by Contributed | Sep 23, 2020 | Azure, Technology, Uncategorized
This article is contributed. See the original author and article here.
Microsoft is updating Azure services in a phased manner to use TLS certificates from a different set of Certificate Authorities (CAs) beginning August 13, 2020 and concluding approximately on October 26, 2020. We expect that most Azure Storage customers will not be impacted; however, your application may be impacted if you explicitly specify a list of acceptable CAs (a practice known as “certificate pinning”). This change is limited to services in public Azure cloud and US Government cloud. There are no changes in other sovereign clouds like Azure China.
This change is being made because the current CA certificates do not comply with one of the CA/Browser Forum Baseline requirements. This was reported on July 1, 2020 and impacts multiple popular Public Key Infrastructure (PKI) providers worldwide. Today, most of the TLS certificates used by Azure services are issued from the “Baltimore CyberTrust Root” PKI.
Azure Storage services will remain chained to the Baltimore CyberTrust Root*, but the TLS server certificates will be issued by new Intermediate Certificate Authorities (ICAs) starting October 26, 2020.
If any client application has pinned to an Intermediate CA rather than the Baltimore CyberTrust Root, immediate action is required to prevent disruption to connectivity to Azure Storage.
* Other Azure service TLS certificates may be issued by a different PKI.
Certificate Renewal Summary
The table below provides information about the certificates that are being rolled. Depending on which certificate your service uses for establishing TLS connections, action may be needed to prevent loss of connectivity.
| Certificate | Current | Post Rollover (Oct 26, 2020) | Action |
|---|---|---|---|
| Root | Thumbprint: d4de20d05e66fc53fe1a50882c78db2852cae474<br>Expiration: Monday, May 12, 2025, 4:59:00 PM<br>Subject Name: CN = Baltimore CyberTrust Root, OU = CyberTrust, O = Baltimore, C = IE | Not Changing | None |
| Intermediates | CN = Microsoft IT TLS CA 1, Thumbprint: 417e225037fbfaa4f95761d5ae729e1aea7e3a42<br>CN = Microsoft IT TLS CA 2, Thumbprint: 54d9d20239080c32316ed9ff980a48988f4adf2d<br>CN = Microsoft IT TLS CA 4, Thumbprint: 8a38755d0996823fe8fa3116a277ce446eac4e99<br>CN = Microsoft IT TLS CA 5, Thumbprint: Ad898ac73df333eb60ac1f5fc6c4b2219ddb79b7<br>Expiration: Friday, May 20, 2024 5:51:28 AM<br>Subject Name: OU = Microsoft IT, O = Microsoft Corporation, L = Redmond, S = Washington, C = US | CN = Microsoft RSA TLS CA 01, Thumbprint: 703d7a8f0ebf55aaa59f98eaf4a206004eb2516a<br>CN = Microsoft RSA TLS CA 02, Thumbprint: b0c2d2d13cdd56cdaa6ab6e2c04440be4a429c75<br>Expiration: Tuesday, October 8, 2024 12:00:00 AM<br>Subject Name: O = Microsoft Corporation, C = US | Required |
Note: Intermediate certificates are expected to change frequently. We recommend not taking dependencies on them and instead pinning the root certificate as it rolls less frequently.
Action Required
- Search your source code for the thumbprint, Common Name, and other cert properties of any of the 4 Microsoft IT TLS CAs listed above. If there is a match, then your application will be impacted and immediate action is required:
- To resolve this problem, update the source code to include the new intermediate CAs. To continue pinning intermediates, replace the existing certificates with the new intermediate CAs:
- Microsoft RSA TLS CA 01 (Thumbprint: 703d7a8f0ebf55aaa59f98eaf4a206004eb2516a)
- Microsoft RSA TLS CA 02 (Thumbprint: b0c2d2d13cdd56cdaa6ab6e2c04440be4a429c75)
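One way to run the source-code search described above, as an added example that is not part of the original article or any Microsoft tooling. The function names `scan_text` and `scan_tree` are hypothetical, the sample input is constructed, and the scanner assumes pinned thumbprints may be written in any letter case with optional space, colon, or hyphen separators between bytes.

```python
import re
from pathlib import Path

# Retiring intermediates from the table above (SHA-1 thumbprint -> CN).
OLD_INTERMEDIATES = {
    "417e225037fbfaa4f95761d5ae729e1aea7e3a42": "Microsoft IT TLS CA 1",
    "54d9d20239080c32316ed9ff980a48988f4adf2d": "Microsoft IT TLS CA 2",
    "8a38755d0996823fe8fa3116a277ce446eac4e99": "Microsoft IT TLS CA 4",
    "ad898ac73df333eb60ac1f5fc6c4b2219ddb79b7": "Microsoft IT TLS CA 5",
}

def _pattern(thumbprint):
    # Allow ' ', ':' or '-' between bytes, as certificate viewers print them.
    pairs = [thumbprint[i:i + 2] for i in range(0, len(thumbprint), 2)]
    return "[ :-]?".join(pairs)

_THUMB_RE = {cn: re.compile(_pattern(tp), re.IGNORECASE)
             for tp, cn in OLD_INTERMEDIATES.items()}
_CN_RE = re.compile(r"Microsoft IT TLS CA [1245]\b")

def scan_text(text):
    """Return sorted (line_no, ca_name, kind) hits for one file's contents."""
    hits = set()
    for no, line in enumerate(text.splitlines(), 1):
        for cn, rx in _THUMB_RE.items():
            if rx.search(line):
                hits.add((no, cn, "thumbprint"))
        for m in _CN_RE.finditer(line):
            hits.add((no, m.group(0), "common-name"))
    return sorted(hits)

def scan_tree(root):
    """Scan every readable file under root; returns {relative_path: hits}."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            hits = scan_text(path.read_text(errors="ignore"))
            if hits:
                report[str(path.relative_to(root))] = hits
    return report

# Constructed sample: a pin in colon form, a CN in a comment, and the root pin.
SAMPLE = ('pins = ["41:7E:22:50:37:FB:FA:A4:F9:57:61:D5:AE:72:9E:1A:EA:7E:3A:42"]\n'
          '# issuer: Microsoft IT TLS CA 4\n'
          'root = "d4de20d05e66fc53fe1a50882c78db2852cae474"\n')

if __name__ == "__main__":
    for hit in scan_text(SAMPLE):
        print(hit)
```

The Baltimore CyberTrust Root thumbprint on the third sample line is deliberately not reported, since the root is not changing.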
Validation
We recommend performing some basic validation to mitigate any unintentional impact to your application. We will provide a test environment on demand for your convenience to try out before we roll these certificates in production environments.
Support
If you have any technical questions on implementing these changes or need help performing validation in the test environment, please open a support request with the options below, and a member of our engineering team will get back to you shortly.
- Issue Type: Technical
- Service: Azure Storage
- Problem type: Connectivity
- Problem subtype: Dropped or terminated connections
Additional Information
Microsoft-wide communications: To broadly notify customers, Microsoft sent a Service Health portal notification on Aug 3rd, 2020 and released a public document that includes timelines, actions that need to be taken, and details regarding the upcoming changes to our Public Key Infrastructure (PKI).
by Contributed | Sep 23, 2020 | Uncategorized
We hope that you’re enjoying Microsoft Ignite, our annual flagship conference for technology professionals, from September 22-24, 2020. This year, the conference is being offered as a virtual experience, free of charge and accessible to attendees around the world.
Continue your Microsoft Ignite learning journey in the new Virtual Hub, where you engage with experts, find links to on-demand technical depth videos, interactive demos, customer use cases, Microsoft Learn learning modules and certification programs. In the Hub, you can view on-demand videos for FastTrack for Microsoft 365 and Adoption, where deployment and adoption experts will present solutions to help IT professionals meet today’s challenges, such as how to support the increasing demands of a newly remote workforce.
If you’re new to FastTrack, check out our video highlighting FastTrack for Microsoft 365 and App Assure. FastTrack provides remote guidance for security, identity and compliance, Teams and other Microsoft 365 Apps, Windows 10, and Microsoft Edge. Beginning October 1, 2020, Teams Rooms will be added to the FastTrack benefit, where qualified customers can get remote guided assistance on select rooms at no additional charge.
We also encourage you to learn about the FastTrack data migration benefit in this video, which includes a demo of the streamlined Migration Hub portal (coming soon) that provides eligible tenants with a self-service onboarding model that allows for more flexibility in creating and managing migrations.
There are also several other videos, focusing on managing and securing devices and apps for today’s hybrid workforce, adoption, champion programs, security and compliance, and more.
FastTrack and adoption video links:
Need help deploying Microsoft 365? Hear how we can help.
Simplify email and data migration to Microsoft 365 with Microsoft’s migration service
Build your foundation for modern security and compliance with Microsoft 365 deployment assistance
Securing and managing devices and apps for today’s hybrid workforce
Embrace and manage change with Champions
Modern Collaboration Architecture (MOCA) – Learn ‘which tool when’
Succeed with remote productivity through adoption best practices – Microsoft partner discusses a customer engagement
How do I get started with FastTrack?
To take advantage of remote deployment guidance for Microsoft 365 from FastTrack, visit www.microsoft.com/FastTrack and sign in to submit a Request for Assistance. FastTrack is available for eligible Microsoft 365 plans with 150+ licenses.
by Contributed | Sep 23, 2020 | Uncategorized
We’re pleased to announce that the Microsoft Information Protection SDK version 1.7 is now generally available via NuGet and Download Center.
Highlights
In this release of the Microsoft Information Protection SDK, we’ve focused on quality updates, adding support for new languages and platforms, and additional support for Double Key Encryption (DKE).
- Public Preview available for Java on Windows and Ubuntu 18.04.
- .NET Core now fully supported on Windows.
- Public preview support for .NET Core on Ubuntu 18.04.
- Full SDK support for Ubuntu 18.04.
For a full list of changes to the SDK, please review our change log.
Java Support
We’re happy to announce that the MIP SDK Java Wrapper is in public preview for both Windows and Ubuntu Linux. At this stage we’ll be providing only a JAR file, available at https://aka.ms/mipsdkbins, as well as the platform-specific DLLs required to call in to the native wrapper on each platform. It’s important to note that this JAR file is not portable to other platforms due to the native dependencies which are platform specific. Based on your feedback, we’ll decide how and where to invest in future platform support.
The current preview does not support streams. You’ll be required to pass in files directly. Check back for samples and blogs on the Java wrapper in the coming weeks. The Java binaries do ship with an included sample application that we encourage you to check out and build.
.NET Core Support
A common question we’ve received since shipping support for .NET has been “is .NET Core supported?” In this release, we’re pleased to report that you can now install the MIP File SDK NuGet package on .NET Core projects in both Windows and Ubuntu 18.04. Install via NuGet today!
Windows
Ubuntu 18.04
Microsoft Authentication Library
We’ve updated our samples to use the Microsoft Authentication Library (MSAL) for obtaining auth tokens from Azure Active Directory (AAD) or Active Directory Federation Service (ADFS).
We encourage you to update your own applications to MSAL, as the Active Directory Authentication Library (ADAL) has been recently deprecated and will be unsupported after June 30, 2022.
Currently, we have no details to share around MSAL support on C++ for any platform. We recommend that you use MSAL for Python, where appropriate, or investigate implementing your authentication delegate by making direct REST calls to the Microsoft identity platform.
SDK Support and Questions
The questions, feedback, and engagement from the MIP development community on Tech Community Yammer, and Stack Overflow have been outstanding. In an effort to ensure that questions are easily discoverable for all, that we receive notifications, and that we can better categorize questions and responses to improve our documentation and samples, please post future technical questions on Stack Overflow under the Microsoft Information Protection tag.
We’ve found that using the great forum and framework provided by Stack Overflow helps us to ensure that Q&A are at the top of search engine results, enables us to track issues, provide responses in a timely manner, and, overall, help us to serve the community better and improve the quality and features in the SDK.
-Tom Moser
by Contributed | Sep 23, 2020 | Uncategorized
WSL, Windows Terminal, and PowerToys
The Windows for Developers team is interested in learning more from STEM educators on what tools are used and recommended in the classroom. The team has released tools like Windows Subsystem for Linux (WSL), Windows Terminal, Windows Package Manager (WinGet), and PowerToys to better improve the developer experience on Windows, and we want to know what other tools and improvements are top of mind for educators when it comes to developer tool needs in the classroom.
If you teach in any capacity, we are interested in hearing from you! Please take some time to fill out our 3-minute survey. If you are interested in an opportunity to chat with the team, there is an option at the end of the survey to provide us with your email so we can follow up with you.
by Contributed | Sep 23, 2020 | Uncategorized
The deadline is fast approaching — we mentioned in a previous blog that any customers running Microsoft Defender for Endpoint on Windows 7 or Windows Server 2008 R2 must take the following actions or their agents will stop sending data:
Before November 2, 2020, do the following:
- Install the SHA-2 signing Windows updates as described in 2019 SHA-2 Code Signing Support requirement for Windows and WSUS
- Update to the latest version of the Log Analytics Windows agent (Windows 64-bit agent or Windows 32-bit agent)
You can find the relevant devices in your environment using an advanced hunting query. One such query is available on GitHub: https://github.com/anthonws/MTPAHQueries/blob/master/Log_Analytics_Agent_SHA2_Support.txt
Learn more about SHA-2 signing enforcement in the documentation.
For any other questions, please feel free to reach out to Microsoft Defender for Endpoint Support.
Thank you,
The Microsoft Defender for Endpoint team