Microsoft Antimalware for Azure is Now in Preview

Microsoft Antimalware for Azure Cloud Services and Virtual Machines is a new cloud service that detects and removes viruses, spyware, and other malicious software. Administrators can configure alerts that fire when malicious software attempts to install or run on a Microsoft Azure workload. The service is currently in preview.

I was really excited when I heard this new service announced at TechEd North America. Microsoft Antimalware for Azure addresses a major gap in the market. There is a legitimate need to protect IaaS and PaaS workloads running on Azure from viruses and other malware. So it is great to see that Microsoft has recognized that this is an issue and that they are trying to address it.

For those of you who are familiar with Microsoft’s portfolio of security solutions, Microsoft has four offerings for consumers and businesses:

1) Microsoft Security Essentials (MSE)

2) Windows Defender (for Windows 8 and higher)

3) System Center Endpoint Protection

4) Windows Intune Endpoint Protection

Microsoft Antimalware for Azure is built on the same engine as the existing solutions from Microsoft, but it is a distinctly different service. It is a single-agent solution for PaaS applications and virtual machines, designed to run in the background without human intervention. The service has a default configuration which is appropriate for most workloads, but it also offers the option for advanced custom configuration, including antimalware monitoring.

The following core features are available in the preview release:

Real-time protection – monitors activity in Azure Cloud Services and on Virtual Machines to detect and block malware execution.

Scheduled scanning – periodically performs targeted scanning to detect malware, including actively running programs.

Malware remediation – automatically takes action on detected malware, such as deleting or quarantining malicious files and cleaning up malicious registry entries.

Signature updates – automatically installs the latest protection signatures (virus definitions) to ensure protection is up-to-date on a pre-determined frequency.

Antimalware Engine updates – automatically updates the Microsoft Antimalware engine.

Antimalware Platform updates – automatically updates the Microsoft Antimalware platform.

Active protection – reports telemetry metadata about detected threats and suspicious resources to Microsoft Azure to ensure rapid response to the evolving threat landscape, as well as enabling real-time synchronous signature delivery through the Microsoft Active Protection System (MAPS).

Samples reporting – provides and reports samples to the Microsoft Antimalware service to help refine the service and enable troubleshooting.

Exclusions – allows application and service administrators to configure certain files, processes, and drives to exclude them from protection and scanning for performance and/or other reasons.

Antimalware monitoring – records the antimalware service health, suspicious activities and remediation actions taken in the operating system event log and collects them into the customer’s Azure Storage account. The antimalware monitoring is enabled via the Azure Diagnostics Service extension as an advanced configuration.
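As an added example that is not part of the original post, this is the shape of the JSON settings file that the extension's PowerShell configuration consumes when the default configuration is replaced with a custom one: real-time protection stays on, a weekly quick scan runs on day 7 (Saturday) at 120 minutes past midnight, and exclusions are kept to a single log extension, path, and process. The key names follow Microsoft's documented schema for the extension; the extension, path, and process values are constructed placeholders.

```json
{
  "AntimalwareEnabled": true,
  "RealtimeProtectionEnabled": true,
  "ScheduledScanSettings": {
    "isEnabled": true,
    "day": 7,
    "time": 120,
    "scanType": "Quick"
  },
  "Exclusions": {
    "Extensions": ".log",
    "Paths": "D:\\AppLogs",
    "Processes": "customapp.exe"
  }
}
```

Every entry under Exclusions is invisible to both real-time protection and scheduled scans, so the list should contain only paths and processes with a measured performance problem, and antimalware monitoring still has to be switched on separately through the Azure Diagnostics extension.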

The capabilities of Microsoft Antimalware are broadly similar to those of the other antimalware products available from Microsoft. Unfortunately, the current release of Microsoft Antimalware for Azure is extremely difficult to deploy, configure, and manage. The main reason is the lack of any UI for the administrator or end user: any meaningful administration of the service requires PowerShell. I do not believe it is an exaggeration to say that Microsoft Antimalware for Azure is the most difficult-to-use antimalware solution on the market today. I realize that the product is in preview and that it will mature over time.

Another major limitation of Microsoft Antimalware for Azure is that it cannot be deployed to an existing Azure VM; there is no way to add the agent to a VM that has already been created. You have to create a brand new VM and choose the option to add the Microsoft Antimalware security extension by checking the box in the create virtual machine wizard. This is the one and only configuration option which has a user interface at the present time. Because existing VMs cannot be protected, you will need to delete and recreate any VMs you have already deployed in order to start using the solution, which makes deployment extremely difficult and cumbersome.

I am frankly surprised that Microsoft has taken the approach of building an entirely new service to provide antimalware to Microsoft Azure VMs. This seems like an enormous engineering effort for an organization that already has four different antimalware solutions. Instead of creating a fifth service to protect against malware, it would seem far more logical to take one of the existing services and adapt it to protect Azure VMs. I would have thought that extending Windows Intune Endpoint Protection (WIEP) to run on Azure VMs was the most sensible approach. One of the nice benefits of WIEP is that it has a very simple UI which is ideal for businesses that lack the technical expertise to run System Center Endpoint Protection. But Microsoft chose to build an entirely new antimalware product instead, which makes System Center Endpoint Protection look simple by comparison.

I sincerely hope that Microsoft will take this feedback in the spirit in which it is intended. The concept behind Microsoft Antimalware for Azure is terrific. It is a fantastic idea whose time has come. But Microsoft needs to prioritize their investment in a user interface so that the majority of administrators can deploy and use the product successfully. Otherwise, it offers no real benefit to customers.

Windows Intune Features and Policies for Samsung KNOX

Microsoft and Samsung have announced a partnership whereby Samsung KNOX devices can be managed by Windows Intune using both Direct Management and Exchange ActiveSync.  Windows Intune now supports direct configuration of Samsung KNOX devices, which allows IT administrators to manage Samsung KNOX mobile devices via the Windows Intune administration console.  Samsung KNOX devices are designed to be used in high security environments.


Here is the list of Windows Intune policies which are available today for managing Samsung KNOX devices:

  • Security / Password – Require a password to unlock mobile devices
  • Security / Password – Password quality
  • Security / Password – Minimum password length
  • Security / Password – Number of repeated sign-in failures to allow before the device is wiped
  • Security / Password – Minutes of inactivity before screen turns off
  • Security / Password – Password expiration (days)
  • Security / Password – Remember password history –> Prevent reuse of previous passwords
  • Security / Encryption – Require encryption on mobile device
  • Device Capabilities / Hardware – Allow camera
Device Capabilities / Hardware Allow camera


If you are looking for assistance managing your corporate owned or personally owned mobile devices, please contact Kloud Solutions using the following URL:

Bulk Enroll iOS and Android Devices With Windows Intune vNext

The current version of Windows Intune is designed for managing devices for knowledge workers.  Knowledge workers generally own more than one device.  Moreover, they rarely share their device with another user.  Knowledge workers want a mobile device which is customized according to their personal preferences.

By contrast, task workers generally do NOT own their own devices.  They use devices which their employer provides.  These devices are typically designed to be used for a specific purpose.  A common example of a task worker device would be a handheld scanner for a package delivery service.  Task worker devices are also very common in retail stores.  Task workers share a single device across multiple users, often according to a shift schedule.  The concept of a task worker who “owns” a device does not really exist in this scenario.  This creates a challenge when enrolling devices with Windows Intune.  Which user should enrol a device to be managed when it is shared across multiple users who have different user accounts?  How can you target a user-based MDM policy against a managed device with multiple users?

The next version of Windows Intune addresses this scenario with a new feature called bulk enrolment.  This new feature allows an Intune Administrator to enrol task worker devices, set policies, and install applications based on the device, rather than the user.  A single Intune service account can enrol Android and iOS devices instead of having separate user IDs for each device.  For iOS, Intune will support Apple’s Device Enrolment Program to enable bulk enrolment.


New Windows Intune Features and Policies for Windows Phone 8.1

The latest release of Windows Intune provides new MDM features and policies for Windows Phone 8.1.

The new features include:

  • device configuration settings
  • software installation (sideloading) enhancements
  • selective wipe
  • support for Web Authentication Broker (WAB) enrolment
  • automatic MDM certificate renewal


Here are the new Windows Intune Policies for Windows Phone 8.1:

  • Security / System – Allow screen capture
  • Security / System – Allow diagnostic data submission
  • Applications / Browser – Allow web browser
  • Applications / Apps – Allow application store
  • Device Capabilities / Hardware – Allow camera
  • Device Capabilities / Features – Allow copy and paste
  • Device Capabilities / Features – Allow Bluetooth
  • Device Capabilities / Features – Allow Wi-Fi tethering
  • Device Capabilities / Features – Allow NFC
  • Device Capabilities / Features – Allow Wi-Fi
  • Device Capabilities / Features – Allow Wi-Fi hotspot reporting
  • Device Capabilities / Features – Allow automatic connection to free Wi-Fi hotspots




When Will Microsoft Drop “Windows” from the Name of Windows Intune?

It has been a pleasure to observe a truly significant change in the thinking at Microsoft.  Slowly, Microsoft is realizing that not everything is about Windows anymore.  I say this as someone who is a former employee of Microsoft.  I am a regular user of Windows.  I personally think that Windows is a terrific product and brand.  I run Windows 8.1 Update 1 on my notebook.  I also run Windows VMs.


But we live in a world of BYOD now.  For many users, IT no longer chooses the device that you use at work.  Moreover, even users who have a device dictated by IT will often use a secondary device that is a personal asset.  Some companies have sanctioned BYOD programs.  Other companies forbid BYOD, but users find ways around policies which are not well enforced.  To Microsoft’s credit, they have realized that BYOD is an inevitable trend.  Rather than fight it, they have chosen to embrace it.  This is very sensible because users are unwilling to be told what device they have to use. 


Microsoft’s move to embrace management of other platforms goes back to 2008.  Microsoft announced at the Microsoft Management Summit that System Center would support cross platform management of Unix and Linux servers with System Center Operations Manager 2007 R2.  This was a big shift for Microsoft which previously only supported management of Windows Server.   Why did Microsoft make this change?  Because they realized that all enterprises run a heterogeneous mix of servers.  While Windows Server may be the dominant server platform in most organizations, there is generally a small quantity of non-Microsoft servers which need to be managed.  For System Center to be a true enterprise class management tool, it needed to manage every server in the enterprise.


In 2012, Microsoft released System Center Configuration Manager 2012 SP1.  This was the first release of Config Manager which provided native management of Linux, Unix, and Mac OS X.  Microsoft also released a version of System Center Endpoint Protection that was compatible with Mac OS X and Linux.  Previous versions of Config Manager required 3rd party management extensions to manage these platforms. 


In April 2014, Microsoft announced that they would be changing the name of Windows Azure to Microsoft Azure.  Microsoft dropped “Windows” from the Azure product name to emphasize that Azure is not just a platform for running Windows VMs and .NET applications.  Microsoft Azure supports Linux, Java, PHP, Oracle, and other non-Microsoft technologies.  Microsoft’s goal is to rebrand itself as a company focused on public and hybrid clouds, not just clouds that run Windows Server.


Reviewing Microsoft’s recent history around cross platform management leads to the inevitable question:

When will Microsoft wake up and drop the name “Windows” from Windows Intune?

When Windows Intune began as a product back in 2010, it was developed out of the Windows Product Group.  Windows Intune could only manage Windows PCs and Windows Client VMs.  Every customer that purchased Windows Intune was also purchasing a Windows Client SA Upgrade subscription.  Windows Intune and the Windows Client OS were deeply tied together.


All of that changed in 2012 with Windows Intune Wave C.  Microsoft introduced new MDM features into the product.  This provided a way for Windows Intune to manage iOS, Android, and Windows Phone devices.  They changed the licensing from a per device subscription which included a Windows Client SA Upgrade to a per user subscription which could be purchased without the upgrade.  Microsoft also moved the Windows Intune Product Group into the System Center Product Group.  This made sense now that Windows Intune was evolving into a management product for multiple platforms.  But the name has remained the same for multiple releases since 2012.  The next release of Windows Intune is due to release in Q2/Q3.  For more information on this release, please see my previous blog post:


There have been some great features announced for the next version of Windows Intune.  One notable oversight is the lack of any announcements regarding the name of the product.  Windows Intune is a cloud-based management solution for the BYOD era.  It is no longer about managing Windows PCs.  When will Microsoft wake up and change the name of the product to reflect its current usage in the market?  A great cloud service deserves a great name.  Hopefully Microsoft will give Windows Intune a name that reflects its true greatness as a solution for BYOD.  How about System Center Device Manager Online?


Windows Intune vNext Coming Q2/Q3 2014

Here is a summary list of features for the next version of Windows Intune which Microsoft has indicated will release in Q2/Q3 2014:

Flexible Deployment

  • Full MDM parity in Windows Intune standalone
    • Email/Wi-Fi Profiles, VPN and Certificates
  • Bulk IT enrolment of devices and device targeting
  • Cloud-only scalability

Device Configuration Management

  • Windows Phone Enterprise Feature Pack support
  • Application Whitelist/Blacklist
  • Customizable IT Terms of Use
  • Start Screen in Windows 8.1
  • Windows Azure AD Premium Integration in Company Portal 

Email Configuration and Protection

  • Access to email only if device is managed


  • Family Safety in Windows 8.1
  • URL Filtering 

Device Data Protection

  • Application restriction policies for iOS
  • Enterprise Wipe of Email (iOS) and access controls via certs
  • TPM cert enrolment
  • MFA support for Intune enrolment

New Windows Intune MDM Features for iOS and Android

The January 2014 release of ODS includes a number of new features to extend and enhance the MDM capabilities of the service. ODS uses a direct management method to manage iOS and Android devices. There is no longer a requirement to have an Exchange Server or Exchange ActiveSync. iOS and Android devices can be managed via the ODS cloud service with no on-premises infrastructure required.

Here are some of the ODS features available for iOS and Android device management:

  • Retire or remotely wipe a device that is lost or stolen
  • Remotely lock a device
  • Remotely reset the passcode
  • Detect if a device has been jailbroken
  • Proactive alerting to identify problems with the health of the device
  • Hardware inventory
  • Enforce policies and settings for:
    • password management
    • device security
    • documents and data
    • web browser
    • device hardware
    • voice assistant


Windows Intune Agent Update Coming April 23rd, 2014

Windows Intune will be releasing an update to the anti-malware agent beginning on 23/4/2014. The service regularly releases anti-malware platform updates to guarantee consistency in protection, performance, robustness, and usability in a malware landscape that is constantly changing.

Since this is an agent update, computers may have to be restarted after the update is applied; in most cases however, a reboot is not required.