. The system significantly improves efficiency and security, as demonstrated by Contoso Industries, which is transitioning to QR code authentication to simplify app access for its retail employees. The initial feedback has been positive, highlighting the streamlined authentication process and enhanced security measures.