Category: Microsoft news

Microsoft news, features, events, and press materials

Posted on by Leave a comment

Satya Nadella: Crisis requires co-ordinated digital response

This article is a part of a series in which the Financial Times asks leading commentators and policymakers what to expect from a post-Covid-19 future

The writer is chief executive of Microsoft

Society’s deepest concerns are rooted right now in two connected questions: how do we protect public health and how can we promote an economic recovery that is inclusive? A third question is becoming more important because intensive use of technology has become so central to the other two: how do we preserve the privacy and cyber security needed for trustworthy computing? The past two months have seen digitisation progression that would ordinarily take two years generated by the demands of remote working and the need for accurate data and intelligence.

Neither the public nor the private sector alone can provide the answers. The challenges we face demand an unprecedented alliance between business and government. Too often we celebrate the ideal of a maverick working alone in a garage solving all our hard problems. We do need those mavericks, but we also need more co-ordinated combinations of government and industry that respond and innovate. That’s true for this pandemic and it is true for global warming, homelessness and other pressing concerns.

As a software platform and tools company, we at Microsoft view ourselves as digital first responders when the true first responders call from the front lines. Microsoft works for the heroes who are putting their lives at risk and must bring them everything we have to offer.

Here’s what I mean. In healthcare, data is an indispensable tool for decision-making. We’re working at every level of government to help standardise data, provide it for healthcare workers and to support scientific efforts to discover treatments and vaccines.

Working remotely is a new reality. The sheer number of appointments and meetings taking place on our Teams platform means greater productivity and access to greater volumes of intelligence. We’ve seen a new daily record of 2.7bn meeting minutes in one day, up 200 per cent from 900m on March 16, when falling securities markets shook the world. The UK’s National Health Service, the Cleveland Clinic and others are using our platform for virtual visits, consultations between isolated patients and their families and, sadly, end of life video calls. New doctors are taking the Hippocratic oath using Flipgrid, our video sharing tool.

Telemedicine is skyrocketing. A health network in Pennsylvania uses our video conferencing platform to communicate with patients most vulnerable to Covid-19. Seattle hospitals are using our tools to manage bed counts and inventory of critical supplies and share information with others in the region. And the US Centers for Disease Control and Prevention used our services to build a health bot that quickly assesses the symptoms and risk factors for people asking about infection.

Technology is accelerating the search for a vaccine and treatments. We are helping to create an open, machine-readable data set of all scientific literature on Covid-19. We have expanded our partnership with Adaptive Biotechnologies to map the immune system’s response to coronavirus, and will make the data set freely accessible to speed the development of treatments. And scientists are using GitHub, our developer platform, to power a distributed computing project that uses volunteers’ personal computers to assist researchers developing potential therapeutics.

Looking ahead, economic recovery must be inclusive, allowing every country, industry and citizen to prosper. Cloud-based products and services are keeping businesses, governments and non-profits functioning, and helping small businesses serve their customers and compete. Broadband is needed everywhere to support vulnerable populations.

Education and skills development must be a centrepiece of our efforts to recover. Schools and universities around the world are turning to tech platforms for remote learning. The University of Bologna recently moved 90 per cent of courses for 80,000 students online within three days. Not bad for a 900-year-old institution. A Japanese elementary school hosted its graduation on Minecraft, building a virtual assembly hall and seating to maintain the sense of community and belonging so important in times like this.

Finally, trust and security are more important than ever. We must all prioritise the protection of healthcare systems from cyber attacks. In addition, more kids are online than ever, so Microsoft is doubling down on digital safety. We’re committed to protecting privacy and building ethical artificial intelligence.

Accurate information and resources are always essential, especially during a global pandemic. LinkedIn Learning and Bing are providing data and life-saving information. We’re working with Facebook, Google, Twitter and our customers to help elevate authoritative content and combat fraud and misinformation about the virus.

It is a societal failure when we undervalue institutions and the critical services they provide. What we need is citizens and customers to demand co-ordination and partnership across sectors.

What’s happening in Seattle, the first US city affected by the coronavirus outbreak, provides a glimpse. A public-private alliance of the region’s largest employers, Challenge Seattle, became the town square for sharing data and best practices, managing the crisis and planning our return to work. Partnerships between business, government non-profit and academia are essential to flattening the infection curve everywhere, and recovery will require an enduring, vigilant effort.

Posted on by Leave a comment

Registration now open for Build 2020

It’s not the Build we thought it would be, but it’s gonna be special. Today, we’re excited to share that registration for an all-new virtual Build experience is now open. We can’t wait to bring together our community of developers to learn, connect and code together.

While things will look a little different this year as we all absorb and adjust to new realities brought on  COVID-19, we’re excited about Microsoft Build 2020, a 48-hour virtual event starting May 19 at 8 a.m. PT that will kick off with welcome remarks from Satya Nadella. This will be followed by a session with and for Developers hosted by me (read more on my blog).

