But there is something you should be aware of: Please do not use something like MSSQLSERVER_SCSM as the name of the instance, otherwise the SCSM Management Server installation wizard will fail! What you will see in the wizard is the error “access to the sql server instance was denied”, with the instance listed as Default_SCSM. If you use something like SCSM as the name for your instance, everything works smoothly…

• Microsoft Office365 – https://cloudsecurityalliance.org/star-registrant/microsoft-office-365/
• Microsoft Windows Azure – https://cloudsecurityalliance.org/star-registrant/microsoft-windows-azure/ 
• Microsoft Dynamics CRM Online – https://cloudsecurityalliance.org/star-registrant/microsoft-dynamics-crm-online/

“In this document we provide our customers with a detailed overview of how Microsoft Online Services fulfill the security, privacy, compliance, and risk management requirements as defined in the Cloud Security Alliance (CSA) Cloud Control Matrix (CCM). ”

You can find the download link for this Excel sheet and some further information on http://blog.ilmbestpractices.com/2012/04/fim-db-sizing-calculator.html.

But please note, this is not an official FIM 2010 terminology documentation from Microsoft (the FIM product group).

Url: http://blogs.technet.com/b/jingalls/archive/2012/04/20/a-comprehensive-fim-2010-terminology-document.aspx

For those of you how don’t know what the FIMOV is, here a short description:

The FIM Object Visualizer is a tool to create reports of various configurations such as:

• FIM Active Metaverse Schema configuration
• Attribute Flow Precedence Configuration
• Management Policy Rules
• Synchronization Rules
• Workflows
• FIMMA Schema configuration
• Management Agent Attribute Selection
• Management Agents
• Metaverse Schema
• Replication Configuration

The FIMOV is now built with a .NET Windows Forms application and is available as a ClickOnce app as well.

Url: http://fimov.codeplex.com/

Microsoft Endpoint Protection for Windows Azure provides the ability to include an antimalware protection agent in each Windows Azure virtual machine running your Windows Azure service. It extends the Windows Azure SDK by providing an antimalware import which provides antimalware configuration and deployment capabilities.

When you deploy MEP to Windows Azure, the following core technologies are enabled by default:

• Real-time protection – monitors activity on the system to detect and block malware from executing.
• Scheduled scanning – periodically performs targeted scanning to detect malware on the system, including actively running malicious programs.
• Malware remediation – takes action on detected malware resources, such as deleting or quarantining malicious files and cleaning up malicious registry entries.
• Signature updates – installs the latest protection signatures (aka “virus definitions”) to ensure protection is up-to-date.
• Active protection – reports metadata about detected threats and suspicious resources to Microsoft to ensure rapid response to the evolving threat landscape, as well as enabling real-time signature delivery through the Dynamic Signature Service (DSS).

And of course, the monitoring of MEP (btw, I just assume that MEP will be the acronym for Microsoft Endpoint Protection, similar to FEP or SCEP) is addressed as well. So obvious, System Center should be your monitoring tool to use (System Center Monitoring Pack for Windows Azure, http://www.microsoft.com/download/en/details.aspx?id=11324)

Download URL and documentations: http://www.microsoft.com/download/en/details.aspx?id=29209

To keep things simple, Windows Server 8 DirectAccess now includes all features and functions from Forefront UAG DirectAccess, as well as a few new capabilities:

• DirectAccess and RRAS coexistence
• Simplified DirectAccess management for small and medium organization administrators
• Removal of PKI deployment as a DirectAccess prerequisite
• Built-in NAT64 and DNS64 support for accessing IPv4-only resources
• Support for DirectAccess server behind a NAT device
• Simplified network security policy
• Load balancing support
• Support for multiple domains
• NAP integration
• Support for OTP (token based authentication)
• Automated support for force tunneling
• IP-HTTPS interoperability and performance improvements
• Manage-out support
• Multisite support
• Support for Server Core
• Windows PowerShell support
• User and server health monitoring
• Diagnostics
• Accounting and reporting
• Site-to-site IKEv2 IPsec tunnel mode VPN

Therefore it is not a surprise, that a Forefront UAG DirectAccess migration is already in place on TechNet (http://technet.microsoft.com/en-us/library/hh831658.aspx).

• Remove Access overview, http://technet.microsoft.com/en-us/library/hh831416.aspx

http://support.microsoft.com/kb/2635086

Update Rollup 2 (build 4.0.3606.2) is available for Microsoft Forefront Identity Manager (FIM) 2010. This hotfix package resolves several issues and adds several features that are described in the “More Information” section. Additionally, this update contains all servicing fixes that were made since the release of FIM 2010.

If you just add the service account to the Exchange Recipient group, you will see the following error event in EventLog (and of course, the run profile will stop/fail with the error stopped-extension-dll-exception).

There is an error in Exch2010Extension BeginExportToCd() function.Type: System.Management.Automation.Remoting.PSRemotingTransportException

Message:

“Microsoft.MetadirectoryServices.ExtensionException: Processing data from remote server failed with the following error message: The user “<domain>/<ADMAAccount>” isn’t assigned to any management roles. For more information, see the about_Remote_Troubleshooting Help topic.

So based on the error, it’s clear that you have to add the account used for the Active Directory Management Agent to the Exchange Recipient Administrators group, instead of the FIM Sync Service service account.

My old blog (http://blog.gocloud-security.ch/2009/12/09/bitlocker-and-how-to-change-the-user-pin/) describes a possible solution/approach with a custom service or process that calls the manage-bde command. Now, since a couple of month, there is a much smarter way to allow your Windows standard users to change the BitLocker PIN – MBAM (Microsoft BitLocker Administration and Monitoring)!

MBAM has been released in August 2011 as part of MDOP and integrates different capabilities that have been missed with BitLocker. For example a helpdesk key recovery UI, single recovery keys (the MBAM client will create a new key once a BitLocker recovery key has been exposed), and different audit and compliance reports.

You can find a technical slide deck with all required information about MBAM
on http://media.ch9.ms/teched/na/2011/ppt/WCL317.pptx.