Posts from May 2014

Microsoft Azure Spending Limits Clarification

Lots of people want to use Microsoft Azure, that much is clear, but judging by the threads which get started on the TechNet forum, a lot of people get stuck on the relationship between trial accounts, standard accounts, billing and limits, so I wanted to set the record straight a little using some good old plain English.

This is in response to a thread I answered on the TechNet forum last night which you can see at http://social.msdn.microsoft.com/Forums/windowsazure/en-US/a78f28e6-3929-45ef-9c52-cee62d3ab17a/set-spending-limit-after-free-trial?forum=windowsazurepurchasing#a603ca13-5911-4cf9-a142-ec1615192e95.

Trial Accounts

When you sign up for a Microsoft Azure trial account, you are prompted to provide a payment instrument during the sign up. Payment instrument is a really horrible term for a payment method. In a nutshell, it wants you to provide a credit card. When you sign up for the free trial, you get $200 of credit available to consume over a one month period.

The $200 credit is imposed in the form of a spending limit. If you consume all $200 before your month is up, all of your services will be suspended. If you’ve got credit left at the end of the one month period you will lose it, so make sure you use it even if it’s just to get a grasp on how to create the various types of virtual machine, website, cloud service or database.

If you consume all $200 before the month is up and you want to resume the services you have provisioned so far, you can remove the spending limit on the trial account, which will begin placing cost-incurring charges against your credit card payment instrument.

MSDN and BizSpark Accounts

If you have access to Microsoft Azure via an MSDN subscription or a BizSpark subscription you will have at your disposal $150 per month of Microsoft Azure credit included in your agreement. This entitlement lasts for the duration of the agreement and at the termination of your agreement, all services will become suspended when the final credit amount expires in your final month.

If you want to resume these services, you will need to add a payment instrument, a credit card, to the account and disable the spending limit. Unlike a trial account, you are not forced to add credit card information at the point of enabling the subscription, so be sure you don’t forget to add this detail.

If you are using your $150 a month entitlement but find that you could do with a little bit extra, you can opt to disable the spending limit on the subscription and add payment details in the form of a credit card; once you reach the $150 free entitlement, any excess usage of the Microsoft Azure platform will be billed to your card.

Understanding Spending Limits

Spending limits are, I think, the largest cause of confusion in Microsoft Azure. Spending limits are exactly what they are called: a limit to prevent spending money over a given amount. They do not represent a fixed spending commitment (e.g. spending $100 a month even if you only consume $25 of services), a question I’ve seen asked on the TechNet Forums on more than a few occasions.

Spending limits are not a feature which is generally available for normal subscriptions. Spending limits are only available for the Trial, MSDN and BizSpark subscriptions as previously mentioned. If you are an enterprise customer or a conventional pay-as-you-go customer you cannot enable a spending limit on your subscription as this option is not available.

With MSDN and BizSpark subscriptions, when you disable the spending limit, you will continue to consume your monthly or trial period entitlement of funds. The trial or monthly funds will be consumed first before any charges are levied against your credit card. Once you exhaust all of your credit, you will start being billed.

If you elect to reactivate a spending limit on an MSDN or a BizSpark subscription, you cannot customise the limit value. When you reactivate the spending limit, it will be restored with the same limit as was previously imposed. To reiterate, you cannot customise the spending limit as the limit value is defined by the type of subscription that you have.

You can read the official Microsoft article on MSDN about spending limits configuration and when they are or are not available at http://msdn.microsoft.com/library/azure/dn465781.aspx.

Alternative to Spending Limits

With spending limits not available for conventional subscriptions, many people will be wondering what there is to stop them from racking up a massive bill unknowingly and then having to explain or justify, perhaps to business partners or co-workers, how they managed to spend so much. By default, nothing: there is nothing to stop you from spending an unlimited amount of money. Luckily, we have a solution in the Billing Alert Service.

The Azure Billing Alert Service is currently in preview, although it has been around for a while now and I expect it to stay due to the lack of spending limits for conventional subscriptions. Although the Azure Billing Alert Service does not explicitly stop you from spending too much money, it does allow you to configure warnings and alerts before you spend too much and gives you a chance to react to potential billing spikes, for example by shutting down services or virtual machines.

I have previously written a short post on how to enable and configure the Azure Billing Alert Service, which you should take a look at to find out more about how to configure this on your own subscription.

I hope that this post clarified the meaning of spending limits in Microsoft Azure, when you can and cannot use them and how to use the Azure Billing Alert Service as an alternative.

Repairing a Damaged SQL Azure Sync Group

As a follow-up to my TechNet Guide published previously on Configuring a Windows Azure SQL Sync Group, in this post, I will explain how to repair a broken sync group.

Firstly, let me explain how I broke it. I have two SQL Azure databases in sync: one database in the North Europe region and another in the West Europe region. Following some security advice for WordPress, I decided I wanted to change the table prefixes for my database from the default of wp_. I made all of the required changes to the config.php file, to the database tables and all the other changes required as per the guide I used at http://wpcanada.ca/2009/how-to-change-wordpress-table-prefix/. After doing this, I couldn’t do anything to the blog: edit posts, author new posts, delete posts. I busted out SQL Server Management Studio to manually delete the post I was trying to clear out and I got an error message that there was a problem with the trigger.

I’m not a SQL expert so I hadn’t encountered triggers before, but I could tell from the trigger name, wp_posts_dss_delete_trigger, what this was. The trigger was based on the old wp_ table prefix and now my prefixes were different. I logged into the Windows Azure Management console and tried to update the database schema through the Sync Group configuration, which succeeded, but nothing was working still.

After much T-SQL research and experimentation, I got the fix.

Backup Everything

I can’t stress this point enough which is why it is in red, a colour which I normally try to avoid at all costs.

If you choose to follow this post to help recover a broken SQL Azure Sync Group and a potentially broken application trying to use that database, please make sure you back everything up. The changes we will make to the database in the following steps have the potential to ruin your day if done improperly and I can’t be responsible for any data loss as a result.

The easiest way to back up a SQL Azure database is from the Windows Azure Management portal, which allows you to generate a .bacpac file, an export of the entire database schema and table contents. This .bacpac file will be written to a Windows Azure Storage BLOB container of your choice.

Clear and Delete the Sync Group

Firstly, you need to clear out the Sync Group. Full instructions for this are on Windows Azure MSDN at http://msdn.microsoft.com/en-us/library/windowsazure/jj991914.aspx but in a nutshell, remove any Reference databases from the Sync Group first, leaving only the Hub database. Once this is done, delete the Sync Group, leaving you with standalone, non-communicating databases.

Next, log in to your SQL Azure database using either the Windows Azure SQL Management console or SQL Server Management Studio from your own machine. You should be connecting to the database which was formerly the Hub database as this is our primary and the one which needs rescuing. We’ll deal with the Reference databases at the end of the process.

Drop the Sync Group Database Tables

View the tables in the database and you should see a number of tables which have the schema prefix DataSync instead of the usual dbo. There are four standard tables for all databases, which have the following names:

  • DataSync.provision_marker_dss
  • DataSync.schema_info_dss
  • DataSync.scope_config_dss
  • DataSync.scope_info_dss

There will also be other DataSync tables which match your existing pre-change table names. Drop all of the DataSync tables. The T-SQL query for this is as follows:

DROP TABLE DataSync.provision_marker_dss
DROP TABLE DataSync.schema_info_dss
DROP TABLE DataSync.scope_config_dss
DROP TABLE DataSync.scope_info_dss

Repeat this process for your custom name DataSync tables. In my case these were WordPress table names such as DataSync.wp_posts_dss_tracking.

Drop the Sync Group Triggers

This was the hardest part for me to find information on and complete. With all of the tables dropped, we’re halfway there, but the triggers are the actual problem, not the tables. Each table has three associated triggers for INSERT, UPDATE and DELETE actions. The triggers are what tell the Sync Group that the Hub database has a change that needs to be replicated to other copies of the database.

First, we need to find all of your triggers. The following code is courtesy of Joe Stefanelli on Stack Overflow at http://stackoverflow.com/questions/4305691/need-to-list-all-triggers-in-sql-server-database-with-table-name-and-tables-sch.

SELECT sysobjects.name AS trigger_name
    ,USER_NAME(sysobjects.uid) AS trigger_owner
    ,s.name AS table_schema
    ,OBJECT_NAME(parent_obj) AS table_name
    ,OBJECTPROPERTY(id, 'ExecIsUpdateTrigger') AS isupdate
    ,OBJECTPROPERTY(id, 'ExecIsDeleteTrigger') AS isdelete
    ,OBJECTPROPERTY(id, 'ExecIsInsertTrigger') AS isinsert
    ,OBJECTPROPERTY(id, 'ExecIsAfterTrigger') AS isafter
    ,OBJECTPROPERTY(id, 'ExecIsInsteadOfTrigger') AS isinsteadof
    ,OBJECTPROPERTY(id, 'ExecIsTriggerDisabled') AS [disabled]
FROM sysobjects
INNER JOIN sysusers ON sysobjects.uid = sysusers.uid
INNER JOIN sys.tables t ON sysobjects.parent_obj = t.object_id
INNER JOIN sys.schemas s ON t.schema_id = s.schema_id
WHERE sysobjects.type = 'TR'

This will output a query result listing all of the triggers on the database, with the trigger name and the table for which each one is registered. Right-click the trigger_name header in the query result and select the Copy option. Open a New Query window and paste the output into it, which gives you a list of all of the triggers, one per line. Prepend the syntax DROP TRIGGER to the first line, then copy the DROP TRIGGER syntax onto the start of each remaining line.

For me, this gave me the following query ready to execute (for WordPress remember):

DROP TRIGGER wp_term_taxonomy_dss_insert_trigger
DROP TRIGGER wp_term_taxonomy_dss_update_trigger
DROP TRIGGER wp_term_taxonomy_dss_delete_trigger
DROP TRIGGER wp_commentmeta_dss_insert_trigger
DROP TRIGGER wp_commentmeta_dss_update_trigger
DROP TRIGGER wp_commentmeta_dss_delete_trigger
DROP TRIGGER wp_terms_dss_insert_trigger
DROP TRIGGER wp_terms_dss_update_trigger
DROP TRIGGER wp_terms_dss_delete_trigger
DROP TRIGGER wp_comments_dss_insert_trigger
DROP TRIGGER wp_comments_dss_update_trigger
DROP TRIGGER wp_comments_dss_delete_trigger
DROP TRIGGER wp_usermeta_dss_insert_trigger
DROP TRIGGER wp_usermeta_dss_update_trigger
DROP TRIGGER wp_usermeta_dss_delete_trigger
DROP TRIGGER wp_links_dss_insert_trigger
DROP TRIGGER wp_links_dss_update_trigger
DROP TRIGGER wp_links_dss_delete_trigger
DROP TRIGGER wp_users_dss_insert_trigger
DROP TRIGGER wp_users_dss_update_trigger
DROP TRIGGER wp_users_dss_delete_trigger
DROP TRIGGER wp_options_dss_insert_trigger
DROP TRIGGER wp_options_dss_update_trigger
DROP TRIGGER wp_options_dss_delete_trigger
DROP TRIGGER wp_postmeta_dss_insert_trigger
DROP TRIGGER wp_postmeta_dss_update_trigger
DROP TRIGGER wp_postmeta_dss_delete_trigger
DROP TRIGGER wp_posts_dss_insert_trigger
DROP TRIGGER wp_posts_dss_update_trigger
DROP TRIGGER wp_posts_dss_delete_trigger
DROP TRIGGER wp_term_relationships_dss_insert_trigger
DROP TRIGGER wp_term_relationships_dss_update_trigger
DROP TRIGGER wp_term_relationships_dss_delete_trigger

Ensuring that your query is pointed at the correct database if you are using SQL Server Management Studio, press the Execute button to run the query. You should get the response Command(s) completed successfully.
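As an added example that is not from the original post: rather than copying the trigger names out of the result grid and prepending DROP TRIGGER by hand, the following T-SQL generates schema-qualified DROP statements for every sync trigger and every DataSync table in the current database, returns the generated script as a dry run and only executes it when @execute is set to 1. It assumes the Data Sync naming convention shown above (triggers named <table>_dss_insert/update/delete_trigger on the user tables, metadata tables in the DataSync schema) and drops the triggers before the tables, since the triggers are what reference the tracking tables.

```sql
-- Generate (and optionally run) the clean-up for a deleted SQL Azure Sync Group.
-- Added example, not code from the original post. Back the database up first.
SET NOCOUNT ON;

DECLARE @execute bit = 0;          -- 0 = dry run (return the script only), 1 = run it
DECLARE @sql nvarchar(max) = N'';
DECLARE @crlf nchar(2) = NCHAR(13) + NCHAR(10);

-- 1. Triggers left behind by the Sync Group.
--    sys.triggers records the parent table, so each trigger can be schema-qualified;
--    DROP TRIGGER needs the schema whenever the parent table is not in dbo.
SELECT @sql = @sql
    + N'DROP TRIGGER ' + QUOTENAME(s.name) + N'.' + QUOTENAME(tr.name) + N';' + @crlf
FROM sys.triggers AS tr
INNER JOIN sys.tables  AS t ON tr.parent_id = t.object_id
INNER JOIN sys.schemas AS s ON t.schema_id  = s.schema_id
WHERE tr.is_ms_shipped = 0
  AND tr.name LIKE N'%[_]dss[_]%[_]trigger';   -- e.g. wp_posts_dss_delete_trigger

-- 2. Metadata and tracking tables in the DataSync schema
--    (provision_marker_dss, schema_info_dss, scope_config_dss, scope_info_dss,
--    <table>_dss_tracking and so on). Dropped after the triggers that write to them.
SELECT @sql = @sql
    + N'DROP TABLE ' + QUOTENAME(s.name) + N'.' + QUOTENAME(t.name) + N';' + @crlf
FROM sys.tables  AS t
INNER JOIN sys.schemas AS s ON t.schema_id = s.schema_id
WHERE s.name = N'DataSync';

-- Return the script as a result row rather than PRINT, which truncates long text.
SELECT @sql AS generated_script;

IF @execute = 1 AND LEN(@sql) > 0
BEGIN
    BEGIN TRY
        -- One transaction: either every object goes or nothing does.
        BEGIN TRANSACTION;
        EXEC sys.sp_executesql @sql;
        COMMIT TRANSACTION;
    END TRY
    BEGIN CATCH
        IF @@TRANCOUNT > 0 ROLLBACK TRANSACTION;
        THROW;   -- surface the original error (which object could not be dropped)
    END CATCH;
END;
```

Run it once with @execute = 0 against the former Hub database, confirm that only _dss_ triggers and DataSync tables appear in generated_script, and then run it again with @execute = 1.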

Testing the Database

With this done, the triggers are now history, which should bring your database back to life. Either use the application which drives the database or, if you are comfortable doing so, try some INSERT or UPDATE queries against the database to verify this. If you get any errors it means you missed either a table or a trigger during the drop phases. If your database works then congratulations, your application is no longer a brick, but we now need to restore the Sync Group functionality.

Delete the Reference Database(s) (Optional)

This step is optional but I did it for cleanliness. As we’ve basically just completely doctored the schema and operation of a database, I didn’t like the idea that my Reference replica of the database was in an even worse state. I elected to delete the Reference database and create a new database in its place. You can either delete the database from the Windows Azure Management portal or from SQL Server Management Studio while connected to the SQL Server.

Please make sure you delete the Reference database and not the Hub database if you do this, though: if you delete the Hub by accident then you’ve just deleted the database which we spent the time fixing up.

Recreate the Sync Group

Recreating the Sync Group to get you back in business with resilient SQL Azure database services means following the steps in my previous post Configuring SQL Azure Sync Groups. The only thing which you need to account for is the fact that your SQL Servers already exist and your Hub database already exists. Assuming you performed the optional step above to delete the Reference databases, you’ll need to do the following:

  1. Create new Reference databases.
  2. Create a new Sync Group.
  3. Configure the Hub and Reference partnership for the Sync Group.
  4. Scan the database schema and select the options to Sync.
  5. Enable automatic time based sync (if you are using this mode).

The previous post has the full details and screenshots should you need it for referral.

Hopefully you’re all back in business now and this post has helped you get out of a hole. The lesson I learnt here is that if you are making major changes to a database which is configured in a SQL Azure Sync Group, consider removing the databases from the Sync Group and deleting the Sync Group first; then, once all your changes to the schema and table names are complete, you can re-create the Sync Group and get your resiliency back.

Microsoft User Experience Virtualization (UE-V) 2.0 Review

In this post I’m going to show you Microsoft User Experience Virtualization (UE-V) 2.0, which is a really nice product from Microsoft for customers with access to the Microsoft Desktop Optimization Pack (MDOP). MDOP is available as a free entitlement to customers with Software Assurance on their Windows Enterprise Desktop licenses. UE-V is designed as a 21st century replacement for Roaming Profiles.

Roaming Profiles Backstory

I’ve been a long time fan of Roaming Profiles, whether you use them as a means to deliver virtual desktop infrastructure (VDI), a means to allow users to log on to multiple conventional desktops throughout a business, or as a crude method to centrally back up user data so that if a laptop or other computing device fails, the user simply logs on to a new machine and gets back the same experience.

Lots of people have hated on Roaming Profiles for their shortcomings, which they do indeed have: slower logon times, issues with the synchronisation of the profile between multiple machines and the occasional profile corruption. Some of the stigma with Roaming Profiles is alleviated when you combine them with Folder Redirection, another technology which I am a fan of; however it’s still not perfect.

Roaming Profiles and Windows 8.1

Roaming Profiles have definitely taken a back seat in Windows 8 and Windows 8.1. Log in to a Windows 8 or Windows 8.1 machine using a domain account that is set up with a Roaming Profile and you will quickly see that, even when you connect a Microsoft Account (MSA), some things just don’t work properly. Despite all my attempts to correct it, the OneDrive immersive UI app just never worked properly, and Sync Settings between multiple PCs is completely disabled with all of the options greyed out to prevent their use.

I wasn’t too bothered about the lack of Sync Settings previously. This is mainly because I work from home on a machine joined to my home domain, with my other PC, a Surface Pro tablet, connected to the same domain with the same roaming profile, so my settings would sync in that manner; but in a scenario where I could be using a work computer joined to a work domain, I wouldn’t have any sync activity between home and work. If you use a Surface RT or a Surface 2 running Windows RT you are in the same situation, as even on the same network you cannot domain join Windows RT, leaving you with no sync options.

The lack of the OneDrive app did leave me feeling a little bit at a loss, but not so much as I could quickly access OneDrive using the website and OneDrive worked just fine on my Windows Phone. The real kicker arrived with the Windows Phone 8.1 Preview and tab sync for Internet Explorer. I’m a tab abuser and I am commonly known to have in the region of 20 tabs open for various work and non-work related things, all in various states of read and unread, so being unable to sync these tabs between my desktop for the day job, my Surface for intensive evening browsing and my Windows Phone for casual pickup browsing hurt.

Introducing UE-V

User Experience Virtualization (UE-V) came to my attention a year or so ago when I was working with Application Virtualization (App-V), also from MDOP, but I’d never seen the reason to try it out when Roaming Profiles worked for me. With the lack of Internet Explorer tab sync between my devices, it made me want to have a go and see if it could improve my roaming experience by any amount.

Whereas Roaming Profiles capture the entire Application Data Roaming folder from the user profile and copy the changes back and forth between the clients and the server hosting the profile share at logon and logoff, UE-V works with a client-side agent which reads application data from a UE-V User Settings share at application runtime and writes back changes at application close.

Features of UE-V

The changes are captured per-application and not for the profile as a whole, which means the change delta sync is very fast to converge and isn’t dependent on the user logging on or off whilst connected to the corporate network. Working in tandem with the Offline Files sync provider on the client, it allows users to make changes to application settings which get written back to the share as soon as the agent detects a connection to the network, making this a technology which could work really well with DirectAccess remote access technologies. This silo approach to sync also means that, in the rare event of any corruption occurring whilst synchronising, the damage would be limited to affecting only one application and not your whole profile. All of these settings are sent back to the server in small files with the extension .pkgx and are structured in an easy to understand hierarchy per application.

UE-V User Settings Packages

Because UE-V works not by operating as a roaming profile but instead as a man in the middle, monitoring your applications, tracking changes to settings and recording them to the central store, it doesn’t interrupt the way Windows handles profile state. For Windows 8 and Windows 8.1 users this means that you can connect an MSA to a domain user account and the options for Sync Settings are available and work, and also that native apps like the OneDrive app work and sync properly, which was my main driver for taking UE-V for a test drive.

UE-V Agent

This per-application nature of UE-V is perhaps also its Achilles heel, depending on the nature of your user base. Because UE-V works with applications and not profiles, it needs to know about your applications. For default Microsoft applications such as Notepad, WordPad, Calculator and Windows 8 immersive UI applications such as Weather, Sports, Finance and the like, you can enable and disable the sync of settings for these applications out of the box, either via the client manually or with a Group Policy Object using the UE-V ADMX file from the Microsoft Desktop Optimization Pack Group Policy Administrative Templates download. UE-V natively supports Office 2007 and 2010 too; however Office 2013 is not natively supported, but more on that in a minute.

To support custom applications, including Office 2013, you need XML files to provide application definitions. These definition files can either be generated by you as an administrator for your custom line of business (LOB) applications using the Microsoft User Experience Virtualization Generator application, or you can download XML files generated by others from the TechNet Gallery and hope that they fit your needs. Microsoft thankfully provide an official set of XML files for Office 2013 for UE-V 2.0, which you can get from the TechNet Gallery in the form of either the Microsoft Authored Office 2013 (32-bit) UE-V Template or the Microsoft Authored Office 2013 (64-bit) UE-V Template. Standard community issued XML files can be obtained from the main list on the TechNet Gallery here.

Deploying UE-V

Deploying UE-V is really simple and, because the .pkgx files generated for each application are typically very small and are transmitted across the network in a much friendlier way than the giant squirt of traffic you would have observed with Roaming Profiles, it requires little planning or infrastructure on either your SMB file share server or your network capacity.

The UE-V agent is installed using an .msi file, which means you can install it via a Group Policy Software Installation policy, using a Computer Configuration startup script from a Group Policy Object, via System Center Configuration Manager or any other deployment toolkit which can accept an .msi file. You could even use System Center Updates Publisher (SCUP) 2011 to generate a custom update for the .msi file and deploy it using Windows Server Update Services (WSUS) if you have that implemented instead of a full product suite like SCCM and the GPO approach doesn’t take your fancy.

Configuration of the agent is done via Group Policy ADMX settings, which can be applied on a per computer or a per user basis, allowing you to hone your deployment as you see fit for the business needs. If you are using System Center Configuration Manager you could use the System Center 2012 Configuration Pack for Microsoft User Experience Virtualization download from Microsoft to fully integrate the management of UE-V and SCCM into a single pane of glass.

In terms of the SMB file shares, in its simplest form you need two shares: one for user settings packages and one for your custom XML templates. Permissions on the custom templates share simply need to be Read for Domain Computers, as the client runs in the context of the computer. Permissions on the user settings packages share, where user data will be written, require similar permissions to a Roaming Profiles share: permissions for your users (Domain Users, for argument’s sake) to create folders at the root of the share, and then Full Control for Creator Owner on sub-folders to allow users to own their own folder.

Creating custom XML files is pretty simple and painless so long as you have a reference computer with the applications you want to capture settings for installed. Launching the application to allow UE-V to monitor the registry and file locations it accesses, closing the application and then saving your XML file is about as hard as it really gets.

UE-V XML Generator

Deployment of the XML files to the agents is a simple case of copying the files into the share you created earlier.

UE-V Template Store

Microsoft had the foresight to include an option in the UE-V ADMX Group Policy extension which allows you to enable sync for either an administratively controlled list of Windows immersive UI apps, or you can enable the setting to include all unlisted Windows immersive UI apps so that any app the user installs from the Windows Store, or any app you develop as a business and sideload using your Enterprise rights for sideloading, will be tracked too.

UE-V ADMX Settings

With a suitable selection of XML files imported into the Template Store, the client will, on its next schedule, sync with the store and begin to include any new templates as I previously alluded to, as shown below.

Roaming Profiles and UE-V Co-Existence

UE-V and Roaming Profiles can co-exist perfectly, which makes migration super simple. In any environment, you can simply roll out the UE-V agent to your clients and set up your Group Policy with the appropriate settings to point users to the correct SMB file shares, one for their own personal settings to be stored and a second share for your custom XML definitions. Once deployed, you can let UE-V sync application settings for users whilst the Roaming Profile is still in effect and, when you have decided that you’ve let the overlap run its course, pull away the Roaming Profile attribute from a user’s Active Directory User Object. The profile for that user will be converted back from a Roaming Profile to a Local Profile, and UE-V will have already captured all their application settings and will now operate as the single version of authority for application settings.

For me personally, I’m not the kind of user with a long list of applications. I found with some monitoring that I had all the applications I needed for UE-V to be successful for me in sync within about a week of normal working practice. Once the week was up, I pulled the Roaming Profile attribute from my user object, freeing me from the Roaming Profile logon delay and the associated lack of Sync Settings in Windows 8.1, and leaving me with a Local Profile and all the Sync Settings I could ever want available.

In an environment with a long list of applications you may need a month or more to successfully overlap the deployment of the two, but either way it’s totally achievable and with the right amount of overlap your users probably won’t even notice the change. I’m still using Folder Redirection with Offline Files to keep my Documents and other vital folders protected, but I think that feature will be a given for any company; it’s the profile that’s the real issue here.

The Future for UE-V

Microsoft have just recently made the UE-V 2.1 Beta available via Microsoft Connect. I haven’t yet tried this as it was made available only a few days after I deployed UE-V 2.0 here, but I will be looking at it soon. The release notes promise better control over some of the settings requested through customer feedback from UE-V 2.0 and include native support for Office 2013, so you don’t need the custom XML templates for it any longer.

UE-V certainly has a good future and if you are in the market for a Roaming Profiles replacement I would definitely look at it.

Hide Quick Launch in SharePoint 2013

In SharePoint 2010, we had a method for hiding the Quick Launch on a SharePoint site to clean up the interface look and feel if you are building out a site which doesn’t benefit from having a Quick Launch.

In SharePoint 2010, we did this using a Content Editor Web Part and editing the source HTML code of the Web Part to include some custom CSS; however in SharePoint 2013 those same CSS selectors don’t work because Microsoft have changed the names of some of them. In SharePoint 2013, to hide the Quick Launch, we now use the following approach.

Add a Script Edit Web Part from the Media and Content category.

Once you’ve added the Web Part, Edit the Web Part and add the following code snippet.

<style>
#contentBox {margin-left:0px}
#contentRow {margin-left:19px}
</style>

If you want to take this a step further and hide the top navigation links, you can add an additional line of inline CSS code to achieve this. Edit the Web Part and add the following line in addition to the code already specified for the Quick Launch.

.ms-core-navigation {display:none}

Microsoft EMET 4.1 Review

Microsoft Enhanced Mitigation Experience Toolkit (EMET) is something which has seemingly been around for years, a little known and less travelled piece of Microsoft software. In this post, I’m going to explore what EMET is, what it has to offer and briefly how it works.

What is Microsoft EMET

Microsoft EMET (Enhanced Mitigation Experience Toolkit) is a piece of software which can be deployed to assist in a defence-in-depth strategy to protect computers running Microsoft Windows. EMET employs deep hooks into applications, monitoring them as they run and looking for suspicious activities. Because EMET monitors code activity for patterns common to attacks, it is heuristic in its nature, which means there are no definitions to keep up to date, unlike anti-virus software, which works by protecting against known attacks. EMET isn’t looking for the known but instead for the unknown.

Believe it or not, EMET has been around for some time, although it’s largely never heard of. Even I, as a Microsoft bigot, hadn’t heard of EMET until about six months ago when I accidentally stumbled upon it.

EMET has been available since 2009, in the days of Windows XP, with new versions slipping out on a regular basis. The current general availability release is version 4.1 Update 1 and there is a version 5.0 available in Technical Preview. The current version 4.1 Update 1 supports operating systems from Windows XP Service Pack 3 all the way up to Windows 8.1 and Windows Server 2012 R2. Version 5.0 Technical Preview only supports Windows Vista Service Pack 2. Whether this is down to the end of support for Windows XP, and therefore a purely commercial withdrawal from Windows XP, is unknown, but given that EMET is a 32-bit process even on 64-bit installations of Windows, it would be nice to think that there is some evolution happening and not just iteration.

Who is Microsoft EMET Designed For

EMET is not designed for home use due to the potentially complex nature of its configuration. You could safely deploy EMET at home if you left it in its default state protecting Office, Adobe Reader and Java, but I probably wouldn’t recommend it without knowing what you are doing. EMET is designed for enterprises who want to add an additional layer of defence and protection to their client computers in addition to anti-virus and firewall software.

What Does Microsoft EMET Protect

Out of the box, EMET will protect Internet Explorer, Microsoft Office, Adobe Reader and Oracle Java, but due to the way in which EMET is built it can be extended to protect any application you desire; this needs to be done with caution, though. Enabling certain mitigation hooks can cause applications to crash if EMET believes a certain operation is malicious when in fact it is desired behaviour. Microsoft have a list of known issues with EMET and application compatibility at http://support.microsoft.com/kb/2909257. There are various threads on the TechNet Forum discussing other compatibility issues with EMET.

The key takeaway is that you need to test EMET thoroughly before widespread deployment. Enabling mitigations in EMET can easily break an application, or a whole system if you enable mitigations for a process which is key to hardware or operating system function (such as the known issue with ATI video drivers, for example).

On the Microsoft Security Research and Defense Blog at http://blogs.technet.com/b/srd/ you can read some pretty complex, deep-dive information on how the various mitigations in EMET work and how EMET has been able to thwart some of the more recent zero-day exploits. I for one don’t at this moment in time understand what SEHOP means or how it protects me, I just know that it does, although I do intend to read up on these various protection types.

What Does Microsoft EMET Cost

Nothing, it’s free for anyone who wants to download and install it. It’s worth noting that currently only EMET version 3.0 is supported through the Microsoft Premier Support channel for enterprises. This is a very good reason to make sure you test the deployment of new mitigations in EMET before rolling them out, but I would consider whether deploying EMET 3.0 is the right thing to do regardless of support. EMET 3.0 is quite an old version and misses out on the newer certificate trust pinning feature.

Microsoft EMET Client Deployment

Microsoft EMET is installed using a traditional .msi file which can be installed manually or deployed with Group Policy Software Installation, System Center Configuration Manager or a third-party application management solution. EMET 4.1 requires the .NET Framework 4.0 on the client, so make sure that prerequisite is in place before the MSI is pushed out.

Microsoft EMET 4.1

When the client launches it shows the current status for the four system-wide protection types: DEP, SEHOP, ASLR and Pinning. DEP is a protection type which should be quite familiar to most system administrators as a Windows feature since Windows XP Service Pack 2, however SEHOP and ASLR will likely require some research. In short, SEHOP (Structured Exception Handler Overwrite Protection) validates the chain of exception handlers before an exception is dispatched so that an overwritten handler pointer on the stack cannot be used to hijack execution, and ASLR (Address Space Layout Randomization) randomises where executables, libraries, heaps and stacks are loaded so that an exploit cannot rely on fixed addresses. Pinning, properly called Certificate Trust, was introduced in EMET 4.0 and protects against man-in-the-middle attacks using fraudulently issued certificates: EMET pins the root certificate authorities that are allowed to issue the SSL certificates for domains such as Microsoft Windows Live, Office 365, Skype, Facebook and Twitter and raises an alert if a certificate chains to any other root. Note that this check only applies to Internet Explorer, not to other browsers. This is a really nice feature and one that I’m personally a fan of, although I would like to see more certificates listed by default, such as Google.

If you opt for the EMET 5.0 Technical Preview there are additional new features too, but being a Technical Preview you are even further beyond the scope of support, so do this at your own risk for sure.

Microsoft EMET 4.1 Custom Certs

The Apps configuration list allows you to enable and disable mitigations for specific applications as well as define custom applications to be protected by EMET.

Microsoft EMET 4.1 Custom Apps

Microsoft EMET Client Configuration

When configuring EMET you have a number of options. You can do this per client manually, using Group Policy with the provided ADMX file, or with a configuration export. A configuration export gives you the most flexibility, however it requires you to have a reference computer configured with EMET to your current specification. Once configured, you export the configuration to an XML file which you can then import on other EMET clients automatically, for example from a System Center Configuration Manager package that calls the EMET_Conf.exe command-line tool shipped with EMET.

Configuration using Group Policy is simple and allows you to control almost everything, such as the status of the system-wide protections and the user-defined application protections including which mitigations to apply for each of them. It does not, however, appear to allow you to configure the certificate trust pinning. I’ve used Group Policy in my scenario as it was the easiest for me to implement and administer.
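As an added example that is not part of the original post, here is the deployment and configuration workflow above carried out from an elevated PowerShell session with EMET_Conf.exe, which is what a Configuration Manager package or a startup script would actually call. It assumes EMET 4.1 is installed to its default folder under Program Files (x86), that the MSI sits in the current directory, and that Firefox is the custom application you want to protect; the paths, the export location and the choice of application are my assumptions, not anything the post specifies.

```powershell
# Added example, not from the original post. Assumes an elevated session,
# EMET 4.1 installed to its default folder and the MSI in the current folder.

# 1. Silent install of the EMET MSI, with a verbose log for troubleshooting.
#    EMET 4.1 needs the .NET Framework 4.0 on the client first.
Start-Process -FilePath msiexec.exe -Wait -ArgumentList `
    '/i "EMET Setup.msi" /qn /norestart /l*v C:\Windows\Temp\EMET-install.log'

$conf = "${env:ProgramFiles(x86)}\EMET 4.1\EMET_Conf.exe"
if (-not (Test-Path $conf)) { throw "EMET_Conf.exe not found at $conf" }

# 2. System-wide mitigations. DEP and SEHOP opt-out with ASLR opt-in is the
#    safe choice; ASLR=AlwaysOn is avoided on purpose because it can stop
#    some systems booting until the setting is reverted.
& $conf --system DEP=ApplicationOptOut SEHOP=ApplicationOptOut ASLR=ApplicationOptIn Pinning=Enabled

# 3. Add a custom application. With no mitigation flags given, EMET_Conf
#    enables every application mitigation for it, so test this on a
#    reference machine before it goes anywhere near production.
#    The Firefox path is an assumption.
& $conf --set "C:\Program Files (x86)\Mozilla Firefox\firefox.exe"

# 4. Review what is now configured, per application and system-wide.
& $conf --list
& $conf --list_system

# 5. Export the reference configuration to XML ...
New-Item -ItemType Directory -Path C:\EMET -Force | Out-Null
& $conf --export C:\EMET\reference.xml

# ... and on every other client, after the MSI install, import it instead
#    of repeating steps 2 and 3. (Shown here on the same machine.)
& $conf --import C:\EMET\reference.xml
if ($LASTEXITCODE -ne 0) { throw "EMET_Conf import failed with exit code $LASTEXITCODE" }

# 6. During the test phase, watch for mitigations firing. EMET terminates
#    the process and logs to the Application log under the EMET source,
#    so a false positive shows up here rather than as a silent crash.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'EMET' } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

If you manage the settings through Group Policy instead, skip steps 2, 3 and 5, and use the event log query in step 6 on your pilot machines; the policy-driven configuration is applied by the EMET agent and the same events tell you which application and which mitigation are clashing.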

Microsoft EMET 4.1 GPO

Is Microsoft EMET Worth Deploying

This is a good question and one I considered before I deployed it at home for myself, and I came to the conclusion of yes. Windows 8.1 is a good operating system with lots of protections included out of the box such as Windows Defender and Windows Firewall. It is regularly updated and patched by Microsoft to address performance, security and other issues, closing holes as they are found, and the success of the Windows Update service means that this patching is commonplace and reliable. System Center Endpoint Protection 2012 R2, which I use as my anti-virus product, does a great job of scanning for known viruses, but as was said in a recent interview with a top dog from Symantec, anti-virus is “dead” (http://www.engadget.com/2014/05/06/symantec-declares-antivirus-dead/). Protecting systems at as many other levels as it is viable and logical to do so therefore makes a lot of sense, and a product which is free from Microsoft can only help to do this.

On my PC at home I have EMET running in the recommended security configuration and the process is consuming 14.9MB of memory. On my fairly standard desktop PC with 8GB of RAM or my Surface Pro tablet with 4GB of RAM, 14.9MB is nothing to even think twice about, and for that little bit of memory consumption it’s a little extra peace of mind keeping me safe at all times.

If you try out EMET for yourself, or if you have used it previously, please get in touch and let me know what your personal experiences are. I’d like to hear from anyone with previous experience of EMET given the somewhat unknown nature of this product.