Here’s a little more of what you can expect at Build this year:

  • Two days of continuous learning in your time zone: Attend sessions, talks and demos carefully chosen to help developers be productive wherever you work, and drive innovation and transformation. You will hear from the engineers behind the products you use every day and connect with your peers in a digital event experience.
  • Build community connections: Expand your network and your perspective on what’s possible. Connect and collaborate with your peers from around the world and with the Microsoft engineers behind the tools and services you rely on.
  • Level up your coding: Discover new ways to take your code and application architecture to the next level with as we help you troubleshoot, optimize and secure your projects.
  • Helping developers today: We’re committed to support developers with cost-effective, efficient innovations that make people’s lives easier and better, especially in uncertain times. Today, we announced new lower pricing for Visual Studio Codespaces (formerly Visual Studio Online) so you can create cloud-hosted dev environments that are accessible from anywhere, from any device. Earlier this month, GitHub announced that all of its core features are now available for free to all users. You can expect more such announcements as we journey through Microsoft Build.

Register for the event here. I’m really proud of what we’re working on and I’m looking forward to sharing it with you all.

Tags: , ,

Posted on by Leave a comment

Microsoft announces registered exchange offers

REDMOND, Wash. — April 30, 2020 — Microsoft Corp. (NASDAQ: MSFT) (“Microsoft”) announced today the commencement of offers to (i) exchange (the “Pool 1 Offer”) the ten series of notes described in the table below (collectively, the “Pool 1 Notes”) for a new series of Microsoft’s notes due June 1, 2050 (the “New 2050 Notes”) and a cash payment, as applicable, and (ii) exchange (the “Pool 2 Offer” and, together with the Pool 1 Offer, the “Exchange Offers”) the four series of notes described in the table below (collectively, the “Pool 2 Notes” and, together with the Pool 1 Notes, the “Existing Notes”) for a new series of Microsoft’s notes due June 1, 2060 (the “New 2060 Notes” and, together with the New 2050 Notes, the “New Notes”) and a cash payment, as applicable.

A Registration Statement on Form S-4, including a prospectus (the “Prospectus”), which is subject to change, relating to the issuance of the New Notes has been filed with the Securities and Exchange Commission (the “SEC”) on April 30, 2020 (the “Registration Statement”), but has not yet become effective. The New Notes may not be sold nor may offers to buy be accepted prior to the time the Registration Statement becomes effective. If and when issued, the New Notes will be registered under the Securities Act of 1933, as amended. The aggregate principal amount of Pool 1 Notes of each series that are accepted for exchange will be based on the order of acceptance priority for such series as set forth in the table below, and such that the aggregate principal amount of Pool 1 Notes accepted in the Pool 1 Offer results in the issuance of New 2050 Notes in an amount not exceeding $6,250,000,000 (the “New 2050 Notes Issue Cap”). The Pool 1 Notes are as follows:

Pool 1 Table
Title of Security CUSIP
Number		 Principal Amount Outstanding (MM) Acceptance Priority

Level

Reference UST Security (1)  

Fixed Spread

(basis points)

 Cash Payment

Percent of Premium (2)

 Early Exchange Premium (3) (4)
4.875% Notes due 2043 594918AX2 $500.0 1 30-year +110 100% $30
5.300% Notes due 2041 594918AM6 $1,000.0 2 30-year +105 100% $30
4.450% Notes due 2045 594918BL7 $3,000.0 3 30-year +110 100% $30
4.250% Notes due 2047 594918CA0 $3,000.0 4 30-year +110 100% $30
5.200% Notes due 2039 594918AD6 $750.0 5 30-year +95 100% $30
4.500% Notes due 2040 594918AJ3 $1,000.0 6 30-year +100 100% $30
3.750% Notes due 2043 594918AU8 $500.0 7 30-year +110 100% $30
3.750% Notes due 2045 594918BD5 $1,750.0 8 30-year +110 100% $30
4.100% Notes due 2037 594918BZ6 $2,500.0 9 30-year +87 100% $30
4.200% Notes due 2035 594918BK9 $1,000.0 10 30-year +75 100% $30

(1)   The “30-year Reference UST Security” refers to the 2.375% U.S. Treasury Notes due November 15, 2049.

(2)    The “Cash Payment Percent of Premium” is the percent (as set forth with respect to each series of Pool 1 Notes in the table above) of the amount by which the Total Exchange Consideration (as defined below and calculated at the Pricing Time (as defined below)) exceeds $1,000 per $1,000 principal amount of such Pool 1 Notes.

(3)   Per $1,000 principal amount of Pool 1 Notes.

(4)   Holders who validly tender Pool 1 Notes after the Early Exchange Time (as defined below) but on or before the Expiration Time (as defined below) will not be eligible to receive the “Early Exchange Premium” of $30 principal amount of New 2050 Notes for each $1,000 principal amount of Pool 1 Notes validly tendered and not validly withdrawn. For the avoidance of doubt, the $30 per $1,000 Early Exchange Premium is included within the Total Exchange Consideration, as calculated using the Fixed Spread over the 30-year Reference UST Security as described herein, and not in addition to the Total Exchange Consideration.

