
Archive for September, 2024

Windows Server 2025 Security Baseline Preview

September 30, 2024

With Windows Server 2025 getting closer to GA, Microsoft recently announced the Windows Server 2025 Security Baseline Preview (starting with build 26296 -> register as an Insider -> download).

With the new security baseline for Windows Server we get some major changes in security management:

  • apply baselines for individual machines:
    • PowerShell cmdlets (available in Microsoft.OSConfig)
    • Windows Admin Center (WAC)
  • apply and monitor baselines at-scale:
    • Azure Policy and Azure Automanage Machine Configuration

The WAC, Azure Policy and Azure Automanage Machine Configuration experiences will be released soon to the Windows Insider Program and will only work with Windows Server 2025.

At the core of the new security baseline is the Microsoft.OSConfig PowerShell Desired State Configuration (DSC) module. (There is also a Linux version with a similar name and capabilities: Azure OSConfig.) Because we are going to use DSC to apply the security defaults, the settings we choose to enforce are automatically protected from drift. DSC also gives us a declarative model for system configuration management: we define the end state and the DSC module knows how to get there.

The current version (0.1.201) of the Microsoft.OSConfig DSC module has four cmdlets that we can use:

  • Get-OSConfigMetadata
  • Get-OSConfigDesiredConfiguration
  • Remove-OSConfigDesiredConfiguration
  • Set-OSConfigDesiredConfiguration

and three aliases (that we probably shouldn’t be using):

  • osc-get
  • osc-remove
  • osc-set

To apply security defaults we get to choose from four baseline scenarios:

  • AppControl
  • Defender\Antivirus (48 settings)
  • SecuredCore (3 settings -> UEFI MAT, Secure Boot, Signed Boot Chain)
  • SecurityBaseline (329 settings -> Account and password policies, Credentials Protections, Protocol defaults, Security Policies and Security Options,…)

CSV files (reports) with the details of the above scenarios are available on GitHub.

Peeking into the SD subfolder of the current version of the Microsoft.OSConfig DSC module reveals a few more details about the supported scenarios:

  • AppControl
  • AppControl_AzureStackHCI_DefaultPolicy_Audit
  • AppControl_AzureStackHCI_DefaultPolicy_Enforce
  • AppControl_WS2025_AppBlockList_Audit
  • AppControl_WS2025_AppBlockList_Enforce
  • AppControl_WS2025_DefaultPolicy_Audit
  • AppControl_WS2025_DefaultPolicy_Enforce
  • Defender_Antivirus
  • SecuredCore
  • SecuredCoreState
  • SecurityBaseline_AzureStackHCI
  • SecurityBaseline_AzureWindowsBaseline
  • SecurityBaseline_WS2025_DomainController
  • SecurityBaseline_WS2025_MemberServer
  • SecurityBaseline_WS2025_WorkgroupMember

After we install the prerequisites:
Install-PackageProvider NuGet, PowerShellGet -Force
we can install the OSConfig module and confirm it is available:
Install-Module -Name Microsoft.OSConfig -AllowPrerelease -Scope AllUsers -Repository PSGallery -Force
Get-Module -ListAvailable -Name Microsoft.OSConfig

To apply the Security Baseline via PowerShell cmdlets we have to run Set-OSConfigDesiredConfiguration (to bring the new configuration into effect, we have to restart the device):

  • On domain-joined device:
    Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline\WS2025\MemberServer -Default
  • On workgroup device:
    Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline\WS2025\WorkgroupMember -Default
  • On domain controller device:
    Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/DomainController -Default
  • For Secured-core configuration:
    Set-OSConfigDesiredConfiguration -Scenario SecuredCore -Default
  • For Defender Antivirus configuration:
    Set-OSConfigDesiredConfiguration -Scenario Defender\Antivirus -Default
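The steps above (install the module, pick the scenario for the machine's role, apply with defaults, restart) put together as one script. This is an added example, not code from the original post or from the Microsoft.OSConfig module; it assumes the module is already installed and uses the scenario names exactly as listed above. The domain role comes from Win32_ComputerSystem.DomainRole, and the pending-reboot check reads the two well-known servicing/Windows Update registry markers; both are my choices, not part of the OSConfig module.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post or Microsoft.OSConfig): choose the
# SecurityBaseline scenario from the machine's domain role, apply the baselines
# with the module's default values, then report whether a restart is pending.
param(
    [switch]$Apply   # without -Apply the script only reports what it would do
)

Import-Module Microsoft.OSConfig -ErrorAction Stop

# Win32_ComputerSystem.DomainRole: 0/2 = standalone, 1/3 = member, 4/5 = domain controller
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$roleScenario = switch ($role) {
    { $_ -in 4, 5 } { 'SecurityBaseline\WS2025\DomainController' }
    { $_ -in 1, 3 } { 'SecurityBaseline\WS2025\MemberServer' }
    default         { 'SecurityBaseline\WS2025\WorkgroupMember' }
}
Write-Host "Domain role $role -> scenario $roleScenario"

# Order of application: role-specific baseline first, then Secured-core and Defender AV
# (scenario names as listed in the post).
$scenarios = @($roleScenario, 'SecuredCore', 'Defender\Antivirus')

if (-not $Apply) {
    Write-Host "Dry run. Re-run with -Apply to enforce: $($scenarios -join ', ')"
    return
}

foreach ($s in $scenarios) {
    Write-Host "Applying $s with default values..."
    Set-OSConfigDesiredConfiguration -Scenario $s -Default
}

# Many baseline settings only take effect after a restart; check the usual
# pending-reboot markers written by servicing and Windows Update.
$pending = (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') -or
           (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending')
if ($pending) {
    Write-Warning 'A restart is pending; the baseline is fully enforced only after the reboot.'
} else {
    Write-Host 'No restart marker found, but restart anyway, as the post recommends, before trusting the applied state.'
}
```

Run it once without -Apply on a test machine to confirm the detected role and scenario list, then with -Apply. Keeping the apply step behind a switch makes the script safe to run from a scheduled task or a deployment pipeline in "report only" mode.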

The Set-OSConfigDesiredConfiguration cmdlet includes a few additional nice-to-have parameters that we can use when we apply a security baseline:

  • Setting & Value -> custom value for a specific setting
  • Setting & Default -> use the default value of the setting
  • Version -> apply a specific version (the current module has one version per scenario)

If we want to customize a specific setting in the baseline, we can run:
Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline\WS2025\MemberServer -Name AuditDetailedFileShare -Value 3
or
Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline\WS2025\MemberServer -Name RemoteDesktopServicesDoNotAllowDriveRedirection -Value 0

Verify the custom setting:
Get-OSConfigDesiredConfiguration -Scenario SecurityBaseline\WS2025\MemberServer -Name AuditDetailedFileShare
or
Get-OSConfigDesiredConfiguration -Scenario SecurityBaseline\WS2025\MemberServer -Name RemoteDesktopServicesDoNotAllowDriveRedirection

To view the compliance of the applied Security Baseline we can use:
Get-OSConfigDesiredConfiguration -Scenario SecuredCoreState
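A drift report built on the Get-OSConfigDesiredConfiguration calls above: it reads the applied settings for a scenario, exports them to CSV and lists every setting that is not compliant, which is the check worth running after a customization (such as the AuditDetailedFileShare change) and after each reboot. This is an added example, not code from the original post or the module. It assumes the returned objects expose Name, Value and a Compliance member with Status and Reason; the script guards against a flat Compliance value, but adjust the property names if your module version differs.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post or Microsoft.OSConfig): list the
# settings of an applied scenario that are not compliant and export a CSV.
param(
    [string]$Scenario   = 'SecurityBaseline\WS2025\MemberServer',
    [string]$ReportPath = "$env:TEMP\osconfig-compliance.csv"
)

Import-Module Microsoft.OSConfig -ErrorAction Stop

$settings = @(Get-OSConfigDesiredConfiguration -Scenario $Scenario)

$rows = foreach ($s in $settings) {
    # Assumption: Compliance is an object with Status/Reason; fall back to the raw value if not
    $hasStatus = $s.Compliance -and $s.Compliance.PSObject.Properties['Status']
    $status = if ($hasStatus) { $s.Compliance.Status } else { [string]$s.Compliance }
    $reason = if ($hasStatus -and $s.Compliance.PSObject.Properties['Reason']) { $s.Compliance.Reason } else { '' }
    [pscustomobject]@{
        Scenario = $Scenario
        Name     = $s.Name
        Value    = $s.Value
        Status   = $status
        Reason   = $reason
    }
}

$rows | Export-Csv -Path $ReportPath -NoTypeInformation
$nonCompliant = @($rows | Where-Object { $_.Status -ne 'Compliant' })

Write-Host ("{0}: {1} settings, {2} not compliant (report: {3})" -f $Scenario, $rows.Count, $nonCompliant.Count, $ReportPath)
$nonCompliant | Format-Table Name, Value, Status, Reason -AutoSize

# Non-zero exit code when drift is detected, so a scheduled task or pipeline can flag it
exit ([int]($nonCompliant.Count -gt 0))
```

Pass -Scenario SecuredCoreState to get the Secured-core compliance view mentioned above, or the domain controller / workgroup scenario names for those roles.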

More info, including impact and some known issues, is available in the official announcement.

Microsoft Office LTSC 2024

September 27, 2024

Microsoft Office LTSC 2024 is now generally available and in a few days most customers will also be able to download it from the usual places. As with the last version, Office LTSC 2024 will be supported for five years.

If we want to compare Office LTSC to the subscription version of Office products in detail, we can look at the official GA announcement or go to the desktop productivity suites comparison page. In short, the Office LTSC release does not include any of the cloud-based capabilities of Microsoft 365 Apps (real-time collaboration, AI-driven automation, Copilot,…) and works fully offline (including product licensing and activation, which is device-based only).

We have two Windows-based LTSC versions: Standard and Professional Plus. Office LTSC Standard 2024 comes with classic versions of Word, Excel, PowerPoint, and Outlook installed on one PC. Office LTSC Professional Plus 2024 includes everything in Office LTSC Standard 2024, plus Microsoft Access. As it has been for a while now, we also have Office LTSC Standard for Mac 2024 (classic versions of Word, Excel, PowerPoint, and Outlook installed on one Mac).

“Office LTSC 2024 offers a locked-in-time version of familiar productivity tools, updated with a subset of the features that have been added to Microsoft 365 Apps for enterprise over the last three years. New features for this release include Dynamic Charts and more than a dozen new text and array functions in Excel, enhanced search and meeting creation options in Outlook, and improvements to performance, security, and accessibility.” (source) (more info: What’s new in Office 2024 and Office LTSC 2024)

Office LTSC 2024 Preview activation keys will expire on January 13th 2025. After that all the apps go into reduced functionality mode, where we can only view and print our documents. If we were testing Office LTSC 2024 Preview, we can update it without uninstalling the preview version. All we need to do is activate the preview installation with our volume license key. How to:

This update process also applies to updating Project Professional 2024 Preview to Project Professional 2024, and/or Visio Professional 2024 Preview to Visio LTSC Professional 2024.

Sources we can use to deploy and/or customize Office applications:


Windows Server 2025 – Hotpatching and WSUS

September 26, 2024

Windows Server 2025 GA is around the corner and with it more and more features are getting finalized. To keep up with the latest we should also check the list of features removed or no longer developed starting with Windows Server 2025.

Just a few days ago Microsoft announced that they are planning the deprecation of Windows Server Update Services (WSUS). For now, they are going to preserve the current WSUS functionality (in Windows Server 2025) and will also continue to publish existing and new updates through the WSUS channel.

Due to a more mobile workforce, and probably also due to general cloud adoption, more and more of the updating services are moving to the cloud. For client patching, Windows Autopatch has been available for a while now and it allows us to automate Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates from the cloud (requires Intune and Entra ID joined devices). It does require one of the cloud subscriptions for the devices, but in combination with Delivery Optimization (DO) it can bring us some nice bandwidth optimizations (probably one of the core reasons for a typical WSUS deployment). We can even monitor DO usage for free in Azure Monitor or directly on the device with native PowerShell commands (Get-DeliveryOptimizationStatus, Enable-DeliveryOptimizationVerboseLogs,…). If we want a more detailed DO usage report from the same data, we can also look at a free solution like this one (based on a Power BI template). To go even deeper with DO analysis, we can follow along this nice Deep Dive guide (including setup in Configuration Manager) together with its detailed configuration guide.
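A quick on-device view of how much Delivery Optimization is actually saving, using the Get-DeliveryOptimizationStatus cmdlet mentioned above. This is an added example, not code from the original post. It assumes the properties the DeliveryOptimization module returns on current Windows builds (FileId, Status, BytesFromPeers, BytesFromHttp, TotalBytesDownloaded); check Get-DeliveryOptimizationStatus | Get-Member if your build differs.

```powershell
# Added example (not from the original post): summarise Delivery Optimization
# activity on this device, peer bytes versus plain HTTP bytes.
Import-Module DeliveryOptimization -ErrorAction Stop

$jobs = @(Get-DeliveryOptimizationStatus)
if ($jobs.Count -eq 0) {
    Write-Host 'No Delivery Optimization jobs recorded on this device.'
    return
}

# Assumed property names: BytesFromPeers, BytesFromHttp, TotalBytesDownloaded
$peer  = ($jobs | Measure-Object -Property BytesFromPeers       -Sum).Sum
$http  = ($jobs | Measure-Object -Property BytesFromHttp        -Sum).Sum
$total = ($jobs | Measure-Object -Property TotalBytesDownloaded -Sum).Sum
$pct   = if ($total -gt 0) { [math]::Round(100 * $peer / $total, 1) } else { 0 }

# Device-level summary: the PeerPercent figure is the bandwidth DO kept off the WAN link
[pscustomobject]@{
    Jobs        = $jobs.Count
    PeerMB      = [math]::Round($peer  / 1MB, 1)
    HttpMB      = [math]::Round($http  / 1MB, 1)
    TotalMB     = [math]::Round($total / 1MB, 1)
    PeerPercent = $pct
} | Format-List

# Per-job view, largest downloads first, to spot content that never found a peer
$jobs | Sort-Object TotalBytesDownloaded -Descending |
    Select-Object -First 10 FileId, Status,
        @{ n = 'PeerMB'; e = { [math]::Round($_.BytesFromPeers / 1MB, 1) } },
        @{ n = 'HttpMB'; e = { [math]::Round($_.BytesFromHttp  / 1MB, 1) } } |
    Format-Table -AutoSize
```

A consistently low PeerPercent across a site usually means the DO download mode or group settings are not what was intended, which is the point at which the Power BI report or the Deep Dive guide linked above becomes useful.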

Windows Autopatch is used for client update management. If we want to manage server updates from the cloud, we do have an Azure-hosted solution for that: Azure Update Manager. In combination with Windows Server Hotpatch we get some nice update management capabilities and patching optimizations for our server infrastructure.

We can use Azure Update Manager (AUM) to help us manage and govern updates for all our machines (Windows and Linux servers) in Azure, on-premises, and on other cloud platforms from a single dashboard. Some of the nice-to-have features of AUM are: on-demand check for updates and/or deployment of security and critical updates, periodic assessment to check for updates, customer-defined maintenance schedules, hotpatching,… The Azure Update Manager pricing page tells us that we pay per day while a server is connected to Arc and managed by Azure Update Manager.

Windows Server Hotpatch has been around for a while now, but it had some major limits, probably the biggest one being that it only worked on Windows Server Datacenter: Azure Edition virtual machines, either on Azure or on the Azure Stack HCI platform. The big thing we get with hotpatching is a monthly Windows Server update without a required reboot at the end. It works by patching the in-memory code of running processes without restarting the process. Just recently hotpatching got an improvement: it now works on any Azure Arc-enabled Windows Server 2025 Datacenter and Standard.

If we look at the Azure Arc pricing, we can see that we get some of the options for free (inventory, remote management with Windows Admin Center (WAC) including remote RDP, SSH and PowerShell,…) as soon as the agent gets connected to our Azure subscription. Some of the Azure services that can be enabled as an add-on to Azure Arc: Azure Update Manager, Azure Policy guest configuration, Azure Monitor, Microsoft Defender for Cloud, etc.

If we want to test all these features before we have to deploy them in our production environments, we can use evaluation versions of the required products: