TechNet UK

Useful tools, tips & resource for IT professionals including daily news, downloads, how-to info and practical advice from the Microsoft UK TechNet team, partners and MVP's

October, 2013

UK  TechNet Flash Newsletter
  • TechDays Online Countdown Conundrum Terms & Conditions

    1. ELIGIBILITY. This promotion is open to any person resident in the United Kingdom who is eighteen (18) years of age or older at the time of entry and who is a registered member of the Website (the "Website"). IF YOU ARE NOT A REGISTERED MEMBER OF THE WEBSITE YOUR ENTRY WILL NOT BE VALID AND YOU WILL NOT BE ABLE TO WIN A PRIZE. Follow the instructions on the Website to register.

    Employees of Microsoft or its affiliates, subsidiaries, advertising or promotion agencies are not eligible, nor are members of these employees’ families (defined as parents, children, siblings, spouse and life partners).

    2. ENTRY. To be entered into the competition you must:

    · Tune in to watch the TechDays Online webcast from during Promotion Days One or Promotion Day Two, as defined in Section 3 below;

    · During broadcast, a total of 10 (ten) individual letters on Promotion Day One, and a total of 9 (nine) individual letters on Promotion Day Two (each an “Anagram Letter”) , will be shown after each presentation session on the relveant Promotion Day as outlined in the agenda available at the above URL;

    · Each set of Anagram Letters will form a word, as chosen by Microsoft (each an “Anagram Word”);

    · Entrants must collect each Anagram Letter for a relevant Anagram Word, and compile that Anagram Word;

    · To enter, an entrant must then tweet their Anagram Word for the relevant Promotion Day, to @TechNetUK and label the tweet with the hashtag #UKTechDays.

    To the extent that entry requires the submission of user-generated content such as photos, videos, music, artwork, essays, etc., entrants warrant that their entry is their original work, has not been copied from others, and does not violate the privacy, intellectual property rights or other rights of any other person or entity.

    Entries will be ineligible for the prize draw if they:

    · are incomplete;

    · refer to an incorrect Anagram Word (that is, a word other than that chosen by Microsoft, in its absolute discretion)

    · exceed the maximum number of entries allowed per person;

    · violate the rights of any other person or entity;

    · are received outside of an Entry Period set out below; or

    · are reported to violate the terms governing use of the Website.

    Only one (1) entry per person will be accepted perEntry Period. No purchase necessary to enter the promotion. Entry constitutes full and unconditional acceptance of these Terms and Conditions. Microsoft is not responsible for lost, corrupted or delayed entries. Microsoft reserves the right to disqualify anyone who violates these Terms and Conditions.

    3. TIMING. This promotion runs from 0930 GMT on 7th November 2013 until 1530 GMT on 8th November 2013 (inclusive) (the “Promotion Period”). This Promotion Period consists of two distinct Promotion Days (a “Promotion Day”) during which Anagram Letters will be revealed, as defined below:

    · “Promotion Day One” – 0930 GMT on 7th November 2013 until 1615 GMT on 7th November 2013 (inclusive)

    · “Promotion Day Two” – 0930 GMT on 8th November 2013 until 1530 GMT on 8th November 2013 (inclusive)

    Each Promotion Day provides one  entry opportunity (each an “Entry Period”), as defined below:

    · “Entry Period One” – 1605 GMT on 7th November 2013 until 1635 GMT on 7th November 2013 (inclusive)

    · “Entry Period Two” – 1540 GMT on 8th November 2013 until 1545 GMT on 8th November 2013 (inclusive)

    Timings subject to change dependent upon session running time and release time of final Anagram Letter. Each Entry Period will be the duration stated above from the point at which the final Anagram Letter is released during broadcast on the relevant Promotion Day.

    4. USE OF YOUR ENTRY. Personal data which you provide when you enter may be used for future Microsoft marketing activity if you indicate your consent to such activity (if applicable). Otherwise your personal data will be used by Microsoft and agents acting on Microsoft’s behalf only for the operation of this promotion.

    5. SELECTION OF WINNERS. All valid entries will be judged as a finalist.

    Winning entries for each Entry Period will be determined by a panel of judges with at least one independent judge on the day that the Entry Period closes, as detailed below.

    The fastest correct entry received during Entry Period One will be selected by the judges at 1610 on 7th November 2013 (Promotion Day One). In the event that there are multiple entries received at exactly the same time, those entries will be entered into a random draw conducted by Microsoft with an independent adjudicator, in order to ensure there is one fastest entry selected, as required.

    All correct entries received during Entry Period One will also be eligible for one of three possible Runner Up prizes, which will be determined by a random draw conducted by Microsoft Limited on at 1610 on 7th November 2013 and will be supervised by an independent adjudicator. Chances of winning depend on the number of entries received.

    The fastest correct entry received during Entry Period Two will be selected by the judges at 1525 on 8th November 2013 (Promotion Day Two). In the event that there are multiple entries received at exactly the same time, those entries will be entered into a random draw conducted by Microsoft with an independent adjudicator, in order to ensure there is one fastest entry selected, as required.

    All correct entries received during Entry Period Two will also be eligible for one of three Runner Up prizes, which will be determined by a random draw conducted by Microsoft Limited on at 1525 on 8th November 2013 and will be supervised by an independent adjudicator. Chances of winning depend on the number of entries received.

    Judging will be based on:

    · Use of all available Anagram Letters;

    · Correct Anagram Word;

    · Adherence with the entry method as per Section 2.0.