The aggregate principal amount of Pool 2 Notes of each series that are accepted for exchange will be based on the order of acceptance priority for such series as set forth in the table below, and such that the aggregate principal amount of Pool 2 Notes accepted in the Pool 2 Offer results in the issuance of New 2060 Notes in an amount not exceeding $3,000,000,000 (the “New 2060 Notes Issue Cap” and, together with the New 2050 Notes Issue Cap, the “New Notes Issue Cap”). The Pool 2 Notes are as follows:

Pool 2 Table
Title of Security CUSIP
Number		 Principal Amount Outstanding (MM) Acceptance Priority

Level

 Reference UST Security (1)  

Fixed Spread (basis points)

 Cash Payment Percent of Premium (2) Early Exchange Premium (3) (4)
4.750% Notes due 2055 594918BM5 $1,000.0 1 30-year +125 70% $30
4.000% Notes due 2055 594918BE3 $2,250.0 2 30-year +125 100% $30
4.500% Notes due 2057 594918CB8 $2,000.0 3 30-year +125 70% $30
3.950% Notes due 2056 594918BU7 $2,250.0 4 30-year +125 90% $30

(1)   The “30-year Reference UST Security” refers to the 2.375% U.S. Treasury Notes due November 15, 2049.

(2)    The “Cash Payment Percent of Premium” is the percent (as set forth with respect to each series of Pool 2 Notes in the table above) of the amount by which the Total Exchange Consideration (calculated at the Pricing Time) exceeds $1,000 per $1,000 principal amount of such Pool 2 Notes.

(3)    Per $1,000 principal amount of Pool 2 Notes.

(4)    Holders who validly tender Pool 2 Notes after the Early Exchange Time but on or before the Expiration Time will not be eligible to receive the “Early Exchange Premium” of $30 principal amount of New 2060 Notes for each $1,000 principal amount of Pool 2 Notes validly tendered and not validly withdrawn. For the avoidance of doubt, the $30 per $1,000 Early Exchange Premium is included within the Total Exchange Consideration, as calculated using the Fixed Spread over the 30-year Reference UST Security as described herein, and not in addition to the Total Exchange Consideration.

The aggregate principal amount of New Notes to be issued pursuant to the Exchange Offers will be subject to the applicable New Notes Issue Cap. We may in our sole discretion, subject to the applicable law, increase either or both of the New 2050 Notes Issue Cap or the New 2060 Notes Issue Cap. We will accept tenders of Existing Notes by series in accordance with the “acceptance priority level” (in numerical priority order) for each such series as set forth in the applicable table above.

Set forth below is a table summarizing the terms of the New Notes offered in the Exchange Offers:

Title of Series Maturity Date Aggregate Principal Amount of Existing Notes Accepted for Tender (MM) Benchmark Security Spread to Benchmark Security
New 2050 Notes June 1, 2050 An amount of Pool 1 Notes such that the aggregate principal amount of New 2050 Notes issued does not exceed $6,250.0 2.375% U.S. Treasury Notes due November 15, 2049 +125 bps
New 2060 Notes June 1, 2060 An amount of Pool 2 Notes such that the aggregate principal amount of New 2060 Notes issued does not exceed $3,000.0 2.375% U.S. Treasury Notes due November 15, 2049 +140 bps

Microsoft will pay interest on the New Notes at a rate per annum equal to the yield, calculated in accordance with standard market practice, that corresponds to the bid-side price of the 2.375% 30-year Reference UST Security due November 15, 2049, as of the Pricing Time, as displayed on the Bloomberg Government Pricing Monitor page FIT 1 plus the fixed spread set forth in the table above.

The following is a summary of certain key elements of the Exchange Offers:

The Exchange Offers will expire at 11:59 p.m., New York City time, on May 28, 2020, unless extended by Microsoft (such date and time, as they may be extended, the “Expiration Time”). The “Settlement Date” will be promptly following the Expiration Time and is expected to be June 1, 2020, which is the second business day following the Expiration Time.

To be eligible to receive the Early Exchange Premium, holders must validly tender their Existing Notes at or prior to 5:00 p.m., New York City time, on May 13, 2020, unless extended by Microsoft (such date and time, as they may be extended, the “Early Exchange Time”). Tenders of Existing Notes in the Exchange Offers may be validly withdrawn at any time at or prior to the Expiration Time, but will thereafter be irrevocable, except in certain limited circumstances where additional withdrawal rights are required by law. Microsoft reserves the right to remove one or more of the Existing Notes from the Exchange Offers if certain conditions (described below) for such series of Existing Notes will not be achieved.

If holders validly tender Existing Notes prior to the Early Exchange Time and do not validly withdraw such tendered Existing Notes prior to the Expiration Time, and such Existing Notes are accepted by Microsoft, such holders will receive, for each $1,000 principal amount of Existing Notes tendered and accepted, a combination of a principal amount of New Notes and a cash payment with an aggregate value equal to the Total Exchange Consideration (as defined below) as follows:

  • an aggregate principal amount of New Notes equal to (a) the Total Exchange Consideration for such Existing Notes minus (b) the Cash Component (as defined below); and
  • a cash payment equal to the Cash Component.

If holders validly tender Existing Notes after the Early Exchange Time, but prior to the Expiration Time, and such Existing Notes are accepted by Microsoft, such holders will receive, for each $1,000 principal amount of Existing Notes tendered and accepted, a combination of a principal amount of New Notes and a cash payment with an aggregate value equal to the Exchange Consideration (as defined below) as follows:

  • an aggregate principal amount of New Notes equal to (a) the Total Exchange Consideration for such Existing Notes minus (b) the Cash Component minus (c) the Early Exchange Premium; and
  • a cash payment equal to the Cash Component.

