Core Infrastructure and Security Blog
Check This Out! (CTO!) Guide (April 2023)

Brandon Wilson (Microsoft)
May 11, 2023

Hi everyone! Brandon Wilson here once again with this month’s “Check This Out!” (CTO!) guide.

These posts are only intended to be your guide, to lead you to some content of interest, and are just a way we are trying to help our readers a bit more, whether that is learning, troubleshooting, or just finding new content sources! We will give you a bit of a taste of the blog content itself, provide you a way to get to the source content directly, and help to introduce you to some other blogs you may not be aware of that you might find helpful. If you have been a long-time reader, then you will find this series to be very similar to our prior series “Infrastructure + Security: Noteworthy News”.

From all of us on the Core Infrastructure and Security Tech Community blog team, thanks for your continued reading and support!
Title: Preview of SAN URI for Certificate Strong Mapping for KB5014754

Source: Ask the Directory Services Team

Author: Ryan Ries

Publication Date: 4/6/23

Content excerpt:

KB5014754, released in May 2022, introduced changes to Active Directory Kerberos Key Distribution Center (KDC) behavior on Windows Server 2008 and later when validating certificates during certificate-based authentication. These changes were made to address elevation-of-privilege vulnerabilities leveraging certificate spoofing.
Title: Azure Arc enabled servers and Azure Automanage Integration

Source: Azure Arc

Author: Aurnov Chattopadhyay

Publication Date: 4/19/23

Content excerpt:

Tired of manually onboarding and configuring Azure services for your Arc-enabled servers? With Azure Automanage Machine Best Practices, you can point, click, set, and forget to extend Azure security, monitoring, and governance services to servers anywhere.
Title: April release of Arc data services

Source: Azure Arc

Author: Dinakar Nethi

Publication Date: 4/24/23

Content excerpt:

As many of you may know, we have a monthly release coinciding with Patch Tuesday. So, our April release went out on the 12th.

The release includes updates for both the Azure extension for SQL Server and Arc data services. Here's a quick rundown of some features that shipped in each of these services.
Title: HPC, High Performance Computing, Azure, AI, AI Infrastructure, Infrastructure

Source: Azure High Performance Computing (HPC)

Author: Rachel Pruitt

Publication Date: 4/11/23

Content excerpt:

High performance computing is the use of advanced systems and techniques to solve complex computational problems that require significant processing power and memory. The beauty of HPC is using parallel processing and supercomputers to perform these calculations at incredibly high speeds. Typically, each workload is split into tasks, and these tasks are all performed in parallel where possible to complete them faster.
Title: Monitor and troubleshoot Azure & hybrid networks with Azure Network Monitoring

Source: Azure Networking

Author: Medhashree Jha

Publication Date: 4/5/23

Content excerpt:

The Azure Network Watcher and Network Insights portfolio encompasses an entire suite of tools to visualize, monitor, diagnose, and troubleshoot network issues across Azure and hybrid cloud environments. The suite enables customers to observe health across resources and networks with comprehensive coverage, through a guided and intuitive drill-down experience with Network Insights.
Title: Monitor Object Replication Azure Blob Storage

Source: Azure PaaS

Author: Haitham Oaffesha

Publication Date: 4/13/23

Content excerpt:

Object replication asynchronously copies block blobs between a source storage account and a destination account. Because block blob data is replicated asynchronously, the source account and destination account are not immediately in sync. There's currently no SLA on how long it takes to replicate data to the destination account. In some cases, you might need to check the replication status. In this article we will go over the different methods that you can use to check and monitor the object replication status for the storage account.
Title: How to capture underlying outbound traffic from Cloud Service Web Role to other servers

Source: Azure PaaS

Author: Jerry Zhang

Publication Date: 4/18/23

Content excerpt:

It’s common that part of the data of a web page is saved in another service such as a storage account or SQL Server. When the website is hosted on Azure Cloud Service and we visit the page, the w3wp process of the IIS component needs to send a request to the target remote server to read the needed data.