    A maximum of one prize per entrant is allowed throughout the Promotion Period. Winners will be notified through the Website on the day that the winning entry for relevant Entry Period is drawn. If a potential winner has not confirmed receipt of the notification within TEN (10) days after the first attempt, an alternative winner will be selected on the same basis as described above (either at random for prize draws or according to the same judging criteria for competitions). Winners may be asked to provide identification proving their eligibility before they are entitled to receive the prize. Winners may be asked to participate in further publicity or advertising.

    6. PRIZE(S). There will be twelve (12) prize(s) in total. The prize(s) will be as follows:

    Entry Period One

    · First Place – One (1) Microsoft Xbox One package, consisting of: 1 Xbox One Games Console, 2 Xbox Games (Fifa 14 and Call of Duty: Ghosts) and one control pad (£525.00 approximate value)

    · Runners Up – Three (3) Microsoft Xbox One Onesies (£50.00 approximate value)

    Entry Period Two

    · First Place – One (1) Microsoft Xbox One package, consisting of: 1 Xbox One Games Console, 2 Xbox Games (Fifa 14 and Call of Duty: Ghosts) and one control pad (£525.00 approximate value)

    · Runners Up – Three (3) Microsoft Xbox One Onesies (£50.00 approximate value)

    Prizes are as stated and are not transferable. No cash alternatives available. Microsoft reserves the right to substitute the prizes with prizes of equal or greater value. All prizes will be sent by Microsoft or its agent no later than 3 months after the prize draw has been made by Microsoft (or such later date as is reasonable, taking into account the availability of Xbox One consoles following the release date). Unless otherwise stated, all prizes are subject to their manufacturer's warranty and/or terms and conditions.

    Prizes may be considered as a taxable benefit to the winners. Winners will be directly responsible for accounting for and paying to HMRC, or other relevant tax authority, any tax liability arising on their prize. Please contact for any query related to the taxable amount for reporting to HMRC, or other relevant tax authority.

    7. WINNERS LIST. Each winner consents to his/her surname being made publicly available upon request. Winners’ names will be available for a period of 28 days after the selection of winners by written request to

    8. OTHER. No correspondence will be entered into regarding either this promotion or these Terms and Conditions. In the unlikely event of a dispute, Microsoft’s decision shall be final. Microsoft reserves the right to amend, modify, cancel or withdraw this promotion at any time but only before the delivery of prizes, without notice.

    Participants in this promotion agree that Microsoft will have no liability whatsoever for any injuries, costs, damage, disappointment or losses of any kind resulting in whole or in part, directly or indirectly from acceptance, misuse or use of a prize, or from participation in this promotion. Nothing in this clause shall limit Microsoft’s liability in respect of death or personal injury arising out of its own negligence or liability arising out of Microsoft’s fraud.

    Microsoft cannot guarantee the performance of any third party and shall not be liable for any act or default by a third party.

    9. SPIRIT OF THE COMPETITION. If an entrant attempts to compromise the integrity or the legitimate operation of this promotion by hacking or by cheating or committing fraud in ANY way, we may seek damages from that entrant to the fullest extent permitted by law. Further, we will disqualify that entrant’s entry to this promotion and may ban the entrant from participating in any of our future promotions, so please play fairly.

    Promoter: Microsoft Limited (“Microsoft”), Microsoft Campus, Thames Valley Park, Reading, RG6 1WG, England.

  • Windows XP を 2014 年 4 月のサポート終了後も使い続けることのリスク

    本記事は、Microsoft Security のブログ “The Risk of Running Windows XP After Support Ends April 2014 (2013 8 15 日公開) を翻訳した記事です。

    今年の 4 月、私は Windows XP のサポート終了に関する「カウントダウン開始: Windows XP のサポートは 2014 年 4 月 8 日に終了」というタイトルのブログを投稿しました。それ以来、話す機会のあった多くのお客様が、所属組織で Windows XP から Windows 7 や Windows 8 などの最新オペレーティング システムへの移行を完了したか、または現在移行作業を進めています。

    実際のところ、事態は切迫しています。というのも、2014 年 4 月 8 日以降、Windows XP Service Pack 3 (SP3) ユーザーには、新しいセキュリティ更新プログラム、セキュリティ以外の修正プログラム、無償/有償の支援サポート オプション、オンライン技術コンテンツの更新は提供されなくなるからです。つまり、Windows XP のサポート終了後に新しい脆弱性が発見されても、マイクロソフトは新しいセキュリティ更新プログラムでの対処を行わないということです。それでも何らかの理由により、4 月 8 日までに Windows XP からの移行を完了するのが困難だというお客様もいます。さらに、Windows XP を実行しているハードウェアが故障するまで移行するつもりがないというお客様もいます。

    Windows XP をサポート終了後も使い続けることのリスクにはどのようなものがあるでしょうか?  第 1 のリスクは、攻撃者が優位に立つことです。実際、Windows XP ユーザーよりも攻撃者のほうが Windows XP の脆弱性情報をより多く入手できます。その理由を説明しましょう。