In addition to the Total Exchange Consideration or Exchange Consideration, as applicable, holders with Existing Notes that are accepted for exchange will receive a cash payment representing (i) all or a portion of the accrued and unpaid interest to, but not including, the Settlement Date and (ii) amounts due in lieu of any fractional amounts of New Notes. As The Depository Trust company (“DTC”) is the record holder of the Existing Notes, all holders of any Existing Notes will also receive any applicable accrued and unpaid interest on those Existing Notes in accordance with DTC procedures, regardless of the record dates with respect to each series of Existing Notes.

The “Pricing Time” will be 10:00 a.m., New York City time, on May 14, 2020, unless the Early Exchange Time is extended, in which case a new Pricing Time may be established with respect to the Exchange Offers. In the event that the Early Exchange Time is not extended, the Pricing Time will remain the same.

The “Total Exchange Consideration” (calculated at the Pricing Time in accordance with the Prospectus) for the Existing Notes validly tendered prior to the Early Exchange Time, and not validly withdrawn prior to the Expiration Time, is equal to the discounted value on the Settlement Date of the remaining payments of principal and interest per $1,000 principal amount of the Existing Notes through the applicable maturity date or par call date (as applicable) of the Existing Notes, using a yield equal to the sum of: (i) the bid-side yield on the applicable 30-year Reference UST Security set forth with respect to each series of Existing Notes in the tables above plus (ii) the applicable fixed spread set forth with respect to each series of Existing Notes in the tables above, minus accrued and unpaid interest on such series of Existing Notes up to but not including the Settlement Date. For avoidance of doubt, the $30 per $1,000 Early Exchange Premium is included within the Total Exchange Consideration, as calculated using the Fixed Spread of the 30-year Reference UST security and is not in addition to the Total Exchange Consideration.

The “Exchange Consideration” for the Existing Notes validly tendered after the Early Exchange Time but prior to the Expiration Time is equal to the Total Exchange Consideration minus the applicable Early Exchange Premium.

The “Cash Component” means the portion of the Total Exchange Consideration to be paid to holders in cash and is equal to (i) the applicable Cash Payment Percent of Premium for such series of Existing Notes multiplied by (ii) (a) the applicable Total Exchange Consideration for such series of Existing Notes minus (b) $1,000.

The completion of the Exchange Offers for each series of Existing Notes is subject to, and conditional upon, the satisfaction or waiver of certain conditions, including, among other things (i) the Registration Statement having been declared effective by the SEC on or prior to the Expiration Time and remaining effective on the Settlement Date; (ii) the condition that, as of the Pricing Time, the combination of the yield of the New Notes and the Total Exchange Consideration for the applicable series of Existing Notes would result in the New Notes and such Existing Notes not being treated as “substantially different” under FASB Accounting Standards Codification (“ASC”) 470-50; (iii) the requirement, with respect to the Exchange Offers of New Notes for Existing Notes, that we issue at least (a) $500,000,000 aggregate principal amount of New 2050 Notes and (b) $500,000,000 aggregate principal amount of New 2060 Notes; (iv) the Yield Condition (as described in the Prospectus) (for any applicable series of Existing Notes); and (v) that nothing has occurred or may occur that would or might, in our reasonable judgment, be expected to prohibit, prevent, restrict or delay an Exchange Offer or delay the scheduled Pricing Time or impair us from realizing the anticipated benefits of an Exchange Offer. Microsoft may, at its option, waive any such conditions at or by the Expiration Time, except the condition that the registration statement of which this prospectus forms a part has been declared effective by the SEC on or prior to the Expiration Time and remains effective on the Settlement Date.

Copies of the Prospectus pursuant to which the Exchange Offers are being made, may be obtained from D.F. King & Co., Inc., the information agent and exchange agent for the Exchange Offers, at 212-269-5552 (to exchange), at 800-431-9645 (for information U.S. Toll-free), at 212-269-5550 (information for brokers), at www.dfking.com/microsoft, or at microsoft@dfking.com. Questions regarding the terms and conditions of the Exchange Offers should be directed to the following joint lead dealer managers:

BofA Securities
620 South Tryon Street, 20th Floor
Charlotte, NC 28255
Toll Free: (888) 292-0070
Collect: (980) 387-3907
Attn: Liability Management Group		 Deutsche Bank Securities Inc.
60 Wall Street
New York, NY 10005
Toll Free: (866) 627-0391
Collect: (212) 250-2955
Attn: Liability Management Group

The Exchange Offers are made only by and pursuant to the terms and subject to the conditions set forth in the Prospectus, which forms a part of the Registration Statement after it is declared effective by the SEC, and the information in this news release is qualified by reference to such Prospectus and the Registration Statement. None of Microsoft, the dealer managers or the information agent and exchange agent makes any recommendations as to whether holders should tender their Existing Notes pursuant to the Exchange Offers. Holders must make their own decisions as to whether to tender Existing Notes, and, if so, the principal amount of Existing Notes to tender.

This news release does not constitute an offer or a solicitation by Microsoft of an offer to buy, nor shall there be any sale of securities in any state or jurisdiction in which such offer or solicitation or sale would be unlawful.

In order to participate in any Exchange Offer, holders of the Existing Notes located or resident in Canada are required to complete, sign and submit to the exchange agent a Canadian Eligibility Form, which may be obtained from D.F. King & Co., Inc. contacts above, to confirm they satisfy applicable Canadian eligibility requirements and to provide certain additional information.

