Hello folks,
As you may know, I’ve been travelling around the country for the Cloud and Mobility Summit. During these events we’ve been running day long “camps” or hands-on training for both “Getting Started with Microsoft Azure for IT Professionals” and “Getting Started with Identity Management & Business Mobility Enablement for IT Professionals”.
During these camps a lot of questions/scenarios are discussed. Today I wanted to cover snapshots in Azure since it's a topic that keeps coming back.
Before you get going, I recommend this Microsoft Virtual Academy free online training to get up to speed - Microsoft Azure IaaS Deep Dive Jump Start and if you are interested in Enterprise Mobility you HAVE to check out this webcast series.
First, let me go on record to say that I'm not a huge fan of snapshots. Not because they don't serve a purpose, but because they are regularly used as a replacement for a proper backup. We’ll discuss VM backups in an upcoming post, but for now let’s just keep it to VM snapshots.
In Azure we’re not taking a snapshot the same way we take snapshots/checkpoints in Hyper-V. In Azure, a blob snapshot is a read-only version of a blob that's taken at a point in time. Once a snapshot has been created, it can be read, copied, or deleted, but not modified. Snapshots provide a way to back up a blob as it appears at that moment in time.
A snapshot of a blob has the same name as the base blob from which the snapshot is taken, with a DateTime value appended to indicate the time at which the snapshot was taken. For example, if the page blob URI is http://storagesample.core.blob.windows.net/mydrives/myvhd, the snapshot URI will be similar to http://storagesample.core.blob.windows.net/mydrives/myvhd?snapshot=2011-03-09T01:42:34.9360000Z. This value may be used to reference the snapshot for further operations. A blob's snapshots share its URI and are distinguished only by this DateTime value.
For the creation of a VM blob snapshot we’ll use a PowerShell script created by a friend of mine, Chris Clayton. You can download it here. Once downloaded you need to expand it to a local directory and you will have the following structure and files.
Before you go and run any scripts there are a few things to take care of.
1- Ensure you have the latest Windows Azure PowerShell Module. You can follow the steps outlined here.
2- You need to download and import the certificate using the following PowerShell commands: Get-AzurePublishSettingsFile and Import-AzurePublishSettingsFile
3-You need to edit the Subscription.CSV file to include the following:
the SubscriptionName (1) and the SubscriptionId (2) can be found in the Settings tab of the Azure portal
And the CertificateThumbprint (3) can be found under Settings>Management certificates.
4- Now that the info is in a place where the script can get to it, we will run the SnapshotVirtualMachine.ps1 script to capture the blob snapshot. (The command should be on one line. It has been formatted to fit this page.)
./SnapshotVirtualMachine.ps1 -subscriptionName "Microsoft Azure Internal Consumption" -cloudServiceName "azrsnapshot" -virtualMachineName "snapshot" -shutdownMachine -snapshotOsDisk -snapshotDataDisks
You’ll notice that the command includes -shutdownMachine. It is recommended that you shut down the VM to perform the snapshot, mostly because this is a storage function of Azure, not a hypervisor function.
If everything goes well, you’ll get the following display.
The script ZIP file you downloaded contained several other scripts to allow you to manage your snapshots:
./GetSnapshotList.ps1 -subscriptionName "SubscriptionName" -cloudServiceName "CloudServiceName" -virtualMachineName "VMName" -maximumDays 15
The default value of the “-maximumDays” parameter is 30 if you don't specify one. In our case we use 15 to show the command possibilities.
./DeleteOldSnapshots.ps1 -subscriptionName "SubscriptionName" -cloudServiceName "CloudServiceName" -virtualMachineName "VMName" -maximumDays 15
The date format is taken from the result of the DeleteOldSnapshots.ps1 command.
./RestoreVirtualMachine.ps1 -subscriptionName "SubscriptionName" -cloudServiceName "CloudServiceName" -virtualMachineName "VMName" -utcRestoreDate "2013-JUL-18 15:00:00" -restoreDataDisks
I hope this helps,
You can use some of this code to automate the snapshot process. Remember that a snapshot is NOT a proper replacement for a real backup strategy.
Cheers!
Pierre Roman | Technology Evangelist
Much has been covered thus far in the Group Policy series:
This post details the setup of a Group Policy that creates a standard local admin account. Its value is in support: when a user is unable to log in, or there are issues with the domain-based login, a technician can use the local admin account to troubleshoot. A local admin account in a domain-based environment also gives entry-level techs a degree of admin control without giving them domain admin permissions, which takes tasks off senior administrators.
Steps to enable said local admin account are as follows:
Once completed, a standard local admin account has been created, allowing an entry-level tech to log in to any PC on the domain.
Hello Folks,
Today I delivered one of the largest “Getting Started with Microsoft Azure” camps to date. Approximately 190 people had registered for it. One question came back several times during the day.
I figured I’d answer it here:
“How do I migrate a VM from on premise to Azure?”
The easiest way is to sysprep the machine in your environment and upload the VM to Azure, where you will use the uploaded VHD to create a new VM. Remember, the VHDX format is not supported in Microsoft Azure. You need to convert your disk to VHD if you have a VHDX. To do that you can use Hyper-V Manager or the Convert-VHD cmdlet. A tutorial on this can be found here.
Now that we have a VHD, here’s how we put it in Azure.
(In this section I’ll assume that you’ve already created a Storage Account in your Azure Subscription and a container in that storage account.)
1- Open the Microsoft Azure PowerShell console and type the following command:
Add-AzureAccount
This command opens a sign-in window so you can authenticate yourself.
Once logged on, from the Microsoft Azure PowerShell window you used in the previous step, type:
Add-AzureVhd -Destination "<BlobURL>/<container>/<VHDName>.vhd" -LocalFilePath <PathToVHDFile>
So in my environment the command looks like this:
This will run for a while since the VHD is about 10Gb. (This is a test image I’m uploading.)
Once uploaded, the VHD will show up in the Azure UI.
After you upload the VHD, you will add it as an image to the list of custom images associated with your subscription.
From the Management Portal, click Virtual Machines and click Images.
And then click Create an Image.
In Create an image from a VHD dialogue box, enter the following: (Name, description, URL of your VHD and what OS is on it).
In our case we already ran the sysprep, so we will click the “I have run Sysprep on the virtual machine.” checkbox.
Click the folder button to launch the below dialog box.
Once completed, the new image is listed when you choose the Images tab and when you create a new virtual machine from the Gallery.
You can now use this new image to spin up a VM with your workload already on it.
I hope this helps.
To this day, many organizations still struggle with device management strategy. While email security is still a top priority, businesses are attempting to do more with these devices to further enable their employees.
This post series entitled “Device Management Strategy Planning” will endeavour to provide a planning framework for device management for different use cases. The topics covered will be as follows:
While I will detail business and technology challenges faced by organizations that have mobile devices in their estate, I will also deal with specific product based solutions. So where to begin? Let’s start with understanding the problem space. This will serve as the context for the use cases that I will cover. Traditionally (can we say that yet in this space?), the MDM problem space is divided into five major segments:
From a framework perspective, we can initially focus on each of these segments independently. This will avoid confusion and minimize the number of variables that we have to deal with. Once we have six independent segment frameworks we will link them together. It may be useful to link some of these segments together to be able to develop more meaningful use cases. The most obvious linkages are between the following:
The next post in this series will explore the segments in more detail. We will start with a list of questions to answer to help build the various use case scenarios we will deal with. It is also suggested that you attend the upcoming Microsoft Virtual Academy session entitled Taming Android and iOS with Enterprise Mobility Suite to further your strategy planning.
While delivering last week’s CANITPRO Business Mobility Camp in Calgary, a question was brought forth in regards to what specific policies can be enforced on a Samsung KNOX enabled device via Microsoft Intune. For those unaware, Samsung’s KNOX offering is additional software and hardware hardened security enabled above and beyond the traditional Android stack.
Microsoft recently furthered the support for securing and managing KNOX enabled devices. The following list is the complete policy set offered as of this writing.
More information will be made available in an upcoming Microsoft Virtual Academy module. Special thank you to the team at Samsung Canada for providing hardware for testing.
Microsoft Intune has seen quite a few updates over recent months aside from its recent renaming. The changes address concerns brought forth by IT professionals looking to get a better handle on their client end deployment and management. System administrators are now empowered through Intune to not only enable email security, but also take the necessary first steps in attempting to unify multiple personas created to manage mobile and desktop devices into a single identity, reducing complexity in device management.
The following are the top 7 new improvements found in Microsoft Intune since its November 2014 update.
All features listed are already implemented and require IT professionals to only setup the policies to take advantage of the new feature set. While this list only covers the top 7 new features found in Microsoft Intune, be sure to test the other newly added functionality here.
End of support for Windows Server 2003 is nearing quickly. To address this concern, Microsoft provides great tools to assist organizations in their migration efforts.
Windows Server Migration Tools, introduced with Windows Server 2008 R2, enables administrators to migrate server roles, features and configuration settings seamlessly from one system to another. Windows Server 2012 R2 also includes this feature, and this Step-By-Step will demonstrate how it can be utilized to migrate the DHCP role.
Note that to use this method, the feature must be installed on both the source and destination servers.
For the demonstration I am using the following setup:
Server Name | Operating System | Server Roles | Networks
dhcp-2k3.canitpro.local | Windows Server 2003 R2 Enterprise x86 | DHCP | Network A – 10.10.10.0; Network B – 172.16.25.0; Network C – 192.168.148.0
CANITPRO-DC2K12.canitpro.local | Windows Server 2012 R2 x64 | |
Before starting the migration process, it’s important to consider the following:
Prerequisites
The dhcp-2k3.canitpro.local server is currently set up with 3 additional NICs to represent networks A, B and C. These are configured with static IP addresses to match the network each belongs to. The DHCP server hosts a different DHCP scope for each network.
Before we start the process, we need to install the following software on the Windows Server 2003 machine (dhcp-2k3.canitpro.local) if it’s not there already.
Step 1: Windows Server Migration Tools installation for Windows Server 2012 R2
Step 2: Windows Server Migration Tools installation for Windows Server 2003
Step 3: Preparing the DHCP Source of Windows Server 2003 for Migration
Step 4: Removing the old DHCP roles From Windows Server 2003
Since we no longer need the DHCP role running on this server, we can go ahead and uninstall the DHCP service.
Step 5: Installing the DHCP Role in Windows Server 2012 R2
Step 6: Importing the DHCP Server Data into Windows Server 2012 R2
The restore process is now complete, and I can already see it issuing IP addresses.
One of the new Microsoft Azure services that was announced at TechEd Europe is Azure Operational Insights (https://preview.opinsights.azure.com). It is an analysis service that gives IT Pros the tools to gain deep insight into their environments. It gives IT Pros ways to interact with real-time and historical computer data to rapidly develop custom insights, and provides Microsoft and community-developed patterns for analyzing data.
You can use Operational Insights’ search capabilities to help with ad-hoc root cause analysis and automated troubleshooting across multiple data sources. Without instrumenting any code directly or having knowledge of any complex schema, IT admins can quickly receive interactive results.
With Operational Insights, you can transform machine data into operational intelligence. Specifically, you can:
Operational Insights analyzes workloads in the following operating systems and features:
And click the “Check Mark” sign on the next screen.
In the Azure Portal, click the 'New' button in the bottom left hand corner, choose 'App Services', then choose 'Operational Insights' and click 'Quick Create'.
Create a new account, enter a unique workspace name and a region and click the 'Create Workspace' button in the lower right hand corner
Once created, in the Quick Start view, under Get Started click the link 'Visit your Operational Insights account'. You will now be brought to the Operational Insights portal.
Once you’re in the Operational Insights portal, you’ll need to download and install the agents on the servers you want to collect insights from. (In my case I only have one server currently running in my lab.)
In the Portal, click on “Servers and Usage”.
On the following screen click “Configure”.
From there you can download the agent that needs to be installed on target servers.
Once downloaded, run the executable (MMASetup-AMD64.exe) and follow the prompts (it’s pretty straightforward if you can click “Next”. LOL).
Follow the prompts until you get to the “Agent Setup Option” and select “connect the agent to Operational Insight”.
The next screen is where you will need to provide the Workspace ID and workspace key from the portal to tell the agent where to send the data.
Complete the install.
Intelligence Packs are a collection of logic, visualization and data acquisition rules that address key challenges.
From the Portal, select “Intelligence Packs”.
Add the packs that you want to use. (I recommend reading the pack descriptions and selecting the appropriate ones.) For our test we picked 3:
Just select it from the portal and click “Add”.
That’s it. The servers will send the data to the Insight Service. It will in turn apply the rules and logic from the Intelligence Packs and allow you to visualize the state of your own environment.
I hope this was of value.
Pierre Roman
The age of Shadow IT was introduced not so long ago via the plethora of devices (smartphones / tablets / notebooks) brought by employees into their respective organizations. With employee hopes of being able to use said device to address both work and personal needs all but dashed by IT’s possible lack of knowledge or inability to secure said device, some end users took it upon themselves to find a way to enable that device and circumvent IT altogether. The danger of this was that no one in the organization other than the employee was aware of the data being consumed on the unauthorized device. Should that device become lost or stolen, there would be no means for IT to lock that device.
In this new cloud era, Shadow IT no longer maliciously enables just hardware, but unauthorized SaaS applications as well. In a report recently published by Gigaom entitled Shadow IT: data protection and cloud security, it is estimated that 70 percent of unauthorized data access is committed by an organization’s own employees. Like the introduction of unauthorized devices, SaaS applications are being introduced into organizations at a staggering rate. IT professionals tasked with testing and possibly approving use of said SaaS apps cannot keep up with the demand, and so employees install and use these apps without telling the rest of the organization.
Microsoft, through Azure Services, has introduced solutions to better support IT professionals in their quest to enable fellow employees use desired SaaS applications. Azure Active Directory provides the means to enable Single Sign-On (SSO) service to 2400+ SaaS applications ranging from storage apps to social apps to even education, health and of course productivity apps through pre-integrated templates. Integration of Azure Active Directory SSO consists of four parts:
Once the steps have been followed to enable Azure Active Directory Authentication, all that is required is for the IT professional to select from the 2400+ templates made available to allow for SSO enablement.
To reach this point, one must:
Be sure to complete the Microsoft Virtual Academy jumpstart entitled, Azure IaaS for IT Pros, to further extend knowledge around Azure Active Directory Services.
In a previous post, Group Policy: Introducing Consistency Into Your Infrastructure, we covered some basic orientation in the Group Policy interface. We discussed the layout of Group Policy, some of the terms and locations and we covered a way of creating our first group policy. In this part of the intro we will see another way to create a Group Policy.
This second way, and my personally preferred method, is to create a brand new policy and link it directly to its OU. To do this you navigate to the OU to which you wish to link new policy, right click and select “Create a GPO in this domain and link it here”. This will open a new window which prompts you for a name (choose something descriptive as you will need to find it again at some point). Then you see the window below:
You can browse the structure here. Please note that there are hundreds (if not thousands) of settings that can be controlled. The first thing to do is decide if this is a computer or a user setting. Once you know that you can start to navigate the tree. Doing a bit of research first is advised for us newbies since it can be quite overwhelming. Just opening the “Password Policy” entry listed above shows us that there are 6 settings in this one policy so there is a VERY high degree of granularity here. Pick one of the settings and change it – voilà: you just created your first policy.
For this next bit we will see some of the structures in question. The first part to keep in mind is whether you are creating a computer policy or a user policy. Computer policies will only apply to the given machine (or group of machines) and user policy will follow the user (or group of users).
You already know how to create a new GP as described in the previous Group Policy post so I will skip that here but instead go to the next step: the linking. So the first thing to do is create the policy then edit it. This will open the GP management GUI.
From here you will see a new structure. This is where you will need to know what type of policy you are creating: user or computer. When you navigate the high-level folders (software settings, windows settings and administrative templates) you will see that there is a lot of similarity until you dive deep. Notice that the “Control Panel” sections have different policies under them.
So now that we know how to create a new policy and navigate the layout I will give you some guidance when testing policies. First, be careful: it is entirely possible to lock yourself out of the system so proceed with caution. There are 2 things that you can do to minimize this risk (well, three if you include asking a senior tech). You do not have to link a policy. This means that you can create a new policy but not link it to any OU. An unlinked GP will not affect your environment. The second thing you can do is disable the policy.
Here we see that this GP (accessed via properties) is enabled and from here we can disable it. If you want to create the policy but not risk it affecting your environment then this is a great step to try.
So that is the intro. You should now know where to find Group Policy, how to navigate the structure and how to create a new policy. One quick parting note is link order. When you have multiple policies set the policies are applied from the bottom to the top and the top takes precedence. It should also be said that the options in group policy are almost endless. In order to find the policies you need for a given situation a quick search on Bing will point you in the right direction! Alternatively, you can also visit Microsoft Virtual Academy and complete the Windows Server 2012 R2 training.
A couple of weeks ago, I delivered a talk about Microsoft Azure to a group of IT Pros in Halifax, Nova Scotia. (I always enjoy going back there.) After the day was over I ended up having some sizing discussion with some of the attendees that stuck around for a bit. “How do we match the performance we have on premise?” one asked. That simple question started the conversation. Performance of a virtual machine is not just a function of CPU and cores. “Rightsizing” your VMs can be very important if you want to get the performance you're expecting.
This article will not look at the complete sizing exercise. We’ll limit ourselves to IOPS (Input/Output Operations Per Second) a common performance measurement used to benchmark computer storage devices.
Before diving into this, I do recommend the following MVA modules as a primer.
I can’t tell you how many IOPS your workloads will require. Only the app vendor can do that or you can monitor any existing deployment of the workload you want to move to the cloud and configure your target virtual machine to match or exceed that requirement.
Azure Virtual Machines come in three types: A, D and the recently announced G. Each of these has multiple sizes (depicted in the tables below, except for the G machines; you can find the specs here, but there is no info on the maximum data disks).
On any of these machines the target IOPS is 500 per disk. For these tests I created a VM based on a Standard_A4 (8 cores, 14 GB memory). In the first test I attached 1 standard disk
and configured a storage pool using that disk.
From that machine I downloaded and installed SQLIO from http://www.microsoft.com/en-ca/download/details.aspx?id=20163. SQLIO is a free tool provided by Microsoft which can also be used to determine the I/O capacity of a given configuration. So using this tool I tested the IO profile of the server with one standard drive.
To test, I used the following command:
SQLIO -kRW -s60 -o8 -b8 f:\testfile.dat
The -k option specifies the I/O type (R for read operations and W for write operations).
The -s option specifies the test duration in seconds.
The -o option indicates the number of I/Os that can be outstanding in a single thread. In this case, I’ve specified 8, so each thread can support up to eight outstanding I/O requests.
Next we come to the -b option. This is the I/O block size in kilobytes (KB). In the example, I specified 64.
The last option in the command is -F, which points to the configuration file and the parameters defined within it. When you run the command, it creates the test file on the target drive and returns details about the execution, as shown in the following results:
To contrast the test with a single disk, I created a new VM with the exact same specs, to which I attached the maximum number of disks (4), and created a storage pool with all 4 drives as a stripe set. After running the same IO test with SQLIO, I got the following results.
So, as stated in Microsoft Azure documentation we did get approximately 500 IOPS on a single disk target and 1130 IOPS for a stripe set across 4 disks.
At TechEd Europe Microsoft announced Azure Premium Storage. This will be a new type of SSD-based storage, designed to support I/O intensive workloads. That means that you will be able to provision a persistent disk and configure the size and performance characteristics that will meet your requirements.
Just like we did today, you’ll be able to attach several persistent disks to a VM, stripe across them and deliver to your applications up to 32 TB of storage per VM with more than 50,000 IOPS per VM at less than one millisecond latency for read operations.
I can’t wait to test premium storage. Should be fun.
Windows Server 2012 R2, when deployed in core mode, provides the smallest installation footprint, thus thwarting attacks via the GUI and other payloads not installed in this instance. Core mode is not for everyone, and while it is possible to add GUI functionality, some still prefer the familiarity of the GUI. With that being said, there are ways to reduce the footprint while allowing the GUI to stay intact.
Features On Demand, available in Windows Server 2012 R2, addresses the attack footprint concern while leaving the GUI intact. When installing features on a Windows Server 2012 R2 deployment, payloads are retrieved from the server itself to install the required features. Because these payloads are present on the server, they are still susceptible to malicious attacks even though they may not be active.
To view what payloads are available, simply open a PowerShell window on said server, type and run:
Get-WindowsFeature
After running the cmdlet, a report is provided detailing all the features available for installation. To remove the payloads for the features not utilized, simply enter the following:
Get-WindowsFeature | Where-Object InstallState -EQ "Available" | Uninstall-WindowsFeature -Remove -Restart
Once completed, all feature payloads will switch from Available to Removed.
Payloads can be restored via Windows Server 2012 R2 media provided via DVD, Network Share, and/or Windows Update on demand when installing said features.
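The one-line removal above reboots the server and leaves no record of what was on disk before. The following is an added example, not part of the original post, that wraps the same cmdlets in an audit, preview, remove and verify sequence; the C:\Temp output path, the Restore-RemovedFeature helper name, the Windows-Server-Backup feature chosen for the restore and the D:\sources\install.wim:2 media path and image index are assumptions to adjust for your environment.

```powershell
# Added example (not from the original post): audit, preview, remove, verify.
# Run in an elevated PowerShell session on Windows Server 2012 R2.
Import-Module ServerManager

# Assumption: C:\Temp exists; the file name carries a timestamp so runs do not overwrite each other.
$inventory = 'C:\Temp\features-before-{0:yyyyMMdd-HHmm}.csv' -f (Get-Date)

# 1. Record the state of every role and feature before changing anything,
#    so the removal can be reviewed and selectively undone later.
Get-WindowsFeature |
    Select-Object Name, DisplayName, InstallState |
    Export-Csv -Path $inventory -NoTypeInformation

# 2. Payload on disk but not installed: these are the removal candidates.
$candidates = @(Get-WindowsFeature | Where-Object InstallState -EQ 'Available')
if ($candidates.Count -eq 0) {
    Write-Output 'No payloads in the Available state; nothing to remove.'
    return
}

# 3. Dry run: -WhatIf lists what would be removed without touching the server.
Uninstall-WindowsFeature -Name $candidates.Name -Remove -WhatIf

# 4. Remove the payloads. -Restart is left off on purpose so the reboot can be
#    scheduled; the result object reports whether one is pending.
$result = Uninstall-WindowsFeature -Name $candidates.Name -Remove
'Success: {0}  RestartNeeded: {1}' -f $result.Success, $result.RestartNeeded

# 5. Verify: after the removal, the Available group should be empty or absent.
Get-WindowsFeature |
    Group-Object InstallState |
    Select-Object Name, Count

# 6. Hypothetical helper: bring one removed feature back from installation media.
#    -Source points at an image inside install.wim; the index depends on the edition.
function Restore-RemovedFeature {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][string]$Source
    )
    $feature = Get-WindowsFeature -Name $Name
    if ($feature.InstallState -ne 'Removed') {
        Write-Output "$Name is in state $($feature.InstallState); no payload restore needed."
        return
    }
    Install-WindowsFeature -Name $Name -Source $Source
}

# Example call (assumed media path and image index):
# Restore-RemovedFeature -Name Windows-Server-Backup -Source 'wim:D:\sources\install.wim:2'
```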
Be sure to complete Migrating to Windows Server 2012 made available on Microsoft Virtual Academy to learn additional functionality in securing and enabling your deployment.
As you may be aware, support for both Windows Server 2003 and 2003 R2 is coming to an end on July 14th 2015. With this in mind, IT professionals are in the midst of planning their migration. This guide will provide steps on migrating AD CS from Windows Server 2003 to Windows Server 2012 R2.
In this demonstration I am using the following setup.
canitpro-casrv.canitpro.local
AD CS ( Enterprise Certificate Authority )
Step 1: Backup Windows Server 2003 certificate authority database and its configuration
1. Log in to the Windows 2003 server as a member of the local administrators group
2. Go to Start > Administrative Tools > Certificate Authority
3. Right-click on the server node > All Tasks > Backup CA
4. This opens the “Certification Authority Backup Wizard”; click “Next” to continue
5. In the next window, tick the check boxes to select the options as highlighted and click “Browse” to provide the path where the backup file will be saved. Then click “Next” to continue
6. You will then be asked for a password to protect the private key and CA certificate file. Once you have provided the password, click Next to continue
7. The next window shows the confirmation; click “Finish” to complete the process
Step 2: Backup CA Registry Settings
1. Click Start > Run and then type regedit and click “Ok”
2. Then expand the key at the following path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc
3. Right-click on the “Configuration” key and click “Export”
4. In the next window, select the path where you want to save the backup file and provide a name for it. Then click Save to complete the backup
We now have the backup of the CA; move these files to the new Windows Server 2012 R2 server.
Step 3: Uninstall CA Service from Windows Server 2003
Now that the backup files are ready, and before configuring certificate services on the new Windows Server 2012 R2 machine, we can uninstall the CA services from the Windows 2003 server. To do that, follow these steps.
1. Click on Start > Control Panel > Add or Remove Programs
2. Then click the “Add/Remove Windows Components” button
3. In the next window, remove the tick from “Certificate Services” and click Next to continue
4. Once the process has completed it will give the confirmation; click “Finish”
With that we are done with the Windows Server 2003 CA services; the next step is to install and configure the Windows Server 2012 CA services.
Step 4: Install Windows Server 2012 R2 Certificate Services
1. Log in to Windows Server 2012 as a Domain Administrator or a member of the local administrators group
2. Go to Server Manager > Add roles and features
3. This opens the “Add roles and features” wizard; click Next to continue
4. In the next window, select “Role-based or Feature-based installation” and click Next to continue
5. In the server selection, keep the default selection and click Next to continue
6. In the next window, tick the box to select “Active Directory Certificate Services”. A window will pop up asking you to acknowledge the required features that need to be added. Click Add Features to add them
7. In the features section, leave the defaults. Click Next to continue
8. The next window gives a brief description of AD CS. Click Next to continue
9. You are then given the option to select role services. I have selected Certificate Authority and Certification Authority Web Enrollment. Click Next to continue
10. Since Certification Authority Web Enrollment is selected, IIS is required, so the next window gives a brief description of IIS
11. The next window gives the option to add IIS role services. I will leave the defaults and click Next to continue
12. The next window gives confirmation of the service install; click “Install” to start the installation process
13. Once installation completes you can close the wizard.
Step 5: Configure AD CS
In this step we will look at the configuration and at restoring the backup we created.
1. Log in to the server as Enterprise Administrator
2. Go to Server Manager > AD CS
3. The right-hand panel will show a message as in the following screenshot; click “More”
4. A window will open; click “Configure Active Directory Certificate Service ……”
5. This opens the role configuration wizard, which gives the option to change the credentials. I am already logged in as Enterprise Administrator, so I will leave the default and click Next to continue
6. The next window asks which services you would like to configure. Select the “Certification Authority” and “Certification Authority Web Enrollment” options and click Next to continue
7. This will be an Enterprise CA, so in the next window select Enterprise CA as the setup type and click Next to continue
8. In the next window, select “Root CA” as the CA type and click Next to continue
9. The next option is very important for the configuration. For a new installation we would only need to create a new private key. But since this is a migration, we already made a backup of the private key. So here select the options as highlighted in the screenshot. Then click Next to continue
10. In the next window click the “Import” button
11. Here you are given the option to select the key we backed up during the backup process on the Windows 2003 server. Browse to and select the key from the backup we made and provide the password we used for protection. Then click OK
12. The key will then be imported successfully; in the window, select the imported certificate and click Next to continue
13. In the next window we can define the certificate database path. Here I will leave the default and click Next to continue
14. The next window provides the configuration confirmation; click Configure to proceed with the process
15. Once it has completed, click Close to exit the configuration wizard
Step 6: Restore CA Backup
Now it comes to the most important part of the process, which is to restore the CA backup we made from Windows Server 2003.
1. Go to Server Manager > Tools > Certification Authority
2. Right-click on the server node > All Tasks > Restore CA
3. It will ask if it’s okay to stop the certificate service in order to proceed. Click OK.
4. The Certification Authority Restore Wizard will open. Click Next to continue.
5. In the next window, browse to the folder where we stored the backup and select it. Also select the options as I did below. Then click Next to continue.
6. The next window gives the option to enter the password we used to protect the private key during the backup process. Once it is entered, click Next to continue.
7. In the next window, click “Finish” to complete the import process.
8. Once it has completed, the system will ask if it’s okay to start the certificate service again. Proceed with it to bring the service back online.
Step 7: Restore Registry info
During the CA backup process we also backed up a registry key. It’s time to restore it. Open the folder which contains the backed-up reg key, then double-click on the key.
1. Click Yes to proceed with the registry key restore.
2. Once completed, it will give confirmation of the restore.
Step 8: Reissue Certificate Templates
We are done with the migration process and now it’s time to reissue the certificates. I had a template set up in the Windows 2003 environment called “PC Certificate”, which issues certificates to the domain computers. Let’s see how I can reissue them.
1. Open the Certification Authority Snap-in
2. Right click on Certificate Templates Folder > New > Certificate Template to Reissue
3. From the certificate templates list click on the appropriate certificate template and click ok
Step 9: Test the CA
Here I already had a certificate template set up for the PC and set to auto-enroll. For testing purposes I set up a Windows 8 PC called demo1 and added it to the canitpro.local domain. Once it had loaded for the first time, I opened the Certification Authority snap-in on the server, and when I expanded the “Issued Certificates” section I could clearly see the new certificate issued for the PC.
So this confirms the migration is successful.
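A scripted check to go with the manual test above, as an added example that is not part of the original post: it confirms that the CA certificate from the Windows Server 2003 backup is in the new server's machine store with its private key, and that the CA service is running and answering. The function name and the backup file path are hypothetical.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the new Windows Server 2012 R2 CA. Test-MigratedCa and the .p12
# path in the sample call at the bottom are hypothetical names.
function Test-MigratedCa {
    param(
        [Parameter(Mandatory = $true)] [string] $BackupP12Path,
        [Parameter(Mandatory = $true)] [securestring] $P12Password
    )

    # Read the CA certificate out of the backup file without adding it to any store.
    $backupCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $BackupP12Path, $P12Password

    # The AD CS configuration wizard imports the CA certificate into the
    # local machine's Personal store; look it up there by thumbprint.
    $storeCert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $backupCert.Thumbprint } |
        Select-Object -First 1

    $service = Get-Service -Name CertSvc -ErrorAction SilentlyContinue

    # certutil -ping contacts the CA's request interface; exit code 0 means it answered.
    & certutil.exe -ping | Out-Null
    $caAnswers = ($LASTEXITCODE -eq 0)

    [pscustomobject]@{
        Subject        = $backupCert.Subject
        Thumbprint     = $backupCert.Thumbprint
        NotAfter       = $backupCert.NotAfter
        InMachineStore = [bool]$storeCert
        HasPrivateKey  = [bool]($storeCert -and $storeCert.HasPrivateKey)
        CertSvcRunning = [bool]($service -and $service.Status -eq 'Running')
        CaAnswersPing  = $caAnswers
    }
}

# Sample call: prompt for the backup password instead of writing it into a script.
# $pw = Read-Host -AsSecureString -Prompt 'Backup password'
# Test-MigratedCa -BackupP12Path 'C:\CABackup\<ca-name>.p12' -P12Password $pw | Format-List
```

Every boolean in the result should be True before the old server is retired; a False on HasPrivateKey means the certificate was imported without its key and the CA cannot sign.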
On a recent post entitled, Step-By-Step: Migrating a Windows Server 2003 file server, NTFS and Share Rights to Windows Server 2012 R2, a question was asked as to why Microsoft File Server Migration Toolkit 1.2 was not utilized. As you know PowerShell is an IT professional’s best friend as it can substantially reduce the time it takes to complete certain tasks. However, there is nothing wrong with completing tasks via a graphical interface and utilization of the Microsoft File Server Migration Toolkit is a great example.
The Microsoft File Server Migration Toolkit helps system administrators migrate shared folders between servers running Windows operating systems. The toolkit utilizes the Distributed File System (DFS) and is capable of maintaining Universal Naming Convention (UNC) paths, thus providing a simplified migration process.
Step 1: Installation and Preparation
Step 2: Migration
Be sure to click View Report… should any errors arise with the migration. The report will detail the shares and/or files which failed migration. Also, visit Microsoft Virtual Academy and complete the Windows Server 2003 End Of Life module to learn of other migration tools available.
We all want things to run smoothly, yet day-to-day operations sometimes get the better of us. As IT professionals we want to bring consistency to our role, which we know is very seldom the case. Proper utilization of Group Policy found in Windows Server 2012 R2 can enable further regularity. Setting up a system by which all computers are created equally is such a time saver during the build and long into the support life as well.
Group Policy can seem intimidating at first (I know it scared me at first). So the first thing we need to do to conquer our fear is to see where we go to open the management interface (see below). It is located in the Control Panel -> Admin Tools -> Group Policy Management. For this series I will be using screen shots from Windows Server 2012 R2, but the locations and terms are almost the same on other versions (some have been added and a few removed, but learning on one platform is highly portable to any other).
Once opened the first thing you will see is that the structure looks a lot like what you see in Active Directory. Group Policy works with AD. The policies you create here are tied to objects (groups but not containers) from Active Directory. That is one of the main strengths of Group Policy – it is tied to so many other tools you already know (or are surely looking to learn). What you see in the screen shot below is a mirror of AD on the same server. Notice that there is one Group Policy already listed (called “Default Domain Policy”). This is created by default. Other policies can be created and linked to other groups.
To see a list of all the group policies you have created you can open the “Group Policy Objects” group. You can see when the policy was last modified and if it is enabled. A disabled policy will not affect anything. In order for a policy to be effective it must be enabled and tied to an OU.
To create a new Group Policy you can right click on the root OU and click “New”
Or you can navigate to the OU to which you want to link the policy
So far we have covered where to find Group Policy and some of the ways to create policies but one of the remaining questions is how to know what the policy does.
There are of course multiple ways to do this. The first way is the best when the policy already exists. Try this: go to the “Group Policy Objects” and click on any policy. There is a wealth of information here, but for now just go to the “Settings” tab. Here you will see a structure that mirrors Group Policy itself. You can expand the sections to see what settings are controlled by the given policy.
The following topic is another one of those features that has been requested so many times by IT pros I’ve talked to in the past. Finally, as some said, we now support multiple network interface cards (NICs) on VMs in Azure, so you can bring your own networking and security appliances such as load balancers and firewalls into your virtual cloud environment. Multi-NIC capabilities can also give you more ways to manage your network traffic. You can isolate traffic between the frontend NIC and backend NICs, or separate data plane traffic from management plane communication.
In our Azure subscription I created a virtual network with 2 subnets: a front-end subnet (FE) and a back-end subnet (BE).
Here is a view of the exported XML network definition file.
At this time, Multi-NIC has the following requirements and constraints:
The VM size determines the number of NICS that can be created for a VM
Small (1 core) & Medium (2 cores)
Large (4 cores)
ExtraLarge (8 cores)
A8/A9
First step is to refresh your installation of the Azure PowerShell module. The PowerShell module is updated regularly.
Once the PowerShell module is installed, use the following commands to create the new VM with multiple NICs. (I ran each section separately.)
# Create Windows Azure Storage Account and set it as default
New-AzureStorageAccount -StorageAccountName "vmmultinic1" -Label "VM-Multi-NICs" -AffinityGroup "VMstorage"
Set-AzureSubscription -SubscriptionName "Windows Azure MSDN - Visual Studio Ultimate" -CurrentStorageAccount vmmultinic1
# Set the "Windows Server 2012 Datacenter, October 2014" as the image for the new VM
$imagename = @( Get-AzureVMImage | Where-Object { $_.Label -like "Windows Server 2012 Datacenter, October 2014" } ).ImageName
$image = Get-AzureVMImage -ImageName $imagename
# Define the VM config
$vm = New-AzureVMConfig -Name "VM2nics" -InstanceSize "Large" -ImageName $imagename
# Add the credentials for the machine creation (sample values; use your own)
Add-AzureProvisioningConfig -VM $vm -Windows -AdminUserName "sysadmin" -Password "Passw0rd!"
# Set the configuration of the "default" NIC
Set-AzureSubnet -SubnetNames "FE" -VM $vm
Set-AzureStaticVNetIP -IPAddress "10.2.1.111" -VM $vm
# Add additional NICs to the VM configuration
Add-AzureNetworkInterfaceConfig -Name "Ethernet2" -SubnetName "BE" -StaticVNetIPAddress "10.2.2.222" -VM $vm
# Create the VM. -ServiceName is the cloud service I already created in Azure;
# -VNetName is the virtual network I already created as per the XML definition above
New-AzureVM -ServiceName "pr-net1" -VNetName "VNet1" -VM $vm
Once complete, you will be able to connect to the VM through the portal and once logged on, you can validate the configuration of the multiple NICs.
That’s it. We now have a VM with multiple NICs running in our Azure Virtual Network.
With time ticking in regards to end of support on Windows Server 2003, most IT professionals are in the midst of planning their migration. While most are focusing on migrating Active Directory and DHCP, some have expressed interest in migrating file services as well. Windows Server 2012 R2 provides a robust solution in terms of file services for organizations to take advantage of. Hence the creation of this Step-By-Step to further assist the process.
Step 1: Prepping the new Windows Server 2012 R2 machine
Step 2: Generating the necessary PowerShell files for Windows Server 2003
Step 3: Completing the migration
After completing the 2 previous posts entitled Step-By-Step: Enabling A Primary AD FS Server in Azure for Office365 Single Sign-On and Step-By-Step: Enabling A Secondary AD FS 3.0 Server in Azure for Office365 Single Sign-On, you now have two AD FS 3.0 servers set up in the same cloud service and installed into an AD FS farm configuration. The next step is to load balance them. Azure has a load balancer built into the product that just requires configuration. Please note that you will want to use the Azure internal load balancer; you do not want these servers to have an external endpoint. Follow the process below to configure the ILB, servers and endpoints.
Goals
1. Connect to Windows Azure with PowerShell
2. Create Azure Internal Load-Balanced Set
3. Add Servers to the Internal Load-Balanced Set
4. Add End Points to the Internal Load-Balanced Set
5. Test
Assumptions:
Connect to Windows Azure with PowerShell
If you are unsure how to or have never connected to Windows Azure with PowerShell, please reference the following article. This will guide you to install the tools and connect with PowerShell
Create the Internal Load-Balanced Set Instance
Below is a script that will set the variables, create the end points and update the Virtual Machines with the configuration.
$svc="ConceppsADFS"
$ilb="ConceppsADFS-ILB"
$prot="tcp"
$locport=443
$pubport=443
$epname="ADFS01"
$vmname="ConceppsADFS01"
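Get-AzureVM -ServiceName $svc -Name $vmname | Add-AzureEndpoint -Name $epname -LBSetName "ADFS-SSL" -Protocol $prot -LocalPort $locport -PublicPort $pubport -DefaultProbe -InternalLoadBalancerName $ilb | Update-AzureVM
$epname="ADFS02"
$vmname="ConceppsADFS02"
Get-AzureVM -ServiceName $svc -Name $vmname | Add-AzureEndpoint -Name $epname -LBSetName "ADFS-SSL" -Protocol $prot -LocalPort $locport -PublicPort $pubport -DefaultProbe -InternalLoadBalancerName $ilb | Update-AzureVM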
Now that we have our farm configured and the servers are load balanced, we need to ensure that the clients can get to them using the virtual IP of the Internal Load-Balanced Set.
In the steps above we created an Internal Load-Balanced set with the IP of 10.0.0.8. We now need to create an A record in the internal DNS, with a name of STS that points to the VIP. In my case sts.office365supportlab.com points at 10.0.0.8
Shut down the AD FS servers one at a time and check that you can still access AD FS with each server offline. This tests the loss of one of the servers in the ILB set.
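One way to run that failover test repeatably, as an added example that is not part of the original post: probe the federation name on a fixed interval while each server is taken offline, and report any probe that did not reach a healthy farm node through the VIP. The function names are hypothetical; the host name and VIP defaults are the ones used above.

```powershell
# Added example (not from the original post). Run from an internal client
# while shutting down one AD FS server at a time. Function names are
# hypothetical; the defaults are the host name and VIP used in the post.
function Test-AdfsVip {
    param(
        [string] $FederationName = 'sts.office365supportlab.com',
        [string] $ExpectedVip    = '10.0.0.8'
    )
    $result = [pscustomobject]@{
        Time          = Get-Date
        ResolvedTo    = $null
        PointsAtVip   = $false
        HttpStatus    = $null
        MetadataValid = $false
        Error         = $null
    }
    try {
        # The internal A record must resolve to the ILB virtual IP, not to a single server.
        $addresses = [System.Net.Dns]::GetHostAddresses($FederationName) |
            ForEach-Object { $_.IPAddressToString }
        $result.ResolvedTo  = $addresses -join ','
        $result.PointsAtVip = ($addresses -contains $ExpectedVip)

        # Every healthy farm node serves the federation metadata document on 443.
        # -DisableKeepAlive opens a new TCP connection per probe, so the load
        # balancer makes a fresh choice of back-end server each time.
        $uri = "https://$FederationName/FederationMetadata/2007-06/FederationMetadata.xml"
        $response = Invoke-WebRequest -Uri $uri -UseBasicParsing -DisableKeepAlive -TimeoutSec 10
        $body = $response.Content
        if ($body -is [byte[]]) { $body = [System.Text.Encoding]::UTF8.GetString($body) }
        $result.HttpStatus    = [int]$response.StatusCode
        $result.MetadataValid = ($body -match 'EntityDescriptor')
    }
    catch {
        # DNS failures, TLS errors, timeouts and non-2xx responses all land here.
        $result.Error = $_.Exception.Message
    }
    $result
}

function Watch-AdfsVip {
    param([int] $Count = 60, [int] $IntervalSeconds = 5)
    $results = for ($i = 0; $i -lt $Count; $i++) {
        Test-AdfsVip
        Start-Sleep -Seconds $IntervalSeconds
    }
    $failed = @($results | Where-Object { -not ($_.PointsAtVip -and $_.MetadataValid) })
    [pscustomobject]@{ Probes = $Count; Failed = $failed.Count; Failures = $failed }
}

# Sample call: five minutes of probing while ConceppsADFS01 is shut down.
# Watch-AdfsVip -Count 60 -IntervalSeconds 5 | Format-List
```

A few failed probes right after a shutdown are expected until the load balancer's health probe marks the server down; failures that persist point at the probe or endpoint configuration.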
We are now set up with a highly available AD FS solution for all internal users. Continue on with the series to set up the Web Application Proxies (AD FS Proxy) so that the external users have access. Be sure to view Expanding Office 365 with Enterprise Mobility Suite on Microsoft Virtual Academy as a great next step.
I’m sitting here reviewing my notes from the Azure IT Camps we have been running in the last quarter, and I keep seeing one recurring theme. A lot of attendees wanted to know if there was a way to assign a public IP address directly to a VM instead of the cloud service. Doing so would make these VMs directly addressable without having to map an endpoint for access.
This is called Instance-Level Public IPs and it’s in preview right now. With it, you can enable scenarios such as running FTP servers in Azure and monitoring virtual machines directly using their IPs. This doesn’t take the place of the VIP that is assigned to your cloud service. Rather, it’s an additional IP address that you can use to connect to your VM. You can assign one PIP for each VM.
While in Preview release, you can do this for 2 VMs within a subscription. After GA that limitation will be removed.
A VIP (Virtual IP address) is the public IP address assigned to the cloud service. A DIP (an internal IP assigned by Windows Azure with DHCP) is the IP address assigned to the VM for communicating within Windows Azure. We previously covered how to assign a static IP address to a VM (well, not really a static address, as there is no such thing in Azure, but an address with a very long reservation) in Step-By-Step: Assigning VMs with Static IP addresses in a Virtual Network.
But now we can request a PIP.
The PIP enables different scenarios. By having a PIP on your VM, you can receive traffic on just about any port; you will not have to open up an endpoint to receive traffic. This enables scenarios where the ports are chosen dynamically. The other scenario is outbound traffic originating from the VM, which goes out with the PIP as the source and uniquely identifies the VM to external entities.
Once the PowerShell Module is installed use the following command to set a new PIP to the VM
Get-AzureVM -ServiceName pr-net1 -Name vnet1-app-1 | Set-AzurePublicIP -PublicIPName Appip | Update-AzureVM
where “ServiceName” is the cloud service where your VM is deployed, “Name” is the name of the VM and “PublicIPName” is the name of the public IP.
Once this succeeds, you can retrieve the IP address by using the following command:
Get-AzureRole -ServiceName pr-net1 -Slot Production -InstanceDetails
That’s it. Now you can access that machine directly using that IP address.
Let me know if you have any scenarios you are looking into.
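Because a PIP accepts traffic on just about any port with no endpoint in front of the VM, it is worth knowing which VMs have one and what each of them is listening on. The following is an added example, not part of the original post: part 1 lists the VMs that carry a PIP, and part 2, run inside such a VM, compares listening TCP ports with the guest firewall's inbound allow rules. All function names are hypothetical.

```powershell
# Added example (not from the original post). Function names are hypothetical.

# Part 1: run from an admin workstation with the classic Azure PowerShell module.
# Lists the VMs in the current subscription that have an instance-level public IP.
function Get-VmWithPublicIp {
    foreach ($entry in Get-AzureVM) {
        # Re-query by service and name to get the full VM object for the pipeline.
        $vm  = Get-AzureVM -ServiceName $entry.ServiceName -Name $entry.Name
        $pip = $vm | Get-AzurePublicIP
        if ($pip) {
            [pscustomobject]@{
                ServiceName = $entry.ServiceName
                VMName      = $entry.Name
                PublicIP    = $pip
            }
        }
    }
}

# Part 2: run inside a VM that has a PIP (Windows Server 2012 or later).
# Returns $true when $Port is covered by one of the firewall port specs,
# which can be 'Any', a single port, or a range such as '5000-5010'.
function Test-PortInSpec {
    param([int] $Port, [string[]] $Spec)
    foreach ($item in $Spec) {
        if ($item -eq 'Any') { return $true }
        if ($item -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        }
        elseif ($item -match '^\d+$' -and [int]$item -eq $Port) { return $true }
        # Keywords such as RPC or RPCEPMap are not resolved here.
    }
    return $false
}

function Get-ExposedListener {
    # Local port specs of every enabled inbound allow rule that applies to TCP.
    $allowSpecs = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -in 'TCP', 'Any' } |
        ForEach-Object { $_.LocalPort }

    # Listening sockets that are not bound to loopback only.
    Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalAddress -notin '127.0.0.1', '::1' } |
        Sort-Object -Property LocalPort -Unique |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalPort      = $_.LocalPort
                Process        = $(if ($proc) { $proc.ProcessName })
                AllowedInbound = Test-PortInSpec -Port $_.LocalPort -Spec $allowSpecs
            }
        }
}

# Sample calls:
# Get-VmWithPublicIp | Format-Table ServiceName, VMName
# Get-ExposedListener | Where-Object AllowedInbound | Format-Table
```

Part 2 is an approximation that errs on the side of over-reporting: it ignores firewall profiles, per-program and remote-address conditions, and block rules, so treat each AllowedInbound row as a port to review rather than as proof of exposure.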
With the end of support date looming for Windows Server 2003, most readers of this blog will remember a previous post entitled Step-By-Step: Building Your Own Lab on Windows Server 2012, which enabled readers to test in a lab the new capabilities offered by Windows Server 2012 R2. During today's CANITPRO camp, the question was put forward as to what one would do without access to hardware to run Microsoft's newest server offering. These steps detail how to test Windows Server 2012 R2 on Azure free for 30 days.
Step 1: Sign-up for a new Microsoft Account ( previously known as Windows Live ID )
A Microsoft Account allows the ability for IT professionals to both sign-up for a free Windows Azure Trial, as well as sign-in to the Windows Azure Management Portal to provision and manage Cloud resources. Many IT Pros prefer to sign-up for a unique account to better track Windows Azure resources even if they already have a pre-existing Microsoft Account.
Note: Country and Postal Code: When completing this form, please be sure to accurately reflect your country ( Canada ) and Postal code
Step 2: Navigate to the FREE Trial Page
Found here: Windows Server 2012 R2 on Azure Evaluation Page Select Try it now to continue.
Step 3: Register for the FREE Windows Azure Trial
On the page following the Windows Server 2012 R2 evaluation page, register for a Windows Azure FREE Trial subscription by clicking on the TRY IT NOW button.
Step 4: Submit the Trial Registration Form for Windows Azure
Complete each field on the registration form and click the SIGN UP button. Note: A valid Credit Card will be requested when completing the form for the Windows Azure Trial Registration in Section 3 of the form. This information is securely processed for validating your individual identity. The supplied credit card will not be charged during the trial subscription period. You must provide approval to convert your trial subscription to a paid subscription. This comes as common practice as most cloud providers generally require credit card information to validate the identity of individuals when signing up for trial programs of their offering.
Step 5: Build Your Windows Server 2012 R2 Virtual Machine
At this point you should now have an active Windows Azure Trial Subscription to use for building your cloud-based lab environment. To build your Windows Server 2012 R2:
This lab setup will take you less time than downloading, installing and setting up a lab, allowing IT professionals to learn Windows Server 2012 R2 practices and capabilities that much quicker. To take your learning to the next level, be sure to visit the Microsoft Virtual Academy and review the What's New in the Windows Server 2012 R2 Jump Start session.
On July 14th 2015, Windows Server 2003 will reach end of life. While some organizations are still catching their breath from a Windows XP end of life, as of this writing, there are only 265 days left of Microsoft technical support with regards to Windows Server 2003. So what does that really mean? Here are some considerations in planning next steps on behalf of your organization.
Under Extended Support last calendar year (2013), Microsoft released 37 critical updates for Windows Server 2003/R2. No new updates will be developed or released after July 14th, 2015.
Lack of compliance with various regulatory and industry standards and regulations can have a huge impact on an organization. For example, lack of compliance with the Payment Card Industry (PCI) Data Security Standards might mean that your organization can no longer accept major credit cards without using a third party (which might prove costly if not inconvenient).
Both virtual and physical instances of Windows Server 2003/R2 and Microsoft Small business Server (SBS) 2003 are vulnerable and would probably not pass a compliance audit.
Microsoft estimates that at the enterprise level, the average server migration takes approximately 200 days of elapsed time and the average application migration takes close to 300 days. Of course these numbers are not based on level of effort but on time from project start to finish (consider project planning, needs analysis, procurement, testing, etc.).
So how do we make best use of the time we have left? I would hope that as we are fresh from our Windows XP migrations, we have learned some lessons that we can apply to accelerate our Windows Server 2003/R2 migrations. Two key learnings that I’d like to explore in this post are application compatibility and application deployment.
The biggest issues that most organizations will face will be around application compatibility. What we have found in our Windows XP migrations is that there is a class of applications that no matter what you do cannot be made compatible without some recompiling at a minimum. The applications I am referring to are 16-bit applications. The reason for this is based on the implementations of Windows-on-Windows (WoW):
These same issues will present themselves with Server 2003/R2 migrations. However, if you are moving to Windows Server 2012/R2 (and why wouldn’t you?), there is no 32-bit version available. Applications that are susceptible to these compatibility issues need to be dealt with in a different manner, perhaps with a small pool of 32-bit Windows Server 2008 servers. You will have until 2020 before extended support for Server 2008 runs out.
As part of migrating an existing application or deploying a new application, best practices would recommend having a minimum of three segregated environments:
Virtualization has made this much more economical and accessible to smaller organizations. One of the issues I see is moving applications between the environments. It can be time consuming and error prone. One way to minimize the level of effort and increase the accuracy is to use Server App-V. Server App-V (part of System Center Virtual Machine Manager) is a technology that enables virtualization of server applications. With Server App-V, you can create a package that contains all of the required elements of an application (including configuration information) and deploy it simply by “copying” the package to the target server. No changes (registry, service, COM, DCOM, COM+, WMI, etc.) are required on the target server. Server App-V addresses the full lifecycle of an application including deployment, updating, and retiring.
Server App-V can be used with or without SCVMM, but the greatest advantage of the technology comes from integrating packages into VMM Service Templates.
To further assist in your migration, be sure to complete the Windows Server 2003 End of Support Migration Overview available on Microsoft Virtual Academy.
Last week in Toronto during a delivery of our “Getting Started with Microsoft Azure for IT Professionals” IT Camp there was a great discussion about disks and maximum IOPS available to VMs in Azure. So I decided to write up a summary of that discussion for everyone’s benefit.
Before you get going, I recommend these 2 free Microsoft Virtual Academy online training courses to get up to speed:
First, we need to define what the default disk configuration of a virtual machine in Azure is. By default, when you create a new VM, 2 disks are attached to that VM. The first one is a persistent disk that will hold data even after a reboot of the VM. It’s registered as a SATA drive and labeled as the C drive. This disk has a maximum capacity of 127 GB. When Azure creates an operating system disk, three copies of the disk are created for high durability. Additionally, if you configure the virtual machine for geo-replication, your VHD is also replicated. The second is a temporary disk automatically created for you. On Windows virtual machines, the temporary disk is labeled as the D drive. On Linux virtual machines, the disk is typically /dev/sdb and is formatted and mounted to /mnt/resource by the Azure Linux Agent. Don’t store data on the temporary disk. This disk provides temporary storage for applications and processes and is used to store data that you don’t need to keep, such as page or swap files.
For more information on the available sizes and options for the virtual machine-based compute resources you can use to run your apps and workloads, please refer to this page: Virtual Machine and Cloud Service Sizes for Azure. These resources are available to you as Azure Virtual Machines (sometimes called “IaaS virtual machines” or “persistent virtual machines”), and Cloud Service role instances (web roles and worker roles). That topic also provides deployment considerations to be aware of when planning to use these resources.
*** The link above is where you will find the IOPS stats for each type of virtual machines.***
You can attach new or existing “data” disks to your VM for storing persistent data. Here is how we do it.
Click Virtual Machines, and then select the appropriate virtual machine. On the command bar, click Attach, and then select Attach Empty Disk.
On the next dialogue box you need to configure the size you need for that disk (max 1023 GB, or just shy of a 1 TB drive) and the host cache preference. Host Cache Preference settings for an operating system disk or for a data disk improve performance under some circumstances. Host caching is off by default for both read and write operations for data disks. Host caching is on by default for both read and write operations for operating system disks.
Once it completes, you will see the data disk listed on the dashboard of the virtual machine.
Of course you can attach an existing disk to your VM. But that requires that you have a .vhd available in a storage account. You can use the Add-AzureVhd cmdlet to upload the .vhd file to the storage account or other tools like the Azure Storage Explorer found on CodePlex.
After you've created and uploaded the .vhd file, you can attach it to a virtual machine in the same way as the new disk, but you will need to select “attach disk” instead of “attach empty disk”.
After you add a new data disk, you'll need to log on to the virtual machine and initialize the disk so the virtual machine can use the disk for storage. Connect to the virtual machine and open Server Manager. In the left pane, expand File and Storage Services, then click Disk and select the new disk.
Right-click it and select “Initialize” (you will get a warning that the disk will be wiped),
and in the Volumes pane, create a new volume.
There you go: a new persistent drive you can use to store your data.
In upcoming weeks I’ll explore how these disks and Azure storage in general can bring huge value to your deployments.
Last August I wrote about using automation to help manage your Azure environment in a post called “Step-By-Step: Automating Azure with Runbooks”.
It can be a little intimidating and time consuming to create your own runbooks. That is why the Azure team has put together a new feature in Azure called the Azure Automation Runbook Gallery. The Runbook Gallery is a new feature for Azure Automation that puts existing Automation sample, utility, and scenario runbooks right at your fingertips to help you get up and running quickly with your automation tasks. The Runbook Gallery allows you to browse and import runbooks to your Automation account without having to leave the Azure Management Portal.
To access the Runbook Gallery, all you need to do is go through the portal. Click the button in the action bar at the bottom and select App Services > Automation > Runbook > From Gallery.
Once you’re in the gallery you can browse it by category to find the runbook that most likely fits the bill, and use the documentation section to see what it does. You can use and modify it to fit the goal you are trying to achieve.
Once you find it, click the link on the upper right and it will take you to the Script Center repository where you can find the code itself,
or click the lower-right right-arrow to review the runbook definition.
From there, in the last page of the dialogue box, you can import the runbook into your own automation setup.
That’s it folks… go automate stuff…
I encourage you to try your hand at writing your own runbooks and harness that power.
Until next time, I’m off for a few days on a much needed vacation.
Now that the first AD FS server is setup and federated with Office365, additional servers can be introduced into the AD FS farm. The process itself can be repeated on one or many more servers depending on user base load balanced against the number of servers needed in the AD FS farm to support it.
1. Build the Azure virtual machine
2. Install the AD FS 3.0 role
3. Add the secondary AD FS 3.0 server to the AD FS Farm
- Azure account is setup
- Directory Sync is activated, setup and running
- Valid SSL certificate is available (with private key)
- VPN connection setup from Azure to your on-premise network
- Primary AD FS server is setup (see previous post in this series)
Click New -> Compute -> Virtual Machine -> From Gallery
Select Windows Server 2012 R2 Datacenter
Click Next
Enter the Virtual Machine Name
Select the Tier
Select the Size
Choose the Cloud Service that the first AD FS Server is installed in (setup earlier in the BLOG series)
Verify Subnet
Choose the Availability Set that was created when we provisioned the first AD FS server
Wait for the Virtual Machine to be provisioned and then continue
Please reference this BLOG post on how to install the AD FS 3.0 Role on the virtual machine and then import the SSL certificate
Setting up the Primary AD FS 3.0 Server in Windows Azure for Office365 Single Sign-On
Open Server Manager
Select AD FS
Click More… where it says Configuration required for Active Directory Federation Servers at…
Click Configure the federation service… action on the Post-Deployment Configuration
Select Add a federation server to a federation server farm
Enter credentials for a user that has domain administrator permissions. This is used to complete the install, it’s not used as the AD FS service account
Specify the Primary Federation Server
Select the SSL certificate that was imported earlier (the same certificate that was installed on the primary AD FS server)
Note: Since I am using a multi-name certificate, the name of the certificate does not match my AD FS farm name. In production I always recommend that you use a single name certificate to keep things simple. If that’s the case then the certificate name should match the AD FS farm name e.g. sts.domain.com
Select the AD FS service account (the same account that was used in the setup of the primary AD FS server in the farm)
Enter the password
When the pre-requisites are completed
Click Configure
Success
We now have a two node AD FS server farm setup in Windows Azure. Keep in mind that you have to continue to the next post to setup load balancing for the servers. This too will help greatly with regards to the number of devices users can now use to access their organization's Office 365 resource. Be sure to view Expanding Office 365 with Enterprise Mobility Suite on Microsoft Virtual Academy as a great next step.
With the recent release of iOS 8, many IT Professionals have been wondering how said devices with the now upgraded OS offering would be managed via existing Mobile Device Management (MDM) solutions. Some also wonder the length of time till an update is pushed down from said MDM vendor to address the change.
Microsoft has gone to great lengths to ensure their cloud-based MDM offering, Intune, would support iOS 8 management on the day of launch. Intune also furthers compatibility to take advantage of the nuances provided by the updated OS. Martin Booth and Wally Mead present a great overview of Microsoft Intune within Microsoft Virtual Academy, highlighting the advantages of this MDM cloud offering and how it extends over a multitude of OS offerings.
The new iOS 8 offering enables additional policy sets providing further control via Intune. These specific features include:
These features are added to the plethora of additional policies made available via previous versions of iOS supported by Intune.