    マイクロソフトがセキュリティ更新プログラムをリリースすると、セキュリティ研究者やサイバー犯罪者は即座にリバース エンジニアリングを行い、その更新プログラムが解決する脆弱性を含むコードの具体的な場所を特定します。 脆弱性を特定すると、セキュリティ更新プログラムをインストールしていないシステムを悪用するためのコードを開発します。さらに、同一または同様の機能を持つ他の製品にも同じ脆弱性がないか特定しようとします。たとえば、あるバージョンの Windows で脆弱性が解決された場合、研究者は他のバージョンの Windows にも同じ脆弱性がないかどうか調査します。同様の調査を行う攻撃者からユーザーを保護するため、マイクロソフト セキュリティ レスポンス センター (MSRC) は通常、影響を受けるすべての製品のセキュリティ更新プログラムを同時にリリースしています。これによりユーザーは、攻撃者がリバース エンジニアリングを行う前に、影響を受けるすべての製品のセキュリティ更新プログラムを入手できるため、攻撃者よりも優位に立つことができます。

    しかし、2014 年 4 月 8 日以降も Windows XP を使い続ける組織は、こうした攻撃者に対する優位性を失ってしまいます。マイクロソフトが、サポートされているバージョンの Windows のセキュリティ更新プログラムをリリースすると、攻撃者はひと月もたたないうちにリバース エンジニアリングを行って脆弱性を特定し、Windows XP にも同じ脆弱性があるかどうかを調べあげてしまいます。同じ脆弱性があった場合、攻撃者は悪用コードを開発し、Windows XP の脆弱性に付け込もうとします。これらの脆弱性に対する Windows XP 用セキュリティ更新プログラムはもはやリリースされないため、Windows XP は「ゼロ デイ」脆弱性を永久に抱えることになります。このような事態はどのくらいの頻度で起こるのでしょうか?  2012 年 7 月から 2013 年 7 月の間、Windows XP は 45 件のマイクロソフト セキュリティ情報で影響を受ける製品として記載されました。うち 30 件では、Windows 7 と Windows 8 も影響を受ける製品でした。
    私が相談を受けたユーザーの中には、Windows XP にはセキュリティ緩和策が組み込まれているため、悪用される危険性は低いと指摘する人もいます。また、ウイルス対策ソフトウェアにより攻撃をブロックし、感染を除去することも可能です。しかし問題なのは、システムのコンピューティング ベースを信頼できるかどうかがわからないことです。攻撃者は Windows XP のゼロ デイ エクスプロイトに関する公開情報を握っており、システムに侵入して任意のコードを実行できる可能性があるのです。さらに、このような状況下で、ウイルス対策ソフトウェアが使用するシステム API が信頼できるのかという問題もあります。一部のユーザーにとっては、システムの完全性に自信を持てなくても問題ないかもしれませんが、多くのユーザーにとって、これは受け入れられるものではありません。

    また、Windows XP Service Pack 3 に組み込まれたセキュリティ緩和策は、数年前の開発当初は確かに最新のものでした。しかし、マイクロソフト セキュリティ インテリジェンス レポートのデータによると、Windows XP に組み込まれたセキュリティ緩和策は、最新の攻撃からの保護には不十分です。Windows オペレーティング システムのマルウェア感染率データによると、Windows XP の感染率は、Windows 7 や Windows 8 などの最新オペレーティング システムと比べて飛躍的に高くなっています。

    図 1: 2012 年第 4 四半期のオペレーティング システムおよびサービス パック別の感染率 (CCM)、マイクロソフト セキュリティ インテリジェンス レポート第 14 版より


    私は最近、悪用活動の調査結果についてまとめた「ソフトウェアの脆弱性悪用の傾向 - 脆弱性悪用のパターンに対するソフトウェア緩和策の影響に関する調査結果」を発表しました。この 7 年間にわたる調査によると、攻撃者は、Windows XP の主なセキュリティ緩和策であるデータ実行防止 (DEP) を打ち破るよう、攻撃を進化させてきました。図 3 は、DEP が有効化された場合に緩和されたエクスプロイトを持つ Common Vulnerabilities and Exposures (CVE) の数と、DEP をバイパスしたエクスプロイトを持つ CVE の数を比較したものです。2007 年と 2008 年を除いて、エクスプロイトを遡及して無効化する DEP の機能は明らかに低下傾向になっています。この傾向は、DEP の効果がなくなったのではなく、DEP があらかじめ有効化されていて、多大なコストと複雑性を要する環境に合わせた変化を攻撃者が強いられたことを示しています。DEP をバイパスしたエクスプロイトを持つ CVE の数がこの証拠です。

    図 2 (左): 特定の悪用技術を使用して悪用された CVE の数; 図 3 (右): DEP が有効化された場合に緩和されたエクスプロイトを持つ CVE の数と、DEP をバイパスしたエクスプロイトを持つ CVE の数の比較



    この新しいデータは、個人および組織が現在直面する主な脅威が、Windows XP Service Pack 3 リリース時とは大きく異なることを示しています。Windows XP Service Pack 2 以降のオペレーティング システムで Windows ファイアウォールを有効化したことで、攻撃者は攻撃を進化させることを余儀なくされました。攻撃者は現在、リモート サービスを積極的にターゲットにすることよりも、Web ブラウザーやドキュメント リーダーなどのクライアント アプリケーションの脆弱性を悪用することに目を向けています。さらに攻撃者は、より効果的に脆弱性を悪用できるようにするために、独自のツールや技術を過去 10 年にわたり改良し続けています。そのため、Windows XP に構築されたセキュリティ機能は、現在の脅威を防ぐには十分ではありません。図 4 が示すように、Windows 8 は Windows XP よりもはるかに優れたセキュリティ緩和策を備えています。Windows 8 に組み込まれた新しいセキュリティ緩和策の詳細については、前述の調査資料をご覧ください。

