Security Quality Rollup Confusion – Windows Updates

Since October 2016, Microsoft have updated their Windows Updates model (for Windows 7, 8.1, Server 2008 R2 SP1 and Server 2012 R2) to a more cumulative approach. To their credit, they had this communicated months before it started, and the word got around long before the first patch rolled out.

At the time I talked to Tom Walat who was reviewing what people thought of this model. There’s been a bit of confusion and changes in the model, including a new one for February 2017 where Internet Explorer will be separated and have its own rollup. If you manage WSUS, you need to be across these changes.

There’s a great detailed blogpost on TechNet about the history and changes, as well as this really useful table:

Windows Updates for 7 and 8.1 table for Feb 2017 (source)

Here’s the TLDR version, which is still long, sorry:

From October 2016 to January 2017, there have been two main update rollups. The first is the Security Monthly Quality Rollup, which contains ‘all the patches’. In WSUS, this will have a name like “January, 2017 Security Monthly Quality Rollup for Windows 7”. There is a separate rollup for Windows 7, 8, Server 2008 R2 and 2012 R2. These are cumulative – each Rollup includes all previous rollup patches, but nothing that’s before October 2016. This is the recommended package.

There’s also the similarly named Security Only Quality Update which has just been ‘all the security patches’. This will have a very similar name, e.g. “January, 2017 Security Only Quality Update for Windows 7”, again with a separate update for each OS. These are not cumulative, and each needs to be installed separately. These updates are only required if you’re not doing the monthly rollup for some reason (e.g. one of the updates in the rollup breaks something).

Those both included Internet Explorer, but as of February 2017 that will be its own separate set of updates. The IE update set will be cumulative – including all older updates in each new package.

That separate IE set of patches is the Cumulative Security Update for Internet Explorer, which will be cumulative like the Rollups, where you only need the latest one.

These are big changes and it’s worth getting your head around it all – the end goal is to have only monthly updates for anything older than Windows 10.

There may be future changes as to how this model works, so make sure you keep up to date with what Microsoft is doing in this space.

Azure Active Directory – Assigning Groups to Applications in PowerShell

Azure Active Directory Applications have been around for a while, but I’ve found it hard to find good information on them beyond the biggest benefit of Marketplace Apps.

Along with my Azure AD B2B journey (still in preview at time of writing), the option of pushing out something like a SharePoint Online site as an app is one of the jigsaw pieces required to make the whole B2B process work – as a version of the apps page is displayed as the default link to anyone who accepts an Azure AD B2B invite and logs in for the first time.

MyApps – an externally invited user will only see the apps they have access to (by default, none)

I’m trying to gloss over details here, as there’s a lot of steps with different parts of the Microsoft world to get a process automated end to end for inviting external users to a SharePoint Online site – but the last step of assigning a user or group to an application has no documentation I could find, that showed how to achieve this via PowerShell.

All I want to do here, is create an Application in Azure AD, then assign a group to it. Members of the group will then see the application on MyApps.

Two different modules are required – Azure Active Directory V2 PowerShell module and Azure Resource Manager.

What we can do with these two modules is first create the application with the New-AzureRMADApplication command:

New-AzureRmADApplication -DisplayName "SharePoint Online Site A" -HomePage "https://contoso.sharepointonline.com/sitea" -IdentifierUris "https://contoso.sharepointonline.com/sitea"

Easy, now you have an application that will point to the URL entered in Azure Active Directory. Assigning a group to it is a bit trickier…

First, a few values need to be obtained:

$app = Get-AzureRmADApplication | where displayname -eq "SharePoint Online Site A"
$appid = $app.ApplicationId
$fullgroup = get-msolgroup -all | where displayname -eq "SharePoint Online Site A"

This is getting the two objects as variables – the Application itself, and the group that you want to add onto it.

Then a new Service Principal needs to be created based on the Application, as this is required when adding the group onto the application:

New-AzureADServicePrincipal -AppId $appid

Another variable is needed, which is the new Service Principal we just created:

$servicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$appId'"

Finally, we can assign the group to the application:

New-AzureADGroupAppRoleAssignment -objectid $fullgroup.objectid -principalid $fullgroup.objectid -resourceid $serviceprincipal.objectid -id ([Guid]::Empty)

You can check that this has applied by the Azure Active Directory portal too, by going to your Active Directory section, choosing ‘Applications’ and finding your app, then go into ‘users and groups’ and find the group. You should see a ‘yes’ in the assigned field.
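The steps above collected into one re-runnable script, as an added example that is not part of the original post. It assumes you are already signed in with Login-AzureRmAccount and Connect-AzureAD, looks the group up with Get-AzureADGroup instead of Get-MsolGroup so only two modules are needed, and adds two things the post does not do: it sets AppRoleAssignmentRequired so that only assigned users and groups can sign in to the application, and it reads the assignment back from PowerShell rather than the portal.

```powershell
# Added example (not the post's own script). Names and URL are the post's sample values.
$ErrorActionPreference = 'Stop'
$appName   = 'SharePoint Online Site A'
$groupName = 'SharePoint Online Site A'
$siteUrl   = 'https://contoso.sharepointonline.com/sitea'

# 1. Create the application only if it does not already exist.
$app = @(Get-AzureRmADApplication | Where-Object DisplayName -eq $appName)
if ($app.Count -eq 0) {
    $app = @(New-AzureRmADApplication -DisplayName $appName -HomePage $siteUrl -IdentifierUris $siteUrl)
}
if ($app.Count -ne 1) { throw "Expected exactly one application named '$appName', found $($app.Count)." }
$appId = $app[0].ApplicationId

# 2. Resolve the group. Display names are not unique in Azure AD, so stop
#    on zero or multiple matches rather than granting access to the wrong group.
$group = @(Get-AzureADGroup -Filter "DisplayName eq '$groupName'")
if ($group.Count -ne 1) { throw "Expected exactly one group named '$groupName', found $($group.Count)." }
$group = $group[0]

# 3. Reuse the service principal if there is one, otherwise create it.
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$appId'"
if (-not $sp) { $sp = New-AzureADServicePrincipal -AppId $appId }

# 4. Assign the group unless an assignment to this service principal already exists.
$existing = Get-AzureADGroupAppRoleAssignment -ObjectId $group.ObjectId |
    Where-Object ResourceId -eq $sp.ObjectId
if (-not $existing) {
    New-AzureADGroupAppRoleAssignment -ObjectId $group.ObjectId -PrincipalId $group.ObjectId `
        -ResourceId $sp.ObjectId -Id ([Guid]::Empty) | Out-Null
}

# 5. Addition to the post: require assignment, so users outside the assigned
#    groups cannot sign in to the application at all.
Set-AzureADServicePrincipal -ObjectId $sp.ObjectId -AppRoleAssignmentRequired $true

# 6. Read the assignment back instead of checking the portal.
Get-AzureADGroupAppRoleAssignment -ObjectId $group.ObjectId |
    Where-Object ResourceId -eq $sp.ObjectId |
    Select-Object PrincipalDisplayName, ResourceDisplayName, Id
```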

If there’s any interest in documenting the entire SharePoint Online and Azure AD B2B invite process and script, let me know. It’s a great way of sharing data with clients via a portal.

Ancient Technology

My father handed me a crate the other day as part of a cleanup, to see if I wanted anything he’d found.

I didn’t think the bits would be as old as they were, and thought it’d be great to share what they were. I’ve used a PS4 controller for reference as I couldn’t find a banana.

First up is a very long ISA card, from an XT PC. This was purely an IDE controller – giving you the ability to add on a floppy drive or hard drive to your PC. The board itself actually says the year of manufacture – 1985.


1985 XT PC ISA Controller Card

There’s two cables, each allowing 2 devices. This goes back to the primary and secondary days of drives, where you needed to set the jumpers correctly on the back for them to be detected properly. I measured it, and it’s 35cm long!

Next up is a 3 button serial mouse. On the back is a switch to toggle between 2 and 3 buttons, which was to work around incompatibilities between the two configurations, as mentioned on the Wikipedia article. Of course this is an old ball mouse… and someone opened up a Microsoft Serial Mouse if you want to see the ball and wheel components.

3 button Serial PC Mouse

This one’s a bit harder to date – it’s probably XT PC era too with the 3 button switch, and long before the PS/2 mouse came out in the late 1980’s.

Here we have some hard drives. They’re 3.5″ but much chunkier than the ones of today, about double the thickness. I believe they’re both 20MB – yes, megabytes! At the time of this, 360KB 5 1/4 floppy disks were the norm – about the equivalent of 55 floppies could be stored on a 20MB HDD.

20MB IDE HDDs, XT PC era (198X)

The data connector on this fits the cables on the ISA card from earlier. I remember in my childhood having a 40MB HDD bought for $600AU in the early 1990s. Back in 1990, according to this US copy of InfoWorld, these 20MB HDDs would have cost US$699 as an addon when buying a PC.

Last up was something I was much less familiar with – a 5 1/4 inch HDD. I found a page selling the same model if you want to buy one for yourself. I couldn’t tell from looking at the unit, but based on all the links it seems to have a capacity of 42MB.

Mitsubishi 5 1/4″ HDD back (Centre)

Mitsubishi 5 1/4″ HDD front (Centre)

There is a date on this one, 1989. Because many computers had slots for 5 1/4 inch floppy drives, it made sense to have hard drives at the same size. They fell out of fashion, and the 3 1/2 inch size became the new standard, matching the 3 1/2 inch floppy disks and drives of the time. Again this one has the same connectors as the other hard drives I have. Also, those molex power connectors survived a very long time in the PC world!

Also on the back of this drive, notice the amount of switches you need to set correctly – 14 in total. I’d be surprised if anyone misses troubleshooting an incorrectly set HDD with that many combinations of options, and slow startup times.

That’s the lot – always fun to go back over the old technology and see what was normal.

Remove Microsoft Account or Work Account

If you’re using Office 365 and/or Azure, you may have run into this scenario. If you want detailed information about Microsoft Accounts vs Work or school accounts, read this comprehensive article.

For people who set up a Microsoft Account on a work email address, and then configured it for Office 365/Azure, you’d be used to seeing this screen every time you log in:

It’s necessary, but annoying when you’re signing in a lot. I’m not sure how long this has been around, but you can change the email address associated with your Microsoft account, and move it away from your work email address.

And you may notice, there’s that ‘Tired of seeing this?’ message. My brain blocked that out, so you can follow that link too :)

Atwork have a writeup on how to change the email address (the first link gives a 404 message, but you’re still in the right place to make the changes). I tested this on my own account, and within a few minutes I was no longer seeing the choice between Work or Personal when signing into Office 365/Azure services.

Combine that with ADFS or Azure AD Connect Pass-Through Authentication to make your Microsoft sign-ins a quicker process!

Microsoft StaffHub General Availability

Microsoft StaffHub has now globally been released (General Availability). StaffHub is a very simple web and smartphone app based scheduling system, primarily designed for shifts.

It lets admins set and modify member’s shifts, and gives simple day/week/month overviews. I quite like this simplistic approach, sometimes these solutions can be a bit overwhelming when it’s linked to several other Office 365 features that you haven’t used yet.

Microsoft StaffHub

I was honestly up and running with this in 5 minutes, including the tutorial. I’ve invited other staff members as part of adding them, and both web and smartphone views are clean and easy to read. The product itself doesn’t really do anything else – there’s chat options for the app, and file sharing, but it’s perfect for staff that don’t do much (or any) of their work on computers; or just staff that want to be able to see what shift they’re on quickly.

One point of confusion I noticed, was the invite it sends out to staff you invite only wants them to use the smartphone app, and that link won’t work from a browser. They’ll need to manually go to https://staffhub.office.com for the browser experience.

Microsoft have a great starter page along with video showing how it works. There doesn’t seem to be any integration with other systems – It’d be nice to be able to send shifts as calendar appointments and maybe we’ll see that in the future.

It’s part of the Office 365 suite, so if you already have a license you should be able to go to http://staffhub.ms/ and start playing.

Google Daydream View Review

Google released their Daydream View VR headset in late 2016, and I picked one up to go along with my Google Pixel XL for a bit of fun.

I’ll note that I’m still reasonably happy with the Pixel XL and my opinion hasn’t changed from that review. It’s still going pretty strong, and a good but expensive all-rounder.

Google says “Daydream takes you on incredible adventures in virtual reality. Get ready to immerse yourself in all the things you love.” I say “Don’t get your hopes up”. Going on from the general success of Google Cardboard, it seems they thought there was a market in VR, going along with the media successes of Microsoft HoloLens, HTC Vive and Sony PlayStation VR. Don’t mistake this device for being in the same playing field, it’s a lot worse.

AU$119 for the Google Daydream View

If you’ve already tried Google Cardboard (I hadn’t) then you’ve got a reasonable idea already. Your phone slips into this headset, which instead of being folded cardboard, is now lovely breathable fabric with a head strap and cushions for your face. Inside the headset are two lenses that magnify the phone screen, and a front flap that has a NFC chip to tell the phone that it’s inserted.

The phone itself has the Daydream app, which is a wrapper to a Daydream App Store as well as giving you a platform to get to all VR things, along with a tutorial.

This is what the phone displays inside the Daydream

The real difference between Google Cardboard and Google Daydream is that you’ll also get a remote. This is a very light and small remote that charges via USB-C. There are 3 buttons, with the top also being a trackpad. There are also volume up/down buttons on the right hand side.

Google Daydream Remote

Think of it as a more basic Nintendo Wii remote, without as many sensors (it still seems to have gyro). This remote lets you control a cursor on screen, or a wand if you’re playing that Harry Potter game that doesn’t have Harry Potter in it.

I mentioned the Daydream demo – that was the most fun I had with the kit, and it went downhill from there. The demo is fun and well designed; it teaches you how to use all the controls and look around in a 3D world. Anyone watching you do this however, will think you look silly – everyone looks silly doing this. Android Authority have a great clip on using Daydream:

Going beyond the demo, I started to realise the picture actually wasn’t that great. Unless the headset was in the absolute most perfect spot, I had blurriness around the edges of my vision. Watching YouTube through this sounds cool, but all you really get is a 3D room where you can zoom in, out and around a video. You also can’t use this lying down: orientation can be reset on an X axis, but not a Y, if you’re thinking about lying in bed to watch a movie. The graphics a game will show are rather low end too, because you’re using a super thin device that’s never going to get close to what a PC or console can do.

Also, you can watch 360 degree videos on YouTube with this, or use Google Street View to pretend you’re walking down a street – but to me, moving your head around to see in a full 360 degrees gets tiring quickly.

Even more worrying, is the Google Pixel XL’s extreme heat generated by running this. We’ve got a top end, brand new phone that can barely run Daydream; and when I say barely run, on more than 1 occasion the device has given a warning that it’s too hot and has to stop operating. This was widely reported and doesn’t seem to be fixed yet.

There’s very few apps which I’ll assume is due to the limited customer base who have both a Pixel phone, and then a Daydream View. A few are free, enough to play around with different things. There’s a racer game that lets you use the remote like a steering wheel (again, think Nintendo Wii) but when are you really going to sit there with a headset on, closing yourself off to the world, to focus on playing a few low end games that require you to move your head instead of your eyes? Maybe that’s part of the problem where it feels unnatural, a glance changes to a more tedious head and neck movement with this device.

As you can probably tell, I don’t recommend buying one. It is a fun novelty for a short time, so try one if you can to see what VR is about, but the experience is just that average. This recent reddit thread asks “Those of you who have a daydream headset, what do you think of it after a few months?” and you can see the general consensus there.

I think VR/AR (Augmented Reality) itself is still taking off and will do well, but these lower end experiences won’t and it’ll be another abandoned Google idea. However, if they worked out how to do AR with the inbuilt camera, that’s a different story…

 

Searching Multi-Valued Properties in PowerShell

I’ve been playing with Office 365 commands in PowerShell and had to do a search. Sounds simple, but depending on what you’re searching, some scenarios are less basic than others.

Everything in PowerShell is an object. Usually, a property in PowerShell has a single value, such as:

UserPrincipalName: afowler@contoso.com

which is one of the results from Get-MsolUser. However, another property is different:

AlternateEmailAddresses: {microsoft@contoso2.com}

Visually, the difference is just the {} braces that contain the value. These braces mean that the property has been built to contain multiple items, rather than a single item.

If I wanted to see a list of all UserPrincipalNames, I’d use this command:

Get-MsolUser -all | select UserPrincipalName

A nice list of UPNs would display on the screen. However, run that same command against AlternateEmailAddresses and all that comes up is a bunch of blank lines.

To make this work, we need to select the value and show all the expressions of each value:

Get-MsolUser -All | select @{Name="AlternateEmailAddresses";Expression={$_.AlternateEmailAddresses}}

To then search on those values with the ‘where’ command, you’d have to write it like this:

Get-MsolUser -All | select @{Name="AlternateEmailAddresses";Expression={$_.AlternateEmailAddresses}} | where {$_.AlternateEmailAddresses -like "*contoso*"}

The good news is, for a where search by itself, you can forget all that and go back to basics:

Get-MsolUser -all | Where AlternateEmailAddresses -like "*contoso*"

Because of this requirement on the Select command, it led me down the wrong path for a bit. There’s other reading on how to list all the values of a multi-valued property.
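Why the plain Where search works, and how to report on the values, shown as an added example that is not part of the original post. The user objects are constructed stand-ins for Get-MsolUser output so it runs without a tenant, and the approved-domain list is an assumption for illustration.

```powershell
# Constructed sample objects standing in for Get-MsolUser output (not real tenant data).
$users = @(
    [pscustomobject]@{ UserPrincipalName = 'afowler@contoso.com'
                       AlternateEmailAddresses = @('microsoft@contoso2.com') }
    [pscustomobject]@{ UserPrincipalName = 'bsmith@contoso.com'
                       AlternateEmailAddresses = @('bsmith@fabrikam.example', 'bs@contoso2.com') }
    [pscustomobject]@{ UserPrincipalName = 'cjones@contoso.com'
                       AlternateEmailAddresses = @() }
)

# With a collection on the left-hand side, -like returns the elements that match
# rather than $true/$false. Where-Object keeps the user when that result is
# non-empty, which is why no calculated property is needed just to search.
$users | Where-Object { $_.AlternateEmailAddresses -like '*contoso*' } |
    Select-Object UserPrincipalName

# For a report, join the values into one string per user so they survive CSV export.
$users | Select-Object UserPrincipalName,
    @{ Name = 'AlternateEmailAddresses'; Expression = { $_.AlternateEmailAddresses -join ';' } } |
    ConvertTo-Csv -NoTypeInformation

# Or emit one row per address, which is easier to filter. Here: list alternate
# addresses whose domain is not on an approved list (hypothetical list).
$approvedDomains = @('contoso.com', 'contoso2.com')
$users | ForEach-Object {
    $upn = $_.UserPrincipalName
    foreach ($address in $_.AlternateEmailAddresses) {
        $domain = ($address -split '@')[-1].ToLowerInvariant()
        if ($approvedDomains -notcontains $domain) {
            [pscustomobject]@{ UserPrincipalName = $upn; Address = $address; Domain = $domain }
        }
    }
}
```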

If you’re still lost and want to get started with PowerShell, try checking out this PowerShell Basics video