
This site is an automatic translation of http://www.marcelosincic.com.br; the original is in Portuguese.

Windows Defender ATP — The New Security Product

One of the new features of Windows 10 is deeper security instrumentation, integrated with the work of the Microsoft DCU (Digital Crimes Unit), the Microsoft unit that works with law enforcement to identify and respond to attacks around the world (https://blogs.windows.com/windowsexperience/2016/03/01/announcing-windows-defender-advanced-threat-protection/).

Types of protection available

Classic antivirus relies on signature files (DAT files) and detects programs that contain known malicious code fragments or perform activities considered dangerous. Every current antivirus falls in this category, including Windows Defender.

Advanced protection systems add behavioral analysis, internal and external: they identify potential threats by what machines do. Some Symantec and McAfee products work this way, flagging a machine that sends packets to other machines, attempts brute-force logins, and so on.

Behavioral protection with external analysis is a different kind of product. It correlates the behavior of machines in the environment with their external communications, which makes it possible to identify:

  • A group of machines receiving packets with suspicious content from one particular machine
  • Packets originating from countries where phishing and similar attacks are common
  • Packets from machines already identified as "zombies" (bots)

In other words, by combining analysis of your own environment with what is known about attacker behavior, it is possible to identify that a given attacker is trying to break into a company, by observing that this attacker is sending packets to the target company's network.

What ATA and ATP are

Microsoft's products in this area are ATA (Advanced Threat Analytics), which monitors Active Directory authentication and user logons, and ATP (Advanced Threat Protection), which applies machine learning (data analysis) to the behavioral data collected on individual machines.

In practice Windows Defender ATP collects behavioral data on the endpoint, much as Windows Defender already does, but the analysis happens online, against the data and analyses of the DCU. This makes it possible to identify threats that are not found in traditional signature files, nor by looking at a single machine in isolation, which is how traditional antivirus works.

ATA is part of EMS (Enterprise Mobility Suite), but can also be purchased separately: https://www.microsoft.com/pt-br/server-cloud/products/advanced-threat-analytics/overview.aspx

ATP is still in preview, with access on request: https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp

Overview of ATP

Since I already have access to ATP, let's see how it works. To request access, go to the page above and fill in your data. You can enrol machines from your own environment, but the service also automatically generates some test machines with malware and problems. Note that the user shown in the screens below was generated by Microsoft for testing.

To get started, the first step is to set the data retention period and the company profile, which the service uses to classify the threats it reports by threat type:

[screenshot: onboarding, retention period and company profile]

Next we generate the package or script that distributes the settings. Note that packages can be created for deployment by GPO, SCCM, Intune or a local script, which is what I use in my tests:

[screenshot: deployment method selection]

The next step is to download the package, in my case the local script:

[screenshot: package download]

The script is a CMD file to be executed manually on each machine whose Windows Defender data should be sent to ATP. It creates a registry key that identifies my tenant and activates ATP:

[screenshot: onboarding script]

From then on the machines send data to ATP.
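As an added example (not part of the original post and not Microsoft's onboarding script), here is the PowerShell check I would run on a machine after the onboarding .cmd, to confirm that it really is reporting rather than assuming so. It reads the registry values the onboarding package writes (the OnboardingInfo blob under the policy key and the OnboardingState flag the sensor sets once it accepts that blob) and the state of the Sense service, which is the ATP sensor. Those names come from Microsoft's onboarding documentation, not from the screenshots above; run it elevated.

```powershell
# Added example: verify Windows Defender ATP onboarding on the local machine.
# Key/value names are those the onboarding package writes (documented names,
# not taken from the original post). Run elevated.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

function Get-AtpOnboardingStatus {
    $result = [ordered]@{
        OnboardingInfoPresent = $false
        OnboardingState       = $null
        SenseServiceStatus    = 'NotInstalled'
        Onboarded             = $false
    }

    # The onboarding .cmd stores the tenant/organization blob in OnboardingInfo
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    if ($policy -and $policy.OnboardingInfo) { $result.OnboardingInfoPresent = $true }

    # The sensor sets OnboardingState = 1 after it has accepted the blob
    $status = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
    if ($status) { $result.OnboardingState = $status.OnboardingState }

    # "Sense" is the service name of the Windows Defender ATP sensor
    $svc = Get-Service -Name Sense -ErrorAction SilentlyContinue
    if ($svc) { $result.SenseServiceStatus = $svc.Status.ToString() }

    # Only when all three agree is the machine actually sending data to the tenant
    $result.Onboarded = $result.OnboardingInfoPresent -and
                        $result.OnboardingState -eq 1 -and
                        $result.SenseServiceStatus -eq 'Running'
    return [pscustomobject]$result
}

$state = Get-AtpOnboardingStatus
$state | Format-List

if (-not $state.Onboarded) {
    Write-Warning 'Not fully onboarded: re-run the onboarding .cmd as administrator and check the Sense service.'
    # Connectivity problems show up in this log once the service is running
    Get-WinEvent -LogName 'Microsoft-Windows-SENSE/Operational' -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}
```

Checking the Sense service matters in practice: the registry blob can be present on a machine that never started sending data, for example when the script was run without elevation and the service remained stopped.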

In my test I can use the data from the machines that Microsoft generates for testing and view the alerts and the dashboard. The first screen is the Dashboard, which shows the general behavior of the monitored environment:

[screenshot: ATP dashboard]

In this case I have no alerts generated in the last 30 days, but I do have the tenant-creation alert, which I use to demonstrate alert management:

[screenshot: alert list]

Each alert can be suppressed, marked as resolved or deleted, either for the whole tenant or only for that particular machine:

[screenshot: alert actions]

Conclusion

This kind of data analysis is essential for corporate security. Soon to be available as a service on Azure, ATP is a new way to analyze and protect your environment.

Using the Azure Log Analytics (OMS) and the SCOM on Same Machine

To use Log Analytics, formerly Operational Insights, together with System Center Operations Manager, you can connect the two from the SCOM console itself.

I described this form of integration back in March 2014: https://msincic.wordpress.com/2014/03/27/integrating-scom-with-system-center-advisor/

Although the name has changed from System Center Advisor to Operational Insights and now to Log Analytics, the process of integrating with SCOM has stayed the same.

But the SCOM integration has a limitation: it only allows one OMS/Log Analytics workspace per management group. In many cases more than one account is needed, for example:

  • Service providers and CSPs, where each client has a different Azure account
  • When we use multiple subscriptions to monitor the same physical environment
  • When one of the accounts is a Visual Studio benefit with limited credits and we want to split the servers across different accounts

In these cases we can use both methods at the same time: install the SCOM agent without linking the management group to a Log Analytics workspace, and configure the workspace directly only on the machines we want.

The first step is to open Log Analytics and copy the Workspace ID and the Primary Key. Note in the example below that my SCOM is already integrated with Log Analytics.

[screenshot: Log Analytics workspace ID and primary key]

The next step is to go to the machine you want to monitor and open the SCOM agent (Microsoft Monitoring Agent) in Control Panel:

[screenshot: Microsoft Monitoring Agent in Control Panel]

In the agent properties, note the Azure Operational Insights tab (the previous name of Log Analytics). You can see in this screenshot that the machine already reports to SCOM:

[screenshot: agent properties, Operations Manager tab]

Enter your Log Analytics account details and that's it; you can now have multiple accounts or per-machine monitoring:

[screenshot: agent properties, Azure Operational Insights tab]

Now my Active Directory data, which previously was not being populated, is filled in and monitored:

[screenshot: Log Analytics AD assessment data]
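Added example, not code from the original post: the same per-machine configuration done from PowerShell through the Microsoft Monitoring Agent's COM configuration object, which is what you want when the workspace has to be added on many machines, or remotely with Invoke-Command. The workspace ID and key below are placeholders. Treat the key as a credential: anyone holding it can inject data into your workspace, so keep it out of scripts at rest and read it from a secure store at run time.

```powershell
# Added example: attach the local Microsoft Monitoring Agent to an additional
# Log Analytics (OMS) workspace without changing its SCOM management group.
# Uses the agent's documented COM object. Workspace values are placeholders.
# Run elevated on the monitored machine.

$WorkspaceId  = '00000000-0000-0000-0000-000000000000'   # placeholder: Settings > Connected Sources
$WorkspaceKey = 'cGxhY2Vob2xkZXI='                       # placeholder primary key (base64)

$mma = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'

# The SCOM side is left untouched; just show what the agent already reports to
Write-Host 'Management groups (SCOM):'
$mma.GetManagementGroups() | ForEach-Object {
    Write-Host ("  {0} via {1}:{2}" -f $_.managementGroupName, $_.ManagementServer, $_.ManagementServerPort)
}

# Add the workspace only if this agent is not already sending to it
$existing = $mma.GetCloudWorkspaces() | Where-Object { $_.workspaceId -eq $WorkspaceId }
if ($existing) {
    Write-Host "Workspace $WorkspaceId already configured (status: $($existing.ConnectionStatusText))"
} else {
    $mma.AddCloudWorkspace($WorkspaceId, $WorkspaceKey)
    $mma.ReloadConfiguration()      # applies the change without a service restart
    Write-Host "Workspace $WorkspaceId added and configuration reloaded"
}

# Verify: every workspace this agent now sends to, with its connection status
Write-Host 'Cloud workspaces (Log Analytics):'
$mma.GetCloudWorkspaces() | ForEach-Object {
    Write-Host ("  {0}: {1}" -f $_.workspaceId, $_.ConnectionStatusText)
}
```

Because the workspace is configured on the agent and not in SCOM, two machines in the same management group can report to two different workspaces, which is exactly the multi-account scenario described above. Whoever can run this script on a server decides where its logs go, so restrict local administrator rights on monitored machines accordingly.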

Installing System Center Service Manager Authoring

In the Technical Preview or 2012 R2 version of Service Manager Authoring it is common to get stuck at the prerequisite check shown below:

[screenshot: prerequisite check failing on Visual Studio 2008 Shell]

Even after clicking through and letting the installer run the Visual Studio 2008 Shell setup, the message that it is not present persists.

To solve this it is important to understand the cause. The Visual Studio Shell is not a single component but a set of them. What happens is that the Service Manager Authoring installer does not install all of these components, only the Shell itself, which in turn needs the other prerequisites.

To resolve it, download the Shell, run it, go to the directory the installer created and run the VS_Shell_Isolated.enu application:

[screenshot: extracted Visual Studio Shell directory]

Note the various components that are installed and updated, which is why the Service Manager Authoring installer does not complete the prerequisite step on its own:

[screenshot: Visual Studio Shell setup component list]

After running the Shell setup, run the Service Manager Authoring installer again and it now passes the check!

[screenshot: prerequisite check passing]

Reinstalling DPM After Evaluation or Technical Preview

One of the common questions I get is about installing System Center Data Protection Manager over an evaluation version or a Technical Preview: when you uninstall it to upgrade, DPM reports that it is already present or that it is installed as an evaluation.

This error happens in several situations, but the most common is when a Technical Preview was used and the uninstall left the license key behind.

To solve the problem, just delete the license key that was "left over":

  1. Open the Registry Editor (RegEdit.exe)
  2. Navigate to the key HKEY_CLASSES_ROOT\Licenses
    [screenshot: Registry Editor at HKEY_CLASSES_ROOT\Licenses]
  3. Delete the key 830D982D-9ADC-4479-85CE-6474F7D00BB1

After removing the DPM license key, the installation completes successfully.
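Added example (not from the original post): the same cleanup from PowerShell, exporting the key first so the change can be undone if it turns out to be the wrong one. Only the key name from the steps above is used; the backup path is an assumption.

```powershell
# Added example: remove the leftover DPM evaluation license key, with a
# .reg backup taken first so the deletion is reversible. Run elevated.

$keyNative = 'HKCR\Licenses\830D982D-9ADC-4479-85CE-6474F7D00BB1'   # from the steps above
$keyPs     = "Registry::HKEY_CLASSES_ROOT\Licenses\830D982D-9ADC-4479-85CE-6474F7D00BB1"
$backup    = Join-Path $env:TEMP 'dpm-license-backup.reg'              # assumed location

if (Test-Path $keyPs) {
    # reg.exe export gives a file that can be re-imported with "reg import" to revert
    & reg.exe export $keyNative $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup failed, not deleting $keyNative" }

    Remove-Item -Path $keyPs -Recurse -Force
    Write-Host "Removed $keyNative; backup at $backup"
} else {
    Write-Host "Key $keyNative not present; nothing to remove"
}
```

Using the Registry:: provider path avoids having to create an HKCR: drive, and refusing to delete when the export fails keeps a bad run from destroying the only copy of the value.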

Microsoft Virtual Machine Converter (MVMC) – Retirement of the product

Microsoft announced this week that MVMC will be retired as a product later this year.

https://blogs.technet.microsoft.com/scvmm/2016/06/04/important-update-regarding-microsoft-virtual-machine-converter-mvmc/

For those who don't know or don't remember what MVMC does: it is a tool to convert physical machines (P2V) or VMs from other virtualization platforms (V2V) into Hyper-V VMs.

What to use in place of MVMC?

The suggested replacement is Azure Site Recovery, but that is really a service and is not useful when the goal is to bring the VMs up in an on-premises environment.

However, for a customer who wants to move a physical environment (P2V) to the cloud (IaaS), Azure Site Recovery is the best option.

For those who need V2V from VMware to Hyper-V, VMM (System Center Virtual Machine Manager) performs the conversion natively.

Finally, for physical-to-virtual conversion (P2V) you can use Disk2VHD, which I have mentioned on other occasions; it is a well-known tool for generating VHDs from physical disks, and I covered it in 2009: http://www.marcelosincic.com.br/post/Ferramenta-to-convert-HD-physical-(in-use)-para-VHD.aspx (pt-BR)

Disk2VHD download: https://technet.microsoft.com/en-us/sysinternals/ee656415.aspx

Software Asset Management (SAM) with System Center Configuration Manager – Windows and Office Desktop (Part V)

In this fifth article on using SCCM for SAM (Software Asset Management) we start reading the reports involving data from Windows desktops (clients) and Office.

To recall our agenda and the list of topics, use the link to the first article: https://msincic.wordpress.com/2016/05/03/software-asset-management-sam-with-system-center-configuration-manager/

Introduction

Licensing of the Windows client and Office is not complicated to interpret. Basically the calculation is done by adding up the versions and editions installed and comparing them with the licenses the company owns.

For client licensing it is more important to understand the different licensing types of the products involved, so as not to fall into the "traps".

Windows

OEM

Windows is typically not bought under a contract, since most companies buy computers with an OEM license. The greatest difficulty in an audit or in software asset management for OEM is having to keep all the invoices. And if the license is FPP (boxed), the label (COA) must be stuck to the machine and the box kept for as long as that machine runs the OS.

References: http://windows.microsoft.com/pt-br/windows/genuine/business#T1=tab01

And when the customer does not have the invoices or the box?

In this case it is necessary to buy a regularization license, GGS, GGK or GGWA (Get Genuine), for each machine without an invoice. The cost of regularization is very similar to an FPP license, but it makes control easier, since it is a volume contract and there is no need for a sticker on the machine.

It is also possible to buy Windows through licensing contracts, for example EA (Enterprise Agreement), EAS (Enterprise Agreement Subscription), MPSA (Microsoft Products and Services Agreement), or with Office 365 online licensing through ECS (Enterprise Cloud Suite).

Note: future articles will cover the different contract types: https://www.microsoft.com/en-us/Licensing/licensing-programs/enterprise.aspx

Under EA, EAS and MPSA contracts, licensing can be done either through the regularization already mentioned or through a bundle called ProDesk (Professional Desktop), which includes Windows, Office and Core CAL at a lower price than when purchased separately.

Windows Enterprise and VDA

Under EA and the ProDesk bundle you can acquire Windows Enterprise, which has some important features, for example MDOP, a set of tools (App-V, MBAM for BitLocker management, AGPM) that comes with SA (Software Assurance).

VDA (Virtual Desktop Access) covers the virtual client machines that exist in the environment. The license of a physical client machine cannot be reassigned to a VM, except in the case of Windows Enterprise with SA. In all other cases a VDA license must be bought for each Windows client VM that is inventoried.

Reference for Enterprise with SA: https://www.microsoft.com/en-us/Licensing/licensing-programs/software-assurance-by-product.aspx#tab=2

Upgrade for Windows 10 (29/July/2016)

The free upgrade to Windows 10 can be done until 29 July under any purchase method, mostly OEM. Customers can upgrade and keep running.

What is the difference for someone who upgrades after that date?

Automatic activation of Windows 10 with an existing licensed or OEM key is only possible until this date. If you do not upgrade by then, the machines will fail to activate and you will need to buy a new license or go back to the previous version.

Right to Downgrade

The page https://www.microsoft.com/pt-br/licensing/learn-more/brief-downgrade-rights.aspx has the download link for the document detailing OS downgrade rights:

[screenshot: Windows downgrade rights table]

Microsoft Office

Like Windows, Office can be bought as OEM, FPP, Get Genuine (GG) and under volume contracts, with the same rules as above.

To avoid repetition, let's address only what differs from the Windows client.

Downgrade rights

The same document cited for Windows defines the downgrade rights for Office:

[screenshot: Office downgrade rights table]

Downgrade rights apply to version only, not to edition: owning Office 2013 Standard I can use Office 2010 Standard, but I cannot buy Professional and use Standard.

Office 365 Online

The Office 365 online plans do not by themselves license the full versions installed on desktops.

It is important, for customers who have Office licenses to regularize and bought Office 365 ProPlus (separately or as part of ECS, E3 or E5), that the full (perpetual) versions be uninstalled.

The reason is that the full versions of Office are activated with a product key and are perpetual, while the Office 365 versions are validated against the user's Microsoft account ID and stop working when the subscription expires, as they should. For customers who bought the online version but are still running the full version, expiration will never occur, so the switch to the Office 365 version is required.

License per Device or User

Office and Windows allow both licensing types; the right one is defined by the usage profile.

Most customers use per-device licensing, since we count the machines and assign one license per computer. In an environment with Office 365, however, licensing is per user, and you need to understand the difference and how to count.

For per-user licensing you need to count how many users in AD are neither administrative accounts nor machine accounts, and buy that many licenses.

Per-user licensing is beneficial when the same user uses mobile devices to access their mail account, since it includes up to 5 devices per user.

Per-device licensing has the advantage of not requiring control of users, and shared machines are allowed; in most environments there are more users than machines.

Maintaining environments with both licensing types (Device and User) is possible but complex to control. In that case you need to count and keep track of which machines have a device license and which users are covered by a per-user license.

To find out how many user licenses would have to be bought, if that is the expected volume, you can use the Asset Intelligence reports we saw in previous articles, especially those that show shared computers and the primary user of each computer.

Conclusion

Windows and Office licensing is not that complex, but it demands attention because of the volume, especially Office Professional, which has a high cost.

General Reference: https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx

Software Asset Management (SAM) with System Center Configuration Manager – Software Metering (Part IV)

In this fourth article on using SCCM for SAM (Software Asset Management), let's talk about Software Metering (software usage metrics).

To recall our agenda and the list of topics, use the link to the first article: https://msincic.wordpress.com/2016/05/03/software-asset-management-sam-with-system-center-configuration-manager/

Introduction of the Software Metering

When managing software it is important to control who needs and actually uses a given software asset. We often face users requesting and installing various software, or even including it in images, with the company paying the bill for something that is never used.

Up to version 2007 R3 it was possible to set how many concurrent executions of a piece of software were allowed, but this type of licensing no longer exists. Current licensing rules cover the installation of the software, not its execution. Companies that still use the concurrent-use model rely on license servers or hardware keys.

A good example of the need for Metering is products such as Access, Visio and Project. Many Visio and Project installations were made for a single occasion when the user needed them, and they stay there consuming a license and therefore money.

The case of Access is the difference between Office Standard and Office Professional, whose prices are very different (Professional can cost more than twice as much as Standard) while the main functional differences are Access and the full Skype for Business. Few users actually use Access; most could use only the Runtime engine. For SfB, the Basic version can be used; it just lacks VoIP and multi-point conferencing, features that most users rarely need day to day.

Enabling the function

Software Metering is not a site system role but a client feature, controlled through client settings and collected by the Management Point. Its basic operation can be described as:

  1. You enable Software Metering in the client settings
  2. You create or enable the rules for the inventoried software to be metered
  3. The agent receives the metering rules and tracks use of the indicated software
  4. The data is periodically sent to the Management Point, which consolidates it

To enable it, go to Administration -> Client Settings and change the default settings or create custom ones:

[screenshot: client settings, Software Metering]

In the example above I enabled Metering and set the agents to report every 7 days. This interval matters within your asset management schedule: if you manage assets monthly you could increase the period to biweekly, but remember that a long collection period can leave the data stale.

For example, if the collection period is 20 days and a given agent reported its data on the 14th, it will only report again on the 4th of the following month. If your reports are generated on the first day of the month, they will have incomplete data in this example. So in general choose a period of 5 or 7 days.

After enabling it in the client settings, you can set on the server how long the data is retained and whether the software list should be populated automatically:

[screenshot: Software Metering properties on the site]

Note that you can make a program appear in the list automatically only if it is on more than 10% of computers, to prevent the list from growing with every executable that exists on the machines. Also note that we can set a limit (100 programs in the example) after which rules are no longer created for new software.

Defining the software that will be measured

Metering takes advantage of software inventory to generate a list, with all entries disabled:

[screenshot: Software Metering rule list]

The easiest way to work with Metering is to enable it for the desired software, but there is an inconvenience: the file version (File Version), because the inventory generates one rule per version.

[screenshot: auto-generated rule with a fixed file version]

This can be useful for companies that have licenses for multiple versions of the same software, for example Visio 2010, 2013 and 2016. In those cases it is possible to know who uses which version of Visio.

In most cases, however, it is irrelevant. We do not control who uses each version, because almost all software does not allow different versions on the same machine.

Therefore you can edit the rules or create new ones using wildcards such as "*" to indicate that any version, language or name matches the rule. For example, we can change the VMConnect.exe rule above from a fixed version to "*" or "6.*", widening the measurement instead of creating one rule per version.

You can also create your own rules, like the example below:

[screenshot: new Software Metering rule for Word]

In this case we are metering use of Word in any language and any version of Office.
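As an added example (not the post's own content), the same rules created from the ConfigMgr PowerShell module instead of the console, which is how I would keep them consistent across sites. The site code P01, the product names and the file names are assumptions; LanguageId 65535 is the value the console uses for "any language". Run it from a machine with the ConfigMgr console installed, as a user with rights to manage metering rules.

```powershell
# Added example: manage Software Metering rules with the ConfigMgr cmdlets.
# Site code, product names and file names are assumptions for illustration.

# Load the module that ships with the console and switch to the site drive
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
Set-Location 'P01:'

# One rule for Word in any version and any language (LanguageId 65535 = all),
# instead of one auto-generated rule per inventoried file version
$wordRule = 'Microsoft Word (any version)'
if (-not (Get-CMSoftwareMeteringRule -ProductName $wordRule)) {
    New-CMSoftwareMeteringRule -ProductName $wordRule -FileName 'winword.exe' `
        -FileVersion '*' -LanguageId 65535 -SiteCode 'P01'
}

# Widen the auto-created VMConnect rule(s) from a fixed version to the 6.x family
Get-CMSoftwareMeteringRule |
    Where-Object { $_.FileName -eq 'vmconnect.exe' } |
    Set-CMSoftwareMeteringRule -FileVersion '6.*'

# Enable the auto-generated rules for the products that actually drive licensing
# cost (Visio, Project, Access), leaving the rest of the inventory list disabled
$licensed = 'visio.exe', 'winproj.exe', 'msaccess.exe'
Get-CMSoftwareMeteringRule |
    Where-Object { $licensed -contains $_.FileName -and -not $_.Enabled } |
    Enable-CMSoftwareMeteringRule

# Review what will be metered from now on
Get-CMSoftwareMeteringRule |
    Where-Object { $_.Enabled } |
    Select-Object ProductName, FileName, FileVersion, LanguageID |
    Format-Table -AutoSize
```

Enabling only the rules for the products that carry a real license cost keeps the metering data small and the reports readable; every enabled rule is one more thing each client tracks and reports.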

Software Metering reports

There are currently 13 Metering reports:

[screenshot: Software Metering report list]

Some are very interesting and worth mentioning.

The first is "Total Usage for all metered software programs", which gives summary data for all software with an enabled rule, separated by local use and use over Remote Desktop:

[screenshot: Total Usage for all metered software programs]

Since TS/RDS licensing differs from local licensing, this data is very important for optimizing the company's licensing.

Another report that is not about licensing but has administrative value is "Time of day usage summary for a specific metered software program", as it provides a view of demand:

[screenshot: Time of day usage summary]

For example, this information can be used to assess network load from client/server applications such as SAP, TOTVS or others that have usage peaks during the day.

Other reports also provide interesting data:

  • Computers that have a metered program installed but have not run the program since a specified date – shows the computers that have, for example, Project and did not use it during the whole month
  • Computers that run a specified metered software program – the reverse of the previous one, showing who used the program during the month
  • Total usage trend analysis for a specific metered software program – details the previous one, showing how many times a given program was used and for how long. This makes it possible to identify someone who opened a program and kept it open for 10 seconds, indicating that it was actually opened by mistake.

Conclusion

Software Metering is not strictly part of SAM; it does not represent licensing data the way Asset Intelligence does.

However, Software Metering is essential to reduce and optimize the licensing companies pay for, since it lets you know who actually uses a given piece of software for their work.