    図 4: 下の表で Windows XP Service Pack 3 上の Internet Explorer 8 でサポートされる緩和機能と、Windows 8 上の Internet Explorer 10 でサポートされる緩和機能を比較しています。 この表が示すように、Windows 8 上の Internet Explorer 10 は、Windows XP 上の Internet Explorer 8 には適用されない多くのプラットフォーム セキュリティ改善


    組織は、システムの完全性について一定の安心感を必要とします。この安心感は、サポートされないオペレーティング システムを実行するシステムの数を可能な限り少なくすることで得られます。Windows XP のサポートは 2014 年 4 月 8 日に終了します。

    Trustworthy Computing (信頼できるコンピューティング) 部門
    Tim Rains (ティム・レインズ)

  • Lab Ops - Stop Press Windows Server 2012R2 Evaluation edition released

    I have just got back to my blog after a few days at various events and I see the Evaluation edition of Windows Server 2012R2 has been released.  I need this for my lab ops because I am building and blowing away VMs for er… evaluations and I don’t want to have to muck about with license keys. For example I have a script to create FileServer1 VM but if I use the media from MSDN for this and I don’t add in a license key to my answer file, the machine will pause at the license key screen until I intervene.  Now I have the Evaluation Edition I can build VM’s that will starter automatically and when they are running continue to configure them. For example for my FileServer1 VM I created in earleir posts in this series  I can add a line to the end of that script while will run on the VM itself once it is properly alive after its first boot..

    invoke-command -ComputerName $VMName -FilePath 'E:\UK Demo Kit\Powershell\FileServer1 Storage Spaces.ps1'
    ..and this will go away and setup FileServer1 with my storage spaces.

    Note both the script to create FileServer1 (FileServer1 Setup.ps1) and the xml it uses to add features into that VM (File server 1 add features.xml) and the File Server1 Storage Spaces.ps1 script referenced above are on my SkyDrive for you to enjoy.

    One good use case for executing remote PowerShell  scripts remotely like this is when working on a cluster. Although I have put the Remote Server Administration Tools (RSAT) on my host and to have access to the Failover Clustering  cmdlets I get a warning about running these against a remote cluster..

    WARNING: If you are running Windows PowerShell remotely, note that some failover clustering cmdlets do not work remotely. When possible, run the cmdlet locally and specify a remote computer as the target. To run the cmdlet remotely, try using the Credential Security Service Provider (CredSSP). All additional errors or warnings from this cmdlet might be caused by running it remotely.

    While on the subject of new downloads the RSAT for managing Windows Server 2012R2 from Windows 8.1 is now available, so you can look after your servers from the comfort of Windows 8.1 with your usual tools like Server Manager, Active Directory Administrative Console, Hyper-V manager and so on On my admin VM I have also put on the Virtual Machine Manger Console ad SQL Server Manager and a few other admin tools..



    Before you ask me the RSAT tools you put on each client version of Windows only manage the equivalent version of server and earlier.  For example you can’t put the RSAT tools for managing Windows Server 2012R2 onto Windows 8 or Windows 7.

    So using my lab ops guides or the more manual guides on TechNet, you can now get stuck into playing with Windows Server 2012R2, as a way of getting up to speed on the latest Windows Server along with the R2 courses on the Microsoft Virtual Academy.

  • 新セキュリティ インテリジェンス レポート、新データ、新たな視点

    本記事は、Microsoft Malware Protection Center のブログ “New Security Intelligence Report, new data, new perspectives” (2013 年 10 月 29 日公開) を翻訳した記事です。

    本日、マイクロソフトは マイクロソフト セキュリティ インテリジェンス レポート (SIRv15) (英語版) の第 15 版を公開しました。このレポートは、世界中の莫大な数のシステム、および幾つかのインターネットの活発なオンライン サービスのデータに基づいて、マルウェア、悪用について分析しています。

    昨年中、私達はセキュリティ インテリジェンス レポートの第 15 版について企画していました。お客様に提供するガイダンスの範囲、および正確性を向上するためにはどうすれば良いのか考慮したため、過去のレポートで提供したデータ以上にマルウェアの蔓延率を最も良く示すにはどうしたら良いかについて熟慮しました。


    私達は、既に、感染率については悪意のあるソフトウェアの削除ツール (MSRT) を 1,000 回実行した場合に駆除を受けたコンピューターの数を示す Computers Cleaned per Mille (CCM) と呼ばれる測定基準を使用して報告しています。これにより、感染がいかに広範に広がっているのか説明することが可能です。


    例えば、昨年中の遭遇率、および感染率による分析で浮上したキーとなる発見の 1 つは、Windows XP を稼働しているコンピューターが Windows 7 を稼働しているコンピューターと同程度のマルウェアに遭遇していたというものでした。Windows XP を使用するコンピューターは、その他のオペレーティング システムに比べてより多くの感染に見舞われていました。実際、Windows XP の感染率は Windows 8 と比べて 6 倍も高かったのです。


    図 1: Windows オペレーティングシステムにおける感染率、および遭遇率

    今後、私達は 2014 年 4 月 8 日のサポート終了日を踏まえ、Windows XP についてより深い分析を行ったブログを公開します。Tim Rains も、この問題について 最新のブログ (英語情報)でさらに解説しています。 