Any holder of the Existing Notes located in any Member State of the European Economic Area or in the United Kingdom that is a retain investor will not be able to participate in the Exchange Offers. For these purposes, a retain investor means a person who is one or more of the following: (i) a retail client as defined in point (11) of Article 4(1) of the EU Directive on Markets in Financial Instruments (2014/65/EU) (as amended, “MiFID II”); or (ii) a customer within the meaning of Directive (EU) 2016/97, where that customer would not qualify as a professional client as defined in point (10) of Article (4)(1) of MiFID II.

About Microsoft

Microsoft (Nasdaq “MSFT” @microsoft) enables digital transformation for the era of an intelligent cloud and an intelligent edge. Its mission is to empower every person and every organization on the planet to achieve more.

Forward-Looking Statements

Statements in this news release are “forward-looking statements” based on current expectations and assumptions that are subject to risks and uncertainties. Actual results could differ materially because of factors described above as well as:

  • intense competition in all of our markets that may lead to lower revenue or operating margins;
  • increasing focus on cloud-based services presenting execution and competitive risks;
  • significant investments in products and services that may not achieve expected returns;
  • acquisitions, joint ventures, and strategic alliances that may have an adverse effect on our business;
  • impairment of goodwill or amortizable intangible assets causing a significant charge to earnings;
  • cyberattacks and security vulnerabilities that could lead to reduced revenue, increased costs, liability claims, or harm to our reputation or competitive position;
  • disclosure and misuse of personal data that could cause liability and harm to our reputation;
  • the possibility that we may not be able to protect information stored in our products and services from use by others;
  • abuse of our advertising or social platforms that may harm our reputation or user engagement;
  • the development of the internet of things presenting security, privacy, and execution risks;
  • issues about the use of artificial intelligence in our offerings that may result in competitive harm, legal liability, or reputational harm;
  • excessive outages, data losses, and disruptions of our online services if we fail to maintain an adequate operations infrastructure;
  • quality or supply problems;
  • the possibility that we may fail to protect our source code;
  • legal changes, our evolving business model, piracy, and other factors may decrease the value of our intellectual property;
  • claims that Microsoft has infringed the intellectual property rights of others;
  • claims against us that may result in adverse outcomes in legal disputes;
  • government litigation and regulatory activity relating to competition rules that may limit how we design and market our products;
  • potential liability under trade protection, anti-corruption, and other laws resulting from our global operations;
  • laws and regulations relating to the handling of personal data that may impede the adoption of our services or result in increased costs, legal claims, fines, or reputational damage;
  • additional tax liabilities;
  • damage to our reputation or our brands that may harm our business and operating results;
  • exposure to increased economic and operational uncertainties from operating a global business, including the effects of foreign currency exchange;
  • uncertainties relating to our business with government customers;
  • adverse economic or market conditions that may harm our business;
  • catastrophic events or geo-political conditions, such as the COVID-19 pandemic, that may disrupt our business; and
  • the dependence of our business on our ability to attract and retain talented employees.

For more information about risks and uncertainties associated with Microsoft’s business, please refer to the “Management’s Discussion and Analysis of Financial Condition and Results of Operations” and “Risk Factors” sections of Microsoft’s SEC filings, including, but not limited to, its annual report on Form 10-K and quarterly reports on Form 10-Q that are incorporated by reference in the Prospectus forming a part of the Registration Statement, copies of which may be obtained by contacting Microsoft’s Investor Relations department at (800) 285-7772 or at Microsoft’s Investor Relations website at http://www.microsoft.com/en-us/investor.

Posted on by Leave a comment

2 years of digital transformation in 2 months

This week, CEO Satya Nadella delivered Microsoft’s quarterly earnings report to Wall Street—our first in the era of COVID-19. On the call, Satya shared some new numbers: In April, we saw more than 200 million Microsoft Teams meeting participants in a single day, generating more than 4.1 billion meeting minutes. Also, Teams now has more than 75 million daily active users, and two-thirds of them have shared, collaborated, or interacted with files on Teams as well. As Satya put it, “We’ve seen two years’ worth of digital transformation in two months. From remote teamwork and learning, to sales and customer service, to critical cloud infrastructure and security—we are working alongside customers every day to help them adapt and stay open for business in a world of remote everything.”

To keep their teams connected in this world of remote everything, our customers need more than meetings or chat alone. Teams combines meetings, calls, chat, and collaboration into a single tool that preserves context and keeps everyone up to speed. Below, I dig into the role that Teams is playing to keep the world working and share customer stories about how Teams enables their work. But first, a bit more about those numbers.

About the numbers

Satya shared three important types of numbers in his call: daily meeting participants, daily meeting minutes, and daily active users. We see different vendors use these metrics in different ways, but we’re the only one on the market that can release all three. The reason for that is simple: Teams is the only solution that offers chat, calls, meetings, and collaboration in one.

So how do we define each? Our daily meeting participants number is the aggregate number of people joining a meeting in a day—so if someone participates in five meetings in a day, they would be counted five times. Meanwhile, we measure daily meeting minutes by adding together the total time people spend in Teams meetings within a 24-hour period. For example, if two people are in the same 10-minute meeting, we count that as 20 meeting minutes. Finally, we define daily active users (DAU) as the count of unique users performing an intentional action in a 24-hour period in any of the Teams clients—desktop, mobile, or web. Intentional actions include sending or replying to a chat, joining a meeting, or opening a file in Teams. We don’t count passive actions like auto boot, minimizing a screen, or closing the app. We also don’t count Skype Consumer or Skype for Business usage, since that’s a completely different app. Our DAU numbers are de-duped, meaning we only count each user once.

