What’s actually new in Windows 10

So far, most of those who have been part of the Windows Insider Preview have been caught up with the GUI, which of course is an important aspect of how user friendly the operating system has become.

Some have been speculating about what Microsoft is actually doing, since the GUI has been coming along pretty slowly, but most haven’t looked at how much is new in Windows 10, which is why I decided to write this post. No, I’m not going to dive into Cortana and Microsoft Edge… that is covered on pretty much every Windows blog.

[Screenshot: the Windows 8 desktop]

[Screenshot: the Windows 10 desktop]

Now let’s start with some of the better-known facts:

Universal Applications

These are the modern-style applications (introduced in Windows 8), revamped in Windows 10 so that developers can create the same application for all Windows 10 platforms; Office Preview in the Windows Store, for instance, looks the same on mobile as on a desktop computer. Since universal apps come from the modern application framework they are bound to the same lifecycle, which I will cover in a bit.

The problem with modern applications when they arrived in Windows 8 was that the ones Microsoft created weren’t that great; now they have made some other examples which actually show how good they can be.

Microsoft has already created some examples, like:

Mail & Calendar
Skype
Office
Microsoft Edge (Which will be the standard Browser in Windows 10)

It has also been announced that Dropbox will be creating a universal application, to be released late this year as well.

Now modern applications are actually a pretty good idea; the problem is that they were “forced” upon us in Windows 8. For those that aren’t familiar with them, the applications are bound to a lifecycle which defines how an application runs. They don’t do any registry writes and therefore do not clutter your registry, and they are isolated and run within a container.

You cannot run a modern application as administrator, so you cannot elevate the integrity level of the application. The applications need to be signed and can only be installed either via the Store or sideloaded, using for instance System Center.

The problem is that most businesses still use regular Win32 based applications, which cannot be pushed via the Store. Microsoft is working on a solution called Project Centennial, which allows us to convert Win32 based applications and force them to work within the boundaries of a modern application, kind of like an App-V based application. This will in essence allow Microsoft to bridge existing applications to modern applications; read more here –> https://dev.windows.com/en-us/uwp-bridges

Windows Update for Business & Windows as a Service

One of the best-known facts is that Windows 10 will be the last Windows desktop version. For the last 30 years Windows has been shipped the same way: Microsoft creates a new operating system, ships it with OEMs, and sells physical media like floppies, CDs, DVDs and so on. From Windows 10 on, everything will be Windows 10; Microsoft will constantly create new builds of it and ship them using Windows Update, much like mobile users are familiar with on Android and iOS.

Along with this Microsoft has also created a cloud based update solution called Windows Update for Business, which is in essence a smaller, cloud based WSUS. It will allow businesses to control which updates and builds go to their computers.

Moving forward, all new builds will first be tested internally at Microsoft, then moved out to those who have signed up for the Windows Insider program, then pushed out to consumers using Windows Update, and then reach the first branch on Windows Update for Business.

So in essence Windows as a Service is a pretty nifty update sequence set in motion, and Windows Update for Business is a cloud based service to control it. It will have some other features as well, such as:

Peer-to-peer seeding (meaning that a client can share binaries with other clients within a network, for instance)

Maintenance time (when we can ship updates)

Deployment rings (who gets the builds first, for instance based on computer groups)

It is important to note that this will be offered as a free service, but it will most likely be aimed at users of Windows Enterprise.

As part of this Microsoft is also releasing a new private store aimed at the same type of businesses, called Windows Store for Business.

Windows Store for Business

This will be a private section within the Microsoft Store where users can authenticate with their Azure Active Directory user and get access to LoB applications which, for instance, their IT department has published. This is also a free service, which can eventually be accessed from https://businessstore.microsoft.com

At first release it will only support Azure Active Directory users, but it will also allow for license management and offline access, meaning that users don’t have to download large applications from the internet but can be redirected to an internal network share to get an application. With the coming of Project Centennial we can also eventually publish Win32 applications within the store. As with all the other stuff, it will be possible to manage it using System Center or Intune.

Security features

Now this is where things get interesting, and where many actually haven’t paid attention to what Microsoft has been doing with Windows 10.

There are many new enhancements here, but I’m going to name some of them and what they can do.

VSM (Virtual Secure Mode)

I’m guessing that most have heard about pass-the-hash and Mimikatz? NTLM has some known security issues which allow some fortunate ones to get access to the NTLM hash of an administrator user.

When a hacker has access to this hash, well, they can pretty much get in anywhere. This is because of the LSA service. In Windows 10 Microsoft did something creative: with VSM they isolate the LSA service within a virtual machine running a core OS subset on Hyper-V. This means that a regular Windows user is not able to gain access to the hash of a user, since they aren’t allowed to communicate with the LSA service.

Windows Defender

This is the same engine as Security Essentials, Endpoint Protection and so on. It is not a new feature in Windows 10, but it has a huge number of improvements.

First of all, it now has a network IDS feature which will analyze network traffic, because if your system is already infected and Defender cannot spot it, the only way it can is to check the traffic.

Windows Defender will also now become an isolated process; in previous versions Defender was a regular service which could be turned off if a system was infected. Now, as an isolated service, a virus or malware cannot turn off the service.

Microsoft has also stated that if a user has another type of security software installed, like Symantec or Trend for instance, and that software expires, after 3 days Microsoft will activate Windows Defender again. Defender has also been included in WinRE (Recovery Environment), which allows us to run malware scans without starting the actual operating system.

Windows Hello

This is a built-in biometric authentication system, which allows us to authenticate using who we are, for instance facial recognition, iris scan or fingerprint. This is not something new, but it is the first time that Microsoft has built these features into the operating system. It is also a framework which will allow users to authenticate to other resources using biometrics.

Next-Generation Credentials

The problem with today’s infrastructure is that authentication is based upon usernames and passwords, where it can be easy for hackers or someone else to sniff out the username and password and use them to gain access to resources.

With Next-Generation Credentials, Microsoft is creating a two-factor authentication system where YOU are one of the factors (Windows Hello) and the other factor might be the device itself, using either an asymmetric key stored in the TPM or a traditional certificate on the device. This essentially means that in order for a hacker to get your info he needs to steal both your device and yourself…

This will also be allowed to be used as an SSO provider against different services, but will first be implemented in Azure AD, where it will allow for a secure authentication process.
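
To make the "device as a factor" idea concrete, here is an added PowerShell example (not code from the original post or from Microsoft) of the challenge-response pattern that a device-bound asymmetric key enables: the server only ever stores the device's public key, and the device proves possession of the private key by signing a fresh server nonce. The script is an assumption-laden model: it uses an in-memory RSACng key as a stand-in for a TPM-resident key, the hashtable `$Registered` stands in for the server-side enrollment store, and the device id is made up.

```powershell
# Added example (not from the original post): software model of the device-key factor.
# The private key never leaves the "device"; the server verifies with the public key only.
# Assumption: an in-memory RSACng key stands in for a TPM-backed key so this runs anywhere
# with Windows PowerShell 5.1 / .NET Framework 4.6 or newer.

$HashAlg = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$Padding = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1

# Device side: key pair generated at enrollment; only the public half is exported.
$DeviceKey     = [System.Security.Cryptography.RSACng]::new(2048)
$PublicKeyBlob = $DeviceKey.Key.Export([System.Security.Cryptography.CngKeyBlobFormat]::GenericPublicBlob)

# Server side: hypothetical enrollment store mapping device id -> public key blob.
$Registered = @{ 'device-0001' = $PublicKeyBlob }

function New-Challenge {
    # Server issues a random, single-use nonce for the device to sign.
    $nonce = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($nonce)
    return $nonce
}

function Invoke-DeviceSign {
    param([byte[]]$Nonce)
    # Device signs the nonce with its private key; the key itself is never transmitted.
    return $DeviceKey.SignData($Nonce, $HashAlg, $Padding)
}

function Test-DeviceResponse {
    param([string]$DeviceId, [byte[]]$Nonce, [byte[]]$Signature)
    # Server looks up the enrolled public key and checks the signature over ITS nonce.
    if (-not $Registered.ContainsKey($DeviceId)) { return $false }
    $key = [System.Security.Cryptography.CngKey]::Import($Registered[$DeviceId],
               [System.Security.Cryptography.CngKeyBlobFormat]::GenericPublicBlob)
    $rsa = [System.Security.Cryptography.RSACng]::new($key)
    return $rsa.VerifyData($Nonce, $Signature, $HashAlg, $Padding)
}

# Normal sign-in: fresh nonce, device signs, server verifies -> True
$n1  = New-Challenge
$sig = Invoke-DeviceSign -Nonce $n1
"Genuine device : $(Test-DeviceResponse -DeviceId 'device-0001' -Nonce $n1 -Signature $sig)"

# Someone who sniffed ($n1, $sig) off the wire replays it against the NEXT challenge -> False,
# because the signature only covers the old nonce. This is what the password model lacks.
$n2 = New-Challenge
"Replayed capture: $(Test-DeviceResponse -DeviceId 'device-0001' -Nonce $n2 -Signature $sig)"
```

The point of the two final calls is the contrast with the password case described just above: a captured password works again and again, whereas a captured signature is only valid for the nonce it was made for. In the real feature the second half of the factor pair (Windows Hello) gates the TPM's use of the private key, which this model does not simulate.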

Enterprise Data Protection

This is a security feature which will be able to sort between business data and private data. It allows data to be automatically encrypted on an end user’s device. And yes, this is a feature which is coming for both mobile and desktops.

We will be able to define 4 different levels of security:

  • Block (we can say that users are NOT allowed to share data from a business file to, for instance, social media)
  • Override (Users get a warning but are allowed to override, events are logged)
  • Audit (Everything is logged)
  • Off

So this, in cooperation with for instance Azure RMS, opens up some pretty interesting possibilities.

Device Guard

Ever tried AppLocker? It was a good idea to be able to lock down what kind of applications a user was able to execute; the problem was that it only ran in software, meaning that you could bypass it, shut down the service and so on. Therefore Microsoft decided to take it to the next level by creating Device Guard, which is a hardware assisted application locker that only allows signed applications to run on a system. This feature will only be in Windows Enterprise and requires UEFI and Intel VT-x or AMD-V and also some specific hardware, but many OEM partners like Lenovo, Dell and HP are creating new devices which will support this feature. Microsoft is also creating tools which allow us to sign applications so they are trusted by Device Guard.

Health Attestation Service

This is a feature that came with Windows 8.1 but is vastly improved in Windows 10. It allows Windows 10 to do a health check against the cloud before gaining access to internal resources. This will check things like Secure Boot, DEP, BitLocker, AV status, patch level and so on. You can see the OMA-URI CSP set here –> https://msdn.microsoft.com/en-us/library/windows/hardware/dn920025(v=vs.85).aspx
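
As an added example (not from the original post, and not the attestation service itself), the script below reads the same signals the Health Attestation Service evaluates (Secure Boot, DEP, BitLocker, AV status, patch level) locally, and also reports the VSM and Device Guard state discussed in the two sections above through the Win32_DeviceGuard WMI class. It uses only cmdlets and classes that ship with Windows 10 (SecureBoot, BitLocker and Defender modules, CIM); the "healthy" policy in Test-DeviceHealthy is my own illustrative threshold set, not Microsoft's. Run it elevated, since Confirm-SecureBootUEFI and Get-BitLockerVolume require administrator rights.

```powershell
# Added example (not from the original post): local read-out of device health signals.
# Requires an elevated Windows PowerShell session on Windows 10.

function Get-DeviceHealthPosture {
    $result = [ordered]@{}

    # Secure Boot: the cmdlet throws on legacy BIOS systems (and without elevation).
    try   { $result.SecureBoot = Confirm-SecureBootUEFI }
    catch { $result.SecureBoot = 'Unavailable' }

    # DEP policy from Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy
    # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (default), 3 = OptOut
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $result.DepPolicy = @('AlwaysOff', 'AlwaysOn', 'OptIn', 'OptOut')[$os.DataExecutionPrevention_SupportPolicy]

    # BitLocker protection status of the OS drive
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $result.BitLockerOsDrive = if ($bl) { $bl.ProtectionStatus } else { 'Unavailable' }

    # Windows Defender state and signature age (Defender module)
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $result.AntivirusEnabled   = if ($mp) { $mp.AntivirusEnabled } else { 'Unavailable' }
    $result.RealTimeProtection = if ($mp) { $mp.RealTimeProtectionEnabled } else { 'Unavailable' }
    $result.SignatureAgeDays   = if ($mp) { [int](New-TimeSpan -Start $mp.AntivirusSignatureLastUpdated -End (Get-Date)).TotalDays } else { 'Unavailable' }

    # Patch level: most recently installed hotfix (Win32_QuickFixEngineering via Get-HotFix)
    $lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $result.LastHotfix     = if ($lastFix) { $lastFix.HotFixID } else { 'None' }
    $result.LastHotfixDate = if ($lastFix) { $lastFix.InstalledOn } else { 'None' }

    # VSM / Device Guard: Win32_DeviceGuard in root\Microsoft\Windows\DeviceGuard
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    # SecurityServicesRunning: 1 = LSA isolation (Credential Guard), 2 = hypervisor-enforced code integrity
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if ($dg) {
        $result.VbsStatus         = @('Off', 'EnabledNotRunning', 'Running')[$dg.VirtualizationBasedSecurityStatus]
        $result.LsaIsolation      = [bool]($dg.SecurityServicesRunning -contains 1)
        $result.CodeIntegrityHvci = [bool]($dg.SecurityServicesRunning -contains 2)
    } else {
        $result.VbsStatus = 'Unavailable'   # class is absent on builds before Windows 10
    }

    return [pscustomobject]$result
}

function Test-DeviceHealthy {
    # Illustrative policy (my own thresholds): every check must pass to count as healthy.
    param([pscustomobject]$Posture)
    $ok = $true
    if ($Posture.SecureBoot -ne $true)       { Write-Warning 'Secure Boot is off or unavailable';        $ok = $false }
    if ($Posture.DepPolicy -eq 'AlwaysOff')  { Write-Warning 'DEP is disabled';                          $ok = $false }
    if ($Posture.BitLockerOsDrive -ne 'On')  { Write-Warning 'OS drive is not BitLocker protected';      $ok = $false }
    if ($Posture.AntivirusEnabled -ne $true) { Write-Warning 'Antivirus is not enabled';                 $ok = $false }
    if ($Posture.SignatureAgeDays -is [int] -and $Posture.SignatureAgeDays -gt 7) {
        Write-Warning 'AV signatures are older than 7 days'; $ok = $false
    }
    if ($Posture.VbsStatus -ne 'Running')    { Write-Warning 'Virtualization-based security not running'; $ok = $false }
    return $ok
}

$posture = Get-DeviceHealthPosture
$posture | Format-List
"Healthy: $(Test-DeviceHealthy -Posture $posture)"
```

The difference between this script and the real service is trust: this reads values from the running OS, which a compromised machine can lie about, whereas Health Attestation has the TPM measure boot state and the cloud service evaluate those measurements, so the device itself is not the one vouching for its health. The local read-out is still useful for a defender as a pre-check of why a device is failing attestation.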

Regarding MDM, Microsoft has already done a lot in preparation for Windows 10, and for those wondering: yes, Intune supports Windows 10 now and can already push OMA-URI settings for Windows 10. All the settings can be found in the same list –> https://msdn.microsoft.com/en-us/library/windows/hardware/dn920025(v=vs.85).aspx

So what else is new that isn’t that well known?

DirectX 12 support
MKV support
Print to PDF support
Azure AD Domain join support
Package Manager with PowerShell v5

Here is also an upgrade matrix for those that are wondering what options you have:

[Image: Windows 10 upgrade matrix]

#azure-ad, #windows-10, #windows-hello

Netscaler and Office365 SAML iDP setup

With Netscaler 10.5, Citrix announced support for SAML Identity Provider as a Netscaler feature. That basically meant that we could in theory use the Netscaler as an identity provider for Office365 / Azure AD. I have been trying to reverse engineer the setup, since Citrix hasn’t created any documentation regarding it.

But now! Citrix has recently published the Netscaler iDP setup for Office365: http://support.citrix.com/article/CTX200818

Yay!

On another note, Citrix also released a new build of Netscaler VPX (build 56.12) which fixes the CPU utilization bug on VMware; you can see more in the release notes here –> http://support.citrix.com/article/CTX200818

There is also a new PCI DSS report which shows compliance with version 3.

#azure-ad, #netscaler, #office365, #saml-idp

Azure Active Directory features and possibilities

In the last couple of years Microsoft has been working actively on new features in Azure Active Directory. For those who aren’t aware of what that is, briefly: it is identity as a service hosted in Azure. It is not the same as regular Active Directory, even though it shares the name; it is a user administration system which stores users in a directory, but it is built for the cloud. You also don’t have features like Group Policy, and the notion of machine objects is not present (well, almost not; I’ll come back to that).

So when you set up an Intune account, Office365 account or CRM Online, it will automatically create an Azure Active Directory tenant. All users that are created will be populated into that Azure AD tenant. From an administrator’s point of view, all they will see is the users listed in their administration portal. In order to get the full benefit of Azure Active Directory you need to go into Azure.

(Before I go into specifics you need to be aware that there are 3 editions of Azure Active Directory: Free, Basic and Premium.) You can see the different features that are included in all 3 here –>

Also take note that Premium is included in the Microsoft EMS package (with Azure Rights Management and Intune) https://msdn.microsoft.com/en-us/library/azure/dn532272.aspx

So what do I mean by built for the cloud? Well, first of all, regular Active Directory, which today is well established and one of the key features of an on-premise setup, does not work well with all the SaaS services that are being added in many enterprises today. Many vendors include Active Directory integration in their service (like Dropbox and such), but this is because there are no native features for it in Active Directory.

Azure Active Directory, on the other hand, is built to be a platform which can include all the applications you want and work as an identity provider for all your SaaS applications, or on-premise ones. Many are familiar with the synchronization tools that Microsoft offers to give a consistent user experience between on-prem and Office365. These tools place users in the Azure Active Directory tenant and then allow us to build upon that with new features and add integrations with other SaaS applications. We can also use Azure Active Directory standalone if we want a more purely cloud based setup.

So what does Azure Active Directory consist of?

  • Azure Access Control
  • Azure Authentication System (SAML, OpenID & OAuth, WS-Federation)
  • Azure Graph
  • Azure Rights Management Service
  • Azure Multi-factor authentication

All these services have a set of sub-features as well, but with all this Azure Active Directory can be a platform for managing identity across different clouds. So what might it look like? Let’s think of a traditional enterprise where the HR application is where all new employees are created; IT needs to set up an Active Directory user and then provision access to all the SaaS apps that the company uses.

What would it look like with Azure Active Directory set up with the different tools that Microsoft offers?

Let’s look at the example again: a new employee is set up in the HR system. Microsoft Identity Manager (which is the vNext of Forefront) has a connector which allows it to grab hold of the information, has a workflow for how new employees should be set up, and provisions a user in the local Active Directory. Azure AD Connect (which is the new and upcoming Dirsync and AAD Sync) will, based upon the filters, sync the user to Azure Active Directory. There can also be an ADFS, which allows for true SSO since ADFS will then work as a SAML IdP and users can access it in real time; another option is to set up user synchronization with password hash, which allows users to use their usernames and passwords (a bit delayed when a password has been changed and a sync has not been run) but does not give users true SSO to services in Azure.

Now that the users are in Azure we can set up access to other SaaS services like SalesForce, Dropbox, other social media applications and maybe even Citrix. Another option is to set up an internal application which we want to publish. This requires another feature called Application Proxy, which will allow users to authenticate with their Azure AD credentials (with or without MFA) and then proxy a connection to an on-prem service.

So far I’ve covered some of the basics. Let’s look at what it looks like. This is a screenshot from my management portal; here I have one directory.

Inside here I have multiple users, some cloud only and some synced from on-premise. Here I also have the option to manage MFA for my tenant (I have a valid subscription).

Also inside the tenant directory I have a bunch of different options which we are going to go through.

First, let’s look at the configuration part. First is the part to customize the sign-in experience for our users.

So we can define a logo, background image and such. Just basic stuff, so when users try to log in they might see this:

[Screenshot: customized sign-in page (family photo!)]

We also have configuration options for user password reset.

We can also define a password write-back feature (which allows new passwords generated in Azure AD to be written back to an on-premise Active Directory). Note that this requires the Active Directory sync services to be set up with the write-back feature.

As I mentioned earlier, Azure AD has no idea about machine objects; well, it kind of does. This is another preview feature, but it allows Windows 10 machines to “join” Azure Active Directory and allows user login using Azure AD credentials.

[Screenshots: joining Azure AD from a Windows 10 tech preview machine]

After joining the Azure AD domain you can sign in with your credentials.

There are also a lot of different options regarding group management in Azure.

And one important part is Application Proxy.

I have blogged about this before (https://msandbu.wordpress.com/2015/02/19/publishing-internal-applications-using-azure-active-directory-using-application-proxy/).

So let’s talk a bit about the important part: the applications. Azure has some possibilities when adding applications: working as a front-end authentication feature, for instance for on-prem applications; single sign-on for web based applications (password and federated SSO); and setting up MFA.

So let’s start with adding Facebook to our tenant and setting up the new feature called password roll-over (which allows Azure AD to automatically update a password on behalf of the user).

So head on over to Applications and choose Add from Gallery.

Find Facebook in the list and choose OK.

Click on Configure Single sign-on and choose Password SSO. (Note that this requires that a user authenticates first with a username and password using a browser which has the Azure AD extension installed. When the user has authenticated, the extension will take the username and password, encrypt them and store them in the Azure AD tenant, so the next time the user logs in they don’t need to enter a username and password.)

Then let’s assign some users. Go into Users and Groups, find a user and choose Assign.

We can also enter a username and password on behalf of the user.

(Note that for LinkedIn, Twitter and Facebook we have the preview feature automatic password rollover.)

Then click OK.

Now let’s add an on-prem application. As I’ve blogged about it before I won’t show all the steps, just what’s new.

For on-premise applications we can configure access rules; let’s for instance say that all users (except sales users) need to use MFA when accessing this application from outside the office.

Note that this is based upon IP whitelisting to decide who needs to access with or without MFA. This is part of the cloud based MFA feature; it is also possible to download a server component of MFA which you can attach to your on-prem services as well using traditional AD: https://msandbu.wordpress.com/2014/05/05/azure-multifactor-authentication-and-netscaler-aaa-vserver/
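
To make the whitelist behaviour of such a rule explicit, here is an added PowerShell example (my own illustration, not Azure AD's configuration or API) that evaluates the rule described above: MFA is required unless the request comes from a trusted office range or the user is in an exempt group. The trusted ranges (RFC 5737 documentation addresses), the group name "Sales" and the sample requests are all constructed for this script.

```powershell
# Added example (not from the original post): decision logic of an "MFA outside the office,
# except for group X" access rule. Constructed policy and requests; IPv4 only.

function ConvertTo-UInt32Address {
    param([string]$IPAddress)
    # Big-endian packing of the four octets into one integer, using UInt64 arithmetic
    # to avoid PowerShell's overflow promotion before the final cast.
    $b = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    if ($b.Length -ne 4) { throw "IPv4 address expected: $IPAddress" }
    return [uint32](([uint64]$b[0] * 16777216) + ([uint64]$b[1] * 65536) + ([uint64]$b[2] * 256) + [uint64]$b[3])
}

function Test-IPInCidr {
    param([string]$IPAddress, [string]$Cidr)
    # True when the prefix bits of the address match the network. Mask = 2^32 - 2^(32-bits);
    # both powers are exact in a double, so no bit shifting is needed.
    $net, $bits = $Cidr.Split('/')
    $bits = [int]$bits
    if ($bits -lt 0 -or $bits -gt 32) { throw "Bad prefix length in $Cidr" }
    $mask   = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $bits))
    $ipInt  = ConvertTo-UInt32Address $IPAddress
    $netInt = ConvertTo-UInt32Address $net
    return (($ipInt -band $mask) -eq ($netInt -band $mask))
}

# Constructed policy (assumption): office egress ranges and the group exempt from MFA.
$TrustedRanges = @('203.0.113.0/24', '198.51.100.0/25')
$ExemptGroups  = @('Sales')

function Get-AccessDecision {
    param([string]$User, [string[]]$Groups, [string]$SourceIP)
    $inside = $false
    foreach ($range in $TrustedRanges) {
        if (Test-IPInCidr -IPAddress $SourceIP -Cidr $range) { $inside = $true; break }
    }
    $exempt = @($Groups | Where-Object { $ExemptGroups -contains $_ }).Count -gt 0
    [pscustomobject]@{
        User         = $User
        SourceIP     = $SourceIP
        InsideOffice = $inside
        ExemptGroup  = $exempt
        RequireMFA   = (-not $inside) -and (-not $exempt)
    }
}

# Constructed sample requests (not real traffic)
$requests = @(
    @{ User = 'alice'; Groups = @('Engineering'); SourceIP = '203.0.113.42'   },  # inside the /24     -> no MFA
    @{ User = 'alice'; Groups = @('Engineering'); SourceIP = '192.0.2.10'     },  # outside            -> MFA
    @{ User = 'bob';   Groups = @('Sales');       SourceIP = '192.0.2.10'     },  # outside but exempt -> no MFA
    @{ User = 'carol'; Groups = @('IT');          SourceIP = '198.51.100.200' }   # .200 is past the /25 boundary -> MFA
)
$requests | ForEach-Object { Get-AccessDecision -User $_.User -Groups $_.Groups -SourceIP $_.SourceIP } | Format-Table -AutoSize
```

The fourth request is the one worth checking by hand: 198.51.100.200 shares the first three octets with the trusted network but lies outside a /25 (hosts .0 to .127), so a rule that compared only the first three octets would wrongly treat it as inside. A source-IP whitelist only tells you which side of the office egress a request came from; it says nothing about the user or the device, which is why the page pairs it with MFA rather than using it alone.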

Note that you can also use Azure Active Directory as a SAML IdP and use the Graph API when developing other applications and setting up integration with it. There are also some applications, like Salesforce, which offer full identity management, true SSO and provisioning.

But only a few vendors have added this support. Now, if we approach an enterprise with “Hey, you should get Azure AD, it’s great stuff!” and they have something like 200 SaaS applications which they use, how can you get an overview? Microsoft has also created something called Cloud App Discovery (which is also in preview –> https://appdiscovery.azure.com/)

It is basically an agent that you download and run in your infrastructure; it will gather info, find out which applications are being used, and try to map them against those that Microsoft has support for.

So when you have set up the applications and given users access, what does it look like? Voilà, user access!

[Screenshot: the user’s application access panel]

Now this was just a brief touch on Azure Active Directory. In the last 6 months these features have been added to Azure AD:

  • Administrative units
  • Dynamic group membership
  • Password roll-over
  • Azure AD Connect Health
  • Per-app MFA
  • 200+ applications in the gallery list
  • Workplace Join
  • SaaS provisioning attributes
  • MIM in public preview
  • Azure AD Proxy
  • Password write-back
  • Azure AD on iOS and Android
  • Conditional access per app

And this list will continue to grow. If you want to see what’s happening on Azure AD I suggest you follow Alex Simons (@Alex_a_simons) on Twitter (he is the Product Manager for Azure AD, and from the looks of the feature list he is feeding his developers Red Bull or something stronger)

And follow the Azure AD blog: http://blogs.technet.com/b/ad/

Stay tuned for more news about Azure AD.

#azure-ad, #cloudapp-discovery, #mfa, #rms