    私達の全体像分析では、深刻度に基づいて、望ましくない可能性がある悪質なソフトウェアからマルウェアを除外しています。重要/深刻な脅威は、製品が自動的にこれらの脅威をコンピューターから除去するのに十分な程深刻であるため、この区別は重要です。警告/注意の脅威は、この SIR では望ましくない可能性がある悪質なソフトウェアに分類しており、隔離するか除去するかはユーザー次第です。


    地域別に脅威を見ていくと、分析の多くの部分で深刻度が上昇した国が分かります。2012 年下半期、2013 年の上半期の間、トルコの遭遇率は13 % 以上も上昇しました。世界のその他の地域と比べた場合に、トルコでは悪用、さまざまなトロイの木馬、およびワームのすべてにより高いレベルで遭遇していました。トルコと他国の調査結果に関する詳細は SIR 第 15 版でご覧いただけます。


    図 2: 2013 年第 2 四半期において、検出を報告しているコンピューターでの、全世界、および 10 地域での脅威別の蔓延率。それぞれの地域での合計は、1 カテゴリ以上について脅威を報告しているコンピューターもあるため、100 % を超える場合もあります。


    私達は最も蔓延しているランサムウェア ファミリーを追跡し、Win32/Reveton (英語情報) および Win32/Tobfy (英語情報) が世界レベルで蔓延が上昇傾向にあることが分かりました。

    これらは、最新のレポートに含まれる、たくさんのキーとなる調査結果のほんの一部です。マイクロソフト セキュリティ インテリジェンス レポート 第 15 版(英語版)をダウンロードするには、 をご覧ください。

    SIR をご覧いただき、他の人にも読むようにすすめ、アクションを実行して、コンピューター、および組織を悪意のあるソフトウェアから保護するためのリソースとして使用いただくことを願っております。

    Vidya Sekhar


  • New infection rate data for unprotected computers

    ​In the previous Microsoft Security Intelligence Report, SIRv14, we introduced a new metric to measure the infection rate for computers protected with real-time antimalware software (protected computers) in comparison to computers that were not protected with up-to-date security software (unprotected computers).  Using this new data, we wrote a feature story about the risks of running unprotected. Our customers told us that providing this data really helped measure the value of running real-time antimalware software. It clearly showed that security software can provide a significant contribution to a computer’s protection level. 

    With Windows 8, we’ve made further improvements to help keep customers protected.

    For example, Windows Defender is automatically activated when the Windows 8 device is turned on for the first time, and will only deactivate if another antimalware program is running. If there is no other antimalware software installed, Windows Defender will be enabled. If another antivirus application is activated later, Windows Defender will automatically disable itself.  Windows Action Center monitors Windows Defender, and if it is turned off, Action Center will show a notification and provide an option to turn it back on. We’ve done all of this to help ensure that all Windows customers are protected.

    What happens when another antimalware product is installed, but then stops receiving updates or the license expires? 

    Like a computer without antimalware protection, this computer is also considered as being in an unprotected state.

    At the MMPC, we closely monitor why people fall into an unprotected state.  Joe Blackbird and Bill Pfeifer presented on this topic at Virus Bulletin this year with The global impact of anti-malware protection state on infection rates. They found that more than half of the Windows 8 customers listed as unprotected are in that state because their antivirus has expired.

    After assessing the telemetry on why customers were staying unprotected, a few updates were made in Windows 8.1 to help customers make a safe choice to stay protected.  Now, after prompting a customer about their unprotected state and giving the choice to renew or see other options at the Windows Store, a final prompt helps the customer get back into a protected state even if they do not choose to renew.  If you really don’t want to have protection enabled, you can still disable it– it’s your choice.  The feature simply makes the safe choice really easy, and the less safe choice a bit more work.

    During the past year I’ve talked to a lot of people who are just as passionate about keeping our customers protected as we are.  So, I’m happy to report that we now measure protected/unprotected data on a quarter-by-quarter basis as a standard part of the Microsoft Security Intelligence Report.

    As shown in the following chart, our research reveals that every quarter, about 25 percent of computers are not completely protected. This includes computers that are both unprotected and intermittently protected. We count a computer as intermittently protected for the quarter if it reports being unprotected for one month. We’d like to move the number of computers in both categories closer to zero. 

    We also found that computers that never had protection were 7.1 times more likely to be infected with malware than computers that always had protection.

    worldwide protected computers - 3Q12–2Q13

    Figure 1: Percentage of computers worldwide protected by real-time security software, 3Q12–2Q13

    For more data and analysis on protected and unprotected computers, including how we calculate this data, see SIRv15.

    Stay protected folks!

    Holly Stewart


  • Service Manager 2012 R2 – Fixes included

    Thomas Ellermann posted a great breakdown on the updates in R2 for Service Manager 2012. The focus in R2 for Service Manager was to tackle some of the critical customer and MVP collected bugs. Service Managers R2 release saw no major performance improvements but we are targeting Console and Portal performance in the next update (UR) cycles. With that in mind a few of the R2 fixes are associated to improving console and workflow stability, and that can help a great deal with performance.

    You can find Thomas’s post here:


    Christian Booth (ChBooth) | Sr. Program Manager | System Center

    Program Lead: System Center: Cloud & Datacenter MVP

  • Infection rates and end of support for Windows XP

    In the newly released Volume 15 of the Microsoft Security Intelligence Report (SIRv15), one of the key findings to surface relates to new insight on the Windows XP operating system as it inches toward end of support on April 8, 2014.

