Windows IT Pro
Featured Blog Windows IT Pro Blog
- Scan changes and certificates add security for Windows devices using WSUS for updates, by Aria Carley on January 12, 2021 at 6:00 pm
To help prevent man-in-the-middle attacks, the January 2021 cumulative update for Windows 10 further improves security for devices that scan Windows Server Update Services (WSUS) for updates. These improvements build on the security changes for Windows devices scanning WSUS that we introduced on September 8, 2020, and can be combined with certificate pinning for greater security. I’ll now explain these changes in more detail.

Scanning behavior changes

For devices scanning HTTPS-configured WSUS servers

For those using proxies, we have switched to using the system proxy first, rather than the user proxy. This ensures that we first try the most secure proxy path if a proxy is needed. We will no longer fall back to the user proxy for scanning WSUS servers unless the policy that allows the user proxy as a fallback method is enabled. This ensures that admins must consciously enable a less secure scanning method, since doing so puts them at higher risk of attack. If you need to allow devices to scan using the user proxy as a fallback method, you can do so by configuring one of the following policies:

Group Policy: GPEDIT > Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify intranet Microsoft update service location > Select the proxy behavior for Windows Update client for detecting updates > Allow user proxy to be used as fallback if detection using system proxy fails

Configuration Service Provider (CSP) policy: Set Update/SetProxyBehaviorForUpdateDetection to 1 – Allow user proxy to be used as a fallback if detection using system proxy fails

Configuration Manager: Configure the new Allow User Proxy for software update scans setting to Yes in Microsoft Endpoint Configuration Manager, version 2010 and later.

To further increase security, we have added the capability for customers to pin certificates (cert-pinning) and to refuse scans, even with the system proxy, if cert-pinning fails. This provides the highest level of security for devices but requires more overhead for the admin to ensure that certificate stores are properly configured.

Note: This capability is only available to those who have secured their WSUS servers with TLS/HTTPS.

To enable cert-pinning, add the correct certificates to the new WSUS certificate store. Devices will then automatically begin enforcing cert-pinning when scanning your WSUS server. If no certificates are in your WSUS certificate store, cert-pinning will not be enforced. Further, if you do not wish devices to have this extra layer of security upon scan, you can ensure that cert-pinning is not enforced by configuring one of the following policies:

Group Policy: GPEDIT > Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify intranet Microsoft update service location > Do not enforce TLS certificate pinning for Windows Update client for detecting updates

Configuration Service Provider (CSP) policy: Set Update/DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection to 1 – Do not enforce certificate pinning

For devices scanning HTTP-configured WSUS servers

For devices scanning HTTP-configured WSUS servers, there have been no additional changes since those we introduced with the September 2020 cumulative update.

For online scans

The order of proxy selection for online scans, if a proxy is needed, has changed:

Old behavior: Scan with the user proxy. If the user proxy fails, attempt the scan with the system proxy.
New behavior as of the January 2021 cumulative update: Scan with the system proxy. If the system proxy fails, attempt the scan with the user proxy.

This change ensures that we first try the most secure proxy path if a proxy is needed.

Note: For user-driven, interactive scenarios, we always use the user proxy, if one is available, regardless of policy configuration.

Next steps

To prevent scan failures and ensure the highest level of security, please follow these recommendations:

Don’t enable the user proxy. If you require the user proxy, enable it via “Select the proxy behavior for Windows Update client for detecting updates” to ensure that devices do not encounter scan issues. Note: While this will allow you to fall back to the user proxy for scans against your WSUS server, you should use this only as a stop-gap to continue getting updates while transitioning to a system proxy or no proxy.

Secure your WSUS server with TLS/HTTPS. This is pivotal to maintain the chain of trust and prevent attacks on your client computers; see Recommendations for greater security in the previous Changes to improve security for Windows devices scanning WSUS blog.

When scanning against a TLS/HTTPS-configured WSUS server, leverage cert-pinning to get the highest level of security and keep your devices protected. (Reminder: this requires populating the device’s WSUS certificate store.)
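As an added example (not part of the original post), the following PowerShell script audits a Windows 10 client against the three recommendations above: HTTPS to the WSUS server, no user-proxy fallback, and cert-pinning actually in effect. It assumes, since the post does not say so, that the Group Policy/CSP settings land in the registry under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate with the value names SetProxyBehaviorForUpdateDetection and DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection, that the pinning store is the local-machine certificate store named WSUS, and that a pin matches when one of the stored certificates appears anywhere in the server’s presented chain. Run it elevated on a managed client.

```powershell
# Added example, not from the Windows IT Pro post. Audits a client's WSUS scan-security
# posture after the January 2021 update. Registry value names, the 'WSUS' store name and
# the chain-matching rule are assumptions (see lead-in); adjust if your environment differs.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
$findings  = New-Object System.Collections.Generic.List[string]

# 1. The WSUS URL itself must be HTTPS; without TLS neither the system-proxy-first
#    change nor cert-pinning protects the scan against a man-in-the-middle.
$wuServer = $policy.WUServer
if (-not $wuServer) {
    $findings.Add('No intranet WSUS server (WUServer) configured; client scans online.')
} elseif ($wuServer -notmatch '^https://') {
    $findings.Add("WUServer '$wuServer' is HTTP; TLS/HTTPS is required for MITM protection and cert-pinning.")
}

# 2. User-proxy fallback is the less secure path and should be off unless mid-transition.
if ($policy.SetProxyBehaviorForUpdateDetection -eq 1) {
    $findings.Add('User proxy fallback enabled (SetProxyBehaviorForUpdateDetection=1); stop-gap only.')
}

# 3. Pinning is enforced only when the WSUS store holds certificates AND the opt-out policy is unset.
$pinningOptOut = ($policy.DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection -eq 1)
$pinned        = @(Get-ChildItem -Path 'Cert:\LocalMachine\WSUS' -ErrorAction SilentlyContinue)
$pinnedThumbs  = $pinned | ForEach-Object { $_.Thumbprint }
if ($pinningOptOut) {
    $findings.Add('Cert-pinning disabled by policy (DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection=1).')
} elseif ($pinned.Count -eq 0) {
    $findings.Add('WSUS certificate store is empty; cert-pinning is not enforced.')
}

# 4. When pinning is live, confirm the server's chain contains a pinned certificate, otherwise
#    the next scan will fail closed. The validation callback returns $true only so we can
#    inspect the chain ourselves; this is a diagnostic, not a trust decision.
if ($wuServer -match '^https://' -and $pinned.Count -gt 0 -and -not $pinningOptOut) {
    try {
        $uri = [Uri]$wuServer
        $tcp = New-Object System.Net.Sockets.TcpClient($uri.Host, $uri.Port)
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($uri.Host)
        $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $null  = $chain.Build($leaf)
        $chainThumbs = $chain.ChainElements | ForEach-Object { $_.Certificate.Thumbprint }
        $hit = $pinnedThumbs | Where-Object { $chainThumbs -contains $_ }
        if (-not $hit) {
            $findings.Add("None of the $($pinned.Count) pinned certs appear in $($uri.Host)'s chain; scans will fail.")
        }
        $ssl.Dispose(); $tcp.Dispose()
    } catch {
        $findings.Add("TLS handshake with $wuServer failed: $($_.Exception.Message)")
    }
}

if ($findings.Count -eq 0) { 'OK: HTTPS WSUS, system proxy only, cert-pinning active.' } else { $findings }
```

Run it before and after you populate the WSUS store: a device that reports an empty store is scanning without pinning, and a device whose pinned certificates do not appear in the server’s chain will start failing scans as soon as pinning is enforced, which is exactly the state the post warns about when it says the store must be properly configured.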
- Deploy Windows SSUs and LCUs together with one cumulative update, by Aria Carley on December 8, 2020 at 6:01 pm
You can now deploy the December 2020 latest cumulative update (LCU) and servicing stack update (SSU) together via our new one cumulative update package, or separately. On September 9th, 2020, I announced the work in progress to simplify on-premises deployments of servicing stack updates. Today, I am excited to announce that you can take advantage of this new capability using Windows Server Update Services (WSUS) and the Windows Insider Program for Business.

We have released the December 2020 LCU and the December 2020 SSU to WSUS in two ways for devices running Windows 10, version 2004 and later: to the typical Security Updates category and to the Windows Insider Pre-Release category. To deploy the cumulative update and servicing stack update separately, no special action is needed. Just ensure, as always, that you deploy the SSU prior to deploying the LCU so that both updates install successfully on the device.

To deploy the LCU and SSU together using the new one cumulative update package, simply follow three easy steps. Note: Before completing the steps below, ensure that you have installed the September 2020 SSU on the targeted devices.

Step 1: Sync the Windows Insider Pre-Release category

In the WSUS console, from Products and Classifications, select Windows Insider Pre-Release Product and Upgrades. Sync WSUS. In Microsoft Endpoint Configuration Manager, navigate to the Products tab of Software Update Point Component Properties and select Windows Insider Pre-Release. Select OK to confirm this selection.

Step 2: Select the OS version

From the list of All Updates, select the cumulative update for the version of Windows 10 running on the device(s) that will receive the update. Currently, this would be either of the following:

2020-12 Cumulative Update for Windows 10 Version 2004
2020-12 Cumulative Update for Windows 10 Version 20H2

Step 3: Deploy the update

Deploy the update to the desired devices in your organization the same way you would deploy any other monthly cumulative update. Note: When you deploy the update package to your devices, the client will automatically orchestrate the proper ordering of installation to ensure the SSU and LCU are both applied correctly on the device. This will be the exact same content as if you had deployed the December 2020 LCU and SSU separately. Check your preferred method of reporting and note that your devices are now running the December LCU (KB4592438) and SSU (KB4593175).

That’s it! It’s that simple. The best part? Like all preview builds published to commercial devices in the Release Preview Channel and to the WSUS Windows Insider Pre-Release category, testing out this new deployment technology for LCUs and SSUs from WSUS is fully supported. If you run into an issue that prevents you or other users in your organization from deploying or updating using this new one cumulative package, use this online form to request assistance directly from Microsoft Support at no cost to you. Or contact customer support through your typical channel. Try out this new way of deploying LCUs and SSUs and let us know what you think by commenting below or reaching out to me directly on Twitter @ariaupdated.
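As an added example (not the post’s own instructions, which use the WSUS console), the three steps above can be scripted on the WSUS server with the UpdateServices PowerShell module: subscribe to the Windows Insider Pre-Release product, synchronize, find the two cumulative updates named in Step 2, and approve them for a computer group. The target group name Pilot is a placeholder you must replace, and the product title ‘Windows Insider Pre-Release’ is assumed to match what the console shows. Run elevated on the WSUS server.

```powershell
# Added example, not from the Windows IT Pro post. Scripts the post's three WSUS steps.
# Assumptions: UpdateServices module present (WSUS role), a computer group named 'Pilot'
# (placeholder), and the product title 'Windows Insider Pre-Release' as shown in the console.
Import-Module UpdateServices

$wsus = Get-WsusServer

# Step 1: subscribe to the Windows Insider Pre-Release product category and synchronize.
Get-WsusProduct -UpdateServer $wsus |
    Where-Object { $_.Product.Title -eq 'Windows Insider Pre-Release' } |
    Set-WsusProduct

$sub = $wsus.GetSubscription()
$sub.StartSynchronization()
while ($sub.GetSynchronizationStatus() -ne 'NotProcessing') { Start-Sleep -Seconds 30 }
$lastSync = $sub.GetLastSynchronizationInfo()
if ($lastSync.Result -ne 'Succeeded') { throw "WSUS synchronization ended with result: $($lastSync.Result)" }

# Step 2: locate the one-package cumulative updates named on the page, restricted to the
# Pre-Release product so the regular Security Updates copies are not approved by mistake.
$titles = @(
    '2020-12 Cumulative Update for Windows 10 Version 2004',
    '2020-12 Cumulative Update for Windows 10 Version 20H2'
)
$candidates = Get-WsusUpdate -UpdateServer $wsus -Classification All -Approval Unapproved -Status Any |
    Where-Object {
        $u = $_.Update
        ($titles | Where-Object { $u.Title -like "$_*" }) -and
        ($u.ProductTitles -contains 'Windows Insider Pre-Release')
    }
if (-not $candidates) { throw 'Combined LCU+SSU package not found; confirm the Pre-Release sync completed.' }

# Step 3: approve for the pilot group exactly as for any other monthly cumulative update.
$candidates | Approve-WsusUpdate -Action Install -TargetGroupName 'Pilot'
$candidates | ForEach-Object {
    "Approved: $($_.Update.Title) [KB $($_.Update.KnowledgebaseArticles -join ', ')]"
}

# Afterwards, on a pilot client, confirm both KBs named in the post are present:
#   Get-HotFix -Id KB4592438, KB4593175
```

Filtering on ProductTitles matters: after the sync, WSUS holds the December LCU both in Security Updates and in Windows Insider Pre-Release, and only the latter is the combined package the post describes.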
- Windows 10 volume activation in the era of working from home, by Jason Leznek on December 4, 2020 at 12:23 am
While volume activation is a process that many have utilized over the years, today’s post offers guidance to help you ensure that all your devices have been properly activated regardless of their connection to your organization’s network.

First, a refresher. Volume activation enables a wide range of Windows devices to receive a volume license and be activated automatically and en masse, rather than tediously entering an activation key on each Windows device manually. The most common methods of volume activation require that devices be connected to an organization’s network, or connected via virtual private network (VPN), to “check in” from time to time with the organization’s activation service to maintain their licenses. When people work from home and off the corporate or school network, however, their devices’ ability to receive or maintain activation is limited.

Volume activation methods

There are several methods to activate devices via volume licensing. For detailed information, see Plan for volume activation. Here, however, is a summary for easy reference.

Key Management Service

Key Management Service (KMS) activation requires TCP/IP connectivity to, and accessibility from, an organization’s private network so that licenses are not accessible to anyone outside of the organization. By default, KMS hosts and clients use DNS to publish and find the KMS host. Default settings can be used, which require little or no administrative action, or KMS hosts and client computers can be manually configured based on network configuration and security requirements. KMS activations are valid for 180 days (the activation validity interval). KMS client computers must renew their activation by connecting to the KMS host at least once every 180 days. By default, KMS client computers attempt to renew their activation every 7 days. If KMS activation fails, the client computer retries to reach the host every two hours. After a client computer’s activation is renewed, the activation validity interval begins again.

Multiple Activation Key

A Multiple Activation Key (MAK) is used for one-time activation with Microsoft’s hosted activation services. Each MAK has a predetermined number of activations allowed. This number is based on volume licensing agreements, and it might not match the organization’s exact license count. Each activation that uses a MAK with the Microsoft-hosted activation service counts toward the activation limit. You can use a MAK for individual computers or with an image that can be duplicated or installed using Microsoft deployment solutions. You can also use a MAK on a computer that was originally configured to use KMS activation, which is useful for moving a computer off the core network to a disconnected environment.

Active Directory-based activation

Active Directory-based activation is similar to KMS activation but uses Active Directory instead of a separate service. It is implemented as a role service that relies on Active Directory Domain Services to store activation objects. Active Directory-based activation requires that the forest schema be updated using adprep.exe on a supported server operating system, but after the schema is updated, older domain controllers can still activate clients. Devices activated via Active Directory maintain their activated state for up to 180 days after the last contact with the domain. Devices periodically attempt to reactivate (every seven days by default) before the end of that period and, again, at the end of the 180 days.

Windows 10 Subscription Activation

Starting with Windows 10, version 1703, Windows 10 Pro supports the Subscription Activation feature, enabling users to “step up” from Windows 10 Pro to Windows 10 Enterprise automatically if they are subscribed to Windows 10 Enterprise E3 or E5. With Windows 10, version 1903, the Subscription Activation feature also supports stepping up from Windows 10 Pro Education to the Enterprise-grade edition for educational institutions, Windows 10 Education. The Subscription Activation feature eliminates the need to manually deploy Windows 10 Enterprise or Education images on each target device and then stand up on-premises key management services such as KMS or MAK-based activation, enter GVLKs, and subsequently reboot client devices.

To step a device up to Windows 10 Education via Subscription Activation, the device must meet the following requirements:

Windows 10 Pro Education, version 1903 or later, installed on the devices to be upgraded.
A device with a Windows 10 Pro Education digital license. You can confirm this information in Settings > Update & Security > Activation.
The Education tenant must have an active subscription to Microsoft 365 with a Windows 10 Enterprise license or a Windows 10 Enterprise or Education subscription.
Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices are not supported.

Note: If Windows 10 Pro is converted to Windows 10 Pro Education using benefits available in Store for Education, then the feature will not work. You will need to re-image the device using a Windows 10 Pro Education edition.

Volume activation while working from home

If you activate devices in your organization using MAK, the activation process is straightforward and the devices are permanently activated. If you are using KMS or Active Directory-based activation, each device must connect to the organization’s local network at least once every 180 days to “check in” with either the KMS host or an Active Directory domain controller. Otherwise, the user will be warned to activate Windows again. With many users working or taking classes from home, a connection to the organization’s network may not exist, which would ultimately leave their devices in a deactivated state. There are a few options to avoid this:

Use a VPN. By having the device connect to your organization’s network via a VPN, it will be able to contact a KMS host or Active Directory domain controller and maintain its activation status. If you manage your devices through a wholly on-premises solution to deploy policies, collect inventory, and deploy updates and other software, there is a good chance you are already using a VPN. Depending on the VPN configuration, some manual configuration of the client device may be required to ensure the KMS service is accessible through the VPN. For more details on these settings, which can be implemented via script, see Slmgr.vbs options for obtaining volume activation information.

Convert the devices from KMS to MAK activation. By converting from KMS to MAK activation, you replace the license that requires reactivation every 180 days with a permanent one, which requires no additional check-in process. There are some cases, in educational organizations for example, where each device is re-imaged at the end of the school year to get ready for the next class. In this case, the license must be “reclaimed” by contacting your Microsoft licensing rep or a Microsoft Licensing Activation Center. One way of converting a device from KMS to MAK activation is to use the Windows Configuration Designer app (available from the Microsoft Store) to create a provisioning package that includes the MAK, and deploy the package through email or a management solution such as Microsoft Intune. You can also deploy a MAK directly within Intune without creating a provisioning package by creating a simple PowerShell script with the following commands and deploying the script to a user group:

    slmgr.vbs /ipk XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
    slmgr.vbs /ato

(In the example above, XXXXX-XXXXX-XXXXX-XXXXX-XXXXX is your MAK.) It is important to monitor the success of these activations and remove users from the target group once their devices have been activated so that their other devices do not receive a new license. Note: Windows Configuration Designer is also available as part of the Windows Assessment and Deployment Kit (ADK) for Windows 10.

Use Subscription Activation. This requires the devices to be joined to your Azure AD domain, enabling activation in the cloud. This is possible if you have one of the following subscriptions:

Windows 10 Enterprise E3/E5
Windows 10 Education A3/A5
Windows 10 Enterprise with Software Assurance
Microsoft 365 E3/E5
Microsoft 365 A3/A5
Microsoft 365 F1/F3
Microsoft 365 Business Premium

If you need assistance and have one of the preceding subscriptions with at least 150 licenses, you may be eligible for assistance through FastTrack. Contact your Microsoft representative or request assistance from FastTrack and a Microsoft FastTrack representative will contact you directly.

Conclusion

Windows volume activation has been around for a long time, but the increased number of users working from home may require your organization to re-evaluate how best to keep your devices activated if they cannot reach your on-premises activation service when you are using KMS or Active Directory-based activation. It is important to consider the options available to you to ensure your devices stay activated. As always, there is no “one-size-fits-all” approach, so consider the pros and cons of each option as you plan how to best support your remote workers and students. To learn more about activation, see Activate clients running Windows 10.
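As an added example (not from the post), the following PowerShell script is a safer form of the two slmgr.vbs commands the post suggests deploying through Intune. It first reports the device’s current licensing channel and how many days of the 180-day KMS/AD validity interval remain, then installs and activates the MAK only when the device is not already MAK-activated, so that re-running it, or a second device of the same user picking up the script before the user is removed from the target group, does not consume another activation from the MAK’s limit. The MAK placeholder, the Windows ApplicationID GUID used to select the OS license, and the SoftwareLicensingProduct/SoftwareLicensingService WMI class and property names are assumptions not stated on the page.

```powershell
# Added example, not from the Windows IT Pro post. Idempotent KMS/AD -> MAK conversion for
# Intune script deployment. Replace the MAK placeholder; ApplicationID and WMI names are
# assumptions about Windows 10's licensing classes (see lead-in).
param([string]$Mak = 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX')   # your MAK goes here

$windowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'  # ApplicationID shared by Windows OS editions
$filter = "ApplicationID='$windowsAppId' AND PartialProductKey IS NOT NULL"

function Get-WindowsLicense { Get-CimInstance -ClassName SoftwareLicensingProduct -Filter $filter }

$product = Get-WindowsLicense
$service = Get-CimInstance -ClassName SoftwareLicensingService
$statusName = @{ 0='Unlicensed'; 1='Licensed'; 2='OOBGrace'; 3='OOTGrace'; 4='NonGenuineGrace'; 5='Notification'; 6='ExtendedGrace' }

# Report what the device has today: KMS and AD-activated clients show a Volume:GVLK channel and
# a GracePeriodRemaining (minutes) that counts down from the 180-day validity interval.
$daysLeft = [math]::Round($product.GracePeriodRemaining / 1440, 1)
"{0}`n  status:    {1}`n  channel:   {2}`n  remaining: {3} days" -f $product.Name,
    $statusName[[int]$product.LicenseStatus], $product.ProductKeyChannel, $daysLeft

# Already converted: exit without touching the MAK activation count.
if ($product.ProductKeyChannel -like '*MAK*' -and $product.LicenseStatus -eq 1) {
    'Already MAK-activated; nothing to do.'
    return
}
if ($Mak -eq 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX') { throw 'Set a real MAK before deploying this script.' }

# Equivalent of: slmgr.vbs /ipk <MAK>
Invoke-CimMethod -InputObject $service -MethodName InstallProductKey -Arguments @{ ProductKey = $Mak } | Out-Null
Invoke-CimMethod -InputObject $service -MethodName RefreshLicenseStatus | Out-Null

# Equivalent of: slmgr.vbs /ato  (online activation against Microsoft's hosted service)
$product = Get-WindowsLicense
Invoke-CimMethod -InputObject $product -MethodName Activate | Out-Null
Invoke-CimMethod -InputObject $service -MethodName RefreshLicenseStatus | Out-Null

# Verify, and fail loudly so Intune reports the device as not yet converted.
$product = Get-WindowsLicense
if ($product.LicenseStatus -eq 1 -and $product.ProductKeyChannel -like '*MAK*') {
    'Converted to MAK and activated; the user can now be removed from the target group.'
} else {
    throw "Activation incomplete: status $($statusName[[int]$product.LicenseStatus]), channel $($product.ProductKeyChannel)"
}
```

Because the script exits early on a device that is already MAK-activated, it is safe to leave assigned while you monitor results; the post’s advice to remove users from the target group still stands, since a user’s other, still KMS-activated devices would otherwise be converted too.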
- Windows Autopilot for HoloLens 2 public preview, by Yannis_Lempidakis on November 20, 2020 at 5:04 pm
Today, we are announcing the Windows Autopilot for HoloLens 2 public preview! In May, the HoloLens and Microsoft Endpoint Manager teams announced the Windows Autopilot private preview for HoloLens 2. Since then, hundreds of customers have participated in the program to deliver efficiency and simplify deployments across their organizations. Today, we are bringing Windows Autopilot capabilities to every HoloLens 2 and Endpoint Manager (aka Intune) customer, allowing administrators to pre-configure new devices and set them up for productive use. Windows Autopilot streamlines deployments and first-user experiences, driving significant cost and time savings. You can read more details about Windows Autopilot for HoloLens 2 here. For Windows Autopilot documentation, see here. In this article, we provide a summary of the program and useful resources to get started.

Program details

Windows Holographic, version 2004 (released May 2020) or newer is required to use Windows Autopilot. We began shipping devices with this version pre-installed in late September 2020. To confirm the build version on devices, or to re-flash to the latest OS, you can use the Advanced Recovery Companion (ARC). You can find instructions here. Please contact your reseller or distributor to ensure that Autopilot-ready devices are shipped to you.

The public preview now enables you to configure Windows Autopilot for HoloLens devices using Microsoft Endpoint Manager controls, for all customer tenants. Get started by logging into the Endpoint Manager admin center and selecting Devices > Windows > Windows enrollment; then, under Windows Autopilot Deployment Program, select Deployment Profiles > Create profile > HoloLens (preview).

Windows Autopilot for HoloLens supports Self-Deploying mode and Azure AD Join. Self-Deploying mode joins the device to Azure AD, enrolls the device in Endpoint Manager (or another mobile device management, MDM, service), and applies all device-targeted policies (such as certificates, networking profiles, and kiosk settings) before the user logs in.

For device registration, we recommend that you work with your reseller or distributor to ensure that when devices are delivered to you or your users, they are Windows Autopilot-ready. Microsoft Cloud Solution Providers can assist you in that process. If you wish to register HoloLens devices manually using the hardware hash, please see Register devices in Windows Autopilot. For more general information, see Adding devices to Windows Autopilot.

Windows Holographic, version 2004 (build 19041.1103) only supports Windows Autopilot over an ethernet connection. Ensure the HoloLens device is connected to ethernet using a “USB-C to ethernet” adapter before turning it on. Upon device boot, no user interaction is required. If you are planning to roll out Windows Autopilot to many HoloLens devices, we recommend that you plan for the adapter infrastructure. We do not recommend USB hubs, as they often require additional third-party drivers to be installed, which is not supported on HoloLens.

Windows Holographic, version 20H2 (build 19041.1128) or later adds support for Windows Autopilot over Wi-Fi, in addition to the use of an ethernet connection. For devices connected via Wi-Fi, the user must:

Continue past the first interactable moment.
Choose the language and locale.
Go through eye calibration.
Establish a network connection.

Known issues and limitations

We continuously invest in new features and quality improvements. Currently, we are tracking the following:

We are investigating an issue where device-context based application install configured in Microsoft Endpoint Manager does not apply to HoloLens. Learn more about device context and user context installs.

While setting up Windows Autopilot over Wi-Fi, there may be an instance where the Windows Autopilot profile is not downloaded when the internet connection is first established. In this case, an end user license agreement (EULA) is presented and the user has the option to proceed with a non-Windows Autopilot setup experience. To retry setup with Windows Autopilot, put the device to sleep and then power it up, or reboot the device and let it try again. We have identified a fix and plan to release it in our next servicing update.

The “Convert all targeted devices to Windows Autopilot” feature in Endpoint Manager is not supported on HoloLens at the moment.

Support paths

For support on device registration, please contact your reseller or distributor. For general support inquiries about Windows Autopilot, or for issues like profile assignments, group creation or Microsoft Endpoint Manager admin center controls, please contact Microsoft Endpoint Manager support. If your device is registered in the Windows Autopilot service and the profile is assigned in the Endpoint Manager admin center, please contact HoloLens support. To provide general feedback on Windows Autopilot for HoloLens, please submit this survey. Follow us on Twitter @HoloLens to keep up to date with the latest news!
- Year two: Extended Security Updates for Windows 7 and Windows Server 2008, by Poornima Priyadarshini on November 10, 2020 at 5:00 pm
The Extended Security Update (ESU) program is a last resort for customers who need to run certain legacy Microsoft products past the end of support. Support for the following versions of Windows and Windows Server ended on January 14, 2020:

Windows 7 SP1
Windows 7 Professional for Embedded Systems
Windows Server 2008 R2 SP1 and Windows Server 2008 SP2
Windows Server 2008 R2 SP1 for Embedded Systems and Windows Server 2008 SP2 for Embedded Systems

If your organization has been unable to update devices running the versions of Windows listed above to a currently supported version before January 12, 2021, ESU can provide security updates to those devices through January 11, 2022, helping protect those devices while you complete your Windows and Windows Server upgrade projects.

Many organizations have made the transition to the latest version of Windows 10 or Windows Server. Those who deployed Windows 10 benefit from strong protection against threats plus the latest security and manageability features such as Microsoft Defender Antivirus, richer device management policies, and Windows Autopilot. Other organizations running legacy applications shifted their Windows 7 devices to Windows Virtual Desktop, which includes ESU for Windows 7 virtual desktops at no additional cost, enabling you to continue running critical line-of-business apps while you continue your migration to Windows 10. As a last resort, however, a number of organizations purchased, installed, and activated their first year of ESU to receive security updates for eligible devices through January 12, 2021.

What you need to know about year two coverage for ESU

Because ESU are available as separate SKUs for each of the years in which they are offered (2020, 2021, and 2022), and because ESU can only be purchased in specific 12-month periods, you will need to purchase the second year of ESU coverage separately and activate a new key on each applicable device in order for your devices to continue receiving security updates in 2021. If your organization did not purchase the first year of ESU coverage, you will need to purchase both Year 1 and Year 2 ESU for your applicable Windows 7 or Windows Server devices before installing and activating the Year 2 MAK keys to receive updates. The steps to install, activate, and deploy ESUs are the same for first- and second-year coverage. For more information, see Obtaining Extended Security Updates for eligible Windows devices for the Volume Licensing process and Purchasing Windows 7 ESUs as a Cloud Solution Provider for the CSP process. For embedded devices, contact your original equipment manufacturer (OEM).

We recommend that you prepare now to install and activate the second year of ESU coverage for the devices in your organization that require it. To learn more about ESU, please watch our Microsoft Ignite 2019 session on How to manage Windows 7 Extended Security Updates (ESU) for on-premises and cloud environments.

We’re here to help

We understand that everyone is at a different point in the upgrade process, which is why we offer assistance with tools like Desktop Analytics and services like Microsoft App Assure, as well as monthly Office Hours to help you deploy and stay current with Windows 10 across your organization. More information on ESU for Windows 7 and Windows Server 2008 and 2008 R2 is available in the Windows 7 end of support FAQ and Windows Server 2008 and 2008 R2 FAQ.
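As an added example (not from the post, which defers the procedure to the linked guidance), the following PowerShell script installs a Year 2 ESU MAK key on a Windows 7 SP1 or Windows Server 2008 R2 SP1 device, activates the ESU add-on, and verifies that it is licensed. Windows 7 ships PowerShell 2.0, so it uses Get-WmiObject rather than the CIM cmdlets. It assumes that the ESU add-on appears in the SoftwareLicensingProduct class with “ESU” and the year in its Name (so the Activation ID can be discovered rather than hard-coded), that the device already has the prerequisite servicing stack and ESU licensing updates from Microsoft’s ESU deployment guidance installed, and that you replace the key placeholder with your purchased Year 2 key.

```powershell
# Added example, not from the Windows IT Pro post. Install + activate + verify a Year 2 ESU key.
# Assumptions: placeholder key replaced with your ESU MAK; ESU add-on Name contains 'ESU' and
# the year; ESU prerequisite updates already installed. Uses WMI for PowerShell 2.0 compatibility.
param(
    [string]$EsuKey = 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX',   # your Year 2 ESU MAK
    [string]$Year   = 'Year2'
)

if ($EsuKey -eq 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX') { throw 'Set a real ESU MAK before running.' }

$svc = Get-WmiObject -Class SoftwareLicensingService

# Equivalent of: slmgr.vbs /ipk <ESU key>
$svc.InstallProductKey($EsuKey) | Out-Null
$svc.RefreshLicenseStatus()     | Out-Null

# The ESU add-on is a separate licensing product with its own Activation ID, which
# slmgr /ato and /dlv require. Discover it from the product that now carries our key.
$esu = Get-WmiObject -Class SoftwareLicensingProduct |
    Where-Object { $_.Name -like "*ESU*$Year*" -and $_.PartialProductKey }
if (-not $esu) {
    throw "No $Year ESU add-on with an installed key was found; check the key and the ESU prerequisites."
}

# Equivalent of: slmgr.vbs /ato <Activation ID>
$esu.Activate() | Out-Null
$svc.RefreshLicenseStatus() | Out-Null

# Equivalent of: slmgr.vbs /dlv <Activation ID>   (LicenseStatus 1 = Licensed)
$esu = Get-WmiObject -Class SoftwareLicensingProduct -Filter "ID='$($esu.ID)'"
"{0}`n  Activation ID: {1}`n  LicenseStatus: {2}" -f $esu.Name, $esu.ID, $esu.LicenseStatus
if ($esu.LicenseStatus -ne 1) {
    throw 'ESU add-on is not licensed; the device will not receive Year 2 security updates.'
}
```

Year 1 and Year 2 are separate add-on products, so a device that shows the Year 1 add-on as Licensed but has no licensed Year 2 entry will stop receiving updates after January 12, 2021; run the verification part of this script across your ESU fleet before that date rather than after the first missed update.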