Monday, 30 November 2015

Microsoft zaps dodgy Dell digital certificates

The company's security tools will remove the eDellRoot and DSDTestProvider certificates

Microsoft has updated several of its security tools to remove two digital certificates installed on some Dell computers that could compromise data.

The updates apply to Windows Defender for Windows 10 and 8.1; Microsoft Security Essentials for Windows 7 and Vista; and its Safety Scanner and Malicious Software Removal tool, according to postings here and here.

Dell mistakenly included private encryption keys for two digital certificates installed in the Windows root store as part of service tools that made its technical support easier. The tools transmit back to Dell what product a customer is using.

Security experts were alarmed by the mistake. The private keys in both of the digital certificates could be used by attackers to sign malware, create spoof websites and conduct man-in-the-middle attacks to spy on users' data.

One of the certificates is named eDellRoot and the other DSDTestProvider. Exposure to the latter certificate was likely more limited, as users had to download it, and the risky version was only available between Oct. 20 and Nov. 24, Dell has said.

The eDellRoot certificate, however, shipped with many new Dell laptop and desktop models. Older computers that ran the support tool, Dell Foundation Services (DFS), may also have been affected if DFS was configured for automatic updates. The dodgy certificate was issued with a DFS update in August.

Dell released updates on Tuesday to remove the certificates, and it also described how to remove the certificates manually. Microsoft's tool may help those who for one reason or another haven't either downloaded or received the updates from Dell.

Symantec wrote on Tuesday that it had seen malware samples indexed by VirusTotal that were digitally signed by the eDellRoot certificate. Malware signed with eDellRoot would allow it to bypass some security defenses.
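For administrators who want to confirm whether either certificate is still present, the following report-only check is an added example, not code from the article, Dell or Microsoft. It assumes the certificates can be recognised by the names the article gives appearing in the subject or issuer field; the function name `Find-NamedCertificate` is hypothetical.

```powershell
# Added example: report-only search of the Windows certificate stores for the
# two certificate names given in the article. Nothing is deleted.
# Assumption: the names appear in the Subject (or, for certificates signed by
# them, the Issuer) exactly as the article spells them.
$names = 'eDellRoot', 'DSDTestProvider'

function Find-NamedCertificate {
    param(
        [Parameter(Mandatory)][string[]]$Name,
        [string[]]$StorePath = @('Cert:\LocalMachine', 'Cert:\CurrentUser')
    )

    # Build one case-insensitive pattern from the escaped names.
    $pattern = ($Name | ForEach-Object { [regex]::Escape($_) }) -join '|'

    foreach ($root in $StorePath) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
            Where-Object {
                # The recursion also returns store objects; keep certificates only.
                $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and
                ($_.Subject -match $pattern -or $_.Issuer -match $pattern)
            } |
            ForEach-Object {
                [pscustomobject]@{
                    # e.g. "LocalMachine\Root"
                    Store         = $_.PSParentPath -replace '^.*::', ''
                    Subject       = $_.Subject
                    Issuer        = $_.Issuer
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    # True means the private key is stored on this machine too,
                    # which is the condition the article describes.
                    HasPrivateKey = $_.HasPrivateKey
                    SelfSigned    = ($_.Subject -eq $_.Issuer)
                }
            }
    }
}

$hits = @(Find-NamedCertificate -Name $names)
if ($hits.Count -eq 0) {
    'No certificates matching eDellRoot or DSDTestProvider were found.'
} else {
    $hits | Sort-Object Store | Format-Table -AutoSize
}
```

A hit in a `Root` store with `HasPrivateKey` set to `True` is the case to escalate; matches on `Issuer` alone point to certificates that were signed by one of the two roots.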


Microsoft offers unwanted-software detection for the enterprise

Sysadmins can now turn on the feature in System Center Endpoint Protection and Forefront Endpoint Protection

It’s time to throw adware, browser hijackers and other potentially unwanted applications (PUAs) off corporate networks, Microsoft has decided. The company has started offering PUA protection in its anti-malware products for enterprise customers.

The new feature is available in Microsoft's System Center Endpoint Protection (SCEP) and Forefront Endpoint Protection (FEP) as an option that can be turned on by system administrators.

PUA signatures are included in the anti-malware definition updates and cloud protection, so no additional configuration is needed.

Potentially unwanted applications are those programs that, once installed, also deploy other programs without users' knowledge, inject advertisements into Web traffic locally, hijack browser search settings, or solicit payment for various services based on false claims.

"These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify among the noise, and can waste helpdesk, IT, and user time cleaning up the applications," researchers from the Microsoft Malware Protection Center said in a blog post.

System administrators can deploy PUA protection for the specific anti-malware product version in their organization through the registry as a Group Policy setting.

Microsoft recommends that this feature be deployed after creating a corporate policy that explains what potentially unwanted applications are and prohibits their installation. Employees should also be informed in advance that this protection will be enabled to reduce the potential number of calls to the IT helpdesk when certain applications that worked before start being blocked.

If the network is already likely to have many PUA installations, it's recommended to deploy the protection in stages to a limited number of computers in order to see if any detections are false positives and to add exclusions for them. Exclusion mechanisms based on file name, folder, extension and process are supported, the Microsoft researchers said.

Tuesday, 17 November 2015

Exam 70-697 Configuring Windows Devices (beta)


Published: September 1, 2015
Languages: English
Audiences: IT professionals
Technology: Windows 10
Credit toward certification: Specialist

Skills measured
This exam measures your ability to accomplish the technical tasks listed below. The percentages indicate the relative weight of each major topic area on the exam. The higher the percentage, the more questions you are likely to see on that content area on the exam. View video tutorials about the variety of question types on Microsoft exams.

Please note that the questions may test on, but will not be limited to, the topics described in the bulleted text.


Manage identity (13%)
Support Windows Store and cloud apps
Install and manage software by using Microsoft Office 365 and Windows Store apps, sideload apps by using Microsoft Intune, sideload apps into online and offline images, deeplink apps by using Microsoft Intune, integrate Microsoft account including personalization settings
Support authentication and authorization
Identifying and resolving issues related to the following: Multi-factor authentication including certificates, Microsoft Passport, virtual smart cards, picture passwords, and biometrics; workgroup vs. domain, Homegroup, computer and user authentication including secure channel, account policies, credential caching, and Credential Manager; local account vs. Microsoft account; Workplace Join; Configuring Windows Hello

Plan desktop and device deployment (13%)
Migrate and configure user data
Migrate user profiles; configure folder location; configure profiles including profile version, local, roaming, and mandatory
Configure Hyper-V
Create and configure virtual machines including integration services, create and manage checkpoints, create and configure virtual switches, create and configure virtual disks, move a virtual machine’s storage
Configure mobility options
Configure offline file policies, configure power policies, configure Windows To Go, configure sync options, configure Wi-Fi direct, files, powercfg, Sync Center
Configure security for mobile devices
Configure BitLocker, configure startup key storage

Plan and implement a Microsoft Intune device management solution (11%)
Support mobile devices
Support mobile device policies including security policies, remote access, and remote wipe; support mobile access and data synchronization including Work Folders and Sync Center; support broadband connectivity including broadband tethering and metered networks; support Mobile Device Management by using Microsoft Intune, including Windows Phone, iOS, and Android
Deploy software updates by using Microsoft Intune
Use reports and In-Console Monitoring to identify required updates, approve or decline updates, configure automatic approval settings, configure deadlines for update installations, deploy third-party updates
Manage devices with Microsoft Intune
Provision user accounts, enroll devices, view and manage all managed devices, configure the Microsoft Intune subscriptions, configure the Microsoft Intune connector site system role, manage user and computer groups, configure monitoring and alerts, manage policies, manage remote computers

Configure networking (11%)
Configure IP settings
Configure name resolution, connect to a network, configure network locations
Configure networking settings
Connect to a wireless network, manage preferred wireless networks, configure network adapters, configure location-aware printing
Configure and maintain network security
Configure Windows Firewall, configure Windows Firewall with Advanced Security, configure connection security rules (IPsec), configure authenticated exceptions, configure network discovery

Configure storage (10%)
Support data storage
Identifying and resolving issues related to the following: DFS client including caching settings, storage spaces including capacity and fault tolerance, OneDrive
Support data security
Identifying and resolving issues related to the following: Permissions including share, NTFS, and Dynamic Access Control (DAC); Encrypting File System (EFS) including Data Recovery Agent; access to removable media; BitLocker and BitLocker To Go including Data Recovery Agent and Microsoft BitLocker Administration and Monitoring (MBAM)

Manage data access and protection (11%)
Configure shared resources
Configure shared folder permissions, configure HomeGroup settings, configure libraries, configure shared printers, configure OneDrive
Configure file and folder access
Encrypt files and folders by using EFS, configure NTFS permissions, configure disk quotas, configure file access auditing
Configure authentication and authorization

Manage remote access (10%)
Configure remote connections
Configure remote authentication, configure Remote Desktop settings, configure VPN connections and authentication, enable VPN reconnect, configure broadband tethering
Configure mobility options
Configure offline file policies, configure power policies, configure Windows To Go, configure sync options, configure Wi-Fi direct

Manage apps (11%)
Deploy and manage Azure RemoteApp
Configure RemoteApp and Desktop Connections settings, configure Group Policy Objects (GPOs) for signed packages, subscribe to the Azure RemoteApp and Desktop Connections feeds, export and import Azure RemoteApp configurations, support iOS and Android, configure remote desktop web access for Azure RemoteApp distribution
Support desktop apps
The following support considerations including: Desktop app compatibility using Application Compatibility Toolkit (ACT) including shims and compatibility database; desktop application co-existence using Hyper-V, Azure RemoteApp, and App-V; installation and configuration of User Experience Virtualization (UE-V); deploy desktop apps by using Microsoft Intune

Manage updates and recovery (10%)

Configure system recovery
Configure a recovery drive, configure system restore, perform a refresh or recycle, perform a driver rollback, configure restore points
Configure file recovery
Restore previous versions of files and folders, configure File History, recover files from OneDrive
Configure and manage updates
Configure update settings, configure Windows Update policies, manage update history, roll back updates, update Windows Store apps



Saturday, 7 November 2015

Microsoft risks IT ire with Windows 10 update push

Its OS-as-a-service could create headaches for shops used to a slower upgrade pace

Microsoft has made it clear that it will take on a greater role in managing the Windows update process with Windows 10. The company has also made it clear that it will aggressively push users -- both consumers and businesses -- to upgrade from Windows 7 and Windows 8 to its latest OS. With that in mind, it's hard to imagine either predecessor hanging around anywhere near as long as Windows XP.

The decision to not only push updates out, but also ensure that all Windows 10 devices receive them in a timely fashion, fits well with the concept of Windows as a service. The change may even go unnoticed by many consumers. IT departments, however, are keenly aware of this shift -- and many aren't happy about it.

Managing Windows updates -- old vs. new

Traditionally, Microsoft has given IT the final word on patches and updates. While most departments do roll out critical patches and major updates, they do so on their own time frame and only after significant testing in their specific environment. This ensures that an update doesn't break an app, a PC configuration or cause other unforeseen issues. If an update is required that could introduce problems, IT can then develop a plan to address the issue in advance of deployment. Some updates might even be judged as unneeded and never get deployed.

With Windows 10, Microsoft is adopting a service-and-update strategy based on a series of tracks known as branches. In this model, both security and feature updates are tested internally and made available to Windows Insiders. When Microsoft feels the updates are ready for primetime, they're pushed to the Current Branch (CB). CB devices, predominantly used by consumers, receive the updates immediately through Windows Update.

Businesses and enterprises typically fall under the Current Branch for Business (CBB). Like CB devices, CBB hardware will be able to receive updates as soon as they are published, but can defer those updates for a longer period of time. The rationale for this extra time is two-fold. First, the updates will have received extra scrutiny because they have been tested internally, by Windows Insiders and by consumers via the CB, so any issues will likely be resolved, or at least identified, during that time. Second, it gives IT shops time to test the updates and develop strategies to deal with potential problems before those updates become mandatory.

Complicating the situation: There are still unknowns about how IT departments will handle the CBB update cadence and process. Microsoft has yet to complete Windows Update for Business (WUB), a set of features and tools that will be made available to organizations that have adopted the CBB update pace. There is also the possibility of using other tools, including Windows Server Update Services (WSUS), Microsoft's System Center Configuration Manager (dubbed "Config Manager"), or a third-party patching product that can handle longer postponements.

IT pros aren't happy

This marks a massive transition in how Windows is deployed, updated and managed in enterprise environments. Many longtime IT pros won't be comfortable ceding this much control to Microsoft. Susan Bradley, a computer network and security consultant known in Windows circles for her expertise on Microsoft's patching processes, has become a voice for those IT workers.

In August, Bradley kicked off a request on the matter using Microsoft's Windows User Voice site asking for a more detailed explanation of the Windows 10 update process. Last month, she upped the ante by starting a Change.org petition demanding additional information from Microsoft as well as a change to how it will deliver updates. As of this week, the petition has more than 5,000 signatures; some signers have noted that they will refuse to move their organizations to Windows 10 unless changes are implemented.


A Change.org petition that has collected 1,600 signatures asks Microsoft CEO Satya Nadella to make his Windows 10 team provide more information to users about updates, and give customers more control over what they install on their PCs.

The impact of the petition remains to be seen. Microsoft has already established that it views its new Windows-as-a-service model, with frequent incremental updates using the branch system, as the future. Windows 10 has already passed the 132-million PC mark and Microsoft appears unapologetic about its plans to pressure users into upgrading to the new OS. All of these factors make it unlikely the company is going to reverse course.

This isn't entirely new territory

The new approach to update management is striking compared to the process for previous Windows releases, but it isn't exactly a new model. iOS, Android and Chrome OS all limit IT's ability to manage the update process to one degree or another.

Apple has always placed the user at the center of the iOS upgrade process. When an update becomes available, users can download and install it on day one. iOS 9 introduced the ability for IT to take some control over the process, but only in the opposite direction -- allowing IT to require that devices be updated, a move designed less to ensure IT management of the overall process and more to ensure that iPhones and iPads are running the latest, and therefore most secure, version of iOS.

Things are a bit murkier with Android because each manufacturer and carrier generally has to approve the updates and make them available to users, though ultimately it remains up to the user to upgrade when an update becomes available. The update challenge for Android in the enterprise is less about preventing an update and more about the uncertainty of when (or if) devices can be updated.

Chrome OS is essentially updated by Google across all of the devices running it. This is the most apt comparison to Microsoft's plans for Windows 10. The big difference is that Chromebooks are little more than the Chrome browser and are designed primarily for working with data in cloud-based services. Although the devices do have local storage and support for some peripherals, they are extremely uniform compared to any other major platform (which makes them easier to manage than rivals).

This isn't to say that IT professionals have always been happy about these platforms or their upgrade processes. iOS and Android were met with skepticism and even hostility by many IT departments. As the platforms have matured into true enterprise tools and it's become clear they are a necessary part of the enterprise computing landscape, IT has had to adapt to the realities associated with supporting, securing, and managing them.

Part of that adaptation is to the way these platforms get updated.
iOS is a great example of how IT departments already deal with being shut out of a platform's update process.

With iOS, IT gets very limited lead time about major updates (typically about the three months between Apple's Worldwide Developers Conference in June and the public release later that same fall). Many IT shops now realize that the next version of iOS will arrive for their organizations the day it's released. As such, it's common practice to download and test the developer preview builds through that period to ensure smooth operation on day one. Similarly, many IT departments keep up to date on the previews of minor iOS releases throughout the year.

Microsoft's update process is going to require a similar adjustment. If Microsoft won't back down on its position that regular cumulative updates of Windows are the future, IT will need to take a similar approach to Windows that it uses with other platforms.

Windows is not iOS

One major difference between iOS and Windows 10 is that Microsoft still allows updates to be deferred by IT. This means that IT departments have greater lead time for testing and developing plans to address potential pitfalls. Even if IT shops rely solely on the CB release, there is expected to be up to eight months to prep before an update becomes mandatory for CBB PCs and devices. Windows Insiders will get an even longer lead time, since they will have access to updates before public release. In effect, Microsoft is striking a middle ground between Apple's approach and the approach used in previous Windows versions.

That longer lead time, of course, isn't a luxury. Windows deployments can be significantly more complicated than those for iOS or Android and almost universally there are more PCs than mobile devices in an organization. Still, using an iOS update strategy as a blueprint is a good starting point for figuring out how to approach Microsoft's planned Windows 10 update process at work.

It's also worth noting that IT departments do have some time to develop that strategy. Although Microsoft is clearly ushering anyone and everyone it can onto Windows 10, there's little need for enterprises to make the switch from Windows 7 immediately -- particularly for those that only recently made the jump from XP to 7. Delaying a transition or focusing only on a proof-of-concept or pilot project allows IT departments to get a handle on everything related to Windows 10 before rolling it out, including how to handle updates.

Ignoring Windows 10 isn't an option

Although it's possible to delay a Windows 10 transition, perhaps even for years, enterprises are eventually going to have to bite the bullet.

Putting off the move is perfectly logical, particularly until the core capabilities to manage Windows 10 and its update process are established. That doesn't mean, however, that this is a time to be complacent and ignore it completely. Sooner or later, virtually every organization will need to reckon with Windows 10 (or perhaps migrate to non-Windows platforms, which would pose an entirely different set of challenges).

Preparing for that reality, even while pushing back against Microsoft's current plans, is critical to eventually making a smooth transition.