But when the Cloud Service fails to read the data from the remote server and the developer wants to troubleshoot this issue, it is difficult, as by default users are unable to track the outbound traffic from the Cloud Service to these remote servers.
Title: The True Cost of Traditional File Storage

Source: Azure Storage

Author: Karl Rautenstrauch

Publication Date: 4/27/23

Content excerpt:

We’ve reached a tipping point when it comes to storing and managing unstructured data. With a focus on lowering costs and optimizing cloud spend, this series of posts will cover 3 top-of-mind topics for enterprise IT teams today.
Title: Leverage the Cloud to Cut File Data Costs: Comparison of Alternatives

Source: Azure Storage

Author: Karl Rautenstrauch

Publication Date: 4/28/23

Content excerpt:

In our previous post, we reviewed unstructured data growth and the high costs associated with file data storage. Since 80% of file data is cold, meaning infrequently accessed, and cost-effective tiers such as Azure Blob are 1/10th to 1/100th the cost of file storage, it is easy to see why businesses and public sector organizations want to use cold data tiering to reduce file storage costs. Here is a breakdown of Azure Blob Archive costs compared to higher performance on-premises and cloud file storage options.
Title: Azure Virtual Desktop, Azure Virtual Desktop Features, AVD, FSLogix

Source: Azure Virtual Desktop

Author: Tristan Scott

Publication Date: 4/27/23

Content excerpt:

It’s an exciting time for Azure Virtual Desktop as we continue to deliver new enhancements based on customer requests. I’m pleased to share the new capabilities we’ve recently released that improve storage, enhance configuration, deliver exceptional endpoint security, and more.
Title: Announcing Image Signing for Windows Containers

Source: Containers

Author: Akarsh Mishra

Publication Date: 4/11/23

Content excerpt:

Containers have become popular for application development and deployment due to their portability and flexibility. As more and more apps choose containerization as a means of app modernization, it is important to secure container images, ensuring they remain safe from image tampering or modification.

Today we published Windows container images signed by Notation, and they are now available in Microsoft Artifact Registry.
Title: Customer Offerings: Well-Architected Cost Optimization Implementation

Source: Core Infrastructure and Security

Author: Brandon Wilson

Publication Date: 4/3/23

Content excerpt:

This offering can be considered as a continuation, or "part 2" of sorts, of the Well-Architected Cost Optimization Assessment, where the goal is to help you implement some of the findings relating to Azure Reservations, Azure Savings Plans, Azure Hybrid Benefits, along with cleaning up some of that cloud waste sitting around.
Title: Modernizing Endpoints - Installing CM Client on AADJ Device

Source: Core Infrastructure and Security

Author: Paddy Damodharan

Publication Date: 4/5/23

Content excerpt:

In this blog we will discuss a specific use case that I came across while working with a Community College. The college wanted to simplify their Windows provisioning. They had a lot of apps built in their ConfigMgr environment. This is when we took advantage of the co-management capability offered by Windows Autopilot in connecting a pure Azure AD joined PC with ConfigMgr without using Cloud Management Gateway (CMG) or Hybrid Domain Join.
Title: Cost Governance with Azure Policy

Source: Core Infrastructure and Security

Author: Felipe Binotto

Publication Date: 4/10/23

Content excerpt:

This post is about how you can implement Cost Governance with Azure Policy.

I have delivered many Well-Architected Optimization Assessments and some of the policies here can help you to get closer to that Well-Architected state.

Cost governance is an essential aspect of managing any cloud infrastructure. Azure Policy is a powerful tool that can help implement cost governance measures within your Azure environment. With Azure Policy, you can define and enforce rules to control costs, monitor usage, and optimize your resources.
Title: BitLocker Is Not Resuming After Reboot Count Has Been Reached

Source: Core Infrastructure and Security

Author: Helmut Wagensonner

Publication Date: 4/12/23

Content excerpt:

BitLocker is a feature in Windows 10/11 that encrypts your device’s hard drive to protect your data from unauthorized access. However, there are some scenarios where you may need to suspend BitLocker temporarily, such as when you update your BIOS or firmware using a vendor’s update utility. When you suspend BitLocker, you can specify how many times your device can restart before BitLocker resumes encryption. This is called the reboot count parameter.
Title: Azure Monitor: Use Dynamic Thresholds in Log Alerts