    In this post we want to highlight our Windows XP analysis and examine what the data says about the risks of being on unsupported software. In the SIR, we traditionally report on supported operating systems only. For this analysis we examined data from unsupported platforms, like Windows XP SP2, from a few different data points:

    • Malware encounters (newly introduced in SIRv15) in comparison to infections.
    • Infection rates for supported and unsupported operating systems.
    • Impact of antimalware protection on supported and unsupported operating systems.

    Malware encounters and malware infections

    Earlier today we published a blog post that discussed a new metric for analyzing malware prevalence which was introduced in the latest report. This new metric, called the encounter rate, measures the percentage of computers protected with Microsoft real-time antimalware products that come into contact with malware. It is important to note encounters do not equate to infections. Although some computers do report active malware, the vast majority of these encounters represent blocked infections reported by our antimalware products. Another recent blog explained our metrics in more detail.

    You can think of the encounter rate as a way to measure what percentage of computers are exposed to malware. In comparison, the infection rate (CCM) measures how many computers out of 1,000 scanned by the Microsoft Malicious Software Removal Tool (MSRT) actually got infected. What’s really fascinating about these data points is when you compare the two.

    The following chart shows the encounter rate in comparison to the infection rate by operating system and service pack. While Windows XP SP3 computers encountered almost as much malware as other platforms, computers running Windows XP as a whole experienced a much higher infection rate. For example, although Windows 8 computers may encounter a similar amount of malware as Windows XP, people who use Windows XP are six times more likely get infected.

    Malware Infection and encounter rates

    Figure 1: Malware Infection and encounter rates for Windows operating systems during 2Q13

    A few possible reasons for the higher infection rate on Windows XP are:

    • Antimalware protection may not be active or up to date (more on this hypothesis in the last section).
    • Older technology lacks the protective measures built into more recently introduced operating systems, and therefore is challenged to defend against some attacks.

    Windows XP was built more than 12 years ago and was architected to include security technologies that were innovative at the time. For example, Windows XP SP2 was released in 2004 and introduced Data Execution Prevention. However, the threat landscape has changed quite a bit since then and technologies that were built a decade ago, like DEP, are now commonly bypassed. A paper released earlier this year from Trustworthy Computing: Software Vulnerability Exploitation Trends helps illustrate this point. The paper also provides a comparison of security mitigations built into Windows 8 and compares them against the mitigations built into Windows XP.

    Newer operating systems are not vulnerable to many of the exploitation techniques that are still widely used and remain effective against older platforms. Newer operating systems include a number of security features and mitigations that older versions were simply not designed for at the time.

    Infection rates on unsupported operating systems

    Once support ends, if Windows XP SP3 follows a trend similar to prior Windows XP versions which are unsupported now, we can expect infection rates to rise.

    For example, support for Windows XP SP2 ended on July 13, 2010 (support notification). The dashed blue line in the following chart represents its infection rate after that time.

    XP SP2 infection rates

    Figure 2: Windows XP SP2 infection rate after end of support

    In the first two years after Windows XP SP2 went out of support, the infection rate disparity between the supported (Windows XP SP3) and unsupported (Windows XP SP2) service packs grew. In fact, the infection rate of the unsupported version was, on average, 66 percent higher than the supported version (Windows XP SP3).

    After support ends, Microsoft security updates are no longer provided to address new vulnerabilities found, but that does not mean that new vulnerabilities won’t be discovered and exploited by attackers. For example, it will be possible for attackers to reverse-engineer new security updates for supported platforms to identify any that may exist in unsupported platforms. Tim Rains talked about the potential impact of doing so in his blog post this morning.

    Impact of malware protection on supported and unsupported operating systems

    One question I hear a lot when discussing unsupported versions of the OS is "So, won’t antivirus help protect my computer?" We absolutely encourage everyone to use real-time antimalware to help protect themselves against cybercriminal activity. In fact, the latest report shows that during the last quarter unprotected computers were 7.1 times more likely to be infected than protected computers.

    That said, our data also tells us that running antimalware on out-of-support systems is not an equitable solution to protect against threats. The following chart compares the monthly infection rates for protected and unprotected computers on Windows XP SP2 and Windows XP SP3 in the last half of 2012 (this data for Windows XP SP3 was reported in the "Running unprotected" section of SIRv14).

    The data shows that protected systems on Windows XP SP2 are twice as likely (2.2 times, to be exact) to be infected in comparison to protected Windows XP SP3 computers. Unprotected computers show a similar trend: you’re 2.5 times as likely to be infected on Windows XP SP2 in comparison to Windows XP SP3 when neither have up-to-date antimalware protection. 

    Average infection rates

    Figure 3: Average infection rate for computer with and without antimalware protection

    As past Microsoft Security Intelligence Reports have shown, running a well-protected solution means running up-to-date antimalware software, regularly applying security updates for all software installed and using a more modern operating system that has increased security technologies and mitigations. This advice remains consistent with the new data in SIRv15.

    Of course this blog highlights just one of the many key findings in the latest report.   I encourage you to download the report today to learn all about the latest trends in the threat landscape.

    Holly Stewart

  • New Security Intelligence Report, new data, new perspectives

    Today, Microsoft released volume 15 of the Microsoft Security Intelligence Report (SIRv15). The report analyzes malware, exploits and more based on data from more than a billion systems worldwide and some of the Internet’s busiest online services.

    During the past year, as we were planning this volume of the Security Intelligence Report, and as we considered how to improve the breadth and accuracy of guidance given to our customers, we gave a lot of thought on how best to represent malware prevalence beyond the data provided in past reports.

