Microsoft TechCommunity Top Posts January 2022, Week 2

Here’s my weekly picks on the subjectively best blog posts from TechCommunity:

Released: January 2022 Exchange Server Security Updates

Security updates for Exchange 2013, 2016 and 2019 are out, and as always, there are exploits these mitigate. Note that https://aka.ms/ExchangeUpdateWizard will ask what you’re upgrading from and to, and talk you through the process. It does expect you’ve done this before, though: the high-level ‘Update your AD schema with this switch’ instructions leave you to go and work out how to do that, which involves downloading the latest ISO for Exchange, mounting it, then running setup.exe with some switches. It also notes that these patches don’t fix the January 2022 transport queue buildup issue (Y2K22). Get patching!

Create a resume website – no coding experience required!

This one’s a really neat idea – use GitHub Pages for free, to have a static online resume. No fees, no special hosting stuff – it’s what I run msportals.io off of. Good practice in doing something fairly simple on GitHub Pages. A workshop is available to work through it all.

SQL Injection: example of SQL Injections and Recommendations to avoid it

I’m not someone who dabbles in SQL too often, but this is a nice clear post demonstrating simply how SQL Injection can work by searching with the string ‘ or 1=1 or 1=’ – then how to avoid it in code, and how Microsoft Defender for Cloud can detect and notify on those sorts of attacks.
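The search string mentioned above, run against a concatenated query and a parameterised one. This is an added example, not code from the linked TechCommunity post or from this blog: the products table, its rows and the function names are constructed for illustration, and the string is assumed to be `' or 1=1 or 1='` with straight apostrophes.

```python
import sqlite3

# Constructed sample data: the last row is flagged as not for public listing.
ROWS = [
    ("Surface Laptop", 1),
    ("Surface Pen", 1),
    ("Pen's Case", 1),
    ("Unreleased prototype", 0),
]

# The search string quoted in the paragraph above (assumed straight apostrophes).
PAYLOAD = "' or 1=1 or 1='"


def make_db():
    """Build an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, public INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", ROWS)
    return conn


def search_vulnerable(conn, term):
    # The input is pasted into the SQL text, so its quotes become SQL syntax.
    # With PAYLOAD the WHERE clause reads:
    #   public = 1 AND name = '' or 1=1 or 1=''
    # and the "or 1=1" makes it true for every row, public or not.
    sql = ("SELECT name FROM products WHERE public = 1 AND name = '"
           + term + "' ORDER BY name")
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, term):
    # The input travels separately from the SQL text and is only ever
    # compared as a value, whatever characters it contains.
    sql = "SELECT name FROM products WHERE public = 1 AND name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (term,))]


def vulnerable_rejects_apostrophe(conn):
    # Same root cause, seen from the other side: a legitimate name with an
    # apostrophe breaks the concatenated query with a syntax error.
    try:
        search_vulnerable(conn, "Pen's Case")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("concatenated :", search_vulnerable(db, PAYLOAD))
    print("parameterised:", search_parameterized(db, PAYLOAD))
    print("apostrophe breaks concatenated query:", vulnerable_rejects_apostrophe(db))
    print("apostrophe with parameter:", search_parameterized(db, "Pen's Case"))
```

Errors like the one caught in `vulnerable_rejects_apostrophe` turning up in application logs are often the first visible sign that a query is being built by concatenation.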

New to Microsoft Certification exams? We have something you need to try

Really good idea from Microsoft here – an exam sandbox so you can get a feel for how the exams work (without actual exam questions) which can help people be prepared for what they’ll experience doing their first real Microsoft exam. I’ve added this to https://msportals.io too :)

Continuous Access Evaluation in Azure AD is now generally available!

This is a great addition to the security Azure AD provides. Instead of just assessing risk at the time of login, Azure AD will now continually assess risk, and force re-auth if something changes that it decides has increased the risk of the account such as location change or password change. It’s auto-enabled so you don’t have to do anything, but good to be aware of.

Getting Started with a Windows 365 POC

I personally haven’t even looked at Windows 365 yet – so if I was going to get started, this is the perfect sort of blog post to get things going. It looks pretty easy without too many steps, so check this out if you want to have a play.

Microsoft Defender for Endpoint Plan 1 Now Included in M365 E3/A3 Licenses

Defender for Endpoint P1 is now in M365 E3/A3 licenses. If you’re wondering what P1 is, the article has a comparison table. That means if you have Defender for Endpoint already, it’s probably now P2. Microsoft Defender for Endpoint P1 is looking pretty cheap at $3US per user per month if you don’t already have E3/A3. This still goes to show that Microsoft licensing is hard and confusing, with so many factors to consider.

That’s it for this week, as always you can see the entire feed of TechCommunity posts at https://twitter.com/MSITTechNews

Microsoft TechCommunity Top Posts January 2022, Week 1

This year, I’m going to pick the most interesting TechCommunity Blog Posts on a weekly basis, and talk about them. There’s so much good content that gets posted and can be missed. This is of course from my point of view and the things I care about, but I hope it’ll help others pick up on some things they might have otherwise missed.

I also have a dedicated Twitter feed that posts all TechCommunity and Azure Blog Posts at https://twitter.com/MSITTechNews if you’d rather see everything.

Here’s my picks:

Email Stuck in Exchange On-premises Transport Queues

Yikes, not a great way to start the year off – referred to as the Y2K22 bug, Exchange On-Premises servers (including ones for hybrid) were getting stuck in transport queues and eventually rejecting emails due to a date issue in malware scanning – it didn’t like the year 2022. Amusingly, the fix sets the date on the signature file as December 33rd, 2021 to get around it. The latest CU11 for Exchange 2019 doesn’t fix it, so unlikely other CUs for other versions of Exchange fix it either.

How to Remote Assist Autopilot Deployments with Quick Assist

This is about using Quick Assist to remote onto someone’s computer as part of Autopilot. It’s interesting we don’t have a nice native way of remoting into a computer we control still without requiring user input – but it does make sense if the machine is still being configured. It’d be better if one of the first things Autopilot did was allow remote controlling by an administrator without having to talk the user through opening command prompt with key combos and typing in commands.

Zero-touch onboarding of Microsoft Defender for Endpoint on iOS now in public preview

Using Microsoft Endpoint Manager to deploy Defender to iOS devices without any user input – I love the idea, but this one needs careful planning, testing and communication. What does Defender on iOS actually do? Check out the capabilities such as Web Protection, Threat and Vulnerability Management, and Jailbreak Detection.

Cannot enable Advanced Threat Protection on Managed Instance server

A simple post showing an error when trying to enable Advanced Threat Protection (we’re still apparently calling it that because it’s a pain to update everything with constant name changes!) and workaround. I’ve posted there suggesting they have a readable screenshot of the actual error, and put it there in plain text too so it’s searchable.

How to Manage Microsoft Teams Meeting Recording Auto-Expiration

“New recordings will automatically expire 60 days after they are recorded if no action is taken, except for A1 users who will receive a max 30-day default setting. The 60-day default was chosen because, on average across all tenants, 99%+ of meeting recordings are never watched again after 60 days. However, this setting can be modified if a different expiration timeline is desire”

I’ve gone and turned off the auto-expiring of meeting recordings. Why would I want that? Microsoft’s argument quoted is that people don’t watch them after 60 days 99%+ of the time – except what about the < 1% when you do need it? I only need to lose one meeting to be angry that this setting was ever there. There’s also a slight error in the post:

“To change the default auto-expiration setting for your tenant, go to admin.teams.microsoft.com, navigate to Meetings > Meeting Policies > Add in the left navigation panel”

Add isn’t in the left navigation panel, and we probably shouldn’t be adding a new policy, but instead adjusting the Global (Org-wide default). Creating a new policy that’s not applied to anyone won’t do much :)

I’ve posted the above there and hopefully it will get updated.

That’s it for week 1!

Synology C2 Backup for Business Review

Last year, I reviewed Synology’s Active Backup for Office 365 which is a cheap way of keeping another copy of Microsoft cloud data, as long as you have enough disks and space to fit it on.

This time, I’m looking at their Synology C2 | C2 Backup solution for businesses – which has a 90 day free trial (credit card details not required). This is a cloud based backup service – so no hardware required. Their support for Microsoft 365 data is quite new, and right now will cover user Exchange Online mailboxes, with OneDrive support coming in Q2 2022. Synology asked me to look at this and answered a few questions around timeframes; they’ve previously given me hardware to review, but this is not paid for content.

C2 Backup is one part of the C2 offerings, but you can pick and choose which components you want without requiring the others:

C2 Password
C2 Backup
C2 Transfer
C2 Identity
C2 Storage

At the time of writing, Synology have 3 regions you can choose from for C2 Backup: Europe – Frankfurt, North America – Seattle, and APAC – Taiwan. I’ll run through setting this up while giving a bit more information around what it is.

After creating an account, the first step is to pick your subscription – Monthly or Annual. The rates (which I won’t quote here in case they change, go have a look on their website) are per month and per terabyte, with the minimum at 5TB and the maximum 200TB.

I will note that there is an individual option that works a bit differently, but won’t run through that in this article. The data limits are smaller at 500GB, 2TB or 5TB and I’m sure there are other differences in the service vs the business option.

Next is setting up your domain, which will be a subdomain of c2.tw. You can’t change this later!

As I’m just doing a trial, I’ll skip the payment information, but it warns:

Continue without setting up a payment method? If you do not set up a payment method before the end of your free trial period, your subscription will not be automatically renewed.

Next is setting up the C2 Encryption key. This is like your password, but to all the data the service will hold. Synology point out they don’t store this – so you need to secure it yourself. If you lose it, you can’t decrypt your data and nor can Synology. They do provide a recovery code once this is done, which again you’ll need to keep – think of it as a backup password. You will be prompted to download a txt file containing the recovery code onto your computer.

Next is choosing the source of the data you want to back up. This screen will just jump you to the page for either – you’re not making a single choice between the two – it can do both.

Briefly looking at the On-premises device option, there’s 2 types of backup it can do: Personal Computer or Physical Server. There’s also Backup Policy where you can set the backup rules such as frequency, schedule and scope.

Backing up a computer or server will require an agent to be installed and signed into. Once done, a Backup Policy needs to be configured so the C2 platform knows what to back up and when. The policies are pretty simple, and the default policy will just back up everything daily, and keep all versions forever.

On the Cloud side of backup sources, we have support for Microsoft 365. You’ll need to sign in with an account that can grant access to certain areas of Microsoft 365.

It will need a little bit of time to connect before you can start configuring (about 30 seconds wait for me).

The next screen lets you pick which users to back up – which will most likely be all of them.

You don’t have to worry about adding future users in manually, there’s an option for Auto-Protection which will detect new users daily and just add them in. Note the 250 user maximum on this.

Once done, you’ll see the list of users you chose with the status ‘Not backed up yet’. You can trigger a backup now through the ellipsis button rather than waiting for the daily cycle.

The first backup will probably take quite a while – but after that first one is complete, future backups are incremental so will run a lot quicker.

The recovery portal is viewed in a per user state, you can choose which version you want to browse through (by date), and search if you’re looking for something in particular.

When restoring emails, you can either choose the emails you want to restore, or just restore everything. For specific emails, you can choose where to restore (either where they came from, or in a different restore folder) and if you want to overwrite existing items or not (only when restoring to original folder).

Restoring a single email for me only took a few seconds. Searching for emails was also very quick, with results coming up within a few seconds again.

Leaving the service going for a week, it has backed up successfully each time, and I can wind back to the daily versions for mailbox content with ease.

It also provides a self-service restoration portal where end users can browse backups and recover files by themselves.

I’ve reviewed and tested a few other backup solutions; this is one of the easiest to do out there, but I’m also hanging out for some of the features still on the roadmap. If you only care about emails via Exchange Online, then the platform is ready to go.

It will be interesting to see how far Synology takes their C2 Backup service; being quite new I’m impressed that they’ve got the most important items (emails) backing up reliably, with a simple to restore process. If you’re looking for a ‘forever’ copy of everything in a mailbox on a daily basis, this is worth checking out.

My Windows 11 List Of Demands

Windows 11 is a nice visual refresh to the Windows line of Operating Systems. However, there has been a simplifying and removal of many useful functions; usually these are just hidden behind more clicks, which leaves a more frustrating experience when we’ve become used to a certain way of doing things.

In no particular order, here are the bugbears I’ve found so far in using Windows 11, and if I’ve found a fix/workaround/setting change:

Start button Location Moved to Middle

The Start Button is in the centre of the screen by default – breaking what we’ve been doing constantly since Windows 95. This change seems unnecessary and even on my 44″ Ultrawide monitor, I’d rather it in the bottom left. I tried leaving it in the middle but gave up after a week.

You can change this back to the left side by:
Click ‘Start’ > ‘Settings’ (if you don’t see it, type it)
Click ‘Personalisation’ > Taskbar (not Start, where you’d expect it!)
Click ‘Taskbar behaviours’ to expand it.
Under Taskbar alignment, change the dropdown from ‘Center’ to ‘Left’

Task Manager missing from right click on taskbar

Task Manager has grown into a much more useful tool since Windows 10, beyond just killing off programs; it provides a bunch more visibility into what your computer is actually doing. For some reason, being able to access it via a right click on the taskbar has been removed.

Ctrl + Shift + Esc will still bring up Task Manager, but it’s one of the more awkward key combos. Right clicking on the Start button itself will bring up a very useful menu (as it does on Windows 10), with one of the options still bringing up Task Manager.

The new way I’ll probably try to teach myself to bring up Task Manager is, Winkey + X > T.

‘Edit’ option missing from File Explorer right click (and others)

If you have a look at the right click menu against a file in File Explorer, it will be a much shorter list than what you’re used to. Several common functions (cut, copy, rename, share, delete) are icons at the top, but everything else that didn’t make the ‘cut’ is in the ‘Show more options’ menu, which takes you back to the classic looking right click menu.

As Nathan McNulty pointed out, this can be restored to the old ways via a reg setting (run in PowerShell):

New-Item -Path "HKCU:\Software\Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32" -Value "" -Force

or via Command Prompt:

reg.exe add "HKCU\Software\Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32" /f /ve

File Explorer Command Bar Simplified

File Explorer had a bunch of useful options in the top Command Bar. They’ve mostly been removed (seeing a trend here?) to simplify and show only a few options. The idea of tabbed menus is completely gone. Some options like ‘Map network drive’ are in an ellipsis menu.

PowerShell:

New-Item -Path "HKCU:\Software\Classes\CLSID\{d93ed569-3b3e-4bff-8355-3c44f6a52bb5}\InprocServer32" -Value "" -Force 

Command Prompt:

reg.exe add "HKCU\Software\Classes\CLSID\{d93ed569-3b3e-4bff-8355-3c44f6a52bb5}\InprocServer32" /f /ve

Show all icons in Notification Area

Those little icons in the bottom right side of the taskbar – that’s the notification area. I like seeing them all, rather than having them hidden in a submenu. Windows 10 has an option to ‘Always show all icons in the notification area’. In Windows 11, this option isn’t available. I did learn that rather than mucking around with settings, you can just drag an icon out of the menu and pop them straight onto the notification area – but you shouldn’t have to do this for each icon.

Programs in Task Bar don’t expand out

In Windows 10, I’m used to having a reasonable sized bar for each program I have open. It shows the Icon and a bit of text to help identify what the program is (or in the case of Microsoft Edge, which profile/web page for those untabbed). It’s great, it uses up all that task bar space. The second monitor does have a consolidated view, but I drive which program I want by clicking in the primary task bar.

Windows 11’s design is to remove that, and have all taskbar programs just show the icon. For pinned programs, you’ll need to look for a blue line/dot below the icon, to indicate a window is open. Multiple windows of File Explorer open? They’re consolidated into the one icon, you’ll need to hover over that and pick the one you want.

This one isn’t possible to restore natively, and there’s a lot of feedback about people wanting it.

Widgets

Widgets are back again (I actually liked them in Vista) except this time, Widgets is a popout menu triggered by a button in the Task Bar (although checking an Insider’s build, this looks like it will change to a weather button in the bottom left). The Widgets popout menu then contains a bunch of sections around news, weather, stocks, eSports, Traffic and so on.

Its ability to remember what I actually like or don’t like seems non-existent. I’ve removed ‘NBA’ that many times (and yes, I am signing into Widgets with the same account, and on Windows 10 the News and Interests button works the same way). It’s a very US centric service – and only has configuration around 3 Australian Cities (Sydney, Brisbane, Melbourne). There’s a web search function, which of course only uses Bing. Although I like seeing the temperature, if you want to turn off Widgets:

Click ‘Start’ > ‘Settings’ (if you don’t see it, type it)
Click ‘Personalisation’ > Taskbar
Under ‘Taskbar items’ turn the switch ‘off’ for Widgets.


I’m sure there are a bunch of other frustrations in the simplification of Windows 11, as I’m sure the idea is that there’s too many buttons and options for a ‘regular’ user, so the idea is to clean it all up. The problem is that for many people used to these options, it feels like a step back.

Maybe the approach Microsoft should take is to have Windows 11 ‘Basic Mode’ and ‘Advanced Mode’ to try and keep everyone happy?

There are some good features in Windows 11 too, such as Snap Layouts / Snap Groups, where you can pick the size of the window to fill in your screen – handy on an ultrawide, where you want to move a window to the right third of the screen. There’s also the whole Android app support that’s coming…

Anyway, it’s early days for Windows 11 – and although there’s plenty of criticism from Insiders on recommendations that were not taken up, I expect we’ll see the continual improvement and evolution of the platform; mostly for the better (News and Interests is one of the reasons I say ‘mostly’).

Microsoft Edge has an Identity Problem

Right now, it appears that Microsoft Edge is trying to be everything to everyone – which sounds good, until you look at what it could turn into. For enterprise and business, it’s a constantly updated browser that receives frequent Security Baseline recommendations to keep the browser’s settings in line with what Microsoft deem as best practice – just like Windows 10/11 and Office apps.

There’s even a ‘Super Duper Secure Mode’ (which I’m surprised the Microsoft Marketing team approved the name of) which promotes using the browser in the most secure way possible.

Microsoft also provide a fairly open roadmap of upcoming features, and look for feedback on new items. Check out this list of feedback provided to Microsoft, how long it’s been on their list for, and the status.

The browser itself supports profiles that sign into Azure AD accounts (amongst others) and sync profile data securely to the tenant that account lives in – which can include browser history, favorites, and cached passwords. I’m highlighting here how much trust is put into what Microsoft holds on their business users.

This is the Microsoft I’m a fan of. It’s also why we have openly found out about a new feature currently in canary and dev builds called ‘Buy now, pay later’. And, it’s also why I’m so disappointed to see this feature, as it flies in the face of what it seems Microsoft is trying to achieve with this trusted, natively embedded in the OS, browser. You can see the angry comments on the TechCommunity post above.

I’d already tweeted my disappointment:

Which led to a journalist asking for my views for this article:

https://portswigger.net/daily-swig/microsoft-pushes-ahead-with-controversial-buy-now-pay-later-feature-for-edge-browser

I’ll try not to repeat what I wrote there, but it sets a precedent of a slippery slope on where the browser ends and third party features start. Microsoft who have become one of the more ‘woke’ (which I use as a compliment, not an insult) IT companies, should they really be encouraging ‘buy now, pay later’ to encourage people borrowing money to buy things online?

What I’m really hoping to see is the retraction of this feature, and it’s why I say Microsoft Edge has an identity problem. It can’t be both a consumer and a business/enterprise solution at the same time, if this is the path Microsoft is taking aspects of the browser down. Do we need to have a consumer SKU and an enterprise SKU of the browser? Different installers?

For the particular feature in question, there doesn’t appear to be a way to turn it off specifically. You CAN turn off ‘Save and fill payment info’ which I expect would disable the Zip pay option, but that’s a handy feature you’re removing from users.

Having Candy Crush baked into Windows 10 Home is questionable, but in Windows 10 Enterprise it’s ridiculous (which thankfully it isn’t). However, it’s in Windows 10 Pro.

Am I being too harsh? So many online stores have the Zip pay option on their own store, along with Paypal payment plan options, so does it matter if Edge does it natively too? In my personal opinion it still does matter, because it’s a line that shouldn’t be crossed at all; advertising and the promotion of third party services for profit, native to the trusted browser. If the desktop wallpaper in Windows 10 was changing to promote anything outside of Microsoft services, people would be outraged.

I also expect Microsoft has a reasonable agreement lined up with Zip, which would make reversing this decision harder (or costlier), which will mean they won’t give it up quickly. Historically we have seen Microsoft change direction based on waves of negative feedback – which is awesome – but I’m really unsure if that will be enough this time.

Microsoft needs to decide what Microsoft Edge is. Is it a trusted platform, or is it a vehicle to increase revenue directly through partnerships, making money off the user? If it’s both, then it needs to have a high level switch to allow users and companies to turn off the money making side – especially when we’re already paying for the OS, and the browser is bundled with that.

Edit: I believe this feature will only turn up if you’re signed into the browser’s profile with a Microsoft account – so less of an impact on business users, but the general points still stand. I’ve seen this profile detection behaviour recently, where advertising for the Microsoft Start app only popped up when I was logged in with a consumer profile, potentially triggered by one of Microsoft’s home pages – having the same home page in an AAD account profile didn’t show.