Source: Core Infrastructure and Security

Author: Bruno Gabrielli

Publication Date: 4/17/23

Content excerpt:

In this new blog post I am going to explain how to use dynamic thresholds in log alerts. Think for a second that you need to create an alert that must, at the same time, apply to more than one resource and react to different thresholds.
Title: Azure Monitor: Logs Ingestion API Tips & Tricks

Source: Core Infrastructure and Security

Author: Bruno Gabrielli

Publication Date: 4/20/23

Content excerpt:

Today I am going to share with you an interesting experience in configuring the Logs ingestion using the new API in Azure Monitor in a data collection rule created using ARM templates.
Title: Azure Data Studio - Connections to Azure Government

Source: Core Infrastructure and Security

Author: Joshua Lent

Publication Date: 4/24/23

Content excerpt:

My typical toolset for working with databases has been SQL Server Management Studio. More recently I've been doing my work from Azure Virtual Desktop that only has Azure Data Studio installed. I quickly encountered a problem connecting to Azure SQL resources in the US Government clouds. Some of these details can be inferred from a similar article about connecting VS Code to Azure SQL Resources in US Government clouds. So, I figured it best to make an article specifically for Azure Data Studio and hopefully take the guesswork out of the procedure for someone else.
Title: Reporting on Azure AD Password Protection

Source: Core Infrastructure and Security

Author: Graeme Bray

Publication Date: 4/27/23

Content excerpt:

Hi everyone! It's been a long time, but Graeme Bray here with you to talk about an Azure Monitor workbook you can deploy in your environment to help you report on your Azure AD Password Protection. You are running AAD Password Protection, right? If you have Azure AD P1 or P2 for your users, you're licensed for it, and it extends the exact same password protection from Azure AD to your on-premises environment. That's great, because if a user tries to reset their password via Azure AD or via Active Directory, they have the same password requirements.
Title: Using Microsoft Intune for Local Administrator Password Management

Source: Core Infrastructure and Security

Author: Atil Gurcan

Publication Date: 4/28/23

Content excerpt:

As you may have heard, the Windows LAPS feature was released to Public Preview in the last week of April. It supports two main scenarios for backing up the local administrator password: storing passwords in Azure AD and in Windows Server AD. It also interoperates with the legacy LAPS solution. This article, on the other hand, will focus on native cloud deployment for Windows 10/11 clients that do not have the legacy LAPS client installed, are managed through Intune, and are either Hybrid Azure AD Joined or Azure AD Joined.
Title: Understanding Connectivity Issues in Azure SQL Database

Source: FastTrack for Azure

Author: Karthik Yella

Publication Date: 4/10/23

Content excerpt:

The connections established to Azure SQL Database from applications or client tools may be unexpectedly terminated and impact user environments due to internal (System) maintenance work, client networking, application related or other health related issues. In this blog post, we will cover recommended steps to identify connection failures to your database and best practices to handle these failures using resources & tools available for Azure SQL Database.
Title: Journey to Containers

Source: FastTrack for Azure

Author: Saverio Proto

Publication Date: 4/13/23

Content excerpt:

When running a container, the root filesystem is mounted in an isolated namespace. The content of the root filesystem is provided by a container image. Since the image contains the container’s filesystem, it must contain everything needed to run an application: all dependencies, configurations, scripts, binaries, etc. The image also contains other settings for the container, such as environment variables, a default command to run, and other metadata.
Title: How to call an AKS-hosted workload via Application Gateway Private Link and AGIC

Source: FastTrack for Azure

Author: Paolo Salvatori

Publication Date: 4/17/23

Content excerpt:

Azure Application Gateway can connect to a backend application via Azure Private Link Service (PLS). For more information, see Application Gateway Private Link.