    We need to establish a metric that measured the impact of malware based on our real-time protection products.

    We already report on infection rates using a metric called computers cleaned per mille (CCM), which represents the number of computers cleaned for every 1,000 executions of the Malicious Software Removal Tool (MSRT). This helps us describe how widespread an infection is.

    To better understand the range of threats that affect computers today, it’s increasingly valuable to consider infection attempts, including attempts that never result in infection. This data, which can only be provided by real-time security products, is measured by our new metric – the encounter rate. The encounter rate is the percent of computers running Microsoft real-time security products that come across, or encounter malware. When viewed together, the infection rate and the encounter rate provide different lenses to look at the malware landscape, assembling a picture that can contribute to a more informed risk assessment.

    For example, one key finding to surface from the analysis of platforms by encounter rate and infection rate during the past year, was that computers running Windows XP encountered about as much malware as Windows 7. However, Windows XP computers experienced many more infections than other operating systems. In fact, Windows XP had an infection rate that was six times higher than Windows 8.  

    Infection and encounter rates by operating system

    Figure 1: Infection and encounter rates for Windows operating systems

    Later today we will publish another blog which will dive deeper into the analysis of Windows XP, in light of the upcoming end of support date – April 8, 2014. Tim Rains also talks more about this issues in his latest blog.  

    In our analysis of the landscape we also separate out malware from potentially unwanted software, based on severity. This distinction is important, since high/severe threats are serious enough that our products will remove these threats from computers automatically. Moderate/low threats, which we categorize as potentially unwanted software in this SIR, depend on user action to quarantine or remove.

    We also show trends for countries with the highest and lowest encounter rates for malware and potentially unwanted software. Some countries appear on highest and lowest lists for potentially unwanted software and not for malware. This helps draw conclusions about the effect of potentially unwanted software on certain regions, as well as helping zero-in on the severe threats facing different locations.

    As we look at threats regionally, we see one country that rose to significance in many parts of our analysis. Between the second half of 2012 and the first half of 2013, Turkey’s encounter rate increased by more than 13 percent.  Exploits, miscellaneous trojans and worms were all encountered at higher levels in Turkey when compared with other regions globally. You can read further on our findings for Turkey and other countries in SIRv15.


    Encounter rates by country

    Figure 2: Threat category prevalence worldwide and in the 10 locations with the most computers reporting detections in 2Q13. Totals for each location may exceed 100 percent because some computers reported threats from more than one category.

    We also took a peek at the growing issue of ransomware - a type of malware designed to render a computer or its files unusable until the computer user pays a certain amount of money to the hacker. Often disguised as an official-looking warning from a well-known law enforcement agency, it accuses the computer user of committing a computer-related crime and demands that the user pay a fine via electronic money transfer to regain control of the computer.

    We tracked the top ransomware families and found Win32/Reveton and Win32/Tobfy trending upward globally.

    These are just a few of the many key findings contained in the latest report.  To download the Microsoft Security Intelligence Report Volume 15, visit

    We hope you will read it, pass it on to others to read and use it as a resource to take action and help protect your computer and your organizations’ systems from malicious software.

    Vidya Sekhar

  • Upgrade your Windows and get a new view on your world!


      By Alan Richards, Senior Consultant at Foundation SP and SharePoint MVP.



    This time last year the computing worlds view of Microsoft Windows changed forever, Windows 8 changed the way we interact with not only our PC’s but also our laptops, phones and tablet devices. Windows 8 was not only a new operating system for your PC but it was also a new way of working, a single consistent interface across all your Windows based devices with the ability to have all your settings, document, images & videos accessible from any Windows device you logged onto.


    Now that was the really cool bit, suddenly all my Windows devices were personal to me, I took a photo on my Windows phone and it was immediately available on all my other devices, no more emailing it to myself. This was just cool, no other description for it.

    So a year on, everything has settled down and the release of Windows 8.1 has been and gone, have you made the move yet? Perhaps, it’s now time you took that step and upgrade all your devices to Windows 8. Let’s look at your options in three distinct areas; hardware requirements, ways to upgrade & licensing

    Hardware Requirements

    The hardware requirements for Windows 8 varies depending on what device you want to run it on; do you want touch, do you want game level graphics or do you simply want a device to get some work done.

    The basic hardware requirements are very reasonable, in fact if you have a device that runs Windows 7 it will quite easily run Windows 8.

    The table below shows the system requirements for Windows 7 & 8

    Windows 8

    Windows 7

    · 1 gigahertz (GHz) or faster with support for PAE, NX, and SSE2

    · 1 gigabyte (GB) (32-bit) or 2 GB (64-bit)

    · 16 GB (32-bit) or 20 GB (64-bit)

    · Microsoft DirectX 9 graphics device with WDDM driver

    · 1 gigahertz (GHz) or faster 32-bit (x86) or 64-bit (x64) processor

    · 1 gigabyte (GB) RAM (32-bit) or 2 GB RAM (64-bit)

    · 16 GB available hard disk space (32-bit) or 20 GB (64-bit)

    · DirectX 9 graphics device with WDDM 1.0 or higher driver

    If you still have Windows XP and are looking to upgrade you may very well need to buy a new Windows 8 device, of which there are numerous choices as you can see from the images scattered around this article. From normal PC’s & laptops to convertible devices, from tablet devices to all in one computers.

