Restricting Azure Resource Deployment by Region

This week, I’ve been studying some topics ahead of my 70-533 exam, and one of the topics that I covered, which I thought would make a really relevant and hopefully not too long a post, is the subject of restricting Azure resource deployment to specific regions.

Many organisations have considerations around data privacy and sovereignty. For me and many folks in the UK, right now that means your data is probably living in an Azure region in Europe, either Dublin or Amsterdam. With the UK datacentres having been brought online fairly recently and their available features growing month by month, using those regions becomes more appealing, and the prospect of Brexit, and how your data sovereignty may be affected by that shake-up, could make the UK datacentres even more appealing in the months and years to come.

With an out-of-the-box Azure subscription, we have the power to deploy resources to any region we like, be it UK, US, South America or Asia. Given these privacy and data protection concerns, wouldn’t it be great if you could limit this so that even the most well-trained administrators and users cannot accidentally place your data on the wrong side of a pond?

Read on below the fold and I’ll explain how to create an Azure Resource Policy and how to apply it to your environments.

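The post’s own walkthrough sits below the fold, so here is an added illustration (not the author’s script) of the mechanism described above: an Azure Resource Policy that denies any regional resource outside UK South and UK West, assigned at subscription scope. It assumes the AzureRM PowerShell module with an active login, and the subscription ID and policy name are placeholders.

```powershell
# Added example, not the post's own code. Assumes the AzureRM module is installed
# and Login-AzureRmAccount has already been run.
$allowedRegions = @('uksouth', 'ukwest')     # UK South and UK West
$subscriptionId = '<subscription-guid>'      # placeholder: your subscription ID

# Policy rule: deny anything whose location is not in the allowed list.
# Resources with location "global" (Traffic Manager profiles, DNS zones, ...)
# have no regional home, so they are excluded rather than blocked by mistake.
$rule = @{
    if = @{
        allOf = @(
            @{ not = @{ field = 'location'; in = $allowedRegions } },
            @{ not = @{ field = 'location'; equals = 'global' } }
        )
    }
    then = @{ effect = 'deny' }
} | ConvertTo-Json -Depth 10

# Create the definition once in the subscription...
$definition = New-AzureRmPolicyDefinition -Name 'restrict-to-uk-regions' `
    -DisplayName 'Restrict deployments to UK regions' `
    -Description 'Denies creation of regional resources outside UK South and UK West.' `
    -Policy $rule

# ...then assign it at subscription scope so every resource group inherits it.
New-AzureRmPolicyAssignment -Name 'restrict-to-uk-regions' `
    -PolicyDefinition $definition `
    -Scope "/subscriptions/$subscriptionId"

# Check: list the assignments in force at this scope. A deployment into, say,
# West Europe should now be rejected by policy instead of creating the resource.
Get-AzureRmPolicyAssignment -Scope "/subscriptions/$subscriptionId" |
    Select-Object Name, @{ n = 'Definition'; e = { $_.Properties.policyDefinitionId } }
```

Existing resources in other regions are not moved or deleted by the policy; it only blocks new deployments, so an inventory of current resource locations is still needed.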

The GitHub Deploy to Azure Button

This is a really quick post but one I thought was worthy of getting down somewhere.

I’m starting to use GitHub more and more as a source for content, and as I find myself wanting to produce the odd piece of content as well, I figured GitHub is where everyone else is sticking their Azure Resource Manager code, so I should do the same.

For anyone who has looked at the official Azure team GitHub repositories, you will have seen the blue Deploy to Azure button, which is really nice as it takes you directly from GitHub over to Azure and links back to the GitHub repository to start deploying the Resource Manager template, without you having to download it and deploy it manually first.

The Azure team have a blog post over at https://azure.microsoft.com/en-gb/blog/deploy-to-azure-button-for-azure-websites-2/ which explains how you can use the Deploy to Azure button in your own repositories, or even have it on your own website with a link back to a repository. It’s a nice touch, dead simple to implement by adding a line to the readme.md file, and gives you that factory feel.

Enjoy.

Azure Winter Roundup 2016

With the weather starting to warm up and the sun out for longer, the worst of winter is behind us and we have spring to look forward to, so what better time to wrap up 2016 with a recap of some of the new features to drop.

What’s New in General Availability

The all-important GA milestone means these services are ready for prime time, so here’s what’s new in the world of Azure since Al’s last update.

Managed Disks

Since the dawn of infrastructure as a service in Microsoft Azure, Storage Account management has been one of the burdens that followed us into the cloud. Much like managing LUN mapping and disk tier balancing on on-premises SAN arrays, we had to get the right number of Storage Accounts, with the right capacity and number of IOPS in each.

Managed Disks now allow us to offload that burden to Microsoft, meaning we can provision IaaS VMs with the storage complexity of PaaS (read: none). When we provision a machine and select the option to use Managed Disks, the platform will create everything behind the scenes.

Managed Disks are available in Premium and Standard storage flavours, but the gotcha is that for Standard you pay for the fully provisioned disk size, not the thin-provisioned in-use size as you do with traditional Storage Accounts, so some customers may wish to continue using the conventional storage methods.

For the full story on Managed Disks, read on at https://azure.microsoft.com/en-us/blog/announcing-general-availability-of-managed-disks-and-larger-scale-sets/.


Office 365 Group License Management Preview

Sitting on the train yesterday evening, I was glancing across my Twitter feed when I noticed this beauty that I had to share.

https://blogs.technet.microsoft.com/enterprisemobility/2017/02/22/announcing-the-public-preview-of-azure-ad-group-based-license-management-for-office-365-and-more/

Granted, the feature is in preview right now so doesn’t quite have its game face on just yet, but it’s still really worth looking at.

You now have the ability to assign Office 365 licenses based on membership of either an Azure Active Directory group or an on-premises synchronised Active Directory group (a security group, to be specific). No longer do we need to assign the licenses to each user individually or use PowerShell scripts to bulk-assign them. Simply assign the proper licenses to the group and then make sure everyone is a member of that group. When a user is added to the group they get the licenses, and when the user is removed from the group the licenses are taken away. Simples.

This may seem like a small feature, but for customers adopting Office 365 from scratch, or for existing customers who are buying new features or activating license sub-components as part of a progressive Office 365 rollout, this will be an invaluable time saver. You can even have multiple groups and use dynamic group membership to populate the groups based on attributes of the user object.

I see a real use case for group-based license assignment in scenarios where you have a limited number of licenses available for a particular product and need to re-assign them from one individual to another. A good example would be where one department needs to use Power BI Pro but another does not, and as a user’s department attribute changes from Sales to Operations (for example), the licenses get moved around. For customers automating their starter and leaver processes, no longer will you need PowerShell cmdlets which connect to Office 365 and assign the licenses. Just make sure the user is created as a member of the relevant groups and off they go.

I look forward to seeing this feature go into general availability and being used by customers in the field.

Apply Updates on Windows Nano Server 2016

In my previous post, List Updates on Windows Nano Server 2016, I talked about reporting the updates which are installed on or missing from your Nano Servers. With that information in hand, you can now move to the more powerful aspect: actually patching them.

In my environment, I don’t want my hosts going out to Microsoft Update on their own, nor do I want to run an entire WSUS server just for a couple of Nano Servers, so I patch them manually. This manual patching effort will possibly resonate with others, so I thought I would share it.

As it stands, the script requires you to fetch the updates yourself. I am going to work on something using Invoke-WebRequest in PowerShell to automate that step too, but that’s a small price to pay given the minimal number of updates Nano Server requires. Use the Microsoft Update Catalog at https://catalog.update.microsoft.com to obtain any updates you need. As Thomas Maurer pointed out in his Nano Server updates post at http://www.thomasmaurer.ch/2016/10/how-to-install-updates-on-nano-server/, there is an update for your Nano Servers which is not actually listed: the Servicing Stack Update for Windows 10 Version 1607, KB3176939, which you can download from http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3176936. This update is designed to be installed first, and it improves the reliability and stability of the servicing stack in Windows which is used by the update process.


List Updates on Windows Nano Server 2016

Windows Server 2016 introduced a new SKU, Nano Server. Nano Server is an extremely low-footprint operating system designed for microservices and rapid deployment and provisioning, and it currently supports roles including Failover Clustering, Hyper-V, File Server, Web Server and DNS Server.

With Nano Server being completely headless and, at this moment in time, not supporting a Configuration Manager agent for managing operating system patches, there needs to be a way for you to track and manage patching on them. At home I run two Nano Server hosts using Hyper-V to host some virtual machines, and a third running inside a VM for some testing workloads. I decided I wanted to script a way of at least partly automating the patching.

The first script below lists the updates that your Nano Server has installed already, for reporting purposes. The second lists the updates which are available and require installation. It’s worth noting that for this to work, your Nano Server machines will need access to an update service to find out what updates are available, be it Microsoft Update or WSUS. If you are reading this thinking that you didn’t know Nano Server could use WSUS, well, sure it can; you just need to populate the same registry keys you would on a normal Windows machine.

The code for returning the list of updates comes directly from the Microsoft blog at https://blogs.technet.microsoft.com/nanoserver/2016/10/07/updating-nano-server/; however, that assumes a manual process, so I have wrapped it up to provide a level of automation.

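The two scripts the post refers to are below the fold, so here is an added example (not the author’s scripts) of the same approach: the Windows Update CIM session that the Microsoft blog post uses, run over several Nano Servers at once to report both installed and missing updates. It assumes PowerShell Remoting is reachable on each host; the host names are constructed placeholders.

```powershell
# Added example, not the post's own scripts. Host names are placeholders.
$nanoHosts = @('nano01', 'nano02', 'nano03')

$reportUpdates = {
    # MSFT_WUOperationsSession is the update interface Nano Server exposes;
    # the search criteria use the usual Windows Update Agent syntax.
    $session = New-CimInstance -Namespace 'root/Microsoft/Windows/WindowsUpdate' `
                               -ClassName 'MSFT_WUOperationsSession'

    foreach ($criteria in 'IsInstalled=1', 'IsInstalled=0') {
        # OnlineScan=$true asks the configured source (Microsoft Update or the
        # WSUS server set in the registry) rather than the local cache only.
        $scan = Invoke-CimMethod -InputObject $session -MethodName ScanForUpdates `
                    -Arguments @{ SearchCriteria = $criteria; OnlineScan = $true }

        foreach ($update in $scan.Updates) {
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                State    = if ($criteria -eq 'IsInstalled=1') { 'Installed' } else { 'Missing' }
                KB       = $update.KBArticleID
                Title    = $update.Title
            }
        }
    }
}

# One remoting call fans out to every host and returns a flat list of rows.
$results = Invoke-Command -ComputerName $nanoHosts -ScriptBlock $reportUpdates

# Full report, then a per-host count of what still needs installing. Any host
# with Missing rows is the input to the manual patching step in the next post.
$results | Sort-Object Computer, State, KB |
    Format-Table Computer, State, KB, Title -AutoSize

$results | Where-Object State -eq 'Missing' |
    Group-Object Computer | Select-Object Name, Count
```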

Philips Hue Scene Control with Vera Z-Wave Scenes

For a little while now, I have been buying Philips Hue light bulbs for home. I haven’t gone too overboard just yet, but one of the starting factors was being able to set some coloured lighting in the living room and in the kitchen, to provide a bit of flashing light action for those long summer nights with a drink or two and friends.

At Christmas, I was able to get myself a Vera Edge Z-Wave controller, as I really wanted to start making better use of the Hue bulbs and integrating them with Z-Wave to set up some nice home automation scenarios. After getting Vera online, getting the Hue2 plugin installed and gaining control of the bulbs, I started to struggle. What I quickly noticed was that when trying to use Z-Wave Scenes in Vera to operate groups of Hue bulbs, I wasn’t able to, and instead had to chain up actions, which had the undesired effect of each bulb turning on in order with a second or so of delay between each. Compared with Hue scenes, where you press it and the whole room lights up, this wasn’t great.

Tonight, however, I managed to find the answer and get it working just so, with a little bit of effort here and there. I wasn’t able to find this information easily on the MiCasaVerde forums, so I thought I would post it here in the hope that someone’s Google search turns it up for them.


RDS and the Case of the Mistaken PKI OID

Earlier this morning, I was working with our support team to work out an issue they were having in an environment where Remote Desktop Services had stopped working. Trying to connect to a server via RDS simply failed with a Network Level Authentication warning, which was strange given it was a domain environment and everything should be trusted and all good. The issue started life as support seeing Event ID 1058 and Event ID 36870 errors in the event log, and they had been looking at https://blogs.technet.microsoft.com/askperf/2014/10/22/rdp-fails-with-event-id-1058-event-36870-with-remote-desktop-session-host-certificate-ssl-communication/ for guidance up to this point, with no success.

I quickly discovered that a GPO had recently been implemented that enforced NLA for RDS and also assigned a certificate template to use for Remote Desktop instead of the default self-signed certificate. I hopped onto the certificate authority to check out the certificate template that had been configured and compared it to the recommendations of the Microsoft article on assigning certificates to RDS sessions at https://blogs.technet.microsoft.com/enterprisemobility/2010/04/09/configuring-remote-desktop-certificates/, as this is an article I have referred to before and know works.


Working Hard on Web Security

As anyone who visits my site on a regular basis may have noticed, I’ve been working hard on securing this blog to make it follow more best practices and be more in keeping with modern web security, given it’s been quite a while since I’ve touched that side of the site. There have been numerous things that I have implemented, and I thought I would give a little rundown of them.

Read on after the fold for the low down on each of the features and how it works.


Hunting and Decrypting EFS Encrypted Files

At home last week, I started doing some preparations for upgrading my home server from Windows Server 2012 R2 to Windows Server 2016. This server was originally installed using Windows Server 2012 R2 Essentials and I have since performed an edition upgrade to Standard on the machine, which means that the host has ADDS, ADCS, NPS and some other roles installed as part of the original Essentials server installation. We all know that unbinding ADDS and ADCS can be a bit of a bore, which is why nobody in the age of virtualization should be installing ADDS and ADCS together on a single server, but that’s by the by.

When I started looking at decommissioning the ADCS role, I noticed that an EFS certificate had been issued to my domain user account. I’ve never knowingly used EFS, but the presence of a certificate for that purpose led me to believe there may be some files out there, so I started looking.

EFS was a technology that appeared circa Windows XP to allow users to encrypt files before BitLocker was a thing. It was a nice idea, but it was troubled and flawed in that it was enabled by default and users could self-encrypt files without IT having implemented the proper tools to recover the files when disaster struck.