Private Link for Application Gateway allows you to connect workloads over a private connection spanning across different virtual networks and Azure subscriptions. When configured, a private endpoint will be placed into a defined virtual network's subnet, providing a private IP address for client applications looking to communicate to a service behind an Application Gateway.
Title: Configure Azure Application Gateway Private Link

Source: FastTrack for Azure

Author: Paolo Salvatori

Publication Date: 4/19/23

Content excerpt:

Private Link for Application Gateway allows you to connect workloads over a private connection spanning across VNets and subscriptions. When configured, a private endpoint will be placed into a defined virtual network's subnet, providing a private IP address for clients looking to communicate with the gateway.
Title: New settings in Microsoft Intune to enhance Windows Defender Firewall management

Source: Intune Customer Success

Author: Intune Support Team

Publication Date: 4/24/23

Content excerpt:

We're pleased to highlight some of the new additions made to the Microsoft Intune admin center to configure settings related to Windows Defender Firewall. Admins can take advantage of these capabilities to enhance security and ease Defender Firewall management. The properties come directly from the Firewall configuration service provider (CSP) and apply to the Windows platform.
Title: Deploying a Windows AKS cluster with Terraform

Source: ITOps Talk

Author: Vinicius Apolinario

Publication Date: 4/19/23

Content excerpt:

Terraform is one of the most popular tools today for cloud management. As an Infrastructure as Code (IaC) tool, it allows you to declaratively provision infrastructure on cloud providers such as Azure. In this blog post, we will cover how to deploy an AKS cluster with Windows nodes, so you can deploy Windows based applications into it.
Title: gMSA sample application for Windows containers

Source: ITOps Talk

Author: Vinicius Apolinario

Publication Date: 4/26/23

Content excerpt:

Recently I talked to a customer about their deployment of gMSA on Azure Kubernetes Service (AKS). This customer was having trouble when trying to run their deployment on AKS, and the goal was to identify where the issue was. While discussing with the customer, it occurred to me that sometimes it’s hard to say if the issue is with the configuration of the underlying Kubernetes environment, or if it’s an issue with the application the customer was trying to deploy. To that end, I created a containerized sample app to test if the gMSA config is working or not.
Title: Quick Wins to Strengthen Your Azure AD Security

Source: Microsoft Entra (Azure AD)

Author: Chitresh Pandit

Publication Date: 4/3/23

Content excerpt:

While talking about identities, Azure Active Directory (Azure AD), part of the Microsoft Entra product family, is a critical identity system leveraged by most organizations, and it serves as a single point for authentication and authorization of users against applications, resources, and much more. It’s at the heart of an organization's zero trust strategy.

In this blog we discuss some Quick Wins to reduce the attack surface of Azure AD. From a technician's standpoint, these tasks are immediate and require minimal testing to get them rolled out in production.
Title: Entra Identity Governance with Entra Verified ID – Higher Fidelity Access Rights + Faster Onboarding

Source: Microsoft Entra (Azure AD)

Author: Joseph Dadzie

Publication Date: 4/7/23

Content excerpt:

I’m excited to announce the integration of Entra Identity Governance Entitlement Management with a very cool technology we recently introduced, Microsoft Entra Verified ID! 

If you think about what you need to onboard new users including employees, contractors, partners, or other business guests, it often includes verifying identity information and credentials. This process can be tedious and time-consuming, requiring users to fill out redundant online forms or paperwork, ultimately delaying hiring timelines and ramp-up periods.
Title: The challenge of Cloud PC performance testing

Source: Windows IT Pro

Author: Ron Martinsen

Publication Date: 4/5/23

Content excerpt:

Let's dive into why relative performance data for Windows 365 helps you compare different configurations and choose the one that suits your workload best.

Many years ago, I built the first large scale performance lab for the series of products that would become Office 97 for Windows and Office 98 Macintosh Edition. This process taught me a lifetime of lessons about the challenges of collecting performance data. I would continue to acquire new learnings during my experiences in SQL Server, Internet Explorer, Windows, and more.
Title: Skilling snack: Windows lifecycle

Source: Windows IT Pro

Author: Jason Leznek

Publication Date: 4/13/23

Content excerpt:

Servicing refers to keeping your devices up to date with security, quality, and feature updates. In Windows, it's part of the optimal lifecycle that preserves the functionality and security of our products and your peace of mind.

Check out our policies below, take training on our servicing model and channels, browse frequently asked questions, and find detailed release information for your versions of Windows!
Previous CTO! Guides:
Additional resources:
Updated May 09, 2023
Version 1.0