Microsoft Surface Pro With 4G in Australia, and the people rejoiced!

It’s been a loooooong time coming, but it’s almost here!

A number of our clients provide Surface Pros for their staff and, for what seems a very long time, have been complaining about the lack of a Surface with LTE. It seems like such a simple thing, yet Microsoft haven’t released it in Australia. IT departments have gone out and purchased a number of other devices to try and meet the requirements; some have been successful, others sooo very not so, but all have added complexity or diversity to the number of devices that these departments have had to provide and support.

But the wait looks to be over: the Surface Pro with 4G is set to launch in April. You can pre-order specific hardware configurations now from the Microsoft Store, Harvey Norman and JB Hi-Fi.

Microsoft Surface Pro With 4G: Australian specifications

Microsoft Surface Pro With 4G
OS: Windows 10 Pro
Dimensions: 292.10 x 201.42 x 8.5 mm
Weight: From 768g
Storage: Solid state drive (SSD) options: 128GB, 256GB, 512GB, or 1TB
Display: Screen: 12.3” PixelSense Display, Resolution: 2736 x 1824 (267 PPI), Aspect Ratio: 3:2, Touch: 10 point multi-touch
Battery life: Up to 13.5 hours video playback
Processor: Intel 7th Gen Core m3, i5, or i7
Graphics: Intel HD Graphics 615 (m3), Intel HD Graphics 620 (i5), Intel Iris Plus Graphics 640 (i7)
Security: TPM chip for enterprise security, Enterprise-grade protection with Windows Hello face sign-in
Memory: 4GB, 8GB, or 16GB RAM
Wireless: Wi-Fi: 802.11ac Wi-Fi wireless networking, IEEE 802.11 a/b/g/n compatible, Bluetooth Wireless 4.1 technology, LTE Advanced (optional)
Ports: Full-size USB 3.0, microSDXC card reader, Surface Connect, 3.5mm Headset jack, Mini DisplayPort, Cover port
Cameras, video, and audio: Windows Hello face authentication camera (front-facing), 5.0MP front-facing camera with 1080p Skype HD video, 8.0MP rear-facing autofocus camera with 1080p Full HD video, Dual microphones, 1.6W Stereo speakers with Dolby Audio Premium
Sensors: Ambient light sensor, Accelerometer, Gyroscope
Warranty: 12 months limited hardware warranty

Now all I need is a compatible external battery; I have been less than impressed with the support of the current 3rd party battery that was purchased.

Reducing your Risks

As I’m sure you’re all aware, there was another vulnerability advertised to the general public over the Christmas/New Year period, and if you’ve been following the details, the patches to fix this specific vulnerability have been recalled. The advice from Intel and other vendors currently is, “don’t deploy the patch as it can cause system instability and in some circumstances cause data loss or corruption.” Good stuff!

Update: Intel releases Spectre fix for Skylake CPUs only

Protecting against vulnerabilities like this and many other security threats takes a multi-layered approach. If you’ve got these layers of protection in place, then the risk of your computers being impacted by any of these vulnerabilities is greatly reduced.

Removing Admin rights
First and foremost, to protect your network and computers, you should be granting users sufficient rights to do their job and nothing more. In our opinion, users very rarely need Administrative rights over a computer. Users in an Enterprise environment shouldn’t be installing software as they please; removing Admin rights not only prevents system changes from being made, intentionally or otherwise, it also allows the IT department to maintain control of your software licensing.

One issue we tend to face when suggesting or implementing the removal of Admin rights is those joyful applications that sing out in protest. Most of these well written applications may simply require write access to the local machine registry hive, or write access to the application install location. You can use tools such as ‘Process Monitor’ to troubleshoot these applications and then grant the users write access to the required locations. This is far more secure than granting blanket Admin rights over the entire computer, or computer fleet!
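
One way to turn a Process Monitor capture into the list of locations that need write access, as an added example that is not part of the original post. It assumes the trace was saved in Process Monitor's CSV format; the application name LegacyApp.exe and every path in the sample are constructed.

```python
import csv
import io
from collections import Counter

# Constructed sample in the column layout of a Process Monitor CSV export.
# Real exports are best opened with encoding="utf-8-sig" to drop the BOM.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:01:02.10","LegacyApp.exe","4120","RegOpenKey","HKLM\SOFTWARE\LegacyApp","SUCCESS","Desired Access: Read"
"9:01:02.11","LegacyApp.exe","4120","RegSetValue","HKLM\SOFTWARE\LegacyApp\Settings\LastRun","ACCESS DENIED",""
"9:01:02.12","LegacyApp.exe","4120","RegSetValue","HKLM\SOFTWARE\LegacyApp\Settings\WindowPos","ACCESS DENIED",""
"9:01:02.20","LegacyApp.exe","4120","CreateFile","C:\Program Files\LegacyApp\data\cache.db","ACCESS DENIED","Desired Access: Generic Write"
"9:01:02.30","explorer.exe","1188","CreateFile","C:\Windows\System32\sample.dat","ACCESS DENIED","Desired Access: Generic Write"
"9:01:02.40","LegacyApp.exe","4120","RegCreateKey","HKLM\SOFTWARE\LegacyApp\Licence","ACCESS DENIED","Desired Access: All Access"
'''

REG_HIVES = ("HKLM", "HKCU", "HKCR", "HKU")
REG_VALUE_OPS = {"RegSetValue", "RegDeleteValue"}  # Path includes the value name


def denied_locations(csv_text, process_name):
    """Count ACCESS DENIED results per registry key or directory for one process."""
    hits = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        if row["Result"] != "ACCESS DENIED":
            continue
        path, operation = row["Path"], row["Operation"]
        is_registry = path.upper().startswith(REG_HIVES)
        if not is_registry or operation in REG_VALUE_OPS:
            # Files and registry values: the ACL to change is on the parent.
            path = path.rsplit("\\", 1)[0]
        hits[path] += 1
    return hits


if __name__ == "__main__":
    for location, count in denied_locations(SAMPLE_CSV, "LegacyApp.exe").most_common():
        print(f"{count:3d}  {location}")
```

Grant write access only on the specific keys and folders the report lists, then re-run the application as a standard user to confirm nothing else is denied.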

Application Whitelisting
Not all vulnerabilities or malicious code require administrative access; a user accidentally running a crypto locker application will cause more than enough headaches when all the network shares they have access to become encrypted. This is where Application whitelisting comes in. Using AppLocker through Group Policy, we can ensure that only authorised applications (e.g. programs, software libraries, scripts and installers) can be executed. The default rules you can create with AppLocker allow applications installed in the ‘Program Files’ and Windows directories to run without hindrance. You can then extend these rules to allow additional applications to run as needed for your environment, and as you’ve removed Admin rights from your users, they won’t have write access to these locations.
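
The whitelist only holds while every allowed path stays somewhere standard users cannot write, so it is worth auditing the rules you add on top of the defaults. The following is an added example, not part of the original post: it reads a policy in AppLocker's XML export layout and lists Allow path rules for non-administrators that fall outside the Program Files and Windows locations. The rule Ids, names and the FinTool path in the sample are constructed.

```python
import xml.etree.ElementTree as ET

ADMINS_SID = "S-1-5-32-544"  # BUILTIN\Administrators
# Path prefixes used by the default rules (Program Files and Windows).
DEFAULT_PREFIXES = ("%PROGRAMFILES%\\", "%WINDIR%\\")

# Constructed policy: three default-style rules plus one added rule.
SAMPLE_POLICY = r'''<AppLockerPolicy Version="1">
 <RuleCollection Type="Exe" EnforcementMode="Enabled">
  <FilePathRule Id="r1" Name="Program Files" UserOrGroupSid="S-1-1-0" Action="Allow">
   <Conditions><FilePathCondition Path="%PROGRAMFILES%\*"/></Conditions>
  </FilePathRule>
  <FilePathRule Id="r2" Name="Windows" UserOrGroupSid="S-1-1-0" Action="Allow">
   <Conditions><FilePathCondition Path="%WINDIR%\*"/></Conditions>
  </FilePathRule>
  <FilePathRule Id="r3" Name="Admins, all files" UserOrGroupSid="S-1-5-32-544" Action="Allow">
   <Conditions><FilePathCondition Path="*"/></Conditions>
  </FilePathRule>
  <FilePathRule Id="r4" Name="Finance tool" UserOrGroupSid="S-1-1-0" Action="Allow">
   <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\Local\FinTool\*"/></Conditions>
  </FilePathRule>
 </RuleCollection>
</AppLockerPolicy>'''


def rules_outside_defaults(policy_xml):
    """Return (collection, rule name, path) for Allow path rules that let
    non-administrators run code from outside the default locations."""
    findings = []
    for collection in ET.fromstring(policy_xml).iter("RuleCollection"):
        for rule in collection.iter("FilePathRule"):
            if rule.get("Action") != "Allow" or rule.get("UserOrGroupSid") == ADMINS_SID:
                continue
            # Only the rule's own conditions, not paths listed under Exceptions.
            for cond in rule.findall("Conditions/FilePathCondition"):
                path = cond.get("Path", "")
                if not path.upper().startswith(DEFAULT_PREFIXES):
                    findings.append((collection.get("Type"), rule.get("Name"), path))
    return findings


if __name__ == "__main__":
    for collection, name, path in rules_outside_defaults(SAMPLE_POLICY):
        print(f"[{collection}] {name}: {path} (check that users cannot write here)")
```

Each finding is a prompt to check the folder's permissions, or to replace the path rule with a publisher or hash rule; the Windows directory itself also contains a few subfolders whose permissions deserve the same check.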

Blocking Attachments
By far the most common distribution of malware I’ve experienced has been via E-mail attachments. I’m sure, like me, you’ve lost count of the number of times you’ve told friends, family and users not to open emails or attachments they don’t know, but let’s face it, that’s a losing battle, especially when one of these people gets infected and then unknowingly starts sending emails containing a malicious payload to their address list. Most malware I’ve seen attached to emails has been either an executable or script directly attached to an email, or in a zip file attachment. There are very few reasons a standard user would be sending these types of attachments via email; I’d even argue that IT users should also be using alternative methods for transferring these files. It may simply be a case of changing the script file extension to txt, which then at least requires the user’s interaction before it will run. In the enterprise environment, I strongly suggest setting up rules in your email system to block or quarantine any email with an executable attachment (including scripts) or any zip file attachments that include executable files.
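
The quarantine rule described above, written out as an added example that is not part of the original post and not any mail product's own filter. The extension list is an assumed starting point, and the sample messages are constructed in the code.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed starting list of executable and script extensions; extend as needed.
BLOCKED = (".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".msi", ".hta")


def is_blocked(name):
    return name.lower().endswith(BLOCKED)


def attachment_verdict(raw_message):
    """Return ("quarantine", reasons) or ("deliver", []) for a raw RFC 5322 message."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if is_blocked(name):
            reasons.append(f"{name}: blocked extension")
        elif zipfile.is_zipfile(io.BytesIO(data)):  # detect by content, not file name
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as archive:
                    if any(info.flag_bits & 0x1 for info in archive.infolist()):
                        reasons.append(f"{name}: encrypted zip, contents cannot be scanned")
                    reasons += [f"{name}: contains {member}"
                                for member in archive.namelist() if is_blocked(member)]
            except zipfile.BadZipFile:
                reasons.append(f"{name}: unreadable zip")
    return ("quarantine" if reasons else "deliver"), reasons


def build_sample(filename, data):
    """Constructed test message carrying a single attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def zip_bytes(members):
    """Build an in-memory zip from a {name: bytes} mapping (constructed sample data)."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for member, data in members.items():
            archive.writestr(member, data)
    return buffer.getvalue()
```

Zip files nested inside other zip files are not opened here; a production rule should either recurse or quarantine archives that contain archives.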

If you’d like any assistance or guidance in implementing any of these measures in your environment, feel free to contact us, we’d be happy to help.

ConfigMgr CB 1610 released

In case you missed it with all the excitement that the end of year brings, Microsoft have released the latest build of ConfigMgr 1610 to all ConfigMgr customers.

Microsoft have released information on a number of features in this release that are going to improve projects I’m currently involved with, as well as some enhancements for ConfigMgr Admins’ day-to-day usage:

  • Windows 10 Upgrade Analytics integration allows you to assess and analyse device readiness and compatibility with Windows 10 to allow smoother upgrades.
  • Office 365 Servicing Dashboard and app deployment to clients features help you to deploy Office 365 apps to clients as well as track Office 365 usage and update deployments.
  • Software Updates Compliance Dashboard allows you to view the current compliance status of devices in your organization and quickly analyse the data to see which devices are at risk. Monitoring > Security > Software Updates Dashboard.
  • Client Peer Cache is a new built-in solution in Configuration Manager that allows clients to share content with other clients directly from their local cache with monitoring and troubleshooting capabilities.
  • Enhancements in Software Center including customizable branding in more dialogs, notifications of new software, improvements to the notification experience for high-impact task sequence deployments, and ability for users to request applications and view request history directly in Software Center.
  • New remote control features including performance optimization for remote control sessions and keyboard translation.

This release also includes new features for customers using Configuration Manager connected with Microsoft Intune. Some of the new features include:

  • New configuration item settings and improvements now only show settings that apply to the selected platform. We also added lots of new settings for Android (23), iOS (4), Mac (4), Windows 10 desktop and mobile (37), Windows 10 Team (7), Windows 8.1 (11), and Windows Phone 8.1 (3).
  • Lookout integration allows you to check a device’s compliance status based on its compliance with Lookout rules.
  • Request a sync from the admin console improvement allows you to request a policy sync on an enrolled mobile device from the Configuration Manager console.
  • Support for paid apps in Windows Store for Business allows you to add and deploy online-licensed paid apps in addition to the free apps in Windows Store for Business.

I’ve deployed the 1610 update at a couple of clients now in production use, and the upgrade has gone smoothly. Be prepared; the update can take a couple of hours to complete. I have hit one hurdle with implementing the new Office 365 Servicing Dashboard: the dashboard is stuck at loading data. This issue has been reported to Microsoft by several people and the product group is aware of it. This is unfortunate as this was one of the features that I believe will be beneficial for rolling out and managing Office 365.