This site is an automatic translation of http://www.marcelosincic.com.br; the original is in Portuguese.

Azure ARC – Integration of Updates, Change Monitoring and Inventory

When using ARC, as discussed before ( https://msincic.wordpress.com/2020/07/22/azure-arc-integrated-multi-cloud-management/ ), a common question I get from people in the community is how to enable the Insights functions that appear on the ARC panel.

Creating or Enabling an existing Automation account

For this, the first step is to have an Automation account in a region that is paired with the region of the Log Analytics workspace integrated with ARC.

To find out which regions are paired, use the link https://docs.microsoft.com/en-us/azure/automation/how-to/region-mappings ; for example, East US1 is paired with East US2 and vice versa. In other words, Log Analytics needs to be in one of the regions and the Automation account in the other.

After creating the Automation account and the Log Analytics workspace, go to the Automation account and configure the integration between them.

In the Automation account panel itself, it is already possible to configure the Update, Change Management and Inventory features, and they are then displayed ready in the ARC panel.

Enabling features

Each module can be integrated with a different Automation account or Log Analytics workspace, which is not my case.

Once integrated in the Automation account's own panel, it is already possible to see the features and enable the computers; note that those that have the ARC agent will already appear in the inventory.

For Updates you will need to choose the computers you want to automate.

Remember that once Update control is configured, it is necessary to create the scheduling rules for the installation of these updates.
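As an added example (not from the post), this is how the scheduling rule for the Arc-connected servers can be created from PowerShell instead of the portal: a weekly window for Security and Critical updates only. It assumes the Az.Automation module, a session opened with Connect-AzAccount, and placeholder names; the parameter names are as I know them from Az.Automation, so check Get-Help if your module version differs.

```powershell
# Added example: weekly maintenance window for Security and Critical updates on
# the non-Azure (Arc) machines that Update Management already lists.
# Assumes Az.Automation and an existing Connect-AzAccount session.
$rg      = "rg-automation"       # placeholder resource group
$account = "aa-updates"          # placeholder Automation account
$tz      = "America/Sao_Paulo"   # placeholder time zone

# Every Sunday at 02:00, starting next week. StartTime must be a few minutes in
# the future or New-AzAutomationSchedule rejects it.
$start = (Get-Date).Date.AddDays(7).AddHours(2)
$schedule = New-AzAutomationSchedule -ResourceGroupName $rg -AutomationAccountName $account `
    -Name "Weekly-Security-Updates" -StartTime $start -WeekInterval 1 -DaysOfWeek Sunday `
    -TimeZone $tz -ForUpdateConfiguration

# Arc machines are referenced by the computer name shown in Update Management.
# Listing them explicitly means a newly onboarded server is not patched until
# someone deliberately adds it to this deployment.
$arcComputers = @("srv-file01", "srv-app02")   # constructed sample names

# Two-hour window, reboot only when an update requires it, Critical + Security
# classifications; other classifications stay visible but are not installed here.
New-AzAutomationSoftwareUpdateConfiguration -ResourceGroupName $rg -AutomationAccountName $account `
    -Schedule $schedule -Windows -NonAzureComputer $arcComputers `
    -IncludedUpdateClassification Critical, Security `
    -Duration (New-TimeSpan -Hours 2) -RebootSetting IfRequired
```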

Finally, we enable the Change Management panel, indicating the computers we want to collect from.

In my opinion this is the best of these features, since for security and support, knowing the changes made on each server is essential.
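To show what that change data looks like once it is flowing, here is an added example (not from the post) that queries the Change Tracking table of the linked Log Analytics workspace and summarizes the last day of software, service and registry changes per server. It assumes the Az.OperationalInsights module, a logged-in session and a placeholder workspace id; the table and column names are those of the Change Tracking solution as I know them, so verify them in the Logs blade if in doubt.

```powershell
# Added example: review the last 24 hours of Change Tracking data per server.
# Assumes Az.OperationalInsights and an existing Connect-AzAccount session.
$workspaceId = "00000000-0000-0000-0000-000000000000"   # placeholder workspace id

# KQL: software, Windows service and registry changes, keeping the item and the
# previous/current values so a reviewer can judge each change on its own.
$kql = @'
ConfigurationChange
| where TimeGenerated > ago(24h)
| where ConfigChangeType in ("Software", "WindowsServices", "Registry")
| project TimeGenerated, Computer, ConfigChangeType, ChangeCategory,
          Item = coalesce(SoftwareName, SvcName, RegistryKey), Previous, Current
| order by TimeGenerated desc
'@

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $kql

# Group per server so a burst of changes on one machine stands out. New software
# or a service change outside an approved change window is what to ticket first.
$result.Results |
    Group-Object Computer |
    ForEach-Object {
        [pscustomobject]@{
            Computer       = $_.Name
            Changes        = $_.Count
            NewSoftware    = @($_.Group | Where-Object {
                                 $_.ConfigChangeType -eq "Software" -and $_.ChangeCategory -eq "Added" }).Count
            ServiceChanges = @($_.Group | Where-Object { $_.ConfigChangeType -eq "WindowsServices" }).Count
        }
    } |
    Sort-Object Changes -Descending |
    Format-Table -AutoSize
```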

New connector for Azure Consumption in Power BI

A very interesting tool to validate and verify costs in Azure is Azure's own Cost Management and its integration with an App panel in Power BI.

However, with the deactivation of the Power BI App, many lost a tool in which it was possible to manipulate the data, and started importing into Excel/CSV to create their customized reports.

Connector for Azure Cost Management on Power BI Desktop

Well, Microsoft has released a connector for Power BI Desktop that allows you to bring in more detailed data than you can see in Cost Management.

This connector, which in the Portuguese version is named Azure Cost Management, can be used by those who have an Enterprise Agreement or individual subscriptions.

In the case of an Enterprise Agreement, just enter the contract number and log in on the following screen.

It is important to remember that if the contract is very large and you choose 12 months, Power BI may take a long time to access the data and hit a refresh timeout, so we recommend that you create the query with shorter periods.

If you want to test with additional months or decrease the number of months, open the Advanced Editor of the query and change the number of months, remembering that you will need to do this in each of the tables.

Working with cost tables

Once the connection is made, it is possible to choose the tables you will work with.

All tables are intuitive and detailed, with the data you already have access to when exporting the CSV from the Azure portal; however, the connector adds the data sets for Reserved Instances and Budgets.

I particularly liked the RI tables, because they detail the VMs and resources being charged and the original cost, allowing you to show the savings generated in a much simpler way!

The recommendations can also be seen in detail:

And finally, the use of reservations with the "quality" percentage, where you can get an idea of whether they are actually being used, is one of the most important:

Recent trainings and ebooks

Below is a useful list of recent online training and documentation.

  • Windows Virtual Desktop Quickstart Guide
    With the adoption of home office for employees, the VDI as a service (SaaS) solution has grown a lot
    This guide shows the concepts and requirements for a SaaS WVD architecture in Azure
    Windows Virtual Desktop E-book | Microsoft Azure
  • SQL Server on-premises and Azure SQL Server Workshops
    The workshop content that Microsoft delivers openly, to be used in companies or individually
    Some setup effort is required, but the content is quite rich and valuable
    sqlworkshops | SQL Server Workshops (microsoft.github.io)

Monitoring Azure with System Center Operations Manager (SCOM)

Many companies use SCOM to monitor on-premises environments. Extending this monitoring to Azure resources helps centralize alerts and dashboards into integrated cockpits.

To download the Management Pack use the link: https://www.microsoft.com/en-us/download/details.aspx?id=50013

Installing and configuring the MP

When running the package you will find the 3 MP files that should be imported.

Then open the console and import the 3 installed packages.

After importing the packages you can assign the subscriptions you want to monitor. This can be done by authenticating with a user or by creating an SPN in Azure to act as the application, which also helps on the Azure side if it is necessary to search the logs or assign specific permissions.

This SPN creation process is automatic: simply enter the user and let the wizard do the work!

Configuring what will be monitored

Find the MS Azure Monitoring Management Pack and choose which of the subscriptions you want to monitor. The recommendation is to create a new Management Pack to host the resources you will monitor, which makes reconfiguration easier if necessary.

If there are multiple subscriptions, you will need to repeat the process for each subscription, including it in the same custom MP you created.

Finding the Resources

The Management Pack creates a new folder in Monitoring named Microsoft Azure, with several items where you can see the different types of dashboards and reports available.

In a few minutes, SCOM will discover the resources and, immediately afterwards, return the status of each one.

As there are several resources and reports, you can view performance and status data and define or change alerts according to the common status rules.

Azure Arc – Integrated Multi-cloud management

Azure Arc is a preview product whose function is to standardize and allow the use of Azure resources for managing VMs and Kubernetes clusters hosted in on-premises environments or other integrated clouds.

https://azure.microsoft.com/en-us/services/azure-arc/

Enabling the Service by Registering the Components

The first step is to access the subscriptions where you will host Arc services.

Once the subscription has been chosen, the Hybrid resource providers must be registered as described below.

In general the ADHybridHS feature will already be enabled, as it relates specifically to AD synchronization, but the Compute, Data and Network providers need to be enabled before adding resources.

Registering Computers and Resources

When creating the Arc resource, choose a subscription and a Resource Group to serve as a base, and which in the future, after the Preview, will carry the service charge (if any).

Right after enabling, click the Add button shown in the first screenshot of this article and download the script to run on the servers. If you open the script, it is very simple: it basically downloads an MSI and runs it with the subscription data.

The first execution of the script shows the requirement to register the resource providers, which was the first topic of this article; this will be a recurring error, since when enabling Arc this process should be automatic.

Note that when executing the script, it generates a code that must be confirmed on the indicated website https://microsoft.com/devicelogin
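As an added example (not the script the portal generates for you), the following PowerShell performs the same steps described above, with the resource-provider registration from the first topic done up front so the first run does not fail on it. Step 1 runs from a management workstation with the Az module; steps 2 and 3 run in an elevated session on the server. All ids and names are placeholders, and I assume Microsoft.HybridCompute and Microsoft.GuestConfiguration as the provider namespaces behind "Compute" and the policy features (the Data and Network providers from the portal screenshot are registered the same way).

```powershell
# Added example: manual Arc server onboarding (placeholder values throughout).
$SubscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$TenantId       = "00000000-0000-0000-0000-000000000000"   # placeholder
$ResourceGroup  = "rg-arc-servers"                          # placeholder
$Location       = "eastus"                                  # placeholder

# 1) Management workstation: register the providers Arc depends on. Assumed
#    namespaces: HybridCompute backs Arc servers, GuestConfiguration backs the
#    policy/compliance features. Skips namespaces that are already registered.
foreach ($ns in "Microsoft.HybridCompute", "Microsoft.GuestConfiguration") {
    $state = (Get-AzResourceProvider -ProviderNamespace $ns |
              Select-Object -First 1 -ExpandProperty RegistrationState)
    if ($state -ne "Registered") {
        Register-AzResourceProvider -ProviderNamespace $ns | Out-Null
    }
}

# 2) On the server: download the Connected Machine agent MSI over TLS 1.2 and
#    install it silently, keeping a verbose log for troubleshooting.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$msi = Join-Path $env:TEMP "AzureConnectedMachineAgent.msi"
Invoke-WebRequest -Uri "https://aka.ms/AzureConnectedMachineAgent" -OutFile $msi -UseBasicParsing
$install = Start-Process msiexec.exe -Wait -PassThru `
    -ArgumentList "/i `"$msi`" /l*v `"$env:TEMP\arc-install.log`" /qn"
if ($install.ExitCode -ne 0) {
    throw "Agent install failed with exit code $($install.ExitCode)"
}

# 3) Connect the machine. With no service-principal credentials given, azcmagent
#    prints the device code to enter at https://microsoft.com/devicelogin, which
#    is the prompt the post describes.
& "$env:ProgramFiles\AzureConnectedMachineAgent\azcmagent.exe" connect `
    --resource-group $ResourceGroup `
    --tenant-id $TenantId `
    --location $Location `
    --subscription-id $SubscriptionId `
    --cloud "AzureCloud"
if ($LASTEXITCODE -ne 0) {
    throw "azcmagent connect failed with exit code $LASTEXITCODE"
}
```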

Using Policies and Initiatives

Once linked, the different Policies and Initiatives, which serve to create alerts and define the standardization of resources in what we generally call Compliance, can already be created and enabled.

By default, the above policies are configured, but it is possible to create new ones to generate compliance reports. To do this, use the pre-existing rules, which cover several different types of alerts such as backup, antivirus, ASR, etc.

As for Initiatives, we are not only checking but also implementing some types of standards, such as the level of auditing or legal requirements/regulatory standards.

Enabling Log Analytics

For the resources to work correctly, it is important to use Log Analytics, which will capture the server data to generate alerts and relationship maps.

To do this, open the servers and click on the warning in the banner that is displayed; from there you can enable the resources for each server or in Insights. An interesting feature is that each server can use a different subscription or even a different Log Analytics workspace.

The integration takes 5 to 10 minutes; after that it is already possible to use the monitors, alerts and even the relationship map.

CONCLUSION

In environments with physical servers, virtual servers and cloud machines, having the ease of integrating Azure management functions will help a lot.

Much of the work is already possible in Log Analytics, but in a passive way. With simple integration with policies, initiatives and the interface, Azure Arc will be an excellent tool for IT professionals with multiple hosting environments.

Enabling remote work during the Coronavirus period

In this period when many employees are being moved to remote work, what solutions can be quickly adopted?

Scenario 1 – Use of VPN

The first solution is the use of VPNs, where the employee accesses the company's network environment via the internet from home.

What are the advantages?
This method is very interesting because it is fast to implement, usually on the firewall the company already uses. The user will be able to access his e-mail, servers and applications as if he were physically inside the company, using his personal computer. As it uses a product that already exists in most environments, the cost to enable it on the firewall is minimal, and with many manufacturers you just need to turn it on.

What are the disadvantages?
The biggest risk in using VPNs is the lack of security arising from direct external connections from unknown equipment. For example, imagine that the employee's machine is the same one he uses to download content from the internet, games and so on. What guarantee do I have that a worm or virus will not come in through this connection? None.

What solutions can I use to complement security?
NAC (Network Access Control) consists of protocols and protections installed on the firewall: when a connection is attempted, a script is executed on the remote equipment to validate that it has valid antivirus, operating system updates, etc., through an NPS (Network Policy Server) rule. However, NPS is usually limited in what it can check, and that is when we need to install an agent in advance, since NPS only validates on entry to the network, without validating settings that can be changed afterwards or that allow the equipment to become unprotected.
The MDM solution in the Microsoft portfolio is Microsoft Intune, which is now called Microsoft Endpoint Management Service after joining with SCCM (System Center Configuration Manager).
Intune is a cloud solution with functions similar to SCCM, but with modules for devices such as phones and tablets. It allows the administrator to create validation rules to be applied to the user's machine by the management software, and these rules may involve:

• Operating system updates
• Installing corporate applications automatically
• Compliance rules such as a mandatory password and password type, and the use of resources shared between different environments on mobile (KNOX and Apple Secure)
• Restriction on the exchange of information between applications classified as corporate (copy and paste)
• Several other rules that vary between Android, iOS, Mac and Windows
• Integration with various physical NAC models

Scenario 2 – Use of PaaS and SaaS for work applications

Well known as Modern Workplace, these solutions in the Microsoft portfolio are in Microsoft Office 365.
Sold as individual services, Business packages (up to 300 users) and Enterprise packages (Office 365 and Microsoft 365), they allow an employee to work remotely without any type of access to the internal network.

What are the advantages?
Because there are different contractual acquisition models (CSP on demand, MPSA and EA with fixed prices), it is accessible to all customers.
Data security is greater because the user accesses files and email directly from Microsoft over the public internet and has no access to the company's internal servers. As a cloud service model, it does not need facilities, servers or local infrastructure, nor the TCO of maintaining and operating them.
Well, we don't need to say much, because today the PaaS and SaaS model with Exchange, Teams, SharePoint, OneDrive and the other products in the suite is already consolidated.

What are the disadvantages?
There are few negative points, since here we are dealing with essential services (email, messaging, audio and video conferencing, file exchange). But unrestricted access to data, without the ease of creating security rules that we have with ACLs on a physical file server, scares a lot of people... Since the files are in the cloud and accessible from anywhere and any device, how do we prevent unauthorized access?

What solutions protect my content?
This is where things get easier! In the Office 365 PaaS and SaaS model we have security packages available for any of the options, whatever the contract and package type:

• To encrypt, categorize and identify protected content we have AIP (Azure Information Protection), which is the old Windows RMS, now in the cloud; it can identify, for example, that a user is sending CPFs and passport numbers to other people inside or outside the company
• To detect suspicious activity we have ATP (Azure Advanced Threat Protection), which analyzes activity in on-premises and cloud AD
• With CASB (Cloud App Security) we make advanced usage detections, integrating third-party applications and identifying possible violations and problems such as logins from different locations at the same time or impossible travel (Chile and Australia in less than 2 hours, for example)
• Access and login rules (similar to NAC) can be created with AD Premium, which also allows detailed activity reports

These features would cover the security of access to company data on any device!

Scenario 3 – Virtual Desktop

A well-known solution, it can be implemented in a model of direct access to applications from servers (RDS) or independent virtual machines for users (VDI).

What are the advantages?
Nothing is outside the company; there is no data exchange via the internet.
In this model, the data is accessed from within the company, since the user sees the screen of the server or of his personal VM, which is in the corporation's infrastructure and network.
So access to data is very controlled and 100% similar to what the employee would see and do while sitting at his office desk.

What are the disadvantages?
Cost, both of equipment and licensing.
To build an RDS (Remote Desktop Services) structure, it is possible to use Windows Server directly, at a much more attractive cost, or solutions such as VMware Horizon and Citrix.
As for the VDI (Virtual Desktop Infrastructure) solution, the cost is high, since for each logged-in user it is necessary to have an activated Windows 10 VM.
Therefore, if there are 200 remote users, 200 VMs must be active on physical servers, which after the outbreak would no longer be necessary.

What alternatives are there for the lack of hardware in this moment of isolation?
Microsoft has a service called WVD (Windows Virtual Desktop), which is a hosted VDI with the advantage of being scalable: it can go from 1 to 25,000 VMs in minutes! This service is open to all customers through an Azure account and a Windows Enterprise with SA or Windows E3 subscription.
Users who already have Microsoft 365 (except F1) are already enabled, since M365 E3 and E5 include Windows Enterprise licensing.
And for those who don't, you can subscribe to Windows E3 licenses in the monthly CSP model, where you only pay for the WVDs you activate.

Unidentified CPU usage in Task Manager

This tip is old, but important.

When using the Windows Task Manager, the System process gets stuck at 20-30% CPU usage.

The System process should never have constant usage; it is triggered every time a kernel task is executed and returns to rates between 0-1%.

Task Manager symptom

Note that the process is high despite having no reason to be, since memory is less than 100 KB and there is no disk or network activity.

What normally causes this behavior?

If memory and disk were high, it could be an update or a process that crashed and the operating system is trying to recover, but that doesn't match the situation above.

This indicates that the load comes not from a program but from a device that does not use system resources, such as a video card, a controller or other hardware.

How to find the source of the problem?

Since Task Manager is an end-user tool, it omits important internal details. Therefore, download and use the Process Explorer tool from Sysinternals (which belongs to Microsoft) at https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer

After opening PROCEXP you can see the same System process, now in detail, and see what it is running.

Right-click and open the details of the process; in the Threads tab you can see what the System process is controlling and the CPU usage of each thread, to identify who is responsible for the high CPU usage.

By clicking on the "culprit" thread, we see the details and understand what is causing the high CPU usage.

Now it would be enough to search the internet for what this process is, and I discovered that it is very basic: it is the equipment's power management driver (Power Interface).

So, I went to the manufacturer's website and downloaded the updated drivers, and the result after the reboot is the System process back in its proper place in the task list.

Conclusion

This does not mean that the error is always the same; this is an example of how to find a process or program that crashes your machine.

Many users do not have enough knowledge to solve it themselves, but it is possible to find many references on the internet after identifying the process that causes the problem.

This tip applies mainly to processes with dependencies, as is the case with System, which are hidden in Task Manager.

Office 365 Compliance Supervisory Dashboard

As discussed in the previous post https://msincic.wordpress.com/2020/03/08/new-compliance-and-risk-dashboard-in-office-365/ , we have a new panel aimed at the Risk Management team.

Now let's talk about the Supervision panel, where it is possible to monitor actions, very similar to what the administrator already sees in the Office 365 protection panel. Unlike the Compliance panel and the management panel, the rules in the supervision panel have filters for specific users and the definition of reviewers.

The link to this panel is at https://compliance.microsoft.com/supervisoryreview

Note that, unlike the initial compliance management panel, this panel has its own dashboards and indicators.

Once the rules are created, it will be possible to see their effectiveness and the applications and users with the most occurrences.

Creating Rules for Supervision with Templates

In this example I created a policy based on sensitive data such as CPF, CNPJ and RG, but the list is quite large, including data such as checking accounts and credit cards in addition to the ones you create yourself.

In this second example the rule is for offensive language, where it uses the Office 365 dictionary to detect this type of action.

After creating the rule-based policies it is possible to create notice templates, which are the emails that I will send to the user in case of notice of an unwanted action.

Editing Policies Created from the Templates

Now, when editing the policies that the templates create, we can see what they use and also customize them.

New Compliance and Risk Dashboard in Office 365

As is already known, with Microsoft 365 or EMS 365 licenses several security features are enabled. I have already addressed one of them, Compliance Manager, at http://www.marcelosincic.com.br/post/LGPD-disponivel-no-painel-de-Compliance-do-Office-365.aspx

In addition to this panel we have two more that are very interesting; the first one treated here is the Compliance and Risks Panel. This panel allows a management area to create rule-monitoring policies.

This means that in addition to the DLP rules already existing in the Office 365 configuration panel ( https://protection.office.com ), we have this other panel.

The difference is that the protection panel creates rules with several actions, blocking the sending of emails and documents with confidential data.

The risk panel, on the other hand, serves to generate data without creating reprisals or blocks; that is, it lets the risk area measure the data that is traveling regardless of whether the corporation has a specific DLP rule for blocking.

Opening the Dashboard

The Risks panel is at https://compliance.microsoft.com/insiderriskmgmt and when opened it is already possible to see alerts, general security scores, compliance with rules, etc.

The score on the Office 365 panels is important, since from it we know the rules of a standard and what to do to adapt to it and get closer to a 100% safe environment.

Creating an example rule

To create rules you can use the menu on the side; in the example below I show how I created a rule to warn me about various actions that may indicate a data leak.

For example, when users share a SharePoint site with someone outside, that is one of these possible indications. It is also possible to link the DLP rules you have already created in Office 365, avoiding duplication of settings if the corporate rule is implemented.

Note that it is possible to choose among the different risk protection templates; each one presents the data that will be monitored. In my example I used Data Leak and chose All Users, after enabling the pre-configured items.

Conclusion

This new panel will greatly help companies whose Governance department is separate from the one that manages IT, allowing them to have a view of the risks in the company without the need for administrative access.

Some items are additional and need configuration; for example, the HR data requires a connector.

For more details see the links below:

https://docs.microsoft.com/en-us/microsoft-365/compliance/insider-risk-management-policies
https://docs.microsoft.com/en-us/microsoft-365/compliance/import-hr-data

Integrating Manufacturer Updates with System Center Configuration Manager (Endpoint Protection Server)

One of the needs that many IT administrators have is to update centrally.

This is due to having a single point of contact and avoiding the installation of more software from manufacturers, mainly for drivers of clients and servers from several manufacturers.

Already well structured, and since the 2012 version, SCCM has the capability called SCUP (System Center Update Service) for this.

Using SCUP

It is very simple to use: go to the manufacturer's website (hardware or software) and get the URL of the updates cab file. Within this file you will have the XML definitions of the updates and their requirements. For example, it contains updates with the list of compatible servers and machines, or software requirements for updates such as Adobe and Autodesk.

Once you have the URL, go to Software Library -> Software Updates -> Third-Party Software Updates and include the catalog.

From then on, just wait for the synchronization process to finish and use the Subscribe to Catalog button to start receiving the updates.

They will appear together with the Windows updates to be approved, with a separate classification for creating the automatic deployment rules.