Powering the world’s work

Across education, government, healthcare, and business, Teams is powering collaboration for organizations of all sizes while meeting the highest standards of security and privacy. Around the world, more than 183,000 educational institutions use Teams. In the United Arab Emirates alone, over 350,000 students are relying on Teams for remote learning. On the business side, 20 organizations have more than 100,000 active users on Teams, including Continental AG, Ernst & Young, Pfizer, and SAP. Just last week, Accenture became the first organization to surpass half a million users, and we expanded our partnership with the NFL. We even collaborated with the League to help bring the first-ever virtual NFL Draft to life with Teams!

And after weeks of learning, working and living this way, we’re all developing new habits. Some COVID-19-era habits will prove temporal—I know many parents who can’t wait for the return of in-person play dates, for instance. But we believe the habits we see in Teams are more durable and will persist well beyond the current crisis. Data from regions like China and South Korea, where many people have returned to the office, but continue Teams habits they developed while working apart, backs this up. For example, a report out this month showed more than two times the number of new Teams users each day in China compared to end of January. And the number of daily active Teams users in China also continued to grow week over week.

Helping our customers

We are so inspired by the ingenuity and agility of our customers as they navigate the shift to remote work. Here are a few of their stories.

Accenture:
Accenture is one of the largest users of Microsoft Teams in the world, and during this unprecedented crisis, it is proving to be invaluable—both for us and for helping our clients maintain business continuity and stay connected to their people and customers.”
—Julie Sweet, Chief Executive Officer, Accenture

Goodyear Tire Company:
“Our work from home experience has been nothing short of phenomenal. We were able to transition 25,000 associates to working from home in a matter of just a few days, and Teams played a vital role in that. This is evidenced by a tremendous increase in Teams usage, which includes a 410 percent increase in Teams meetings compared to a normal week. We have continued to work in the Goodyear way taking care of our customers and associates with integrity and conscientiousness, with Teams helping our associates stay connected to their work and each other.”
—Sherri Neubert, Vice President and Chief Information Officer, Goodyear Tire Company

Guildford Technical Community College:
We found ourselves faced with implementing a collaboration tool in a couple of days versus the original 90-120 days we had originally planned. Fortunately, we had begun testing and building out some of the basic functionality in Teams, but not to the extent to complete an enterprise rollout. COVID-19 entered the picture and we had no choice other than to roll out Teams to all faculty and staff at the college and to include classroom instruction among other things. Thanks to the MS “team,” pun intended, we were able to pull it off successfully and we are now working to enable additional functionality to the faculty, staff and students. Thank you so much for your responsiveness and willingness to help us during a very trying time, MS team! You folks rock!
—Ron G Horn, Chief Information Officer, Guildford Technical Community College

Calderdale and Huddersfield NHS Foundation Trust:
Consultant Medical Oncologist Jo Dent runs several clinics for cancer patients at the trust—many of them young women with busy lives, jobs, and children to look after. Previously, patients could choose from appointments at fixed times of the week and often travelled with their families for up to an hour for a five-minute check-up. Now, Dr. Dent can contact a patient using Teams at a time that suits them both. Dent says, “We can have a quick chat over video just so I can check that the treatment that I’ve prescribed is working how I would expect. It gives them the chance to drop the kids off at school and lets the appointment happen on their time, not our time. With Teams, we offer the patient the choice, and it’s less stressful for them.”
—Jo Dent, Consultant Medical Oncologist, Calderdale and Huddersfield NHS Foundation Trust

In this era of remote everything, we have seen two years’ worth of digital transformation in two months. Teams is enabling this accelerated transformation by giving people a single tool to chat, call, meet, and collaborate. With Teams as their hub for teamwork, our customers are discovering new collaboration habits that we believe will persist well beyond this crisis. We are committed to continuing to build the tools that keep them connected and productive—through COVID-19 and beyond.

Posted on by Leave a comment

Virtual graduation toolkit helps preserve traditions of pride and celebration

Preserving traditions with virtual graduations

Humans love to celebrate. We learn at an early age that every milestone is a good reason to gather, share our excitement with friends and family, feel pride in our accomplishments, and enjoy the warmth of connection. And the reason for celebration can be defined in many different ways. It can mark something as simple as the passing of time (like a birthday), or something a person spends years working toward, like a high school or college graduation. Celebrating and marking milestones are more important than ever when times are difficult. What better opportunity to highlight the positive, and come together to support one another than when other parts of life are uncertain? But how do you celebrate when people need to stay physically distant to be safe?

Around the world, millions of people are struggling with this question—especially education administrators, students, and their loved ones. At this time of year, there are thousands of ceremonies and traditions for all levels of education that typically bring large groups together. They range from pre-school song-and-dance presentations, to the “Pomp and Circumstance” and cap tossing of university graduations. Every one of them provides a sense of closure for one chapter of life, and the opening to another, and means a great deal to students, families, and educators.

