MDT

New Security Intelligence Report, new data, new perspectives

The Deployment Guys - Tue, 10/29/2013 - 06:00

Today, Microsoft released volume 15 of the Microsoft Security Intelligence Report (SIRv15). The report analyzes malware, exploits and more based on data from more than a billion systems worldwide and some of the Internet’s busiest online services.

During the past year, as we were planning this volume of the Security Intelligence Report, and as we considered how to improve the breadth and accuracy of guidance given to our customers, we gave a lot of thought on how best to represent malware prevalence beyond the data provided in past reports.

We needed to establish a metric that measured the impact of malware based on our real-time protection products.

We already report on infection rates using a metric called computers cleaned per mille (CCM), which represents the number of computers cleaned for every 1,000 executions of the Malicious Software Removal Tool (MSRT). This helps us describe how widespread an infection is.

To better understand the range of threats that affect computers today, it’s increasingly valuable to consider infection attempts, including attempts that never result in infection. This data, which can only be provided by real-time security products, is measured by our new metric – the encounter rate. The encounter rate is the percent of computers running Microsoft real-time security products that come across, or encounter malware. When viewed together, the infection rate and the encounter rate provide different lenses to look at the malware landscape, assembling a picture that can contribute to a more informed risk assessment.

For example, one key finding to surface from the analysis of platforms by encounter rate and infection rate during the past year was that computers running Windows XP encountered about as much malware as Windows 7. However, Windows XP computers experienced many more infections than other operating systems. In fact, Windows XP had an infection rate that was six times higher than Windows 8.

Figure 1: Infection and encounter rates for Windows operating systems

Later today we will publish another blog which will dive deeper into the analysis of Windows XP, in light of the upcoming end of support date – April 8, 2014. Tim Rains also talks more about this issue in his latest blog.

In our analysis of the landscape we also separate out malware from potentially unwanted software, based on severity. This distinction is important, since high/severe threats are serious enough that our products will remove these threats from computers automatically. Moderate/low threats, which we categorize as potentially unwanted software in this SIR, depend on user action to quarantine or remove.

We also show trends for countries with the highest and lowest encounter rates for malware and potentially unwanted software. Some countries appear on highest and lowest lists for potentially unwanted software and not for malware. This helps draw conclusions about the effect of potentially unwanted software on certain regions, as well as helping zero-in on the severe threats facing different locations.

As we look at threats regionally, we see one country that rose to significance in many parts of our analysis. Between the second half of 2012 and the first half of 2013, Turkey’s encounter rate increased by more than 13 percent.  Exploits, miscellaneous trojans and worms were all encountered at higher levels in Turkey when compared with other regions globally. You can read further on our findings for Turkey and other countries in SIRv15.

 

Figure 2: Threat category prevalence worldwide and in the 10 locations with the most computers reporting detections in 2Q13. Totals for each location may exceed 100 percent because some computers reported threats from more than one category.

We also took a peek at the growing issue of ransomware - a type of malware designed to render a computer or its files unusable until the computer user pays a certain amount of money to the hacker. Often disguised as an official-looking warning from a well-known law enforcement agency, it accuses the computer user of committing a computer-related crime and demands that the user pay a fine via electronic money transfer to regain control of the computer.

We tracked the top ransomware families and found Win32/Reveton and Win32/Tobfy trending upward globally.

These are just a few of the many key findings contained in the latest report.  To download the Microsoft Security Intelligence Report Volume 15, visit www.microsoft.com/sir.

We hope you will read it, pass it on to others to read, and use it as a resource to take action and help protect your computer and your organization’s systems from malicious software.

Vidya Sekhar
MMPC

Categories: MDT

Some thoughts about System Center 2012 R2

Microsoft Deployment Toolkit Team Blog - Mon, 10/28/2013 - 15:44

As I’m sure everyone is aware, last week we released System Center 2012 R2. With this new release, I thought it would be a good idea to call attention to a great article written by Steve Bucci, one of our top Senior Support Escalation Engineers here on our System Center team. He wrote the article back in February of this year and it talks about how System Center is a team of products, and how it’s important to remember that all these separate components were designed to work better together. To borrow a phrase from Aristotle, it’s one of those things where the whole is greater than the sum of the parts. Steve’s article brings up points that you may want to reconsider with the release of System Center 2012 R2 so if you get a free minute sometime this week I’d invite you to give it a quick read.

System Center Assemble! Create your team of heroes with System Center 2012 SP1

J.C. Hornbeck | Solution Asset PM | Microsoft GBS Management and Security Division

Get the latest System Center news on Facebook and Twitter:

System Center All Up: http://blogs.technet.com/b/systemcenter/
System Center – Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
System Center – Data Protection Manager Team blog: http://blogs.technet.com/dpm/
System Center – Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
System Center – Operations Manager Team blog: http://blogs.technet.com/momteam/
System Center – Service Manager Team blog: http://blogs.technet.com/b/servicemanager
System Center – Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Windows Intune: http://blogs.technet.com/b/windowsintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
The AD RMS blog: http://blogs.technet.com/b/rmssupp/

App-V Team blog: http://blogs.technet.com/appv/
MED-V Team blog: http://blogs.technet.com/medv/
Server App-V Team blog: http://blogs.technet.com/b/serverappv

The Forefront Endpoint Protection blog: http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog: http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/

Categories: MDT

Our protection metrics - September results

Microsoft Deployment Toolkit Team Blog - Fri, 10/25/2013 - 21:08

Earlier this year, we started publishing a new set of metrics on our portal – An evaluation of our protection performance and capabilities. These metrics show month over month how we do in three areas: coverage, quality, and customer experience in protecting our customers.

And, since we started to publish the results on this page, I've had many great conversations with customers and partners alike, discussing what the results mean for their organization and their protections. In this post, I want to cover some of the most common taxonomy questions I was asked during those conversations and also discuss the results for September 2013.

First, let's dive into what the terms we use really mean:

  1. Coverage – the infection metric

    This is how we measure threat misses and infections. If we block a threat, that means we've protected our customers as expected and that's a win. Misses and infections show up as a red dot and the bar chart in red.

    Misses are threats we had early warning detections on (non-blocking detection), but by the time we determined them to be threats, they had either disappeared or changed into a different file on the computer.

    Infections are threats we detected and then had to remediate (instead of a block). We call these active because, according to our telemetry, they appeared to have some active running component when we detected them. On the positive side, our real-time protection detected and worked to remove the active threat. We continue to work on methods to determine the ways in which threats become active, for example, through vulnerability exploits, through another program that drops the malware, or through credential-based attacks so that we can further address these active threats and provide actionable information to customers about how to protect themselves.

    Here's why that's important. Many threats, like Conficker, show up as active because the threat uses passwords or exploits that were effective in compromising the system for a very brief moment in time. For example, 85% of Conficker infections on Windows 7 happen through credential-based attacks (read more about this Conficker case in SIRv12). When we detect a Conficker infection that was delivered this way (which happens immediately), we identify it as active because it was written by a system process compromised through a credential-based attack.

  2. Quality – Incorrect detections

    Incorrect detections happen when antimalware products incorrectly flag and misclassify a file as malware or unwanted software. The yellow dot and the other bar chart represent incorrect detections. In any given month, only an extremely small number of programs are incorrectly detected. In most months in 2013, for example, only 1 in a million customers experienced an incorrect detection - the percent of customers with incorrect detections was less than three zeros to the right of the decimal (<0.0001%).

  3. Customer experience

    With this criterion, we measure the performance implications of antimalware on the day-to-day activities that a person might perform – such as opening an application, browsing the web, downloading files, and playing games and multimedia. Latency perceptible by a human tends to land within the 50 to 100 millisecond range. In most months, most activities stay under 100 milliseconds of latency. This is the second graphic on our results page and it shows the customer experience when running the latest version of Windows Defender on the latest version of Windows 8. September's measurement reflects Windows 8.1.

To sum it up, the two graphics on our results page highlight the findings for coverage, quality, and customer experience (in terms of system performance). The first graphic shows protection coverage and quality for Microsoft's real-time protection products that cover home, small business, and enterprise, which represent approximately 150 million endpoints. The second graphic shows the performance implications when running the latest version of Windows Defender on the latest version of Windows 8. There is a great whitepaper that provides additional insights at this link.

And finally, let's talk about the September 2013 results:

  1. Coverage and top infections – September 2013

    In September, 0.17% of our customers encountered a miss (0.03%) or an infection (0.14%). This infection number was uncharacteristically high because of the resurgence of an old threat we currently call Sefnit. 44% of the active detections for the month were related to this Sefnit family. That's a very large percentage – in normal months, no one family represents more than 6% of active infections. As we investigated the threat, we noticed that the distributors of Sefnit were using some sneaky techniques to infect computers, including using installer programs that install legitimate software but occasionally install legitimate software with bonus material (Sefnit). Sefnit distributors are also modifying the appearance of components, such as sometimes using an obfuscator and then sometimes not.

  2. Incorrect detections – September 2013

    This month, only 0.00025% of customers were impacted by incorrect detections. This percentage was slightly above average. The driver for the slightly above-average impact was an incorrect detection on a 2009 version of the Microsoft Malicious Software Removal Tool.

  3. Customer experience – September 2013

    We consistently provide great performance for our customers using Microsoft antimalware products. In September 2013, the results have been consistent with the 50 to 100 milliseconds range.

Our goal is to provide great antimalware solutions for our consumer and business customers. I hope this blog demonstrates how committed we are to raising the bar for ourselves and others in the industry. We're monitoring our results, performance, and progress closely, prioritizing for real threats that might affect our customers and applying lessons learned to make our products even better. Plus, we support antimalware partners in order to build a strong and diverse ecosystem to fight malware – the true adversary.

Holly Stewart, Senior Program Management Lead, MMPC

Categories: MDT

Our protection metrics - September results

The Deployment Guys - Fri, 10/25/2013 - 21:08

Earlier this year, we started publishing a new set of metrics on our portal – An evaluation of our protection performance and capabilities. These metrics show month over month how we do in three areas: coverage, quality, and customer experience in protecting our customers.

And, since we started to publish the results on this page, I've had many great conversations with customers and partners alike, discussing what the results mean for their organization and their protections. In this post, I want to cover some of the most common taxonomy questions I was asked during those conversations and also discuss the results for September 2013.

First, let's dive into what the terms we use really mean:

  1. Coverage – the infection metric

    This is how we measure threat misses and infections. If we block a threat, that means we've protected our customers as expected and that's a win. Misses and infections show up as a red dot and the bar chart in red.

    Misses are threats we had early warning detections on (non-blocking detection), but by the time we determined it to be a threat, the threat had either disappeared or changed into a different file on the computer.

    Infections are threats we detected and then had to remediate (instead of a block). We call these active because, according to our telemetry, they appeared to have some active running component when we detected them. On the positive side, our real-time protection detected and worked to remove the active threat. We continue to work on methods to determine the ways in which threats become active, for example, through vulnerability exploits, through another program that drops the malware, or through credential-based attacks so that we can further address these active threats and provide actionable information to customers about how to protect themselves.

    Here's why that's important. Many threats, like Conficker, show up as active because the threat uses passwords or exploits that were effective in compromising the system for a very brief moment in time. For example, 85% of Conficker infections on Windows 7 happen through credential-based attacks (read more about this Conficker case in SIRv12). When we detect a Conficker infection that was delivered this way (which happens immediately), we identify it as active because it was written by a system process compromised through a credential-based attack.

  2. Quality – Incorrect detections

    Incorrect detections happen when antimalware products incorrectly flag and misclassify a file as malware or unwanted software. The yellow dot and the other bar chart represent incorrect detections. In any given month, only an extremely small number of programs are incorrectly detected. In most months in 2013, for example, only 1 in a million customers experienced an incorrect detection - the percent of customers with incorrect detections was less than three zeros to the right of the decimal (<0.0001%).

  3. Customer experience

    With this criterion, we measure the performance implications of antimalware on the day-to-day activities that a person might perform – such as opening an application, browsing the web, downloading files, and playing games and multimedia. Latency perceptible by a human tends to land within the 50 to 100 millisecond range. In most months, most activities stay under 100 milliseconds latency. This is the second graphic on our results page and it shows the customer experience when running the latest version of Windows Defender on the latest version of Windows 8. September's measurement reflects Windows 8.1.

To sum it up, the two graphics on our results page highlight the findings for coverage, quality, and customer experience (in terms of system performance). The first graphic shows protection coverage and quality for Microsoft's real-time protection products that cover home, small business, and enterprise, which represent approximately 150 million endpoints. The second graphic shows the performance implications when running the latest version of Windows Defender on the latest version of Windows 8. There is a great whitepaper that provides additional insights at this link.

And finally, let's talk about the September 2013 results:

  1. Coverage and top infections – September 2013

    In September, 0.17% of our customers encountered a miss (0.03%) or an infection (0.14%). This infection number was uncharacteristically high because of the resurgence of an old threat we currently call Sefnit. 44% of the active detections for the month were related to this Sefnit family. That's a very large percentage – on normal months, no one family represents more than 6% of active infections. As we investigated the threat, we noticed that the distributors of Sefnit were using some sneaky techniques to infect computers, including using installer programs that install legitimate software but occasionally install legitimate software with bonus material (Sefnit). Sefnit distributors are also modifying the appearance of components, such as sometimes using an obfuscator and then sometimes not.

  2. Incorrect detections – September 2013

    This month, only 0.00025% of customers were impacted due to incorrect detections. This percentage was slightly above average. The driver for the slightly above average impact was an incorrect detection on a 2009 version of the Microsoft Malicious Software Removal Tool.

  3. Customer experience – September 2013

    We consistently provide great performance for our customers using Microsoft antimalware products. In September 2013, the results have been consistent with the 50 to 100 milliseconds range.

Our goal is to provide great antimalware solutions for our consumer and business customers. I hope this blog demonstrates how committed we are in raising the bar for ourselves and others in the industry for doing so. We're monitoring our results, performance, and progress closely, prioritizing for real threats that might affect our customers and applying lessons learned to make our products even better. Plus, we support antimalware partners in order to build a strong and diverse ecosystem to fight malware – the true adversary.

Holly Stewart, Senior Program Management Lead, MMPC

Categories: MDT

Configuring Faster Live Migration in Windows Server 2012 R2

Virtual PC Guy's WebLog - Fri, 10/25/2013 - 12:47

On Monday I gave a quick introduction to the faster live migration technologies in Windows Server 2012 R2.  Before I start getting into how this all works and what the things to consider are, let's talk about how you configure it.

By default – when you install (or upgrade to) Windows Server 2012 R2 we will enable faster live migration with compression.  If you want to use faster live migration with RDMA this is something you will need to configure directly.  Using the inbox management tools for Hyper-V you can do this either through the graphical user interface:

Here you open the Hyper-V Settings on each server, expand the Live Migrations section and select Advanced Features.  You can then select the appropriate Performance options setting for your environment.

You can also do this through PowerShell by accessing the VirtualMachineMigrationPerformanceOption property on the VMHost object.  You can read and set this property using Get-VMHost and Set-VMHost as shown below:

You can also configure these options through System Center Virtual Machine Manager 2012 R2.  In the graphical user interface you can open the properties on the Hyper-V host and change to the Migration Settings page.  Here you will see the live migration Performance option section.

With System Center Virtual Machine Manager 2012 R2 PowerShell you can use the Get-SCVMHost and Set-SCVMHost commands to configure the MigrationPerformanceOption on each host as shown below.

One nice aspect of the System Center Virtual Machine Manager PowerShell commands is that it is quite easy to change this setting on multiple Hyper-V servers at once.  This is important as you need to have the same live migration performance option configured on all Hyper-V hosts in order to get the behavior that you want.

Cheers,
Ben

Categories: MDT
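
The Get-VMHost / Set-VMHost configuration described in the live migration post above, with a check that every host carries the same setting. This is an added example, not code from the original post; the function names and host names are assumptions, and the `SMB` value is the setting that uses RDMA-capable adapters.

```powershell
# Added example (not from the original post). Requires the Hyper-V PowerShell module
# on Windows Server 2012 R2. Host names passed in are placeholders chosen by the caller.

function Get-LiveMigrationOption {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string[]] $ComputerName,

        # Values accepted by Set-VMHost -VirtualMachineMigrationPerformanceOption
        [ValidateSet('TCPIP', 'Compression', 'SMB')]
        [string] $Desired = 'Compression'
    )

    foreach ($name in $ComputerName) {
        try {
            $vmHost  = Get-VMHost -ComputerName $name -ErrorAction Stop
            $current = [string] $vmHost.VirtualMachineMigrationPerformanceOption
            [pscustomobject]@{
                ComputerName      = $name
                MigrationEnabled  = $vmHost.VirtualMachineMigrationEnabled
                PerformanceOption = $current
                MatchesDesired    = ($current -eq $Desired)
                Error             = $null
            }
        }
        catch {
            # Unreachable host or insufficient rights: report it instead of skipping it,
            # because one unchecked host is enough to break the expected behavior.
            [pscustomobject]@{
                ComputerName      = $name
                MigrationEnabled  = $null
                PerformanceOption = $null
                MatchesDesired    = $false
                Error             = $_.Exception.Message
            }
        }
    }
}

function Set-LiveMigrationOption {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string[]] $ComputerName,

        [Parameter(Mandatory = $true)]
        [ValidateSet('TCPIP', 'Compression', 'SMB')]
        [string] $Desired
    )

    $report = Get-LiveMigrationOption -ComputerName $ComputerName -Desired $Desired

    foreach ($entry in $report) {
        if ($entry.Error) {
            Write-Warning "Skipping $($entry.ComputerName): $($entry.Error)"
            continue
        }
        if ($entry.MatchesDesired) {
            continue    # already configured as requested
        }
        if ($PSCmdlet.ShouldProcess($entry.ComputerName,
                "Set live migration performance option to $Desired")) {
            Set-VMHost -ComputerName $entry.ComputerName `
                       -VirtualMachineMigrationPerformanceOption $Desired
        }
    }

    # Re-read every host so the caller sees the resulting state, including failures
    Get-LiveMigrationOption -ComputerName $ComputerName -Desired $Desired
}

# Usage (placeholder host names); -WhatIf shows what would change without changing it:
#   Get-LiveMigrationOption -ComputerName 'hv01','hv02' -Desired Compression | Format-Table
#   Set-LiveMigrationOption -ComputerName 'hv01','hv02' -Desired Compression -WhatIf
```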

Hyper-V Poster Updates

Virtual PC Guy's WebLog - Thu, 10/24/2013 - 13:02

There are a number of things happening with the ever popular Hyper-V architectural posters at the moment.  First, last week updated Hyper-V architectural posters for Windows Server 2012 R2 were made available here: http://www.microsoft.com/download/details.aspx?id=40732

One neat detail to call out is that you can now download the entire poster, or just the individual sections of the poster.  We made this change as we had a lot of people asking us to make it easier to print this stuff out on a standard office printer – so the smaller sections should print comfortably on a single sheet of A4 / Foolscap.

On top of this – an updated version of the Posterpedia app is now available.  You can install it from here: http://aka.ms/sposterpedia

This is a Windows 8 application that gives you full access to all of the Windows architectural posters that have been released over the last couple of years.  Apart from the obvious fact that it is a convenient way to take these posters with you when you are on the road – I like this application for two reasons:

  • Older architectural posters are all included, and they are often still accurate and helpful.  I was looking at the Hyper-V poster that we published for Windows Server 2008 R2 the other day and it is full of information that is still useful and relevant.
  • As you drill down into each poster – you can link directly to more detailed information that is available on TechNet.  This really helps if you identify an interesting area where you need to know more.

Cheers,
Ben

Categories: MDT

Nice to Know: Upgrade Sequencing for System Center 2012 R2

The Deployment Bunny - Tue, 10/22/2013 - 02:24

Microsoft has just released information on how to upgrade the System Center 2012 stack. Now BEFORE you start, you need to figure out where to start and what’s to be done in other System Center products at the same time. In many cases you will not be able to upgrade the entire stack at the same time; therefore all interactions between them need to be taken seriously. As an example, if you do have Orchestrator integration, you need to upgrade the OR server first, but it does not mean all the OIPS should be upgraded; they should of course be upgraded when the corresponding SC2012R2 system gets updated, so there is a lot to think about…

The link is here http://technet.microsoft.com/en-us/library/dn521010.aspx

Some highlights:

Orchestrator: http://technet.microsoft.com/en-us/library/jj628201.aspx

  • If Orchestrator is part of your environment, then Orchestrator will be the first component that you upgrade.

Service Manager: http://technet.microsoft.com/en-us/library/jj628207.aspx

Data Protection Manager: http://technet.microsoft.com/en-us/library/jj628208.aspx

  • There are some new features that are available with Data Protection Manager (DPM) that are only available when using Windows Server 2012.

Operations Manager: http://technet.microsoft.com/en-us/library/jj628193.aspx

After you upgrade Operations Manager, you might have to install the Operations Manager console on some of the down-level components.

  • There are some new features that are available with Operations Manager that are only available when using Windows Server 2012.

Configuration Manager: http://technet.microsoft.com/en-us/library/jj628195.aspx

Virtual Machine Manager and App Controller: http://technet.microsoft.com/en-us/library/jj628212.aspx


Categories: MDT

Removing Windows 8.1 Built-in Applications

The Deployment Guys - Mon, 10/21/2013 - 18:21

Last year I published a PowerShell script that is designed to remove the built-in Windows 8 applications when creating a Windows 8 image. Well now that Windows 8.1 has been released we must update the PowerShell script to work with Windows 8.1.

The script below takes a simple list of Apps and then removes the provisioned package and the package that is installed for the Administrator. To adjust the script for your requirements simply update the $AppsList comma separated list to include the Apps you want to remove. The script is designed to work as part of an MDT or Configuration Manager task sequence. If it detects that you are running the script within a task sequence it will log to the task sequence folder; otherwise it will log to the Windows\temp folder.

<#    
    ************************************************************************************************************
    Purpose:    Remove built in apps specified in list
    Pre-Reqs:    Windows 8.1
    ************************************************************************************************************
#>

#---------------------------------------------------------------------------------------------------------------
# Main Routine
#---------------------------------------------------------------------------------------------------------------

# Get log path. Will log to Task Sequence log folder if the script is running in a Task Sequence
# Otherwise log to \windows\temp

try
{
    $tsenv = New-Object -COMObject Microsoft.SMS.TSEnvironment
    $logPath = $tsenv.Value("LogPath")
}
catch
{
    Write-Host "This script is not running in a task sequence"
    $logPath = $env:windir + "\temp"
}

$logFile = "$logPath\$($myInvocation.MyCommand).log"

# Start logging
Start-Transcript $logFile
Write-Host "Logging to $logFile"

# List of Applications that will be removed
$AppsList = "microsoft.windowscommunicationsapps","Microsoft.BingFinance","Microsoft.BingMaps",
    "Microsoft.BingWeather","Microsoft.ZuneVideo","Microsoft.ZuneMusic","Microsoft.Media.PlayReadyClient.2",
    "Microsoft.XboxLIVEGames","Microsoft.HelpAndTips","Microsoft.BingSports",
    "Microsoft.BingNews","Microsoft.BingFoodAndDrink","Microsoft.BingTravel","Microsoft.WindowsReadingList",
    "Microsoft.BingHealthAndFitness","Microsoft.WindowsAlarms","Microsoft.Reader","Microsoft.WindowsCalculator",
    "Microsoft.WindowsScan","Microsoft.WindowsSoundRecorder","Microsoft.SkypeApp"

ForEach ($App in $AppsList)
{
    # Remove the package installed for the account running the script
    $Packages = Get-AppxPackage | Where-Object {$_.Name -eq $App}
    if ($null -ne $Packages)
    {
        Write-Host "Removing Appx Package: $App"
        foreach ($Package in $Packages)
        {
            Remove-AppxPackage -package $Package.PackageFullName
        }
    }
    else
    {
        Write-Host "Unable to find package: $App"
    }

    # Remove the provisioned package so the app is not installed for new user profiles
    $ProvisionedPackage = Get-AppxProvisionedPackage -online | Where-Object {$_.displayName -eq $App}
    if ($null -ne $ProvisionedPackage)
    {
        Write-Host "Removing Appx Provisioned Package: $App"
        Remove-AppxProvisionedPackage -online -packagename $ProvisionedPackage.PackageName
    }
    else
    {
        Write-Host "Unable to find provisioned package: $App"
    }
}

# Stop logging
Stop-Transcript

For more information on adding and removing apps please refer to this TechNet article.

This post was contributed by Ben Hunter, a Senior Product Marketing Manager with Microsoft

Disclaimer: The information on this site is provided "AS IS" with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of included script samples are subject to the terms specified in the Terms of Use.

Categories: MDT

The ADK for Windows 8.1 has been updated

With the general availability of Windows 8.1, a new update to the Assessment and Deployment Kit for Windows 8.1 has been posted to the Microsoft Download Center.  See http://msdn.microsoft.com/en-us/library/windows/hardware/hh825613.aspx for more information about the changes.  (Two of interest to most IT pros affect USMT and WIMGAPI.)

If you downloaded and installed the ADK for Windows 8.1 prior to 10/18, you will want to repeat the process to update to the most current version.  Here’s what you need to do:

  • Download the ADKSETUP.EXE again from http://www.microsoft.com/en-us/download/details.aspx?id=39982 and execute it.  (This new version knows about the updated components.  If you get an error saying that an older version is installed, then you weren’t running the RTM version of the ADK for Windows 8.1; you would need to manually uninstall that version before continuing.)
  • Choose the option to “Install new or updated features”:
  • Accept the license agreement, then select from the list of updated components (changed ones are marked with red asterisks):
  • Click “Install” to install the updated components.

While there are updates shown to all the components listed above, the only ones that were actually changed are the Deployment Tools (containing WIMGAPI), User State Migration Tool (USMT), and Windows Assessment Services (not installed in this case, which is why it isn’t marked above).

Categories: MDT

Faster Live Migration in Windows Server 2012 R2

Virtual PC Guy's WebLog - Mon, 10/21/2013 - 13:03

There are a number of interesting new features in Hyper-V in Windows Server 2012 R2.  One of the ones that I was directly involved in was the work to make live migration faster.

Now, most people are pretty impressed with live migration today.  After all – it lets you move virtual machines between physical servers with zero downtime.  What could be better?  But as people are investing more and more in virtualization, and taking advantage of all the functionality that virtualization can provide, we are discovering new issues that need to be tackled.

In the case of live migration – it is already pretty fast and simple to live migrate a single virtual machine.  But that is not how live migration is used by most people.  Live migration is most frequently used to enable patch deployment to your virtualization fabric without needing to stop any virtual machines.  It is also used to dynamically redistribute virtual machine load on your fabric.  In both of these cases you are not live migrating a single virtual machine, but large numbers of virtual machines (and possibly all of your virtual machines).

It does not take long before the time to perform a live migration becomes noticeable in these scenarios.

For example: performing a zero downtime patch deployment in an 8 node Hyper-V cluster with 128 GB of memory per node will require that around a terabyte of data is transferred.  With Windows Server 2012 this operation would take 12 to 24 hours to complete (depending on your infrastructure).  And those numbers just get larger as your virtualization deployment grows.

It is for this reason that we decided that we needed to make live migration faster in Windows Server 2012 R2.  We are doing this by providing two new options for live migration:

  • Live migration with compression:  Here we utilize spare CPU capacity in the host operating system to reduce the amount of data that gets sent as part of the live migration.  In testing this has yielded a 2x to 4x performance improvement without any changes to the virtualization hardware or network configuration.
  • Live migration with RDMA: Here we take advantage of RDMA enabled hardware to deliver amazing performance for live migration, with zero CPU impact.

I will be going deep on these two approaches in the next week or two – but in the meantime you can see them demonstrated in this recording of me speaking at TechEd Australia this year:

These features are demonstrated at 26:30 on the above video.

Cheers,
Ben

Categories: MDT

Microsoft Deployment Toolkit 2013 Now Available

Microsoft Deployment Toolkit Team Blog - Mon, 10/21/2013 - 11:00

The Client Management team is pleased to announce the availability of the Microsoft Deployment Toolkit (MDT) 2013. The installer, release notes and updated documentation are available now on the Microsoft Download Center.

MDT 2013 requires the use of the Windows ADK for Windows 8.1 which is also available for download.

We encourage you to download and use this new version for deploying Windows 8.1, Windows 8 and Windows 7, and integrating with System Center 2012 R2 Configuration Manager. You can also continue to submit feedback via the MDT group of the Client Management program on Connect.

Additionally, please note the MDT Support Lifecycle is also now available.

As always, visit www.microsoft.com/mdt for more information on the Microsoft Deployment Toolkit.

--Aaron Czechowski, Senior Program Manager (@AaronCzechowski)

This posting is provided "AS IS" with no warranties and confers no rights.

 

Categories: MDT
