
Local Administrator Password Solution (LAPS) Implementation Hints and Security Nerd Commentary (including mini threat model)


Hi, Jessica Payne from Microsoft Enterprise Cybersecurity Group's Global Incident Response and Recovery team guest starring on the Platforms PFE blog today.

Credential theft is a major problem in the security landscape today. Matching local administrator passwords across an environment contribute heavily to that problem and are a popular target for bad guys. Far more than zero days or malware, credentials are what allow attackers to be successful in your network. I think this is best summed up by John Lambert from Microsoft Threat Intelligence Center.


Randomizing the local administrator password has always been part of Microsoft guidance such as the Pass the Hash Whitepaper; however, outside of solutions provided via a Premier offering we didn't have a supported Microsoft way to do this.

On May 1st 2015, Microsoft released LAPS. LAPS stands for Local Administrator Password Solution, and it exists to address the problem of having a common administrator password in an environment. LAPS is a fully supported Microsoft product that is available for free! (Or "at no additional charge" as some of my colleagues would want me to say.) I've done a Taste of Premier episode on the technology, but wanted to do this post for the people who prefer blog posts as well.

LAPS is designed to run in a least privilege model. No need to put a service account into the domain admins to manage passwords; the password resets are done in the context of the computer/system. There's no additional server to install - the passwords are stored in Active Directory. This has led to some interesting discussion on the Internet, with some saying "that makes AD a clear target." Active Directory has always been a clear target for attackers, and has always held "keys to the kingdom" that would allow an attacker to take complete control of an infrastructure. That's why we really want you to be aware of what the threats look like and how to configure and administer AD in a secure manner (Best Practices for Securing Active Directory, the Pass the Hash Whitepapers and my talk on Securing Lateral Account Movement are good references for that.) By storing the passwords in AD, we're piggybacking on the controls you already should have in place to protect against Pass the Hash, Domain Admin level compromise, the Golden Ticket post exploitation technique, etc. LAPS, just like many other security controls, should be seen as part of a holistic solution. Just taking care of local administrator passwords is a great step and a massive reduction in overall attack surface, but without the other mitigating controls in an environment it's absolutely true that attackers will still be able to gain a foothold and compromise your entire network. Randomizing local passwords is just a step in a security strategy, but it's a necessary step which is now easy and free with LAPS.


Installation

Installing LAPS is actually really straightforward. The guide included in the download has a great walk through, and I ran through a demo install (as well as discussion on implementation strategies) in my Taste of Premier video on LAPS.

Gotchas/Weird Stuff/Implementation Lessons Learned about LAPS:

  • Your biggest challenges are going to be developing a delegation model and a workflow for using the passwords. If your OU structure isn't laid out based on policy boundaries, or if you don't already have well defined Role Based Access, this will be a challenge. Your workflow for accessing the passwords will dictate a lot of how you design the access. Are you planning on using the passwords ever? Are you just trying to stop Lateral Movement, so you see it just being a break glass account and using DART disks instead? If you do have people access them, that should decrease your password expiration time - make the credential viable for less time. You may even use an orchestration engine to front the password checkouts, which has access to the ms-Mcs-AdmPwdExpirationTime attribute to make sure it resets right after use.
  • LAPS only randomizes one local account password. By default, it randomizes the built-in admin account and discovers it by well-known SID. A different local account can be specified via GPO, but bear in mind it is discovered by name. So if I'm Bad Guy Bob using an Elevation of Privilege in win32k.sys or Steve the Rogue Admin, having access even temporarily + rename account = permanent access. Account discovery and management is static in a lot of password products, not just LAPS, so it also means someone with access could create another local account and add it to admins and have permanent access - this is actually something we've seen real bad guys do.  Local accounts are tricky things to manage, which is why we created the Local Account principle. The strategy I suggest to my customers is to have 1 (one) local administrator account - the built-in one. The built-in 500 SID account is always there, always an admin and always something you can re-enable if you know what you're doing. Embrace that it's there, that LAPS will always find it and manage it. Which leads to …
  • Make LAPS part of your larger Credential Theft Mitigation strategy. Implement the steps in the Pass the Hash whitepaper, use Restricted Groups to be authoritative on who is an admin, deny Local Accounts access over the network and come up with a secure way to manage machines, such as RestrictedAdmin RDP with a non-admin account and elevation/RunAs locally with the LAPS managed password.
  • Monitor for the use and creation of local accounts. These are Indicators of Compromise and the successful logon of the local administrator account is a far more accurate metric of danger than auditing access to the password in many organizations.
  • Monitor for Lateral Movement on the whole in your environment. Stopping Lateral Account Movement from stolen credentials via Credential Hygiene and preventing the attacker wandering unfettered around your network is the #1 thing that would have made the Incident Responses I’ve been to this year less of an Incident. Even if you are using another password management product, Credential Theft Mitigation and stopping Lateral Account Movement are critical tasks for your environment. I'm doing a whole series on tracking Lateral Movement on the blog, so please feel free to follow along.
  • Since ms-Mcs-AdmPwd only stores one password, some customers have expressed concerns about what this means for a system restored from backup. The supported scenario there would be to reset the password with a supported tool such as DART. (DART is really cool btw, you can have it access BitLocker recovery keys and build all sorts of interesting actions into it. DART is a fully supported Microsoft product and a great "known good publisher" alternative to going out and downloading a hacking tool if you need to reset a password.)
  • There's a GPO setting for "do not allow Password Expiration Time longer than defined by policy." I consider that to be a non-optional option, as enabling this option means if someone sets the password expiration to be 300 days, LAPS will say "I think you meant 30 days."
  • Native LAPS auditing is …not optimal. The password is stored as an AD attribute, which means access is tracked via AD attribute logging, Event ID 4662. The bad part about that is it can get really noisy; for instance, if someone who has access to the password opens attribute editor it's going to show as a password read even if they didn't mean to. Kurt Falde has made great improvements to the auditing via Windows Event Forwarding and PowerBI on his blog.
  • Access to the password is granted via the "Control Access" right on the attribute. Control Access is an "Extended Right" in Active Directory, which means if a user has been granted the "All Extended Rights" permission they'll be able to see passwords even if you didn't give them permission. LAPS includes the Find-AdmPwdExtendedRights cmdlet to track down who has those permissions.
  • It's really straightforward to migrate from the unsupported AdmPwd solution or the SLAM scripts that LAPS has replaced; most people have no issues with it. If you have an issue moving from the supported SLAM scripts to LAPS, open a Premier case and we'll help you out.
  • Learn what really happens during an Incident Response and what attackers are actually doing to get into your network. The state of security now in most IT Organizations is borderline panic and a rush to "secure all the things", and knowing what attackers do allows you to prioritize what to fix first (Spoiler alert: Credential Hygiene, that's what you fix first.) :)
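The monitoring items in the list above (successful logons of the built-in administrator, creation of local accounts, and the noisy 4662 attribute reads) turned into detection logic, as an added example that is not part of the original post. The three events are constructed samples in the XML shape that Get-WinEvent's ToXml() returns; the SID, hostnames, IP address and the ms-Mcs-AdmPwd schema GUID are placeholders (the LAPS schema GUID is generated when the schema is extended, so read yours from your own forest).

```powershell
# Added example (not from the original post): classify Windows Security events
# into the LAPS-related indicators the post describes. All sample data below is
# constructed; the GUID is a placeholder for the per-forest ms-Mcs-AdmPwd schemaIDGUID.
$AdmPwdAttributeGuid = '00000000-0000-0000-0000-000000000000'   # placeholder

function Get-EventDataValue {
    param([xml]$Event, [string]$Name)
    ($Event.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Map one event to an indicator object, or $null when it is not interesting.
#  - 4624 with LogonType 3 for the RID-500 account: a local Administrator logon over
#    the network, which "deny local accounts over the network" should prevent, so it
#    is the strong signal the post describes.
#  - 4720 / 4732: a local account created or added to a local group, the "create a
#    second local admin for permanent access" trick the post warns about.
#  - 4662 with AccessMask 0x100 (Control Access) on the ms-Mcs-AdmPwd GUID: a password
#    read. It is noisy (opening attribute editor counts), so it is rated Info only.
function Get-LapsIndicator {
    param([xml]$Event)
    $id = [int]$Event.Event.System.EventID
    switch ($id) {
        4624 {
            $sid  = Get-EventDataValue $Event 'TargetUserSid'
            $type = Get-EventDataValue $Event 'LogonType'
            if ($sid -like 'S-1-5-21-*-500' -and $type -eq '3') {
                return [pscustomobject]@{ Severity = 'High'; EventID = $id
                    Detail = "Built-in Administrator network logon from $(Get-EventDataValue $Event 'IpAddress')" }
            }
        }
        { $_ -in 4720, 4732 } {
            return [pscustomobject]@{ Severity = 'High'; EventID = $id
                Detail = "Local account change by $(Get-EventDataValue $Event 'SubjectUserName')" }
        }
        4662 {
            $mask  = Get-EventDataValue $Event 'AccessMask'
            $props = Get-EventDataValue $Event 'Properties'
            if ($mask -eq '0x100' -and $props -match $AdmPwdAttributeGuid) {
                return [pscustomobject]@{ Severity = 'Info'; EventID = $id
                    Detail = "LAPS password read by $(Get-EventDataValue $Event 'SubjectUserName') on $(Get-EventDataValue $Event 'ObjectName')" }
            }
        }
    }
    return $null
}

# Constructed sample events (not real log data).
$networkAdminLogon = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><Computer>WS-SAMPLE-07.example.test</Computer></System>
  <EventData>
    <Data Name="TargetUserSid">S-1-5-21-1111111111-2222222222-3333333333-500</Data>
    <Data Name="TargetUserName">Administrator</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="IpAddress">10.0.5.23</Data>
  </EventData>
</Event>
'@
$localAccountCreated = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4720</EventID><Computer>WS-SAMPLE-07.example.test</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">Administrator</Data>
    <Data Name="TargetUserName">svc_backdoor</Data>
  </EventData>
</Event>
'@
$lapsPasswordRead = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4662</EventID><Computer>DC01.example.test</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">helpdesk-admin</Data>
    <Data Name="ObjectName">CN=WS-SAMPLE-07,OU=Workstations,DC=example,DC=test</Data>
    <Data Name="AccessMask">0x100</Data>
    <Data Name="Properties">%%7688 {00000000-0000-0000-0000-000000000000}</Data>
  </EventData>
</Event>
'@

foreach ($sample in $networkAdminLogon, $localAccountCreated, $lapsPasswordRead) {
    Get-LapsIndicator -Event ([xml]$sample)
}
```

Pointing the same function at live data is a matter of replacing the samples with `Get-WinEvent -LogName Security | ForEach-Object { $_.ToXml() }`, or at the forwarded-events log if you have the Windows Event Forwarding setup from the linked posts in place.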


Plaintext password storage

One of the discussions that frequently comes up during LAPS implementations is the fact that the password is stored in plain text. Applying the proper ACLs to the attribute makes this a non-issue in most environments. If you don't have access to the passwords, you can’t see them. We're securing access to the attribute (along with the entire directory) versus worrying about a case where the directory is already lost.

There are other plaintext high value attributes in AD such as BitLocker keys, and due to the nature of secrets stored in AD, loss of control of the database can lead to deeper compromise through other non-plaintext avenues. Strong ACLs and overall Credential Hygiene are the strategy to be using anyway, and applying them to LAPS is just another step. We did threat model the scenarios where plain text would be part of the attack below. Remember that LAPS is just part of the Credential Theft Mitigation strategy and LAPS attributes are just part of the very high value data you need to protect in Active Directory.

Attack strategies to take advantage of plain text password storage:

1. Acquire a copy of the NTDS.dit (Active Directory Database.) The passwords would be in plain text, meaning the attacker doesn't have to crack them. This attack vector is superfluous though, because if they have your NTDS.dit, they don't need to crack the passwords because of techniques like Pass the Hash. The machine computer account passwords are stored hashed in Active Directory just like user account passwords so the attacker could already have admin/system level access on those computers without the local administrator passwords. Additionally, the AD database contains far more powerful accounts of interest than local admin accounts - Domain Admins, high value users and the KRBTGT account for Golden Ticket creation. While the passwords are in plaintext, capture of the NTDS.dit is already game over, so the plain text doesn't add additional attack surface here in our opinion. You should already be protecting your AD against theft, so having the local admin passwords there doesn't really affect the value of AD or the need to protect it.

2. Steal the credentials or compromise the computer of someone with access to the passwords, then access admin passwords for multiple computers in the domain. In most environments, the initial stolen credential would be someone with wide reaching admin access for all of the computer accounts they were delegated ms-MCS-admpwd attribute access to - a help desk or desktop engineer - so this isn't really increasing the attack surface in this scenario. It can actually reduce the time to detection in some ways, or at least provide better monitoring for the compromise. Without the LAPS delegation, the theft of the single desktop engineer level credentials would mean instant deep/wide privilege in the domain (CEO's computer for instance.) Abusing LAPS password delegation to gain this access means they would generate a very clear audit trail as they will have to work for each password. At worst, this is likely a net equal. The basis of the attack is that a single account had unrestricted access to assets, but that has nothing to do with plain text storage (or which credential vault you are using, since it's just stealing the identity of someone who would have access.)

3. To make use of the fact this is plaintext over the wire, you would have to then use that stolen identity to open a tool such as LDP.exe that would send the password in plaintext over the network and then sniff the credentials. Since they already had access to the credentials, this threat vector would fall into the category of "post exploit technique" and is also superfluous. Active Directory Users and Computers, PowerShell and the LAPS UI all send the password in an encrypted/obfuscated traffic channel. So if you provision the password access only to secondary admin accounts locked down to use from a known good source such as an admin workstation/jump server that is already secured with software restrictions, credential tiering and network policies as recommended, this attack vector isn't likely to be the thing an attacker goes for.
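The delegation points made above (grant password access only to a specific group, hunt down "All Extended Rights" holders with Find-AdmPwdExtendedRights, and keep the credential viable for as short a time as possible by resetting ms-Mcs-AdmPwdExpirationTime right after a checkout) worked through with the AdmPwd.PS module, as an added example that is not part of the original post. The OU, group and computer names are placeholders; the module ships with the LAPS installer.

```powershell
# Added example (not from the original post). Assumes the AdmPwd.PS module from
# the LAPS download is installed on the admin workstation and the values below
# are replaced with your own OU, group and computer names (all placeholders).
Import-Module AdmPwd.PS

$OrgUnit         = 'OU=Workstations,DC=example,DC=test'   # placeholder OU
$PasswordReaders = 'EXAMPLE\Tier2-LAPS-Readers'           # placeholder group
# Principals that are expected to hold Control Access on ms-Mcs-AdmPwd here.
$ExpectedHolders = @('NT AUTHORITY\SYSTEM', 'EXAMPLE\Domain Admins', $PasswordReaders)

# 1. Find every principal holding extended rights on the OU tree and report any
#    that is not on the allow-list. Find-AdmPwdExtendedRights is the LAPS cmdlet
#    the post names; ObjectDN and ExtendedRightHolders are its output properties.
function Get-UnexpectedLapsReaders {
    param([string]$Identity, [string[]]$Allowed)
    Find-AdmPwdExtendedRights -Identity $Identity | ForEach-Object {
        $dn = $_.ObjectDN
        $_.ExtendedRightHolders |
            Where-Object { $Allowed -notcontains $_ } |
            ForEach-Object { [pscustomobject]@{ ObjectDN = $dn; UnexpectedHolder = $_ } }
    }
}

# 2. Delegate read and reset rights to the intended group only. Any holder found
#    in step 1 should have "All Extended Rights" removed from the OU ACL; LAPS
#    cannot compensate for an over-broad grant made elsewhere.
Set-AdmPwdReadPasswordPermission  -OrgUnit $OrgUnit -AllowedPrincipals $PasswordReaders
Set-AdmPwdResetPasswordPermission -OrgUnit $OrgUnit -AllowedPrincipals $PasswordReaders

# 3. Checkout workflow: read the password, then set the expiration time to "now"
#    so the client rotates it at its next Group Policy refresh instead of living
#    out the rest of the policy's expiration window. Reset-AdmPwdPassword only
#    writes ms-Mcs-AdmPwdExpirationTime; the computer itself changes the password.
function Get-LapsPasswordCheckout {
    param([string]$ComputerName)
    $entry = Get-AdmPwdPassword -ComputerName $ComputerName
    Reset-AdmPwdPassword -ComputerName $ComputerName -WhenEffective (Get-Date)
    [pscustomobject]@{
        ComputerName      = $entry.ComputerName
        Password          = $entry.Password
        OriginalExpiry    = $entry.ExpirationTimestamp
        RotationRequested = Get-Date
    }
}

Get-UnexpectedLapsReaders -Identity $OrgUnit -Allowed $ExpectedHolders | Format-Table -AutoSize
Get-LapsPasswordCheckout -ComputerName 'WS-PLACEHOLDER-01'
```

Note that the checkout function's Reset-AdmPwdPassword call only takes effect when the "do not allow Password Expiration Time longer than defined by policy" setting the post recommends is not fighting a longer value set by someone else; since "now" is always shorter than policy, it will be honoured.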

LAPS is just one part of a larger Credential Theft Mitigation and monitoring strategy, but an important one that you can implement for free. Hopefully this helps you on the way to a holistic security strategy.

Here are some links to the resources I talked about:

Pass the Hash Whitepapers:

https://microsoft.com/pth

Best Practices for Securing Active Directory:

https://aka.ms/bpsadtrd

Channel9 video on LAPS:

https://channel9.msdn.com/Blogs/Taste-of-Premier/Taste-of-Premier-How-to-tackle-Local-Admin-Password-Problems-in-the-Enterprise-with-LAPS

Blog posts on getting basic monitoring with Windows Event Forwarding in place and Tracking Lateral Movement:

http://blogs.technet.com/b/jepayne/archive/2015/11/24/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem.aspx

http://blogs.technet.com/b/jepayne/archive/2015/11/27/tracking-lateral-movement-part-one-special-groups-and-specific-service-accounts.aspx

Detailed LAPS auditing building upon Windows Event Forwarding:

http://blogs.technet.com/b/kfalde/archive/2015/11/18/laps-audit-reporting-via-wef-posh-and-powerbi.aspx

-Jessica "http://aka.ms/jessica" Payne @jepayneMSFT

(With a little editorial help and moral support from John Rodriguez and Aaron Margosis)


Top Support Solutions for System Center 2012 Service Manager

A list of links related to the most-frequently used solutions by Microsoft Support Engineers when customers experience issues related to System Center 2012 Service Manager.

New Video: The Best EMS Overview Available


Over the last year, the Enterprise Mobility Suite has grown at an unbelievable rate, and this explosive progress means that we have to work harder than ever to communicate clearly about how to use it, why it’s better than ever, and how it helps organizations all over the world do more.

In this new video, I talk in detail about the unique capabilities in EMS that allow you to manage and protect devices and corporate assets without compromising user experience. There are a ton of demos, scenarios, and background info on how and why we built these great new features.

I think you’ll be really impressed with what you see.

Coming soon: Support for new Windows 10 features, Apple VPP for Business, and more


We will be releasing the next service update for Microsoft Intune between January 6 and January 14. New features and enhancements will be made available as part of this service update including:

  • Support for new Windows 10 features:
    • You can now set an additional rule in the Compliance Policy for conditional access to require Windows 10 devices to be reported as healthy via the Health Attestation Service in order to access corporate data. Windows 10 devices will then be evaluated to ensure that the following items are enabled: BitLocker, code integrity, secure boot, early-launch antimalware (desktop only). In addition, you can view reports on Windows 10 health attestation data collected by Intune.
    • You can now set Microsoft Passport for Work policies (such as PIN or Windows Hello requirements) for Windows 10 devices enrolled in Intune as well as deploy certificates to Passport for Work container by specifying them as the Key Storage Provider in SCEP or PFX certificate profiles. Note: Microsoft Passport for Work policy is enabled by default, so all eligible Windows 10 and Windows 10 Mobile devices will have this policy enforced. Customers can choose to disable it, if needed.
    • You can now define a list of apps in a VPN profile for Windows 10, so that when an app from this list is launched, per-app VPN is triggered. In addition, you can lock the VPN connection to be only available for the apps defined on the list.
    • Additional policy settings for Microsoft Surface Hub devices can now be configured through the "General Configuration (Windows 10 Team and later)" template.
    • You can now perform a full remote wipe of Windows 10 desktop devices that are enrolled in Intune. Selective wipe of corporate data is already available in Intune.
  • Integration with Apple Volume Purchase Program (VPP) for Business: You can now sync, deploy, and track the installation of apps that were purchased through Apple VPP for Business in the Intune admin console.

  • Better support for corporate-owned device scenarios: You can now identify corporate-owned devices by pre-declaring their international mobile equipment identity (IMEI) numbers in the Intune admin console. When a device from the list is enrolled in Intune, it is automatically set as Corporate. If necessary, a more restrictive device policy can be deployed to corporate-owned devices.

  • Microsoft MyApps support: Users can now access the MyApps portal, a central hub for SaaS applications, directly from the Intune Managed Browser and take advantage of single sign-on to thousands of SaaS apps, self-service password reset, and more.

  • New setting for Android devices: You now have an option to configure the Smart Lock setting for Android 5.X devices in order to prevent users from bypassing the lock screen on devices enrolled in Intune.

  • Intune Company Portal improvements on iOS devices:
    • A checkmark now indicates the user’s current device.
    • Users can now choose which mail app (including Microsoft Outlook) they would like to use to send diagnostic reports to help desk or IT. Previously, only the native mail app could be used.
    • Support has been improved for devices that were enrolled through the Apple Device Enrollment Program (DEP).

The following new features were also recently released for customers using System Center Configuration Manager integrated with Intune (hybrid):

  • Conditional access based on the operating system version. Read more here. Note: This feature is also coming to Intune standalone (cloud only) soon.
  • Ability to deploy MSI apps to MDM managed Windows 10 devices. Read more here.

Also, as announced earlier, you can manage Office mobile apps using Intune Mobile Application Management (MAM) capabilities without requiring the device to be enrolled for management. You can view the full list of features being released to Intune standalone (cloud only) by visiting the what’s new in Intune page in the TechNet library. Additionally, you can view the list of features being released to System Center Configuration Manager integrated with Intune (hybrid) by visiting the what's new for MDM in Configuration Manager page in the TechNet library.

Additional resources:

Note: To see the specific timeframe for when your tenant will be updated, please visit the Microsoft Intune status page. You can identify the Service Instance that your Intune subscription is running on by opening your Intune administration console, clicking on the Admin tab and then selecting View Service Status. Your Service Instance will then be displayed at the top of the Intune Service Dashboard.

Navigating the Windows 10 Servicing Options


One of the biggest changes you are likely already seeing with Windows 10 is something we call the Windows distribution rings. These are the good kinds of rings (e.g. onion, Saturn, wedding), not the kind forged in the bowels of some evil mountain. I’m talking about the Windows Servicing Options.

Looking ahead, at any given time there are going to be multiple branches of the Windows code in the market, and you’ll even have multiple branches deployed within your organization. This will become normal (and not at all as complex as it may at first sound), but understanding what each branch does is very important. The authoritative source for definitions and details of the various Windows 10 servicing options can be found here. I recommend that you become super familiar with this blog and refer to it as you make decisions on which Windows branch to use in each scenario within your organization.

In this post, I’ll touch on the definitions of the servicing options and share some insight on how the individuals and devices in your organization can participate in all of the rings – as well as how you can manage all the servicing options via SCCM and EMS.

As we’ve worked on Windows 10 to define the overall strategy for how Windows will be delivered as a service, how to support multiple servicing options is something we have spent a lot of time discussing. We understand that the majority of Enterprise organizations are going to use ConfigMgr and EMS to manage Windows 10 devices, and we have significantly enhanced the capabilities of ConfigMgr to help you manage and report across the servicing options.

What are the Servicing Options and Why?

Let me start with the why.

I regularly get asked for advice on how to best keep Windows devices secure, reliable, and compatible. At Microsoft we have a pretty strong point-of-view on this: Your devices will be more secure, more reliable, and more compatible if you are keeping up with the updates we regularly release.

Most people I talk with generally agree with that point-of-view, but they still have concerns about whether or not their devices can handle all the updates without first rigorously verifying that the updates won’t break something. That process can, obviously, consume a ton of time. Some examples of devices in this type of scenario are PCs that operate in truly mission-critical roles (e.g. operating an assembly line or in an operating room). These mission-critical use cases are very different from the typical Information Worker scenarios where the devices get used for a lot of different activities and can therefore be more flexible.

In our mobile-first, cloud-first world, Information Workers expect (and, you could argue, insist) on having new value and new capabilities constantly flowing to them. Most of these workers have smart phones and regularly accept the updates to their apps from the various app stores. The iOS and Android ecosystems also release updates to the OS on a regular cadence.

With this in mind, making updates isn’t abnormal, and we are committed to continuously rolling out new capabilities to users around the globe – but we also understand that there are use cases where this simply doesn’t make sense. Windows is unique in that it is used in an incredibly broad set of scenarios – from a simple phone to some of the most complex and mission critical use scenarios in factories and hospitals. One size (and one servicing model) does not fit all of these scenarios.

To strike a balance between the needed updates for such a wide range of device types, there are four servicing options you will want to deeply understand.

  • Windows Insider Program
  • Current Branch (CB)
  • Current Branch for Business (CBB)
  • Long-Term Servicing Branch (LTSB)

Windows Insider Program

The Windows Insider program is where individuals who want to see the new innovations coming out as early as possible can sign up and receive regular updates – essentially directly from the Windows engineering team. Having millions of devices participating in this program and getting regular updates has been a wonderful part of building Windows 10. As soon as we think the new capabilities/features are ready to put in the hands of customer, we release it to the Insiders.

I am sure many (if not all of you) have said sometime in your career that you wished you had an early/inside view of the capabilities that would be coming out in the next version of Windows so that you could start preparing for them – this is exactly what the Insider program does for you. Insiders can see, months in advance, the capabilities being developed.

At any given time, we expect there to be >10M devices participating in the Windows Insider Program. This gives us early feedback on functionality as well as any compatibility issues that may surface.

Current Branch (CB)

As scenarios mature, and as our confidence in the capabilities/compatibility meets a specific bar, we move code to the Current Branch. The Current Branch is what we will be distributing through Windows Update to the hundreds of millions of consumer devices around the globe.

On a regular basis, consumers around the globe will have new functionality as well as core fixes in stability, reliability, and compatibility distributed out through the Windows Update solution that we all know so well.

Today, Windows Update services/updates close to 1 billion PCs each month. It is one of the most amazing services I have ever worked on. You will definitely have users/devices on this branch – it will be the most common branch you will see on BYO devices.

Windows devices being serviced from the Current Branch will be referred to as “serviced from CBs.”

Current Branch for Business (CBB)

This is the branch where many/most of your Information Workers’ CYO devices will ultimately end up. There will be hundreds of millions of devices running code in the CB before we classify the capabilities as ready for Current Branch for Business.

Consider this for a minute: hundreds of millions of devices will have been running the code that is in CBB for a few months and, through the telemetry coming in from CB, we will be able to see any issues and address them prior to the code moving into CBB. This is a huge benefit to every organization using this branch: All the telemetry coming in gives us a view of the reliability/stability of the new features, and this means IT can have confidence that what they’re deploying is stable and ready for use. Additionally, end users get a constant stream of new features – so it’s a win-win!

Windows devices being serviced from the Current Branch for Business will be referred to as “serviced from CBB’s.”

Long-Term Servicing Branch (LTSB)

For the mission-critical scenarios in which Windows devices will be used, we will release what we call Long-Term Servicing branches at the appropriate time intervals. Devices on these branches will receive the level of enterprise support expected for the mission critical systems and it will keep those systems more secure with the latest security and critical updates, while minimizing change by not delivering new features for the duration of mainstream or extended support.

Bringing it All Together

With this approach, you can enable innovations to roll out to your users and their devices at different speeds. It provides you with a tremendous amount of flexibility.

Now what you need is a way to see all of this in one view and get that all-up perspective. That is what ConfigMgr provides. In ConfigMgr we have delivered a dashboard (see below) and the ability to see an all-up status in one place. I know that many of you already use the ConfigMgr reports as a part of your security and compliance efforts – but now I believe it’s important for you to have that same kind of report across these servicing options. With ConfigMgr you can now aggregate all of this together.

Here are some screenshots of what is coming:

[Screenshot of the ConfigMgr servicing dashboard; image not included in this extract]

In terms of suggestions/guidance, this is where I think many of you will want to go:

  • Windows Insiders Program
    Take a few of your organization’s technology enthusiasts and have their primary device participate in the Insiders Program. This could be your architects, or it could be individuals in IT who have been the most active participants over the years in the TAP and beta programs. You want to have some of your thought leaders getting that super early view of what is coming. This will also give you the opportunity to have some of your apps in very early compatibility testing as these users do their daily work.
  • Current Branch
    If you are enabling BYO, the majority of your users’ BYO devices are going to be on this branch. If you are not enabling BYO, you will want to identify a set of users who like being the first to use something new and then have them on this branch. You could take an approach where you have a handful of users from each of the major departments (engineering, sales, marketing, etc.) on the consumer branch to test its widespread applicability. If you do this, you are going to have a set of users/devices validating that the core apps work (a form of real-world compatibility testing) across all the departments.
  • Current Branch for Business
    This is where the majority of your Information Workers devices will reside. I expect that they will love the continuous flow of new capabilities. The fact that you have had individuals participating in the Insider Program and Consumer Branch will provide a level of confidence for compatibility and stability before you roll these updates out to any user.
  • Long Term Servicing Branch
    Identify the devices that are mission critical or have more strict regulations around change (a stock traders desktop, a PC being used in pharmaceutical trials, etc.) and group those devices here.

ConfigMgr is going to enable you to have the dashboard to approve and monitor what is happening across the servicing options. A big part of what is enabling this is the additional business capabilities we are building into Windows Update, e.g. we announced Windows Update for Business in May 2015.

I have been leading the ConfigMgr team since 2003, and my philosophy (and the view of Microsoft) is that we want to deliver increasingly rich capabilities in our platforms and then provide more granular and detailed management capabilities through solutions like ConfigMgr and EMS. This is exactly the case with Windows Update for Business. The Windows Update for Business capabilities will be integrated into ConfigMgr just like WSUS has been integrated into ConfigMgr. As you read about Windows Update for Business capabilities, they will be exposed through ConfigMgr.

ConfigMgr will continue to be that single pane of glass for all your updates – both Microsoft updates and our partners’ updates.

Windows 10 brings an incredible amount of flexibility to how you want to flow innovation out to your users and devices. I believe we have tackled this in the right way. We are hoping you will enable the updates to flow to your devices as quickly as possible, and we believe that, as you do this, your devices will be performant, secure, reliable, and compatible.

This is how we see working together moving forward: We are updating the tools you use today to enable this flexibility with the skills and knowledge you already have.


Troubleshooting Work Folders on Windows client


Work Folders syncs files between client and server. Although most issues are discovered by users, the root cause could be on the server, the client or the network. This blog post shares the most common problems customers have reported, and some troubleshooting techniques on Windows devices.

Setup

When a user sets up Work Folders using the Control Panel app, any issues encountered will be shown in the UI. Some common issues are:

  • Work Folders path cannot be encrypted: If the admin requires the files to be encrypted on the client, Work Folders will try to encrypt the folder it creates. If the encryption fails, the user will see the failure and be asked to use a different path. A few examples:

    • If the folder handle is opened, encryption will fail.

    • If the folder is on a USB drive, and the drive is not supporting encryption.

    • There is an existing Work Folders folder, and the folder is encrypted by other keys.

    • If the device is domain joined, you may also search (then fix) expired/revoked certificate in the “Default Domain Policy”, that can prevent encryption on the client.

  • Password enforcement failure: The password policy is also an admin configuration on the server, and it is enforced on the client. The user must be an admin on the client machine for the policy to be enforced.

    • However, it is not common for a user to have local admin rights on domain-managed machines. To exempt domain devices from the password policy, the admin must configure the domains to be excluded by using the Set-SyncShare cmdlet and specifying the PasswordAutolockExcludeDomain list. For example (replace the placeholders with your sync share name and the domain to exclude):

 Set-SyncShare -Name <SyncShareName> -PasswordAutolockExcludeDomain <DomainName>

    • Password enforcement is done using the EAS engine in Windows. It requires that the user can change the password on the device. In Windows 10, the EAS engine has changed such that all users (including local user accounts) on the device can change their password. You can find more details here (note that the Mail app also uses the EAS engine to enforce the password policy).

  • Access Denied:

    • Mirrored account: This usually happens in testing, when the device is connected to the corpnet and logged on with a local account, and there is a domain account with the same user name as the local account. Windows may try to authenticate with NTLM and not prompt for the domain user credential (note: if you are logged on with a device local account, you should be prompted for domain credentials). In this case, setup fails.

    • Windows 10 specific: This issue existed in some pre-release builds of Windows 10 and in TH1; it is fixed in the Windows 10 TH2 release. In some setups, the following registry key is missing: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager. There is no good workaround for this; we recommend getting the TH2 build, which has the fix in it.

Sync

Both the encryption and password enforcement errors described above can also happen during sync, if the admin turns on the policy after the user has already set up Work Folders. On each sync, the client checks for policy changes and applies them if necessary.

For client errors, it is always good to start with the message displayed in the Control Panel. The list below describes some common errors shown on the client:

  • Require credential: This is more common if the admin has configured ADFS for authentication. How often the user must re-enter credentials is defined by the ADFS token lifetime; the configuration is in ADFS. On Windows 8.1 or below, if the device is Workplace Joined, the token lifetime is 7 days by default. On Windows 10, it extends to 42 days. For non-Workplace Joined devices, the token lifetime is 8 hours.

  • Key revoked: This happens when the encryption key was revoked by either the admin or the user. There are multiple ways to trigger key revocation:

    • The admin chooses to wipe a device.

    • The user removes the device from Intune management (or from another MDM app, if it supports key revocation).

    • The user removes the corporate email account from the device.

    • Work Folders is configured on an external drive, and the drive is connected to a different machine. The encryption key is tied to a device; once the folder is configured on one device, you can't simply move it to another device and read it.

    • PC refresh: If the device is clean installed, the encryption key is deleted, and the data can no longer be decrypted.

  • Conflict files: When the same file is modified on different devices, a conflict file is generated at the next sync. Work Folders determines the winner by the last write timestamp. The winner keeps the file name; the loser is renamed by appending a device name to the file name, and the device name indicates where the conflict was created. Some known examples:

    • The user changes a file on one device without closing it, so the file does not sync to the server, then goes to another device and changes the file there. When both files are closed and synced, there will be a conflict.

    • IE favorites: IE changes the favorite links periodically; although there is no content change, sync detects the change and creates a conflict. In Windows 10, Work Folders has optimized this by comparing content: if the file is truly identical, no conflict is generated.

    • Server data restore: If the server lost the sync metadata database, client and server need to compare their file sets to determine what to sync. During this reconciliation, any differences found between the client and the server generate conflicts.

  • File types excluded from sync: Work Folders optimizes sync by excluding temp files and a few files specific to the device itself. The files excluded from sync are thumbs.db, desktop.ini and temp files (most temp files seen by Work Folders come from Office applications).

     

Client upgrade

When upgrading from Windows 7 to Windows 10, ensure the Windows 7 client has KB 3081954 installed; otherwise the device loses its sync partnership with the server after the upgrade. The user is not notified of any errors (since Work Folders will show as not installed on the device). If the user did not have the KB installed before the upgrade, he/she will need to re-configure Work Folders after the upgrade.

When upgrading from Windows 8.1 to Windows 10 using USMT, the Work Folders link in File Explorer may not work after the upgrade. To fix this, the user simply opens Control Panel -> Work Folders; this triggers the service to reload the partnership and fixes the link to the Work Folders path in File Explorer.

Event logs

Work Folders event logs are stored under Applications and Services -> Microsoft -> Windows -> Work Folders. The logs under the Operational folder should be examined. The ManagementAgent logs are used to drive the notification center and can be ignored.
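As an added example (not code from the original post), here is a PowerShell check covering the two points above: on a Windows 7 client it verifies that KB 3081954 is present before a Windows 10 upgrade, and it pulls recent errors from the Work Folders Operational channel. The channel name Microsoft-Windows-WorkFolders/Operational is assumed to be the Operational folder shown under Applications and Services -> Microsoft -> Windows -> Work Folders.

```powershell
# Added example, not part of the original post. Run elevated on the client.
# Assumption: the Operational folder in Event Viewer corresponds to the
# channel 'Microsoft-Windows-WorkFolders/Operational'.

function Test-WorkFoldersUpgradeReadiness {
    [CmdletBinding()]
    param(
        # KB the post requires on Windows 7 so the sync partnership survives the upgrade
        [string]$RequiredKB = 'KB3081954',
        # How far back to look for Work Folders errors
        [int]$LookbackHours = 24
    )

    $os = [Environment]::OSVersion.Version
    $result = [ordered]@{
        ComputerName      = $env:COMPUTERNAME
        OSVersion         = $os.ToString()
        RequiredKB        = $RequiredKB
        RequiredKBPresent = $false
        RecentErrors      = @()
    }

    # The KB prerequisite only matters on Windows 7 (6.1); elsewhere report it as satisfied.
    if ($os.Major -eq 6 -and $os.Minor -eq 1) {
        $result.RequiredKBPresent = [bool](Get-HotFix -Id $RequiredKB -ErrorAction SilentlyContinue)
    } else {
        $result.RequiredKBPresent = $true
    }

    # Only the Operational channel is worth reading; ManagementAgent just feeds the notification center.
    $filter = @{
        LogName   = 'Microsoft-Windows-WorkFolders/Operational'   # assumed channel name
        Level     = 2                                            # 2 = Error
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $result.RecentErrors = @($events | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Message = ($_.Message -split "`n")[0]   # first line only, for a compact summary
        }
    })

    [pscustomobject]$result
}

# Usage: run before the upgrade, or when a user reports a sync error in the Control Panel.
$readiness = Test-WorkFoldersUpgradeReadiness
if (-not $readiness.RequiredKBPresent) {
    Write-Warning "$($readiness.RequiredKB) is missing; install it before upgrading, or the sync partnership will be lost."
}
$readiness.RecentErrors | Format-Table -AutoSize
```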

Traces

If the problem is not covered by any of the above or the resources below, you will need to contact Microsoft CSS, who can guide you through capturing debug traces for further investigation.

Resources

The TechNet wiki is also updated periodically as issues are reported:

http://social.technet.microsoft.com/wiki/contents/articles/tags/Work+Folders/default.aspx

If you want to learn more about Work Folders, I’d recommend the following list of blogs:

http://blogs.technet.com/b/filecab/archive/tags/work+folders/default.aspx

There are also good TechNet articles on Work Folders here:

https://technet.microsoft.com/en-us/library/dn265974.aspx

Podcast: Navigating the Windows 10 Servicing Options


In this podcast, we look at the important topic of how/why Windows 10 is changing (for the better!) the way we handle deployment and management in the enterprise.

This is a topic I covered in depth in yesterday’s blog post, and this discussion expands on that overview.

To dive into the entire "Windows 10 + EMS & ConfigMgr" series, visit aka.ms/DeployWin10.

 

As noted yesterday, most people I talk with generally agree that your devices will be more secure, more reliable, and more compatible if you are keeping up with the updates we regularly release. Even though they agree with this in principle, they still have concerns about whether or not their devices can handle all the updates without first rigorously verifying that the updates won’t break something. That process can, obviously, consume a ton of time. Some examples of devices in this type of scenario are PCs that operate in truly mission-critical roles (e.g. operating an assembly line or in an operating room). These mission-critical use cases are very different from the typical Information Worker scenarios where the devices get used for a lot of different activities and can therefore be more flexible.

In our mobile-first, cloud-first world, Information Workers expect (and, you could argue, insist) on having new value and new capabilities constantly flowing to them. Most of these workers have smart phones and regularly accept the updates to their apps from the various app stores. The iOS and Android ecosystems also release updates to the OS on a regular cadence.

With this in mind, making updates isn’t abnormal, and we are committed to continuously rolling out new capabilities to users around the globe – but we also understand that there are use cases where this simply doesn’t make sense. Windows is unique in that it is used in an incredibly broad set of scenarios – from a simple phone to some of the most complex and mission critical use scenarios in factories and hospitals. One size (and one servicing model) does not fit all of these scenarios.

To strike a balance between the needed updates for such a wide range of device types, there are four servicing options you will want to deeply understand.

  • Windows Insider Program
  • Current Branch (CB)
  • Current Branch for Business (CBB)
  • Long-Term Servicing Branch (LTSB)

Read more about this on the post “Navigating the Windows 10 Servicing Options.”

Backup and Restore DHCP with Failover Configuration

[This post comes to us courtesy of Vithalprasad Gaitonde from Product Group and Gopalakrishnan Krishnan from Global Windows Networking Support] The DHCP service has evolved with its own in-built failover capability starting with Windows Server 2012. With this...(read more)

Five things you should know about cloud security


By contributing author, Tim Rains, Chief Security Advisor of Microsoft’s Enterprise Cybersecurity Group

Security threats continue to dominate the news cycle today. As more companies move to the cloud, privacy and transparency are also hot topics in the news. The result: organizations are increasingly weighing the benefits of new, cloud-based opportunities against the corresponding risks and mitigation costs.

Microsoft is committed to providing a cloud you can trust. We believe there are five critical areas you need to know about cloud security:

  1. Security options and capabilities available in the cloud
  2. Maintaining privacy and control of your data
  3. Addressing industry compliance rules
  4. The need for transparency and visibility into how your data is stored and protected
  5. Taking advantage of hybrid options without sacrificing the benefits of the cloud

To help you understand how the cloud offers security and privacy controls that are likely better than those your organization uses on-premises, I’ll be offering a webinar that covers these five critical areas, and offers tools and strategies on everything from encryption considerations, including encryption at rest and in transit; physical data center security, and platform security. I’ll also cover privacy and data control topics including where your data is physically housed and how long a provider can keep your data after you decide to leave a service. I’ll also address how to work through industry compliance questions, hybrid options (for data you decide not to move to the cloud), and the level of transparency you should expect from your provider. I hope you’ll join me.

The “Cloud security: 5 things you need to know” webinar will be held on January 12, 2016. Registration is now open. Register now!

Support Tip: Microsoft Azure Backup job fails with irrecoverable error (0x086C8)


~ Sekar Raju

Hi everyone, Sekar Raju here from the Microsoft DPM and Azure Backup team with a quick support tip for you. When attempting an Azure backup, you may experience a problem where the backup job fails with the following symptoms:

  • In Microsoft Azure Backup, you have a backup job that fails with the following error:

Backup has encountered an irrecoverable error. Contact Microsoft Support for further assistance. (0x086C8)

The Error tab on the Job Details dialog will also contain the following:

Job failed with error (Operation failed.(0x086C8)

  • The CloudBackup Event Log contains an Event ID 11 similar to the one below:

Log Name:      CloudBackup
Source:           CloudBackup
Date:             
Event ID:         11
Task Category: None
Level:              Error
Keywords:     
User:              SYSTEM
Computer:     
Description:
The description for Event ID 11 from source CloudBackup cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:

84d3f434-df64-4595-af6e-xxxxxxxxxxxxBackupAborted

1308740310939xxxxx1308740393522xxxxx
34504-2146233088(or)2137452629DLS_ERROR_CODE_NAME
34504
__ErrorSource__
Service/None/Client

AbortedPreparingMedia

  • The following exception appears in CBEngine.log:

12E4        1488                71        prepunmanagedutils.h(120)                84D3F434-DF64-4595-AF6E-F7A271EC0581        WARNING        Error occurred, DlsErrorCode - 34504, Exception - FMException: [ErrorCode:SalMetadataVhdCorrupt, DetailedCode:0, Source:Service/None/Client, Message:Corruption is detected. FMException: [ErrorCode:SalMetadataVhdCorrupt, DetailedCode:0, Source:None, Message:Corruption is detected.]

To fix this problem, install the latest version (2.0.9022.0 or later) of the Microsoft Azure Recovery Services Agent. Here are the steps:

  1. Close the Microsoft Azure Backup snap-in if it is still running.
  2. Download and install latest Microsoft Azure Recovery Services Agent from here.
  3. Launch the Microsoft Azure Backup snap-in.
  4. Manually start the backup job by clicking the Back up Now option, or optionally wait for the scheduled backup job to start and complete.
  5. If the backup job you started in step 4 fails, manually start the backup job one more time or wait for the next scheduled backup job to start and complete. Sometimes the first backup with the new agent fails with the same error, but subsequent backup jobs complete successfully.

Hope this helps!

Sekar Raju | Senior Support Engineer | Microsoft


Azure AD Mailbag: PowerShell tips and tricks

Howdy folks, It's Friday, so it's time for another Azure AD Mailbag. This time Mark and the team have pulled together some great tips and tricks for using Azure AD with PowerShell. I hope this is helpful. If you have questions make sure to...(read more)

Does your win 8.1 /2012 R2/win10 logon hang after a password change?


Hi, Linda Taylor here, Senior Escalation Engineer from the Directory Services team in the UK.

I have been working on this issue, which seems to be affecting many of you globally on Windows 8.1, 2012 R2 and Windows 10, so I thought it would be a good idea to explain the issue and workarounds while we continue to work on a proper fix.

 

The symptoms are such that after a password change, logon hangs forever on the welcome screen:


 

How annoying….

 

The underlying issue is a deadlock between several components including DPAPI and the redirector.

 

Why does it happen?

So far we have seen this issue in the following circumstances (always after a password change/reset which is done somewhere other than the user's machine, i.e. on the DC or in a portal):

1. If the user has a home drive which maps to a DFS like path for example: \\contoso.com\homefolders\user1

OR

2. If the following GPO is applied:

Computer configuration\administrative templates\Windows Components\File Explorer\ “Set a default associations configuration file”

and the XML file is stored on a DFS-based path, for example \\contoso.com\netlogon

OR

3. If you use GPP to map drives during logon to a DFS path like \\contoso.com\someShare

This issue happens due to a deadlock between DPAPI, Credential manager and the Redirector (RDR).

 

It goes like this…

1. When the user logs on, the profile service tries to map the network home folder to \\contoso.com\...

2. To do this, a call is created in RDR, and this requires an SMB session setup to dcname.contoso.com.

3. The SMB session setup requires a security blob to authenticate with the target server, which is the DC.

4. To create the security blob, Kerberos checks saved credentials by calling DPAPI.

5. DPAPI cannot decode the saved credential because the master key is not available (the user's password was reset on the DC), so it needs to query the DC for a master key. This requires a named pipe call to \\dcname.contoso.com\IPC$\protected_storage.

6. To connect to this named pipe, RDR finds it is the same as the previous call in step 2 (same FQDN DC name \\dcname.contoso.com), so the session setup is queued…

7. The Kerberos thread hangs forever, and the profile service hangs forever until a reboot.

8. After the reboot, the user still cannot log on, with the same symptom. (Note: a different user CAN log on.)

 

The problem occurs on client computers with Windows 8.1, Windows 10 and also Windows Server 2012 R2 (for example RDS scenario).

The problem occurs most frequently after an admin password reset that happened elsewhere (not on the client computer the user is logging on to), but it can also occur when the password change is not recent, if the user is logging on to a machine where the cached credentials are old and they changed their password on some other machine some time ago.

 

 

So, what can you do to get out of this problem?

 

There are several options for working around the issue:

1. If you have the mentioned policy – move the XML to some file share which is not DFS based and is not on a DC.

2. Assuming no one wants to change home drive paths because there are many users and it’s a hassle, the other option is to disable Credential Manager and clear the cached credentials.

When there are no entries in Credential Manager, there is no reason to access the DC to refresh the keys, so the deadlock does not occur.

This could be done by disabling this policy:

https://technet.microsoft.com/en-us/library/jj852185.aspx

3. Dig your way out by connecting to the machine remotely and deleting the entry under C:\Users\\AppData\Roaming\Microsoft\Protect\[Problem Users SID].

Note if there is a roaming profile you can also delete this entry on the profile server and it works. This is because the profile is downloaded before the drive mapping takes place.

4. Another (not so great) option is to boot the PC without any network cable and log on with the old password. Then connect it back.

Some history:

 

This issue also has a long history, and other variants of this deadlock were fixed before. See the list of related fixes below:

 

Related previous fixes for Windows 8.1 and Windows Server 2012 R2 (KB number, followed by the x64 file versions of dpapisrv.dll and lsasrv.dll):

KB 3101183: “You can't log on to a domain-joined computer in Windows 8.1 or Windows Server 2012 R2”
https://support.microsoft.com/en-us/kb/3101183
Released in October 2015. Note: this is the latest but does not resolve this variant of the issue.
DPAPISRV.dll 6.3.9600.18088
LSASRV.dll 6.3.9600.18088

KB 3038562: Cannot access DPAPI data after an administrator resets your password on a Windows Server 2012 R2-based domain controller
http://support.microsoft.com/kb/3038562/EN-US
Dpapisrv.dll 6.3.9600.17707
Lsasrv.dll 6.3.9600.17415

 

The prerequisite for 3101183 and 3038562 is the April 2014 update:

KB 2919355: Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 Update: April 2014
http://support.microsoft.com/kb/2919355/EN-US
-> This contains the Windows 8.1 version of KB2927267, “You cannot log on to Windows after the admin changes your password” (https://support.microsoft.com/en-us/kb/2927267), which updates LSASRV.dll to 6.3.9600.17042.

There are no previous fixes for Windows 10.

 

There are also related past fixes for similar deadlocks in Windows 8 (KB number, followed by the x64 file versions of dpapisrv.dll and lsasrv.dll):

KB 3084956: You can‘t log on to a domain-joined computer in Windows 8 or Windows Server 2012
http://support.microsoft.com/kb/3084956/EN-US - Released September.
(NOTE: This is the Windows 8 equivalent of KB3101183.)
DPAPISRV.dll 6.2.9200.21645
LSASRV.dll 6.2.9200.21582

KB 3049843: You cannot access DPAPI data after an administrator resets your password on a Windows Server 2012-based domain controller
https://support.microsoft.com/en-us/kb/3049843
Dpapisrv.dll 6.2.9200.21442

KB 2927267: https://support.microsoft.com/en-us/kb/2927267
Lsasrv.dll 6.2.9200.20931

 

 

Finally, Microsoft is actively working on fixes for Windows 8.1 / WS 2012 R2 and Windows 10 TH2 for the current issue described above. I will share the release dates and article numbers once known. If you experience this issue, please ensure you have all of the above fixes in place, use the workarounds noted above, and keep an eye out for updates to this blog.
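As an added example (not code from the original post), here is a PowerShell check that tells you whether the fixes listed above are present on an affected Windows 8.1 / Server 2012 R2 or Windows 8 / Server 2012 machine, by comparing the installed dpapisrv.dll and lsasrv.dll file versions with the minimum versions from the list. It assumes the DLLs are in the standard System32 location and that the script runs elevated.

```powershell
# Added example, not part of the original post. Run elevated on the affected client.
# Assumption: dpapisrv.dll and lsasrv.dll live under %SystemRoot%\System32.

function Get-DpapiFixStatus {
    [CmdletBinding()]
    param(
        [string]$System32 = (Join-Path $env:SystemRoot 'System32')
    )

    # Minimum x64 file versions from the post, keyed by the DLL's own major.minor:
    # 6.3 = Windows 8.1 / Server 2012 R2 (KB3101183), 6.2 = Windows 8 / Server 2012 (KB3084956).
    $required = @{
        '6.3' = @{ KB = 'KB3101183'; 'dpapisrv.dll' = '6.3.9600.18088'; 'lsasrv.dll' = '6.3.9600.18088' }
        '6.2' = @{ KB = 'KB3084956'; 'dpapisrv.dll' = '6.2.9200.21645'; 'lsasrv.dll' = '6.2.9200.21582' }
    }

    $versions = @{}
    foreach ($name in 'dpapisrv.dll', 'lsasrv.dll') {
        $info = (Get-Item -LiteralPath (Join-Path $System32 $name)).VersionInfo
        # Build a comparable Version from the numeric parts; the FileVersion string may carry a build-tag suffix.
        $versions[$name] = New-Object System.Version($info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart, $info.FilePrivatePart)
    }

    # Derive the OS family from the DLL itself rather than from the OS version reported to the process.
    $family = "$($versions['dpapisrv.dll'].Major).$($versions['dpapisrv.dll'].Minor)"
    if (-not $required.ContainsKey($family)) {
        # Windows 10 (10.0) has no previous fix per the post; anything else is out of scope here.
        return [pscustomobject]@{ OSFamily = $family; Applicable = $false; AllPresent = $false; Files = @() }
    }

    $files = foreach ($name in 'dpapisrv.dll', 'lsasrv.dll') {
        $minimum = [version]$required[$family][$name]
        [pscustomobject]@{
            File      = $name
            Installed = $versions[$name]
            Minimum   = $minimum
            FixKB     = $required[$family].KB
            HasFix    = ($versions[$name] -ge $minimum)
        }
    }

    [pscustomobject]@{
        OSFamily   = $family
        Applicable = $true
        AllPresent = (@($files | Where-Object { -not $_.HasFix }).Count -eq 0)
        Files      = $files
    }
}

# Usage
$status = Get-DpapiFixStatus
$status.Files | Format-Table -AutoSize
if ($status.Applicable -and -not $status.AllPresent) {
    Write-Warning "One or more of the listed fixes is missing; install $($status.Files[0].FixKB) and its prerequisite before relying on the workarounds above."
}
```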

 

Linda Taylor.

Does your logon hang after a password change on win 8.1 /2012 R2/win10?


Hi, Linda Taylor here, Senior Escalation Engineer from the Directory Services team in the UK.

I have been working on this issue, which seems to be affecting many of you globally on Windows 8.1, 2012 R2 and Windows 10, so I thought it would be a good idea to explain the issue and workarounds while we continue to work on a proper fix.

The symptoms are such that after a password change, logon hangs forever on the welcome screen:


How annoying….

The underlying issue is a deadlock between several components including DPAPI and the redirector.

For full details of the issue, workarounds and related fixes, check out my post on the ASKPFEPLAT blog here: http://blogs.technet.com/b/askpfeplat/archive/2016/01/11/does-your-win-8-1-2012-r2-win10-logon-hang-after-a-password-change.aspx

I hope this helps,

Linda

Still seeing large EventParameter tables after applying the latest Update Rollup for Microsoft Operations Manager? Here’s the fix.


Last year, an issue with Operations Manager DataWarehouse event grooming was discovered that was addressed in Microsoft System Center 2012 R2 Operations Manager Update Rollup 7 (OpsMgr 2012 R2 UR7). This was an issue where dependent tables were not being groomed:

In a database, the grooming of certain MT$X$Y tables were missed because of the filtering logic, therefore the tables were never groomed.

In Data Warehouse, the grooming of certain tables was missed occasionally because current logic expects the rows to be returned in a certain order.

What’s important to note about this fix in UR7 is that it simply prevented the issue from continuing. It did not delete any orphaned data that was already in the EventParameter tables.  Because of this, you may still be seeing large EventParameter tables in your environment. If so, Microsoft’s own Nicole Welch has a great blog post where she’ll tell you how to get this cleaned up:

SCOM 2012 - Large Event.Parameter Table(s)

J.C. Hornbeck | Solution Asset PM | Microsoft


System Center 2016 Technical Preview 4 Recap


~ Bala Rajagopalan, Group Program Manager

As Mike Neil noted in his blog post, Windows Server (WS) 2016 brings cloud-born technologies to your datacenter. System Center (SC) 2016 is the perfect companion for managing this infrastructure and monitoring the associated workloads. If you are already using SC 2012 R2, upgrading to SC 2016 will provide enhanced value in client and server configuration, virtualization management, infrastructure and application monitoring, service management, and automation.

While SC 2016 will deliver significant feature enhancements in various areas, the particular focus is on the following:

Fundamentals: Ease of deployment, usability, and performance are fundamental to enhancing your operational experience with System Center. SC 2016 focuses on improving these fundamentals across various SC components. The improvements to SC 2012 R2 that were already delivered via various Update Rollups (URs) will also be available in SC 2016.

Support for Windows 10 and WS 2016 deployments: Deployment and management of Windows 10 devices is a key goal of SC Configuration Manager (CM). Furthermore, both SCCM and SC Virtual Machine Manager (VMM) will fully support the management of WS 2016 deployments and virtualization capabilities. SC Operations Manager (OM), in conjunction with WS 2016 Software-Defined Networking (SDN), will provide new network monitoring capabilities. It will also ease the development and deployment of management packs in support of WS 2016 deployments.

Attach to Microsoft Operations Management Suite (OMS) : SC 2016 will start providing native integration with OMS – a set of cloud-based services that would complement and extend SC functionality to give you new analytics, correlation, orchestration, archival, and hybrid management capabilities. With SC and OMS, you can use System Center – with its rich set of capabilities and familiar operations – on-premises, while tapping into OMS as needed for extended capabilities that rely on the power of the cloud. The integration of SC and OMS will be a continuous process starting with SC 2016 and extending beyond.

Technical Preview (TP) 4 reflects the above focus of SC 2016. A component-wise summary of the key capabilities in SC 2016 TP4 is given below (the links will take you to product pages that provide additional details).

System Center component, with the features available in System Center 2016 TP4:

Operations Manager

  • Updates and Recommendations of MPs
  • Monitoring of Nano Server
  • Suspend Monitoring using Maintenance Schedules
  • Extending OM to OMS

Configuration Manager

  • Mobile Device Management – feature parity with Intune Standalone
  • Integration with Windows Update for Business
  • Certificate provisioning for Windows 10 devices.

Service Manager

  • New HTML5 Self Service Portal
  • Support for Lync 2013 & Skype for Business
  • Performance enhancements
    • Faster AD connector Sync
    • Grooming improvements for ECL logs
    • Reduction in incident workflow lag
    • Integrated ADGroupExpansion Workflow into AD connector
  • Built on .Net4.5
  • Support for SQL AlwaysOn installation

Virtual Machine Manager

  • Management of guarded hosts and shielded VMs
  • Compute
    • Rolling OS upgrade of cluster nodes
    • Managing mixed OS clusters
    • Streamlined compute and storage cluster creation
  • Networking
    • Consistent naming of virtual network adapters as seen by the guest operating system
    • Simpler and reliable methods for applying network settings consistently to hosts
    • Create VM networks with or without VLANs and with or without network virtualization
    • Create logical switches and apply them to Hyper-V hosts running Windows Server Technical Preview
  • Storage
    • End-to-end Quality of Service (QoS) for storage
    • Support for storage tiers
    • Support for Storage Spaces Direct
  • Virtual machines
    • Change the static memory configuration of a running virtual machine
    • Add or remove a virtual network adapter to or from a running virtual machine
    • New options for creating virtual machine checkpoints
  • Add Azure Subscription and perform basic actions on Azure instances

Data Protection Manager

  • Protection of data sources in mixed-mode clusters
  • Resilient change tracking (RCT)
  • Backup VMs that use Storage Spaces Direct
  • Backup Virtual TPM enabled VMs

If you are yet to try out SC 2016 TP 4, please visit https://www.microsoft.com/en-us/evalcenter/evaluate-system-center-technical-preview.

The TechNet documentation for SC 2016 TP 4 is available at https://technet.microsoft.com/en-us/library/dn997272.aspx.

If you have any questions on SC 2016 TP4, you can post it at the SC social forum.

Looking forward to hearing from you on your experiences with SC 2016 TP4.

Bala Rajagopalan | Group Program Manager | Microsoft



Remote Desktop Protocol (RDP) 10 AVC/H.264 improvements in Windows 10 and Windows Server 2016 Technical Preview


Hello Everyone, this is Jeroen van Eesteren from the Remote Desktop team. I am writing you today to let you know about the graphics remoting enhancements we made to the Remote Desktop Protocol (RDP) version 10 which shipped with the Windows 10 1511 update and the Windows Server 2016 Technical Preview 4, both released in November 2015. But first, let me provide some background and a brief history on why we made these improvements.

Graphics Remoting challenges

Monitor resolutions continue to increase significantly; today larger resolutions such as 1440p and 4K are common. The increase in resolution presents a challenge for graphics remoting protocols, as there are more pixels to encode on the server and more bandwidth is required to transfer the encoded pixels over the network. In addition, the demand for a rich and fluid graphics experience in remoting scenarios has increased because more graphics-intensive applications are being used. For example, with Windows Server 2016 Technical Preview we now enable OpenGL applications in RemoteFX vGPU scenarios, which enables support for additional high-end engineering design applications that use OpenGL.

RDP and AVC/H.264

The graphics compression (codec) standard which has been used by RDP for a couple of releases is the ITU-T H.264 codec (also known as MPEG-4 AVC (Advanced Video Coding)). The benefit of this codec is that it is widely available in hardware, so that CPU-intensive encoding and decoding can be offloaded to a separate hardware block. With RDP 8, we introduced RemoteFX Media Streaming, which uses AVC/H.264 to remote video content detected on the server. RemoteFX Media Streaming replaced Multi Media Redirection (MMR). Note: MMR is now completely removed from RDP 10, given that RemoteFX Media Streaming works for all types of video content whereas MMR worked only for some. More details can be found here. With RDP 8.1 we introduced an AVC/H.264 mixed mode which, in addition to using RemoteFX Media Streaming, extended AVC/H.264 support to images as well, while text is compressed using a proprietary codec. This mode is used by Windows RT devices running Windows 8.1 and some 3rd-party RDP implementations.

With RDP 10 we are now taking AVC/H.264 support a step further with the introduction of full-screen AVC 444 mode.

Introducing the AVC 444 mode

The main challenge to using AVC/H.264 as the one and only codec in Remote Desktop scenarios is that text shows a halo effect with typical implementations of AVC/H.264. This is caused by the color conversion process that happens as part of the compression, which throws away some of the chrominance information, as represented in the 4:2:0 format. To the human eye the lack of chrominance information is not as apparent with video content; however, in Remote Desktop scenarios, where mostly text is shown, it is noticeable and users perceive it as blurry. The AVC/H.264 standard defines the capability to use the 4:4:4 format, which doesn’t lose the chrominance during conversion; however, this typically isn’t part of most AVC/H.264 hardware encoder and decoder implementations and thus poses a challenge. To show the difference between 4:4:4 and 4:2:0, please see the following image, which shows easily noticeable differences:


As part of the AVC 444 mode in RDP 10 we solved the challenge of getting 4:4:4 quality text with 4:2:0 hardware encoders/decoders. In addition, with the AVC 444 mode we were able to improve the frame throughput significantly; for example, at 1440p we can achieve consistent frame rates of up to 50 fps on standard hardware.

AVC 444 and AVC/H.264 Hardware Encoders / Decoders

With the Windows Remote Desktop client (MSTSC.EXE), the AVC 444 mode automatically uses the AVC/H.264 hardware decoder if one is available through the Windows DirectX Video Acceleration (DXVA) API. In addition, the GPU must be DirectX 11.0 capable, and the H.264 hardware decoder must support Level 4.1 and BT.709 full-range color conversion. If the resolution of the remote session exceeds the capability of the hardware decoder, software decoding is used instead.

The RDP server can take advantage of any AVC/H.264 hardware encoder exposed in Windows as a Media Foundation Transform, and is therefore not dependent on a particular hardware vendor.

In which RDP 10 Remote Desktop scenarios is the AVC 444 mode available?

Today, the AVC 444 mode is enabled by default for all RemoteFX vGPU scenarios that use RDP 10 on Windows Server 2016 Technical Preview 4. The built-in Windows 10 Remote Desktop client (MSTSC.EXE) is currently the only client that supports AVC 444, but we are planning to add this mode to our other Remote Desktop clients for Mac OS X, Android, iOS, the Universal Windows Platform (UWP) and Windows Phone in the future as well.

What about Windows N and KN SKU’s where the AVC/H.264 codec is not available?

To use the AVC/H.264 codec on Windows 10 N and KN editions, you have to download the Media Feature Pack for N and KN versions: https://www.microsoft.com/en-us/download/details.aspx?id=48231

How to enable the AVC444 mode with RDP 10 in non-RemoteFX vGPU scenarios

With the Windows 10 1511 update and the Windows Server 2016 Technical Preview 4 we added two new group policies, which can be found in the Group Policy Editor (gpedit.msc) under Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Session Host -> Remote Session Environment:

1. Prioritize H.264/AVC 444 Graphics mode for Remote Desktop connections

When enabled on the RDP server, the H.264/AVC 444 mode is prioritized whenever the RDP 10 client and server both support AVC/H.264 and both support the AVC 444 mode. Note: in Remote Desktop Session Host (RDSH) environments only full desktop sessions are supported with H.264/AVC 444; RemoteApp sessions still use the proprietary codecs for now.

2. Configure H.264/AVC hardware encoding for Remote Desktop connections

This policy lets you enable hardware encoding for AVC/H.264 when used in conjunction with the AVC 444 mode. When enabled, each remote desktop monitor consumes one AVC/H.264 encoder on the server. If all AVC/H.264 encoders are in use, the RDP server automatically falls back to software encoding.
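For servers that are not domain-joined, or for scripting a lab build, the two settings above can be written directly rather than through gpedit.msc. The following is an added example, not code from the original post. It assumes that the two Group Policy settings are backed by the DWORD values AVC444ModePreferred and AVCHardwareEncodePreferred under the Terminal Services policy key (check the terminalserver.admx shipped with your build to confirm the value names before relying on this):

```powershell
# Added example (not from the original post): set the two RDP 10 AVC 444
# policies from an elevated PowerShell prompt on the RDP server.
# Assumption: these are the registry-backed values the two Group Policy
# settings write; verify the names against terminalserver.admx on your build.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Set-Avc444Policy {
    param(
        [bool]$PreferAvc444         = $true,
        [bool]$PreferHardwareEncode = $true
    )
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    # DWORD 1 = Enabled, 0 = Disabled. Deleting the value returns the
    # setting to "Not Configured".
    Set-ItemProperty -Path $PolicyKey -Name 'AVC444ModePreferred' `
        -Type DWord -Value ([int]$PreferAvc444)
    Set-ItemProperty -Path $PolicyKey -Name 'AVCHardwareEncodePreferred' `
        -Type DWord -Value ([int]$PreferHardwareEncode)
}

function Get-Avc444Policy {
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Avc444ModePreferred        = $p.AVC444ModePreferred
        AvcHardwareEncodePreferred = $p.AVCHardwareEncodePreferred
    }
}

# Enable both, then read back what is actually in the registry.
Set-Avc444Policy -PreferAvc444 $true -PreferHardwareEncode $true
Get-Avc444Policy
```

Two practical caveats: values written this way are overwritten at the next policy refresh if a domain GPO configures the same settings, so on a domain-joined host use the GPO instead; and the settings are negotiated at connection time, so an already-connected session has to reconnect before the event log entries described below change.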

How to determine if a Remote Desktop session is using AVC444 mode and is using hardware encoding

RDP logs events to the event log that help determine whether a session is running in AVC 444 mode and whether hardware encoding is used:

Launch the Event Viewer in Windows on the RDP server and navigate to the following node:

Applications and Services Logs -> Microsoft -> Windows -> RemoteDesktopServices-RdpCoreTS

To determine whether AVC 444 mode is used, look for Event ID 162. If the message contains "AVC Available: 1 Initial Profile: 2048", then AVC 444 is in use.


To determine whether hardware encoding is used, look for Event ID 170. If the message contains "AVC hardware encoder enabled: 1", then the hardware encoder is in use.
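Rather than clicking through Event Viewer for every connection, the same two checks can be scripted on the RDP server. The following is an added example, not code from the original post. It queries the RdpCoreTS operational log for Event IDs 162 and 170 and reports the two flags per event; the regular expressions assume the message wording quoted above, and the ActivityId column (the correlation ID RdpCoreTS stamps on each connection's events) lets you pair a 162 with the matching 170 for the same session:

```powershell
# Added example (not from the original post): read the two RdpCoreTS events
# the post describes and report AVC 444 / hardware-encoder status.
# Run on the RDP server; reading this log requires local admin or
# membership in the Event Log Readers group.
# Assumption: the message text matches the strings quoted in the post.
$LogName = 'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational'

function Get-RdpAvcStatus {
    param([int]$MaxEvents = 200)

    $events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 162, 170 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Message can be $null when the provider's message resources are
        # missing; coerce to string so the regex matches simply fail.
        $m = [string]$e.Message
        switch ($e.Id) {
            162 {
                # Both fragments must be present for AVC 444 to be in use.
                $avc444 = ($m -match 'AVC Available:\s*1') -and ($m -match 'Initial Profile:\s*2048')
                [pscustomobject]@{
                    Time            = $e.TimeCreated
                    ActivityId      = $e.ActivityId
                    EventId         = 162
                    Avc444          = $avc444
                    HardwareEncoder = $null
                    Message         = $m
                }
            }
            170 {
                $hw = $m -match 'AVC hardware encoder enabled:\s*1'
                [pscustomobject]@{
                    Time            = $e.TimeCreated
                    ActivityId      = $e.ActivityId
                    EventId         = 170
                    Avc444          = $null
                    HardwareEncoder = $hw
                    Message         = $m
                }
            }
        }
    }
}

Get-RdpAvcStatus |
    Sort-Object Time |
    Format-Table Time, ActivityId, EventId, Avc444, HardwareEncoder -AutoSize
```

If every 162 reports AVC444 = False, check the client side first (the Windows 10 MSTSC.EXE is the only client that negotiates the mode today, and RemoteApp sessions never do). If 162 shows AVC 444 but 170 reports the hardware encoder as disabled on a host that has one, the likely explanation is the one given for the second policy above: each monitor consumes an encoder, and once they are exhausted the server silently falls back to software encoding.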


Enjoy!

Note: Questions and comments are welcome. However, please DO NOT post a request for troubleshooting by using the comment tool at the end of this post. Instead, post a new thread in the RDS & TS forum. Thank you!

Operational Management Suite (OMS) integration with Azure RemoteApp


Hello everyone, this is Pavithra Thiruvengadam from the Azure RemoteApp team. I am writing to let you know that Operations Management Suite (OMS), also known as OpsInsight, is supported with the Azure RemoteApp (ARA) service.

ARA customers have repeatedly asked for a way to monitor and visualize performance counters of the VMs in their ARA deployment. OMS has a feature that collects Near-Real Time (NRT) performance data, and it can be integrated with ARA. With this integration, customers can collect any performance counter with a sampling interval as small as 10 seconds and visualize whichever metrics help them troubleshoot performance issues on ARA VMs.

Some key scenarios where this would come into play are:

  1. For customers who want to tune their image and deployment for specific LOB app performance.
  2. For customers who are trying to decide on billing plans based on in-session performance.
  3. For customers who want to troubleshoot in-session performance after deployment.

For more information on OMS and this particular capability, please visit the Operations Management Suite team blog: http://blogs.technet.com/b/momteam/archive/2015/09/01/near-real-time-performance-data-collection-in-oms.aspx

Regarding the actual integration and usage of OMS with ARA, one of our MVPs, Arjan Vroege, has documented the detailed steps and usage information in his blog:

  1. Monitor your Azure RemoteApp environment with OpInsight – Part 1: http://www.vroege.biz/?p=1415#more-1415
  2. Monitor your Azure RemoteApp environment with OpInsight – Part 2: http://www.vroege.biz/?p=1448#more-1448
  3. Monitor your Azure RemoteApp environment with OpInsight – Part 3: http://www.vroege.biz/?p=1483
  4. Monitor your Azure RemoteApp environment with OpInsight – Part 4: http://www.vroege.biz/?p=1529

In summary, the integration of OMS with ARA VMs lets customers monitor all their VMs in one place, including VMs in their VNET that are not part of ARA.

We hope it enables admins to better manage and troubleshoot their app performance on Azure RemoteApp. Your feedback is important to us, and we look forward to continuing to improve your organization's Azure RemoteApp experience.

Note: Questions and comments are welcome. However, please DO NOT post a request for troubleshooting by using the comment tool at the end of this post. Instead, post a new thread in the Azure RemoteApp discussion forum.

New end-user experience: Mobile Application Management for iOS


We are excited to announce an updated user experience for Mobile Application Management (MAM) on iOS devices, which users will soon start to see rolling out across their apps. Currently, each time a user launches an iOS app that is managed by an Intune MAM policy, they see a screen notifying them that the app is "Managed by your company." We have heard feedback that this screen was confusing for end users, and that displaying it at every app launch slowed users down as they tried to get into their apps. Based on this feedback, we are replacing the existing message with the following alert.


The alert tells the end user that the app is managed by IT, and the user can get more information on TechNet about the management of their app by tapping "Learn More." The user can also tap "Don't Show Again" to skip this notification on future app launches so they can get to their work faster.

Additional resources:

January 2016 Security Update Release Summary

Today we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to apply security updates as soon as they are released. More information about this month’s security...(read more)

Remote Desktop Preview now available on Windows 10 Mobile and Continuum


Today's update (version 844) of the Remote Desktop Preview client for Windows 10 adds support for Windows 10 Mobile devices and for Continuum for phone on compatible devices such as the Lumia 950 or 950 XL. The client is still in development as we continue adding key features, including support for Azure RemoteApp. It has been great seeing all the feedback and excitement about using this client on Windows 10 Mobile and on Continuum. This is a good time to make feature requests or report bugs and other issues you hit with the client as we prepare to come out of preview.

Read on to learn more about the changes we’ve made in this new update.

Connect from anywhere using your Windows 10 Mobile device

Once the update is available in the Store, you will be able to install it on your Windows 10 Mobile devices. Remote Desktop Preview is a Universal Windows App, so the UI should be familiar if you have used our client on a Windows PC; we have adapted it to handle devices of all sizes. This means you can connect to a remote PC (optionally through a Remote Desktop Gateway), access Remote Resources (see below), manage a list of credentials and gateways, and change global settings from your phone, PC, or tablet.

Figure 1: Connection Center where you can view and manage your desktops

Figure 2: Adding a desktop with advanced settings

Figure 3: Settings page where you can manage credentials and gateways

Figure 4: Connection to a remote PC

Note that the main app UI can be used in either portrait or landscape mode. For now, however, the in-session experience is limited to landscape mode when running on mobile devices; expect support for portrait mode in-session in a future update.

Use your mobile device like a PC with Continuum so you can access any apps

If you own a Lumia 950 or 950 XL, you can use the Remote Desktop Preview client on a larger monitor or TV with Continuum. Continuum lets you connect a capable mobile device to any screen through the Microsoft Display Dock or a Miracast-capable device and drive a PC-like experience on that screen. Attach a Bluetooth keyboard and mouse to your mobile device, or a USB keyboard and mouse to the dock, before connecting to a remote PC, and you can use any apps (including Win32) available in the remote session.

This is a great way to be productive from your mobile device when you can extend your work to an additional larger screen.

Access RemoteApp and desktops published by your admin

On top of connecting to a personal PC, we have also recently enabled connecting to Remote Resources (also known as RemoteApp and Desktop Connections) published by your administrator. This lets you access specific apps or full desktops, depending on the configuration your admin chose, from anywhere, while the enterprise data stays in the datacenter.

Figure 5: Adding an item

Figure 6: Adding Remote Resources

Figure 7: RemoteApp programs on the Connection Center

Figure 8: WordPad running as a RemoteApp on Windows 10 Mobile

Figure 9: Switching between RemoteApp programs

Sending keyboard commands to the remote PC

If you are familiar with the Remote Desktop Connection client (mstsc.exe) on the Windows desktop, you know about the option to send additional key combinations to the remote PC. These include the Windows key on its own, combinations with the Windows key (for example Windows + X), Alt+Tab and Alt+F4.

This latest update enables similar functionality in the Windows 10 client and can be configured under Settings.

Figure10

Figure 10: Keyboard commands options under settings

While this is really useful and makes the experience more seamless, you may prefer to keep these combinations local in some cases, so three options are provided:

  • My remote session when it’s in full screen (Default)
    • Sends the keys to the remote PC only when running full screen
  • My remote session when it’s in use
    • Send the keys to the remote PC any time the client is in focus, even when windowed
  • My local PC only
    • Never send the keys to the remote PC

Note that the Remote Desktop client can only receive input while it has focus, whichever option you choose above.

Try it today

I encourage you to download the Remote Desktop Preview client from the Windows Store and try out the new features.

The Remote Desktop client is also available on your other devices running Windows Phone 8.1, Windows 8.1, iOS, Mac OS X, and Android.

We would love to hear your comments about this new capability. Are you excited about the ability to use Remote Desktop with Continuum?

Note: Questions and comments are welcome. For troubleshooting requests, post a new thread in the Remote Desktop clients forum. Thank you!

David Bélanger | Senior Program Manager | Remote Desktop team