The
current situation has made it unwise for groups to gather in the usual way, so
educational institutions are working to find alternative ways to mark their
commencements. This is an incredibly difficult decision to make.

Teams live event availability expanded to support MORE digital graduations!

Starting in early May 2020, organizations with the Microsoft Office 365 A1, which is free for educational institutions, will have the ability to host and broadcast Teams live events for a limited time. Users with faculty licenses can host a virtual graduation, alumni summit or any other live event. In addition to adding Teams Live Events to Office 365 A1, we have  increased the audience size to 20,000, number of concurrent live events to 50 and extended the length to 16 hours, at no extra cost. Starting in early May 2020, live events will be automatically enabled for users with an A1 faculty license and automatically disabled on July 1.

There is no “one size fits all” solution to properly recognize the achievements of every student and honor the traditions of each school and group while following recommended social distancing policies. But as schools around the world are demonstrating, there are many creative and innovative ways to make the most of this graduation season. Online solutions range from PowerPoint presentations prepared by faculty/administrators with input and content from students, to hybrid live, recorded, and livestreamed ceremonies. For example, Ritusemeikan Primary school in Japan held an in-person commencement with their students and faculty, but livestreamed it to families via Teams, to limit the number of people at the gathering.

Students at the University of Pennsylvania and several other colleges and universities have collaborated to recreate their campuses in Minecraft. Many of them are organizing virtual versions of traditions and ceremonies practiced at their schools that will be held and viewed in the Minecraft world. And one of the most moving examples is by Newcastle University Medical School, where the graduating class individually recorded themselves reciting the Hippocratic Oath and posted it to Flipgrid to express their commitment to their new position as medical doctors. Administrators also recorded congratulatory speeches, and the school produced a short video commemorating the event that’s available for all to view.

Though every tradition and ceremony is different, with the right tools and a little creativity, there are ways to celebrate safely and make positive memories for all.

Digital events can even follow the traditional graduation flow with an academic procession, a welcome address, presentation of awards, speeches, and more.

To support institutions moving forward with digital graduations and celebrations, we’ve put together a toolkit of resources that will be updated regularly. To see the most up-to-date content, check back to this page often:

Graduations and celebrations come in many forms. You can hold a digital celebration for a team at the end of their season, host a goodbye party to mark a student’s transition from elementary school to middle school, or host a traditional online graduation to mark the completion of high school or college.

And starting in early May 2020, we’ve made the applications needed more broadly available than ever. Users with the Microsoft Office 365 A1 faculty license, which is free for educational institutions, will have the ability to host and broadcast Teams live events for a limited time. That means users with A1 faculty licenses can host a virtual graduation, alumni summit or any live event for up to 20,000 attendees, at no extra cost. Starting in early May 2020, live events will be automatically enabled for users with an A1 faculty license and automatically disabled on July 1.

We recognize the process of hosting a virtual graduation is a first for many educational institutions, and we’re here to help with this important moment for your students and their family. To ensure schools are able to successfully execute their plans, our Microsoft Store team will offer resources and personalized trainings, tailored to the unique needs of each participating school. Get started today! Once we have information about your school’s goals, and schedule, we can determine the best way to help you conduct your virtual graduation ceremony and celebrate your student’s milestone achievement.

Challenging times can bring out the best in the human spirit and inspire innovation and creativity. We’d love to hear your ideas and see your solutions!

Our sincere congratulations to everyone celebrating achievements and moving toward their next milestone.

Posted on by Leave a comment

New Minecraft Earth features out now

Summary

  • Minecraft Earth introduces Player Journal and updated Challenges today
  • Additional new features added recently include Adventure Crystals and Buildplate Link Sharing

It’s been nearly six months since the first tappables were tapped and buildplates were built in Minecraft Earth with our initial early access release. We’ve used these six months to test, build, and collect feedback from our players to shape an experience that continues to evolve and change.

Today, we’re excited to share some of the new tools and features that we’ve been working on:

  • Player Journal, released today, provides a way to collect and track different mobs and blocks collected and gain rewards for unique items. You could also say that this provides a way to earn bragging rights amongst your friends!
  • Today we also released an update to Challenges, giving them a makeover and introducing new challenge Seasons. Pick your path through the Season map to complete challenges and unlock rewards! You can even unlock new character creator clothing to wear in vanilla Minecraft. Challenges can now also be refreshed through randomized tappables for players to collect.  
  • Adventure Crystals, released on March 25, give players an easy way to experience Adventures (which were previously tied to a physical location) in their home, their backyard, or wherever they are. Players collect these through tappables and can spawn them anywhere and anytime to play and gain rewards. Common Crystals are given as daily rewards, but you need to find chests inside adventures to discover crystals and adventures of higher rarity!
  • Buildplate Link Sharing, released on April 14, allows players to share their Minecraft Earth creations with friends simply by sending them a link they generate in-game or on social media. But worry not – links shared are a copy of the original world, so your little brother isn’t actually able to destroy your masterpiece.

The Minecraft Earth team and I also want to take a moment to acknowledge the current global COVID-19 situation. We have been adapting the game accordingly over the last few weeks by increasing tappable spawn rate and density, introducing Adventure Crystals and removing location-based dependencies, and trying to find ways to help empower Minecraft Earth players to continue to build, craft, Adventure, and mine from the safety of their own homes.