    Upgrading To Windows 8

    So you are going to take the plunge and get your new view on the world, personalise your device experience and why not, upgrading is easy. Let’s look at the options; if you are simply upgrading your personal device then you can simply get an anytime upgrade if you have a compatible current Windows OS, or you could go out and buy the DVD and install it on to your device. If you want to check in advance then why not use the Windows 8 upgrade advisor, a nifty little tool supplied by Microsoft, check out the page here

    If you are a large organisation then you have a few more choices because, let’s face it, running around 100’s of devices with a DVD is not really an option.Surface Pro 2 RHS

    Network Install

    This one is a bit like a DVD install but you upload the contents of your volume licensed Windows 8 media and do an in place upgrade of your current version of Windows, assuming of course that your current version has a direct upgrade path (use the upgrade advisor to find out) Only really any good for a small number of devices, I really wouldn’t recommend this for 100’s of devices.

    Microsoft Deployment Toolkit

    This toolkit brings together various pieces of software such as the Windows Automated Installation to provide a system which can capture and deploy images of Windows to both bare bones devices & devices that already have a Windows installation. The toolkit is downloadable from Microsoft for free using this link.

    Install it onto a server with Windows Deployment Services and you have a system from which you can create base devices, sysprep them, capture the image over the network and then deploy the image to multiples of devices.

    The toolkit also has the ability to preload drivers to ensure the Windows installation goes without a hitch, all you need is the driver software to load up to the management interface of the toolkit.

    All of the deployment options are configured using scripts which you can adjust to meet your needs. You can have a deployment that asks the end user all the usual installation questions right the way up to a completely zero touch installation.

    System Center

    This beast of a piece of software is the installation gold standard. In essence it gives you the same functionality as the Deployment Toolkit in that you can capture & deploy images and do it all using scripts. However the big difference is the functionality and control you have over the installation. System Center gives you so much more, allowing you to send packages to the machines once they are installed. Automating the installation of applications & service packs, allowing you to view the hardware of devices, check upgrade statuses.

    If you are licensed for its use then System Center should be your choice for full control over your devices.


    Unfortunately something this good doesn’t come free but Microsoft licensing makes it fairly simple to get your hands on Windows 8. How you license your copy of Windows will depend on your personal circumstances; individual, business or education.

    For individuals you can purchase an upgrade version of Windows 8 asclip_image007[3] long as you are currently using a licensed version of a previous version of Windows. If you currently don’t use Windows or are using a version that doesn’t fulfil the upgrade requirements you will need to purchase the full versions from an IT store.

    Businesses & education have a multitude of ways to purchase Windows 8, you can purchase the full version or upgrade in the same way that individuals can, however, they can also use their current licensing arrangements to purchase their upgrade to Windows 8. Volume licensing with software assurance allows you access to the latest software for your organisation and so upgrading to Windows 8 is as simple as checking your hardware meets the requirements and then downloading the install package. Do remember though that software assurance only allows you to install an upgrade version of Windows and so the device you are installing it to must already have a fully licensed previous version of Windows.

    Windows 8.1 has now been released, so we should look at the licensing arrangements around the latest upgrade. Well the simple answer is - its free!!

    If you are a personal user already running Windows 8, then simply update your device to the latest Windows 8.1 version.

    If you are a business or education customer who buys copies of windows outright then the same process applies as per an individual user however if you have a volume licensing agreement with software assurance you can download the Windows 8.1 upgrade to install as an ISO onto your devices, remembering of course that they must have a fully licensed copy of a previous version of windows.

    In Summary

    Windows 8 is new, it’s different, and it’s personal. Now all your files and settings follow you from device to device. There are also plenty of new devices ready to take advantage of the greatest features of Windows 8. However with the reasonable hardware specifications it’s easy for you to use your current device and upgrade clip_image004[3]to Windows 8 using any of the easy to access licensing methods, whether that’s as an individual, business or education.

    So in summary, go out and get rid of that old version of Windows and upgrade to Windows 8 and open up a new view in your world.





  • Some thoughts about System Center 2012 R2

    imageAs I’m sure everyone is aware, last week we released System Center 2012 R2. With this new release, I thought it would be a good idea to call attention to a great article written by Steve Bucci, one of our top Senior Support Escalation Engineers here on our System Center team. He wrote the article back in February of this year and it talks about how System Center is a team of products, and how it’s important to remember that all these separate components were designed to work better together. To borrow a phrase from Aristotle, it’s one of those things where the whole is greater than the sum of the parts. Steve’s article brings up points that you may want to reconsider with the release of System Center 2012 R2 so if you get a free minute sometime this week I’d invite you to give it a quick read.

    System Center Assemble! Create your team of heroes with System Center 2012 SP1

    J.C. Hornbeck | Solution Asset PM | Microsoft GBS Management and Security Division

    Get the latest System Center news on Facebook and Twitter:

    clip_image001 clip_image002

    System Center All Up:
    System Center – Configuration Manager Support Team blog:
    System Center – Data Protection Manager Team blog:
    System Center – Orchestrator Support Team blog:
    System Center – Operations Manager Team blog:
    System Center – Service Manager Team blog:
    System Center – Virtual Machine Manager Team blog:

    Windows Intune:
    WSUS Support Team blog:
    The AD RMS blog:

    App-V Team blog:
    MED-V Team blog:
    Server App-V Team blog:

    The Forefront Endpoint Protection blog :
    The Forefront Identity Manager blog :
    The Forefront TMG blog:
    The Forefront UAG blog: