Month: September 2024
Deploy Secure Azure AI Studio with a Managed Virtual Network
This article and the companion sample demonstrate how to set up an Azure AI Studio environment with managed identity and Azure RBAC to connected Azure AI Services and dependent resources and with the managed virtual network isolation mode set to Allow Internet Outbound. For more information, see How to configure a managed network for Azure AI Studio hubs.
You can use the Bicep templates in this GitHub repository to deploy the following Azure resources:
| Resource | Type | Description |
|---|---|---|
| Azure Application Insights | Microsoft.Insights/components | An Azure Application Insights instance associated with the Azure AI Studio workspace |
| Azure Monitor Log Analytics | Microsoft.OperationalInsights/workspaces | An Azure Log Analytics workspace used to collect diagnostics logs and metrics from Azure resources |
| Azure Key Vault | Microsoft.KeyVault/vaults | An Azure Key Vault instance associated with the Azure AI Studio workspace |
| Azure Storage Account | Microsoft.Storage/storageAccounts | An Azure Storage instance associated with the Azure AI Studio workspace |
| Azure Container Registry | Microsoft.ContainerRegistry/registries | An Azure Container Registry instance associated with the Azure AI Studio workspace |
| Azure AI Hub / Project | Microsoft.MachineLearningServices/workspaces | An Azure AI Studio Hub and Project (Azure ML Workspace of kind ‘hub’ and ‘project’) |
| Azure AI Services | Microsoft.CognitiveServices/accounts | An Azure AI Services as the model-as-a-service endpoint provider including GPT-4o and ADA Text Embeddings model deployments |
| Azure Virtual Network | Microsoft.Network/virtualNetworks | A bring-your-own (BYO) virtual network hosting a jumpbox virtual machine to manage Azure AI Studio |
| Azure Bastion Host | Microsoft.Network/virtualNetworks | A Bastion Host defined in the BYO virtual network that provides RDP connectivity to the jumpbox virtual machine |
| Azure NAT Gateway | Microsoft.Network/natGateways | An Azure NAT Gateway that provides outbound connectivity to the jumpbox virtual machine |
| Azure Private Endpoints | Microsoft.Network/privateEndpoints | Azure Private Endpoints defined in the BYO virtual network for Azure Container Registry, Azure Key Vault, Azure Storage Account, and Azure AI Hub Workspace |
| Azure Private DNS Zones | Microsoft.Network/privateDnsZones | Azure Private DNS Zones are used for the DNS resolution of the Azure Private Endpoints |
You can select a different version of the GPT model by specifying the openAiDeployments parameter in the main.bicepparam parameters file. For details on the models available in various Azure regions, please refer to the Azure OpenAI Service models documentation.
The default deployment includes an Azure Container Registry resource. However, if you wish not to deploy an Azure Container Registry, you can simply set the acrEnabled parameter to false.
When you enable managed virtual network isolation, a managed virtual network is created for the hub workspace. Any managed compute resources you create for the hub, for example the virtual machines of online endpoint managed deployment, will automatically use this managed virtual network. The managed virtual network can also utilize Azure Private Endpoints for Azure resources that your hub depends on, such as Azure Storage, Azure Key Vault, and Azure Container Registry. There are three different configuration modes for outbound traffic from the managed virtual network:
| Outbound mode | Description | Scenarios |
|---|---|---|
| Allow internet outbound | Allow all internet outbound traffic from the managed virtual network. | You want unrestricted access to machine learning resources on the internet, such as python packages or pretrained models. |
| Allow only approved outbound | Outbound traffic is allowed by specifying service tags. | You want to minimize the risk of data exfiltration, but you need to prepare all required machine learning artifacts in your private environment.<br>You want to configure outbound access to an approved list of services, service tags, or FQDNs. |
| Disabled | Inbound and outbound traffic isn’t restricted. | You want public inbound and outbound from the hub. |
The Bicep templates in the companion sample demonstrate how to deploy an Azure AI Studio environment with the hub workspace’s managed network isolation mode configured to Allow Internet Outbound.
The Azure Private Endpoints and Private DNS Zones in the hub workspace managed virtual network are automatically created for you, while the Bicep templates create the Azure Private Endpoints and relative Private DNS Zones in the client virtual network.
When you provision the hub workspace of your Azure AI Studio with an isolation mode equal to the Allow Internet Outbound isolation mode, the managed virtual network and the Azure Private Endpoints to the dependent resources will not be created if public network access of Azure Key Vault, Azure Container Registry, and Azure Storage Account dependent resources is enabled.
The creation of the managed virtual network is deferred until a compute resource is created or provisioning is manually started. When allowing automatic creation, it can take around 30 minutes to create the first compute resource as it is also provisioning the network. For more information, see Manually provision workspace managed VNet.
If you initially create Azure Key Vault, Azure Container Registry, and Azure Storage Account dependent resources with public network enabled and then decide to disable it later, the managed virtual network will not be automatically provisioned if it is not already provisioned, and the private endpoints to the dependent resources will not be created.
In this case, if you want to create the private endpoints to the dependent resources, you need to reprovision the hub managed virtual network in one of the following ways:
Redeploy the hub workspace using Bicep or Terraform templates. If the isolation mode is set to Allow Internet Outbound and the dependent resources referenced by the hub workspace have public network access disabled, this operation will trigger the creation of the managed virtual network, if it does not already exist, and the private endpoints to the dependent resources.
Execute the az ml workspace provision-network Azure CLI command to reprovision the managed virtual network. The private endpoints will be created with the managed virtual network if the public network access of the dependent resources is disabled.
Go to the Azure Portal and select your Azure AI hub.
Click on Settings and then Networking.
Open the Workspace managed outbound access tab.
Expand the section titled Required outbound rules.
Here, you will find the private endpoints that are connected to the resources within the hub managed virtual network. Ensure that these private endpoints are active.
You can also see the private endpoints hosted by the managed virtual network of your hub workspace inside the Networking settings of individual dependent resources, for example Key Vault:
Go to the Azure Portal and select your Azure Key Vault.
Click on Settings and then Networking.
Open the Private endpoint connections tab.
Here, you will find the private endpoint created by the Bicep templates in the client virtual network along with the private endpoint created in the hub managed virtual network of the hub.
Also note that when you create a hub workspace with the Allow Internet Outbound isolation mode, the creation of the managed network is not immediate to save costs. The managed virtual network needs to be manually triggered via the az ml workspace provision-network command, or it will be triggered when you create a compute resource or private endpoints to dependent resources.
At this time, the creation of an online endpoint does not automatically trigger the creation of a managed virtual network. An error occurs if you try to create an online deployment in a workspace that has the workspace managed VNet enabled but not yet provisioned. The workspace managed VNet should be provisioned before you create an online deployment. Follow the instructions to manually provision the workspace managed VNet. Once completed, you may start creating online deployments. For more information, see Network isolation with managed online endpoint and Secure your managed online endpoints with network isolation.
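A pre-flight check for the manual provisioning step described above, as an added example that is not part of the companion sample: it refuses to run az ml workspace provision-network while any dependent resource still has public network access enabled, because in that state the private endpoints to those resources are not created. The script name, the function names and the resource names passed on the command line are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the companion sample.
# Usage: ./provision-hub-network.sh <resource-group> <hub> <key-vault> <storage-account> [<acr>]
# (script name and arguments are placeholders chosen for this example)

# public_resources NAME=VALUE ...
# Prints the names whose publicNetworkAccess value is anything other than
# "Disabled". Empty or unknown values count as public, so the check fails closed.
public_resources() (
  out=""
  for pair in "$@"; do
    name=${pair%%=*}
    value=$(printf '%s' "${pair#*=}" | tr '[:upper:]' '[:lower:]')
    [ "$value" = "disabled" ] || out="${out:+$out }$name"
  done
  printf '%s\n' "$out"
)

# provision_managed_network RG HUB KEYVAULT STORAGE [ACR]
provision_managed_network() {
  rg=$1; hub=$2; kv=$3; st=$4; acr=${5:-}

  # Collect the current public network access setting of each dependent resource.
  set -- \
    "keyvault=$(az keyvault show --name "$kv" --resource-group "$rg" \
        --query properties.publicNetworkAccess --output tsv)" \
    "storage=$(az storage account show --name "$st" --resource-group "$rg" \
        --query publicNetworkAccess --output tsv)"
  if [ -n "$acr" ]; then   # acrEnabled may be false, so the registry is optional
    set -- "$@" "acr=$(az acr show --name "$acr" --resource-group "$rg" \
        --query publicNetworkAccess --output tsv)"
  fi

  still_public=$(public_resources "$@")
  if [ -n "$still_public" ]; then
    echo "Public network access is still enabled on: $still_public" >&2
    echo "Private endpoints to these resources would not be created; aborting." >&2
    return 1
  fi

  # All dependent resources are private: provision the managed virtual network.
  az ml workspace provision-network --name "$hub" --resource-group "$rg"
}

# Only talk to Azure when called with arguments.
if [ "$#" -ge 4 ]; then
  provision_managed_network "$@"
fi
```

Run it before creating the first online deployment, so the deployment does not fail on an unprovisioned managed VNet.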
The current limitations of managed virtual network are:
Azure AI Studio currently doesn’t support bringing your own virtual network, it only supports managed virtual network isolation.
Once you enable managed virtual network isolation of your Azure AI, you can’t disable it.
Managed virtual network uses private endpoint connections to access your private resources. You can’t have a private endpoint and a service endpoint at the same time for your Azure resources, such as a storage account. We recommend using private endpoints in all scenarios.
The managed virtual network is deleted when the Azure AI is deleted.
Data exfiltration protection is automatically enabled for the Allow only approved outbound mode. If you add other outbound rules, such as to FQDNs, Microsoft can’t guarantee that you’re protected from data exfiltration to those outbound destinations.
Using FQDN outbound rules increases the cost of the managed virtual network because FQDN rules use Azure Firewall. For more information, see Pricing.
FQDN outbound rules only support ports 80 and 443.
When using a compute instance with a managed network, use the az ml compute connect-ssh command to connect to the compute using SSH.
According to the documentation, the hub managed virtual network feature is free. However, you will be charged for the following resources used by the managed virtual network:
Azure Private Link – Private endpoints used to secure communications between the managed virtual network and Azure resources rely on Azure Private Link. For more information on pricing, see Azure Private Link pricing.
FQDN outbound rules – FQDN outbound rules are implemented using Azure Firewall. If you use outbound FQDN rules, charges for Azure Firewall are included in your billing. Azure Firewall SKU is standard. Azure Firewall is provisioned per hub.
NOTE
The firewall isn’t created until you add an outbound FQDN rule. If you don’t use FQDN rules, you will not be charged for Azure Firewall. For more information on pricing, see Azure Firewall pricing.
The jumpbox virtual machine is deployed with the Windows 11 operating system and the Microsoft.Azure.ActiveDirectory VM extension, a specialized extension for integrating Azure virtual machines (VMs) with Microsoft Entra ID. This integration provides several key benefits, particularly in enhancing security and simplifying access management. Here’s an overview of the features and benefits of this VM extension:
Enables users to sign in to a Windows or Linux virtual machine using their Microsoft Entra ID credentials.
Facilitates single sign-on (SSO) experiences, reducing the need for managing separate local VM accounts.
Supports multi-factor authentication, increasing security by requiring additional verification steps during login.
Integrates with Azure RBAC, allowing administrators to assign specific roles to users, thereby controlling the level of access and permissions on the virtual machine.
Allows administrators to apply conditional access policies to the VM, enhancing security by enforcing controls such as trusted device requirements, location-based access, and more.
Eliminates the need to manage local administrator accounts, simplifying VM management and reducing overhead.
For more information, see Sign in to a Windows virtual machine in Azure by using Microsoft Entra ID including passwordless.
Make sure to enforce multi-factor authentication on your user account in your Microsoft Entra ID Tenant.
Then, specify at least an authentication method in addition to the password for the user account, for example the phone number.
To log in to the jumpbox virtual machine using a Microsoft Entra ID tenant user, you need to assign one of the following Azure roles to determine who can access the VM. To assign these roles, you must have the Virtual Machine Data Access Administrator role, or any role that includes the Microsoft.Authorization/roleAssignments/write action, such as the Role Based Access Control Administrator role. If you choose a role other than the Virtual Machine Data Access Administrator, it is recommended to add a condition to limit the permission to create role assignments.
Virtual Machine Administrator Login: Users who have this role assigned can sign in to an Azure virtual machine with administrator privileges.
Virtual Machine User Login: Users who have this role assigned can sign in to an Azure virtual machine with regular user privileges.
To allow a user to sign in to the jumpbox virtual machine over RDP, you must assign the Virtual Machine Administrator Login or Virtual Machine User Login role to the user at the subscription, resource group, or virtual machine level. The virtualMachine.bicep module assigns the Virtual Machine Administrator Login to the user identified by the userObjectId parameter.
To log in to the jumpbox virtual machine via Azure Bastion Host using a Microsoft Entra ID tenant user with multi-factor authentication, you can use the az network bastion rdp command as follows:
```bash
az network bastion rdp \
  --name <bastion-host-name> \
  --resource-group <resource-group-name> \
  --target-resource-id <virtual-machine-resource-id> \
  --auth-type AAD
```
After logging in to the virtual machine, if you open the Edge browser and navigate to the Azure Portal or Azure AI Studio, the browser profile will automatically be configured to the tenant user account used for the VM login.
Specify a value for the required parameters in the main.bicepparam parameters file before deploying the Bicep modules. The following table lists the name, type, and description of the parameters:
| Name | Type | Description |
|---|---|---|
| prefix | string | Specifies the name prefix for all the Azure resources. |
| suffix | string | Specifies the name suffix for all the Azure resources. |
| location | string | Specifies the location for all the Azure resources. |
| hubName | string | Specifies the name of the Azure AI Hub workspace. |
| hubFriendlyName | string | Specifies the friendly name of the Azure AI Hub workspace. |
| hubDescription | string | Specifies the description for the Azure AI Hub workspace displayed in Azure AI Studio. |
| hubIsolationMode | string | Specifies the isolation mode for the managed network of the Azure AI Hub workspace. |
| hubPublicNetworkAccess | string | Specifies the public network access for the Azure AI Hub workspace. |
| connectionAuthType | string | Specifies the authentication method for the OpenAI Service connection. |
| systemDatastoresAuthMode | string | Determines whether to use credentials for the system datastores of the workspace workspaceblobstore and workspacefilestore. |
| projectName | string | Specifies the name for the Azure AI Studio Hub Project workspace. |
| projectFriendlyName | string | Specifies the friendly name for the Azure AI Studio Hub Project workspace. |
| projectPublicNetworkAccess | string | Specifies the public network access for the Azure AI Project workspace. |
| logAnalyticsName | string | Specifies the name of the Azure Log Analytics resource. |
| logAnalyticsSku | string | Specifies the service tier of the workspace: Free, Standalone, PerNode, Per-GB. |
| logAnalyticsRetentionInDays | int | Specifies the workspace data retention in days. |
| applicationInsightsName | string | Specifies the name of the Azure Application Insights resource. |
| aiServicesName | string | Specifies the name of the Azure AI Services resource. |
| aiServicesSku | object | Specifies the resource model definition representing SKU. |
| aiServicesIdentity | object | Specifies the identity of the Azure AI Services resource. |
| aiServicesCustomSubDomainName | string | Specifies an optional subdomain name used for token-based authentication. |
| aiServicesDisableLocalAuth | bool | Specifies whether to disable the local authentication via API key. |
| aiServicesPublicNetworkAccess | string | Specifies whether or not public endpoint access is allowed for this account. |
| openAiDeployments | array | Specifies the OpenAI deployments to create. |
| keyVaultName | string | Specifies the name of the Azure Key Vault resource. |
| keyVaultNetworkAclsDefaultAction | string | Specifies the default action of allow or deny when no other rules match for the Azure Key Vault resource. |
| keyVaultEnabledForDeployment | bool | Specifies whether the Azure Key Vault resource is enabled for deployments. |
| keyVaultEnabledForDiskEncryption | bool | Specifies whether the Azure Key Vault resource is enabled for disk encryption. |
| keyVaultEnabledForTemplateDeployment | bool | Specifies whether the Azure Key Vault resource is enabled for template deployment. |
| keyVaultEnableSoftDelete | bool | Specifies whether soft delete is enabled for this Azure Key Vault resource. |
| keyVaultEnablePurgeProtection | bool | Specifies whether purge protection is enabled for this Azure Key Vault resource. |
| keyVaultEnableRbacAuthorization | bool | Specifies whether to enable the RBAC authorization for the Azure Key Vault resource. |
| keyVaultSoftDeleteRetentionInDays | int | Specifies the soft delete retention in days. |
| acrEnabled | bool | Specifies whether to create the Azure Container Registry. |
| acrName | string | Specifies the name of the Azure Container Registry resource. |
| acrAdminUserEnabled | bool | Enables the admin user that has push/pull permission to the registry. |
| acrPublicNetworkAccess | string | Specifies whether to allow public network access. Defaults to Enabled. |
| acrSku | string | Specifies the tier of your Azure Container Registry. |
| acrAnonymousPullEnabled | bool | Specifies whether or not registry-wide pull is enabled from unauthenticated clients. |
| acrDataEndpointEnabled | bool | Specifies whether or not a single data endpoint is enabled per region for serving data. |
| acrNetworkRuleSet | object | Specifies the network rule set for the container registry. |
| acrNetworkRuleBypassOptions | string | Specifies whether to allow trusted Azure services to access a network-restricted registry. |
| acrZoneRedundancy | string | Specifies whether or not zone redundancy is enabled for this container registry. |
| storageAccountName | string | Specifies the name of the Azure Storage Account resource. |
| storageAccountAccessTier | string | Specifies the access tier of the Azure Storage Account resource. The default value is Hot. |
| storageAccountAllowBlobPublicAccess | bool | Specifies whether the Azure Storage Account resource allows public access to blobs. The default value is false. |
| storageAccountAllowSharedKeyAccess | bool | Specifies whether the Azure Storage Account resource allows shared key access. The default value is true. |
| storageAccountAllowCrossTenantReplication | bool | Specifies whether the Azure Storage Account resource allows cross-tenant replication. The default value is false. |
| storageAccountMinimumTlsVersion | string | Specifies the minimum TLS version to be permitted on requests to the Azure Storage account. The default value is TLS1_2. |
| storageAccountANetworkAclsDefaultAction | string | The default action of allow or deny when no other rules match. |
| storageAccountSupportsHttpsTrafficOnly | bool | Specifies whether the Azure Storage Account resource should only support HTTPS traffic. |
| virtualNetworkResourceGroupName | string | Specifies the name of the resource group hosting the virtual network and private endpoints. |
| virtualNetworkName | string | Specifies the name of the virtual network. |
| virtualNetworkAddressPrefixes | string | Specifies the address prefixes of the virtual network. |
| vmSubnetName | string | Specifies the name of the subnet which contains the virtual machine. |
| vmSubnetAddressPrefix | string | Specifies the address prefix of the subnet which contains the virtual machine. |
| vmSubnetNsgName | string | Specifies the name of the network security group associated with the subnet hosting the virtual machine. |
| bastionSubnetAddressPrefix | string | Specifies the Bastion subnet IP prefix. This prefix must be within the virtual network IP prefix address space. |
| bastionSubnetNsgName | string | Specifies the name of the network security group associated with the subnet hosting Azure Bastion. |
| bastionHostEnabled | bool | Specifies whether Azure Bastion should be created. |
| bastionHostName | string | Specifies the name of the Azure Bastion resource. |
| bastionHostDisableCopyPaste | bool | Enable/Disable Copy/Paste feature of the Bastion Host resource. |
| bastionHostEnableFileCopy | bool | Enable/Disable File Copy feature of the Bastion Host resource. |
| bastionHostEnableIpConnect | bool | Enable/Disable IP Connect feature of the Bastion Host resource. |
| bastionHostEnableShareableLink | bool | Enable/Disable Shareable Link of the Bastion Host resource. |
| bastionHostEnableTunneling | bool | Enable/Disable Tunneling feature of the Bastion Host resource. |
| bastionPublicIpAddressName | string | Specifies the name of the Azure Public IP Address used by the Azure Bastion Host. |
| bastionHostSkuName | string | Specifies the name of the Azure Bastion Host SKU. |
| natGatewayName | string | Specifies the name of the Azure NAT Gateway. |
| natGatewayZones | array | Specifies a list of availability zones denoting the zone in which the NAT Gateway should be deployed. |
| natGatewayPublicIps | int | Specifies the number of Public IPs to create for the Azure NAT Gateway. |
| natGatewayIdleTimeoutMins | int | Specifies the idle timeout in minutes for the Azure NAT Gateway. |
| blobStorageAccountPrivateEndpointName | string | Specifies the name of the private link to the blob storage account. |
| fileStorageAccountPrivateEndpointName | string | Specifies the name of the private link to the file storage account. |
| keyVaultPrivateEndpointName | string | Specifies the name of the private link to the Key Vault. |
| acrPrivateEndpointName | string | Specifies the name of the private link to the Azure Container Registry. |
| hubWorkspacePrivateEndpointName | string | Specifies the name of the private link to the Azure Hub Workspace. |
| vmName | string | Specifies the name of the virtual machine. |
| vmSize | string | Specifies the size of the virtual machine. |
| imagePublisher | string | Specifies the image publisher of the disk image used to create the virtual machine. |
| imageOffer | string | Specifies the offer of the platform image or marketplace image used to create the virtual machine. |
| imageSku | string | Specifies the image version for the virtual machine. |
| authenticationType | string | Specifies the type of authentication when accessing the virtual machine. SSH key is recommended. |
| vmAdminUsername | string | Specifies the name of the administrator account of the virtual machine. |
| vmAdminPasswordOrKey | string | Specifies the SSH Key or password for the virtual machine. SSH key is recommended. |
| diskStorageAccountType | string | Specifies the storage account type for OS and data disk. |
| numDataDisks | int | Specifies the number of data disks of the virtual machine. |
| osDiskSize | int | Specifies the size in GB of the OS disk of the VM. |
| dataDiskSize | int | Specifies the size in GB of the data disk of the virtual machine. |
| dataDiskCaching | string | Specifies the caching requirements for the data disks. |
| enableMicrosoftEntraIdAuth | bool | Specifies whether to enable Microsoft Entra ID authentication on the virtual machine. |
| enableAcceleratedNetworking | bool | Specifies whether to enable accelerated networking on the virtual machine. |
| tags | object | Specifies the resource tags for all the resources. |
| userObjectId | string | Specifies the object ID of a Microsoft Entra ID user. |
We suggest reading sensitive configuration data such as passwords or SSH keys from a pre-existing Azure Key Vault resource. For more information, see Create parameters files for Bicep deployment
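Several parameters in the table above decide whether key-based authentication and public endpoints stay available. The following check, an added example that is not part of the companion sample, compares a main.bicepparam file against an expected baseline before deployment; the baseline values, the function names and the sample parameters file are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the companion sample.

# Expected values. This baseline is an assumption made for the example
# (identity-based auth, no public endpoints); adjust it to your own policy.
policy() {
  cat <<'EOF'
hubPublicNetworkAccess Disabled
aiServicesDisableLocalAuth true
acrAdminUserEnabled false
acrAnonymousPullEnabled false
acrPublicNetworkAccess Disabled
keyVaultNetworkAclsDefaultAction Deny
storageAccountAllowBlobPublicAccess false
bastionHostEnableShareableLink false
EOF
}

# lint_bicepparam FILE
# Prints one sorted line per deviation: "<param> expected=<e> found=<f>".
# Parameters missing from FILE are reported as <unset>, since the default in
# main.bicep then applies and has to be reviewed there.
# Assumes one scalar "param name = value" per line with standard spacing.
lint_bicepparam() {
  policy | awk -v q="'" '
    NR == FNR { want[$1] = $2; next }            # first input: policy table
    $1 == "param" && $3 == "=" && ($2 in want) {
      seen[$2] = 1
      value = $4
      gsub(q, "", value)                         # drop Bicep string quotes
      if (value != want[$2])
        printf "%s expected=%s found=%s\n", $2, want[$2], value
    }
    END {
      for (name in want)
        if (!(name in seen))
          printf "%s expected=%s found=<unset>\n", name, want[name]
    }' - "$1" | LC_ALL=C sort
}

# write_sample FILE: a constructed parameters file used to exercise the check.
write_sample() {
  cat > "$1" <<'EOF'
using './main.bicep'

param prefix = 'secure'
param hubPublicNetworkAccess = 'Disabled'
param aiServicesDisableLocalAuth = false
param acrAdminUserEnabled = true // constructed: left over from a pull script
param acrAnonymousPullEnabled = false
param keyVaultNetworkAclsDefaultAction = 'Deny'
param storageAccountAllowBlobPublicAccess = false
param bastionHostEnableShareableLink = false
EOF
}

# Lint the file given on the command line; non-zero exit on any finding.
if [ -n "${1:-}" ]; then
  findings=$(lint_bicepparam "$1")
  [ -z "$findings" ] || { printf '%s\n' "$findings"; exit 1; }
fi
```

On the constructed sample the check reports the two weakened settings plus acrPublicNetworkAccess, which is unset and therefore falls back to the documented default of Enabled.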
To set up the infrastructure for the secure Azure AI Studio, you will need to install the necessary prerequisites and follow the steps below.
Before you begin, ensure you have the following:
An active Azure subscription
Azure CLI installed on your local machine. Follow the installation guide if needed.
Appropriate permissions to create resources in your Azure account
Basic knowledge of using the command line interface
Start by cloning the repository to your local machine:
cd bicep
Edit the main.bicepparam parameters file to configure values for the parameters required by the Bicep templates. Make sure you set appropriate values for resource group name, location, and other necessary parameters in the deploy.sh Bash script.
Use the deploy.sh Bash script to deploy the Azure resources via Bicep. This script will provision all the necessary resources as defined in the Bicep templates.
Run the following command to deploy the resources:
By following these steps, you will have Azure AI Studio set up and ready for your projects using Bicep. If you encounter any issues, refer to the additional resources or seek help from the Azure support team.
After deploying the resources, you can verify the deployment by checking the Azure Portal or Azure AI Studio. Ensure all the resources are created and configured correctly.
You can also follow these instructions to deploy, expose, and call the Basic Chat prompt flow using Bash scripts and Azure CLI.
Powershell – Change Intune Application Assignments
Hello,
I’d like to bulk-edit a number of my Intune Win32 assignments. I’ve got ~30 applications to go through, but I’ve noted their AppIDs so it would be worth the time investment to find a working Powershell script to run this without having to manually edit each one.
Below runs through Elevated Powershell without error, so I’d thought it was successful. Unfortunately nothing changes and assignments remain the same. I’ve cut down the number in this script and edited tenant-based ID’s but practically-speaking this runs through fine.
Can anyone advise? I’m new to powershell and basically relying on AI to help make them, or the occasional forum post I can find.
```powershell
# Install the Microsoft Graph PowerShell SDK if not already installed
Install-Module Microsoft.Graph -Scope CurrentUser -Force

# Import the Device Management module
Import-Module Microsoft.Graph.DeviceManagement

# Connect to Microsoft Graph
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"

# Retrieve all mobile apps
$allApps = Get-MgDeviceAppManagementMobileApp

# Filter for Win32 apps
$win32Apps = $allApps | Where-Object { $_.'@odata.type' -eq '#microsoft.graph.win32LobApp' }

# List of specific app IDs to target
$specificAppIds = @(
    "ba5988e8-4hhe-4e99-9181-ff85ce589113",
    "d49dk602-5e02-4af3-b09c-d98d8edac8fb"
)

# Filter the Win32 apps to only include the specific apps
$targetApps = $win32Apps | Where-Object { $specificAppIds -contains $_.Id }

# Define group IDs
$requiredGroupId = "57ce1fb3-5f94-4287-8f0b-e2ed595ac900" # Replace with your actual required group ID
$uninstallGroupId = "aq7a3571-7f71-4deb-8f81-289dfe38a2e6" # Replace with your actual uninstall group ID

# Loop through each target app and update the assignment
foreach ($app in $targetApps) {
    # Get the current assignments
    $assignments = Get-MgDeviceAppManagementMobileAppAssignment -MobileAppId $app.Id

    # Define the new assignments
    $requiredGroupAssignment = @{
        "@odata.type" = "#microsoft.graph.mobileAppAssignment"
        target = @{
            "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
            groupId = $requiredGroupId
        }
        intent = "required"
    }
    $uninstallGroupAssignment = @{
        "@odata.type" = "#microsoft.graph.mobileAppAssignment"
        target = @{
            "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
            groupId = $uninstallGroupId
        }
        intent = "uninstall"
    }

    # Add the new assignments to the existing assignments
    $updatedAssignments = $assignments + $requiredGroupAssignment + $uninstallGroupAssignment

    # Update the app assignments
    Update-MgDeviceAppManagementMobileAppAssignment -MobileAppId $app.Id -BodyParameter $updatedAssignments
}
```
Adding two numbers in a select query produces a slightly different number.
In a select query, the Field contains ‘Total Net (inc Manual): [Manually Input Amount]+[Net Amount]’.
In one example, it should produce 20.6, but it produces 20.6000003814697.
Both values do not contain more than 2 decimal places, so it’s not a formatting issue ([Manually Input Amount] is 0 and [Net Amount] is 20.6).
I’ve tried running it as ‘Total Net (inc Manual): [Net Amount]+0’; as in this instance the [Manually Input Amount] was 0, but I still get the same result (20.6000003814697 instead of 20.6).
When I run this against a whole table, many values are slightly out, but not all of them.
I’m completely baffled, so any help would be appreciated.
NetworkATC Stuck on Validating
After migrating our three-node Azure Stack HCI cluster to intent-based networking with network ATC, the configuration status for some of the intents remains in the “Validating” status. I have two intents: One management and compute. One storage. I’m not sure how to troubleshoot why the configuration status doesn’t progress to “Success” status. Fortunately, the cluster is operating normally, but I fear something must be wrong. A cluster validation test doesn’t indicate any issues. All nodes are running 10.0.25398
Get-NetIntentStatus | select IntentName, Host, ConfigurationStatus, ProvisioningStatus | ft
IntentName         Host       ConfigurationStatus ProvisioningStatus
----------         ----       ------------------- ------------------
storage            dun-s-hci1 Success             Completed
storage            dun-s-hci2 Success             Completed
storage            dun-s-hci3 Success             Completed
management_compute dun-s-hci1 Validating
management_compute dun-s-hci2 Validating
management_compute dun-s-hci3 Validating
Adding VM Instance View Details, e.g. osName, to the VM Resource Object JSON (for Custom Policy Use)
I’m requesting to add more details to the JSON of the VM resource object, particularly from the VM instance view data. This is to include operating system information, such as the name and version (osName and osVersion), for use in a custom Policy. Although these details are visible in the portal, they’re not present in the VM’s resource object, which is necessary for our custom policy.
Geography Data Type #CONNECT! error message when changing city to country
Only getting an error with Paris to France and nothing else. I am in England so I don’t need a VPN. I have the latest Windows and Office update too. Please help. If there is no solution, is there a method where I can use a formula to read Paris and print France in column K?
Windows 11 won’t let me update my system
Hi, can someone fix this for me or tell me how to solve the problem I have? It shows that I have an update available, but when I start the update and it reaches 8%, I get the error that the system reserved partition could not be updated. So I ask: is there a solution?
Windows Server 2019 & 2022 Service Problem (Microsoft Purview Data Loss Prevention Service (MDDlpSvc))
I have recently noticed that the above service has been updated, but the service will not start/restart on Windows Server 2019 and 2022.
It doesn’t work under Registry either.
Has anyone any idea on how to solve the Service?
Users are not able to receive phone calls during a teams call
I have at least two users now who state that while they are in a normal Teams call (such as a video meeting), they do not receive phone calls from our phone queue. Other people in the Teams call can receive the phone call notification, but not them. Is there any reason for this? Is there anything I can try to resolve this?
Swiss DCs Partner Update Call September 2024
Please find attached the pdf slides from this quarter’s partner Swiss DCs update call. The recording and AI recap is here: Regular Partner Q&A Call on CH DC-20240920_140148-Meeting Recording.mp4 (sharepoint.com)
Main info covered:
New Public Story
5 years Swiss DCs
Azure
More powerful NVIDIA GPUs NVv5 now generally available in Switzerland North in two zones, enabling e.g. resource-intensive applications such as CAD for Virtual Desktop
Azure Cosmos DB for MongoDB vCore available very soon in Switzerland North
Modern Work
GPU cloud PCs in Windows 365 available in Switzerland
Final Call
Similar to established areas with mature DCs such as DE / FR / UK, there is no local DC Lead any longer in Switzerland
Please approach your Microsoft partner team or Martin Abrle for Swiss DCs requests
I will delete the call series for the future as I transitioned to the role of AI National Skills Director
Thank you VERY MUCH for the past collaboration and everything you’ve done for Swiss DCs!
ODBC driver in ADF
For ODBC driver to work with ADF, what are the prerequisites?
Can someone confirm if a VM should be required or if ODBC can work without the VM and data can be accessed directly in Azure Services, for example from NetSuite?
Azure WAF’s Bot Manager 1.1 and JavaScript Challenge: Navigating the Bot Threat Terrain
Introduction
Bots are a common presence on the internet, serving a range of functions from automating customer service to indexing pages for search engines. However, their capabilities can be exploited for malicious activities, such as launching botnet attacks that can compromise web applications and disrupt services. Businesses continuously face the delicate balancing act of allowing good bots to perform their functions while preventing bad bots from causing harm.
To address these challenges, Azure Web Application Firewall (WAF) has new enhancements that provide advanced protection against such threats, ensuring the security and integrity of web applications. In this blog, we will explore Azure WAF Bot Manager 1.1 in Azure Front Door (AFD) and coming soon to Application Gateway WAF, as well as the WAF JavaScript Challenge which is available in both Application Gateway and Azure Front Door. These features offer comprehensive protection against malicious bots while ensuring that good bots can continue their work without interruption.
The Malicious Bot Landscape
Bots account for approximately 48% of all internet traffic, with 30% of this attributed to malicious bots. These malicious bots are automated programs designed to attack web and mobile applications for fraudulent and harmful purposes. A sizable portion of these, around 33%, are simple bad bots that use automated scripts to conduct their malicious activities.
Bad bots can engage in a variety of attacks which include:
Launching DDoS attacks on customer-facing websites.
Gaining initial access by escalating privileges in critical systems, then using that access to launch additional attacks through lateral movement.
Spamming customer websites with form submission pages.
Spoofing legitimate mobile user agents to execute a range of fraudulent and malicious activities.
Scraping website content, tampering with SEO rankings or prices, and launching denial-of-inventory attacks.
Spreading false information, performing targeted phishing, and conducting social engineering attacks.
Given the wide range of threats posed by malicious bots, it is crucial to have robust defenses in place to protect your web applications. In the next section, we will explore how the new Bot Manager 1.1 ruleset and JavaScript Challenge work to effectively prevent the threats posed by malicious bots.
Azure WAF Bot Manager 1.1 Ruleset
The Azure WAF Bot Manager ruleset helps protect web applications by identifying and managing bot traffic, distinguishing between good bots and malicious bots, and applying appropriate actions (Block, Allow, Log, JS Challenge) to each rule.
Azure WAF’s Bot Manager 1.1, available in Azure Front Door, represents an improvement over its predecessor, Bot Manager 1.0. This ruleset is designed to provide more precise detection of both good bots and bad bots, reducing false positives, and improving security.
Bot Manager 1.1 introduces advanced detection capabilities by refining and expanding the rules that differentiate between legitimate and malicious bots. These enhancements have been made in the Goodbot and Badbot rules.
The Goodbot Rule Group
The Goodbot rule group in Bot Manager 1.1 has been significantly enhanced to reduce false positives and improve SEO rankings by allowing a broader range of legitimate bots to access websites. This group now includes a variety of verified good bots categorized into specific roles such as search engine crawlers, advertising bots, social media bots, link checkers, content fetchers and feed fetchers. These enhancements ensure that well-known legitimate bots such as Bingbot and Googlebot can perform their functions without being blocked, thus preventing issues like lower SEO rankings or disrupted services through blocking. Additionally, the flexibility to customize actions for each Goodbot rule gives users granular control over their web application’s interaction with these bots.
The screenshot below displays the new Goodbot rules added to the Bot Manager 1.1 ruleset:
For more details on the Goodbot rules you can check out – Goodbot Rules.
The Badbot Rule Group
The Badbot rule group in Bot Manager 1.1 introduces a powerful new rule, Bot100300, which targets IPs with high-risk scores identified through threat intelligence. This rule complements existing bad bot detection mechanisms, such as Bot100100, which focuses on verified malicious IPs. By enhancing the detection of risky and malicious bots, this rule group helps mitigate threats like scraping, phishing, spamming, and denial-of-inventory attacks. The default action for these bots is set to “block,” ensuring that harmful activities are effectively thwarted, although users have the option to modify this action if needed.
The screenshot below displays the new Badbot rule added to the Bot Manager 1.1 ruleset:
For more details on the Badbot rules, you can check out – Badbot rules.
Enabling and using the new Bot Manager 1.1 Ruleset
To enable the Bot Manager 1.1 ruleset in WAF in Azure Front Door in the Azure Portal, navigate to your AFD WAF Policy.
In the policy settings, go to the Managed rules tab. Here, you will find the option to assign the Bot Manager 1.1 ruleset.
Simply select the Bot Manager 1.1 ruleset from the dropdown menu under the Assign option.
Click on Save to apply the change.
After assigning the ruleset, you can customize the specific actions for each rule group based on your security needs, such as blocking or allowing certain bot categories.
With the enablement complete, the ruleset is available for use, providing your application with enhanced protection against malicious bots while allowing legitimate bot traffic.
To demonstrate the Bot Manager 1.1 ruleset in action, we conduct a simple test to show how a bad bot can be blocked. In our setup, we install Postman in a virtual machine with internet access and configure Azure Front Door with a WAF Policy that has the Bot Manager 1.1 ruleset enabled. Behind this Azure Front Door, a web application is running and is actively protected by the WAF. We use Postman as it allows us to manually craft HTTP requests, making it an ideal tool to simulate bot traffic and test the WAF’s response to malicious IP addresses.
In Postman, we simulate a request from a bad bot attempting to access the protected web application. This is done by injecting a known malicious IP address into the ‘x-forwarded-for’ header—a technique often employed by bots to disguise their actual origin. We configure Postman to send a GET request to the web application’s endpoint. In the headers section, we add the ‘x-forwarded-for’ header and assign it the malicious IP address, which has been flagged for engaging in malicious activities.
With the request configured, we send the GET request to the web server through the AFD address. The WAF policy, with Bot Manager 1.1 ruleset enabled, detects the request as malicious based on the IP address and blocks it before it can reach the web application. The server responds with a 403 Forbidden status code, confirming that the bad bot has been successfully prevented from accessing the application.
In our AFD WAF logs, we observe that the request was blocked by the Bot Manager ruleset:
Azure WAF JavaScript (JS) Challenge
The JavaScript (JS) Challenge in Azure WAF is an invisible, non-interactive web challenge designed to differentiate between legitimate users and bad bots. When triggered, it presents a challenge to the user’s browser, which is processed automatically without any human intervention. Legitimate users pass through seamlessly, while malicious bots fail the challenge and are blocked. This approach effectively protects web applications from bot attacks while maintaining a smooth experience for real users, as it operates behind the scenes without disrupting normal browsing activities.
The JavaScript Challenge works when it is active on Azure WAF and a client’s HTTP/S request matches a specific rule in the WAF policy causing the challenge to be triggered. This challenge prompts the client’s browser to perform a computational task on a dedicated JavaScript challenge page. While the user may briefly see this page, the challenge runs automatically in the background without requiring any user interaction. If the browser successfully completes the task, the request is validated and allowed to proceed, indicating that the client is a legitimate user. However, if the challenge fails, the request is blocked, effectively stopping the bad bot from accessing the application.
The JS Challenge is particularly beneficial because it reduces friction for legitimate users; it is invisible and requires no human intervention. This seamless approach ensures that the user experience remains unaffected while providing robust protection against bad bots. Additionally, the challenge is reissued under certain conditions, such as when a user’s IP address changes or when accessing the page from a different domain, ensuring continuous and adaptive protection.
Azure WAF JS Challenge Characteristics:
Invisible, Non-Interactive Challenge: The JS Challenge operates without requiring input from users, allowing for a smooth browsing experience while blocking malicious bots. The user very briefly sees the challenge page (shown below):
Customizable Cookie Lifetime: The validity of the JS Challenge cookie can be customized, with options ranging from 5 to 1,440 minutes (24 hours). The default setting is 30 minutes. This is found in the Policy Settings page of the WAF policy in Application Gateway and Azure Front Door.
JS Challenge action settings in Application Gateway WAF:
JS Challenge action settings in Azure Front Door WAF:
JS Challenge in Managed rules: The JS Challenge is integrated in the WAF managed rulesets within the Bot Manager ruleset. To enable the JavaScript Challenge within the Bot Manager’s managed rules, users can navigate to the Managed rules section in their WAF policy and adjust the actions for each rule group. This setup allows the WAF to adapt to various security needs, applying the JavaScript Challenge as necessary to ensure ongoing protection.
JS Challenge action in Managed rules for Application Gateway WAF:
JS Challenge action in Managed rules for Azure Front Door WAF:
JS Challenge in Custom Rules: The JavaScript Challenge can be applied within custom rules, allowing administrators to target specific traffic patterns or conditions, such as IP addresses or request headers. This provides granular control over when the challenge is triggered, enhancing security by focusing on specific threats.
JS Challenge Custom rule action in Application Gateway WAF:
JS Challenge Custom rule action in Azure Front Door WAF:
Cross-Origin Resource Sharing (CORS) Protection: The challenge is reapplied when accessing resources from a different domain, ensuring consistent security across multiple domains.
Logging and Metrics: Detailed logs and metrics are captured whenever the JS Challenge is triggered. These allow security administrators to track the challenges and analyze traffic patterns and security incidents. The JS Challenge logs and metrics are available in both AFD and Application Gateway.
Example JS Challenge Metric for Application Gateway WAF:
Example JS Challenge Logs in Azure Front Door:
Enabling and using the JavaScript Challenge
As seen earlier, the JavaScript (JS) Challenge can be enabled within both the Bot Manager ruleset and custom rules. To enable it within the Bot Manager ruleset, simply navigate to the Managed Rules section of your WAF policy in either Application Gateway or Azure Front Door, select the Bot Manager rule you want to configure, and change the action to JS Challenge. For custom rules, you would create a new rule and select the JS Challenge as the action. Additionally, within the Policy Settings, you can adjust the JS Challenge cookie’s validity period, with options ranging from 5 to 1,440 minutes.
Azure Front Door (Example) – Enabling JS Challenge in the Bot Manager Ruleset:
Application Gateway WAF (Example) – Enabling JS Challenge in a Custom Rule:
To demonstrate the JS Challenge in action, we set up a simple scenario using an Application Gateway with a WAF policy and use the custom rule we created above. We have a demo web application behind the Application Gateway protected by our WAF. Our custom rule is configured to inspect the RequestUri and trigger the JS Challenge when the URI contains /ftp. If a request matches this condition, the WAF challenges it using the JS Challenge. A bot will fail to solve the challenge, whereas a legitimate user using a browser will pass through without issues. In our setup, within Policy Settings, the JavaScript Challenge timeout is set to 5 minutes.
We first open Developer Tools (pressing F12) in our browser and navigate to the Network section to monitor the requests. Then, we launch the web application and click on the link that leads to the /ftp path. The browser briefly displays the challenge, confirming that the JS Challenge is active and functioning.
After the challenge finishes, the JS challenge cookie will appear under the Response Headers:
When we navigate to any other page within our application website, we notice the same cookie included in the Request Headers:
The same JS challenge cookie appears on other pages of the application as it confirms the user has already passed the challenge. Once the challenge is completed, the cookie is stored in the user’s browser and sent with every request to any page within the same domain. This prevents the user from being re-challenged on each page, ensuring they can navigate smoothly across the application without interruption while maintaining security.
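The flow walked through above (rule match on /ftp, challenge, cookie reuse, and re-challenge on expiry, IP change or a different domain) can be modelled in a few lines. This Python sketch is an added illustration, not Azure's code and not part of the original article: Azure's real cookie format and computational task are not described on this page, so the HMAC-signed cookie, the hash-based task, the 60-second seed window and every name below are assumptions.

```python
import hashlib
import hmac

MIN_MINUTES, MAX_MINUTES = 5, 1440   # cookie lifetime range given in the article
SEED_WINDOW = 60                     # assumed: seconds a challenge seed stays redeemable


def meets_difficulty(seed, nonce, bits):
    """True when SHA-256(seed:nonce) starts with `bits` zero bits (assumed task)."""
    digest = hashlib.sha256(f"{seed}:{nonce}".encode()).digest()
    return int.from_bytes(digest, "big") >> (256 - bits) == 0


def solve(seed, bits):
    """Stands in for the script a real browser runs on the challenge page."""
    nonce = 0
    while not meets_difficulty(seed, nonce, bits):
        nonce += 1
    return nonce


class JsChallengeModel:
    """Conceptual model of the decision flow, not Azure's implementation."""

    def __init__(self, key, cookie_minutes=30, uri_substring="/ftp", bits=12):
        if not MIN_MINUTES <= cookie_minutes <= MAX_MINUTES:
            raise ValueError("cookie lifetime must be 5 to 1,440 minutes")
        self.key = key
        self.lifetime = cookie_minutes * 60
        self.uri_substring = uri_substring   # custom rule: RequestUri contains ...
        self.bits = bits

    def _mac(self, *parts):
        msg = "\x1f".join(parts).encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def _check(self, token, purpose, client_ip, host):
        """Return the token's timestamp if its MAC matches this IP and host."""
        stamp, _, tag = (token or "").partition(".")
        if not (stamp.isascii() and stamp.isdigit()):
            return None
        expected = self._mac(purpose, client_ip, host, stamp)
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            return None
        return int(stamp)

    def new_challenge(self, client_ip, host, now):
        """Seed for the challenge page, bound to the client IP and host."""
        stamp = str(int(now))
        return f"{stamp}.{self._mac('seed', client_ip, host, stamp)}"

    def redeem(self, seed, nonce, client_ip, host, now):
        """Exchange a solved challenge for a cookie; None if anything is off."""
        issued = self._check(seed, "seed", client_ip, host)
        if issued is None or now - issued > SEED_WINDOW:
            return None
        if not meets_difficulty(seed, nonce, self.bits):
            return None
        expires = str(int(now) + self.lifetime)
        return f"{expires}.{self._mac('cookie', client_ip, host, expires)}"

    def evaluate(self, uri, client_ip, host, cookie, now):
        """Decision for one request: allow, challenge-valid or challenge-issued."""
        if self.uri_substring not in uri:
            return "allow"                      # rule did not match
        expires = self._check(cookie, "cookie", client_ip, host)
        if expires is not None and now < expires:
            return "challenge-valid"            # already passed, no re-challenge
        return "challenge-issued"               # missing, expired or rebound cookie


if __name__ == "__main__":
    # Constructed sample values (documentation IP range, made-up host and key).
    gate = JsChallengeModel(b"constructed-demo-key", cookie_minutes=5)
    ip, host, t0 = "203.0.113.10", "shop.example", 1_700_000_000
    print(gate.evaluate("/ftp", ip, host, None, t0))
    seed = gate.new_challenge(ip, host, t0)
    cookie = gate.redeem(seed, solve(seed, gate.bits), ip, host, t0 + 1)
    print(gate.evaluate("/ftp/readme", ip, host, cookie, t0 + 60))
    print(gate.evaluate("/ftp", "198.51.100.7", host, cookie, t0 + 60))
```

A client that never runs the script never obtains a cookie, so every matching request from it stays at challenge-issued.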
The Application Gateway WAF logs provide detailed insights into JS Challenge requests, showing the issued and passed challenges as well as active challenges:
Conclusion
Malicious bots pose serious risks to web applications, from scraping content to launching denial-of-service attacks. Azure WAF’s Bot Manager 1.1 and JavaScript Challenge provide robust protection by effectively blocking bad bots while allowing legitimate traffic to flow seamlessly. By implementing these features, businesses can safeguard their web applications from automated threats without compromising the user experience. These tools offer a powerful, adaptive defense against the evolving landscape of bot-driven attacks.
Resources:
What is Azure Web Application Firewall on Azure Application Gateway? – Azure Web Application Firewall | Microsoft Learn
What is Azure Web Application Firewall on Azure Front Door? | Microsoft Learn
Bot Protection Ruleset
Configure bot protection for Web Application Firewall with Azure Front Door | Microsoft Learn
General availability of Azure WAF Bot Manager 1.1 Ruleset – Microsoft Community Hub
Azure Web Application Firewall JavaScript challenge (preview) overview | Microsoft Learn
Azure WAF Public Preview: JavaScript Challenge – Microsoft Community Hub
How to merge two partitions of external hard disk on Windows 10/11?
Hi members,
I’m looking for some guidance on merging two partitions on an external hard disk on my Windows PC. The drive currently has two separate partitions, and I’d like to combine them into one without losing any data. Here’s what I’ve tried so far:
I opened the Disk Management tool, but I couldn’t find an option to merge the partitions directly. I’m aware that I might need to delete one partition and then extend the other, but I’m concerned about potential data loss.
Is there any easy way to merge two partitions of external hard disk on Windows 11/10? If so, could you please share the steps you followed? Also, if there are any tools or software you recommend for this task, I’d appreciate your suggestions.
Thanks in advance for your help!
Cell value based on if it contains text, or if it contains a date, how the date relates to today
Hi all
I’m having problems writing a formula for this spreadsheet. The purpose is to show when a project needs to be sent. Each project has a deadline (column H), but some projects have a date they can’t be sent before (column I). I have created column J which is Actual Go Date, i.e. when it needs to be sent by, or if I can’t send it until later than today it says ‘wait’.
The problem I’m having is with column K. It is coding the priority based on how the date in column J compares to today’s date in C2 (see formula for cell K20), but how do I get it to also say ‘wait’ if column J has ‘wait’ in it rather than a date?
Thank you!
Obs studio not recording audio – best obs studio alternative for PC?
I recently used OBS Studio to record the screen, but found that OBS Studio was not recording audio. The picture was fine, but there was no sound. I checked the settings, tried adjusting the audio input and output devices, and updated OBS Studio to the latest version, but the problem was not solved. I wonder if anyone has encountered this situation, or has a better recommendation for the best OBS Studio alternative for PC? Especially PC software that can record the screen and audio at the same time.
I often need to record tutorial videos with sound at work, so I hope to find a more stable alternative software. Thank you for your suggestions!
“How to Fix the System Tray Not Auto-Hiding Issue”
As the title suggests, I require maximum screen real estate. Occasionally, the system tray or taskbar fails to auto-hide.
Device: HP Envy x360
How to Switch from Legacy to UEFI BIOS Mode on Windows 11
Has anyone managed to transition a Windows 11 system from Legacy mode to UEFI mode without having to undergo a full system reinstallation? My current computer is operating on Windows 11, and upon inspection, I discovered that it is configured in Legacy mode. I am interested in switching it to UEFI mode primarily to enhance performance and compatibility. Although I have come across various guides online, they mostly suggest reinstalling the system or indicate that the process is quite intricate. Restarting from scratch is not something I wish to do.
Has anyone attempted a direct conversion approach? Is this procedure overly complicated? Could you kindly share any specific steps or your personal experience with this transition?
Find-on-page sidebar feature disabled on 129.0.2792.52 Stable
Hello, with the latest update to 129.0.2792.52 Stable the Find-on-page sidebar feature got disabled completely. Now there’s only the old and very limited pop-up box left for in page searches.
Also all the flags related to find-on-page are gone:
edge://flags/#edge-sidebar-find-on-page
edge://flags/#edge-find-on-page-filters
edge://flags/#edge-related-matches-for-find-on-page
We noticed that this happened on the other channels before (Beta, Dev and Canary) when they switched to version 129.
The Find-on-page sidebar is a standalone feature for Chromium-based browsers and we use it a lot for research. Especially the list of find occurrences is a big enhancement for navigating through long texts.
Can someone from the team please give information if the Find-on-page sidebar got finally deprecated or just temporarily disabled for experimenting and will be available in the future soon?
Thanks in advance!
How to fix iPhone touch screen not working issue with computer?
My iPhone recently had a problem with the screen not responding to touch. It doesn’t respond to any operation at all, and nothing happens when I swipe or click. I tried restarting the phone and cleaning the screen, but the problem still exists. The phone has never been dropped or soaked in water, and I really don’t understand why it suddenly became like this.
Does anyone know how to fix this iPhone touch screen not working problem? Is there any way to fix it myself, or do I have to go to a repair shop? I hope everyone can give me some advice, thank you!