Minecraft Earth is poised to continue growing as we regularly develop new tools, experiences and features. So much of this growth is due to the valuable community feedback we’ve received thus far, so we’d like to say “thank you” and stay tuned – there’s much more to come in the months ahead.

Posted on by Leave a comment

New tools to help IT empower employees securely in a remote work world

If you want to know just how dramatically the world has changed over the last few months, consider how your opinion on working from home has changed since March. Remote work used to be an option that was nice to have if you needed it or if you were getting some extra things done over the weekend—but I don’t think any of us ever anticipated that mastering every nuance of working from home in a climate like this was going to be a critical part of our long-term success.

The challenges of the work-from-home necessitated by COVID-19 will never be forgotten by anyone, especially in our IT community where 100-hour weeks were necessary to make sure everyone else could continue working 40. Here at Microsoft, we’ve probably seen every possible challenge from every industry and point on the map, and we are committed to partnering with you as we all navigate this “new normal” and keep working to ensure the continuity of your business at a time when there’s no precedent to guide us.

As you’ve shared your challenges with us, we have been hard at work to find the answers that technology can provide. Whether it’s enabling remote meetings and collaboration, provisioning and managing remote devices, ensuring the data that’s no longer confined to your network remains secure and compliant, using low-code tools and platforms to rapidly build new business applications, or addressing the latest COVID-19-related threats—we have built solutions and developed the guidance your organization needs to help you make the most of this new environment. I recommend you check out the full set of assets we’ve complied on the Microsoft Together site.

Over the last two months, there has been heavy usage of Microsoft Teams for online meetings, group chat, file sharing, and more—and this has led to an unprecedented spike in active usage that we’ve worked around the clock (quite literally) to support. Today we announced new features to enhance the meetings experience for organizations and schools. For those of you using Teams, we have resources to help you with best practices and tips, wherever you are in your Teams adoption journey. You can access those resources and see what else is new in this Tech Community blog.

Enabling your users to work from anywhere, regardless of the industry you’re in, requires a level of confidence and control over how users access information across different device endpoints and networks. To make this easier for you, today I’m happy to announce several improvements to our products, including:

  • A new management experience for Windows Virtual Desktop to quickly provision and manage remote desktops and apps and upcoming support for Microsoft Teams.
  • A unified control plane for device and access management, with Microsoft Endpoint Manager and Azure Active Directory (Azure AD), to ensure all endpoints connecting to corporate resources are secure.
  • And the ability to get the insights you need to understand how your organization is working, and make proactive improvements with Microsoft Productivity Score.

Also, we invite you to tune into our Fireside Chat today at 7 AM Pacific, during which Alysa Taylor (Corporate Vice President, Microsoft Business Applications & Global Industry), Bret Arsenault (Corporate Vice President, Microsoft Chief Information Security Officer), and I will answer your questions, share best practices, and provide guidance to help you during this challenging time. If you can’t join us live, you can watch the replay here.

Enabling you with a virtualized desktop for remote work with Windows Virtual Desktop

Many of our customers have turned to the power of desktop and app virtualization to empower their remote workers on any device. Windows Virtual Desktop uses the scale and power of the Azure global footprint and network to enable a secure remote app and/or desktop experience wherever your users are.

Today I’m happy to announce that we’ve made some significant updates to help to make it easier for you:

  • Updated management experience—Now get started with Windows Virtual Desktop faster with the new management experience deeply integrated into the Azure Portal. You can set up host pools, manage applications or desktops, and assign users—all from the Azure Portal. We have improved the auto-scaling experience through integration with Azure Automation and Azure Logic Apps. Check out the details in this Microsoft 365 blog.
  • Compliance and security—Windows Virtual Desktop is already available worldwide and today we are giving users choice on where to store the service data to meet your regulatory and compliance needs. releasing support for service databases distributed across Azure regions for regulatory and compliance needs of data residency—service metadata can be distributed across the U.S. and Europe, with additional regions coming soon.
  • Upcoming support for Microsoft Teams—Additionally, we will be improving the remote meeting and collaboration experience when using Microsoft Teams from Windows Virtual Desktop deployments with “A/V redirection” for video calling. This will create a direct path between your users when sharing video, significantly improving the video and audio experience. We expect this feature to be available within a month in Public Preview. Check out the deep dive.

You can read more about these new Windows Virtual Desktop features in a Microsoft 365 blog I wrote together with Julia White today. In addition, for a robust set of videos from the Windows Virtual Desktop engineering team demoing step-by-step deployments with all this new functionality and more, watch the Virtual Event content.

New features to help you to manage and secure your endpoints remotely

Securing remote work starts with a strong identity foundation. Azure Active Directory (Azure AD) enables your remote workers to find and access the apps they need from anywhere without compromising security. Many of our customers use Azure AD Conditional Access policies and multi-factor authentication (MFA) to secure access to their resources aligned with the principles of Zero Trust, and enable remote collaboration with external users with B2B collaboration capabilities.

Today, we’re extending the ability to use Azure AD single sign-on (SSO) with as many cloud applications as you’d like across all pricing tiers, including Azure AD Free. This means any Microsoft customer using a subscription of a commercial online service can connect all their cloud applications to Azure AD for single sign-on, and protect this access with multi-factor authentication (MFA) as a security default at no extra cost. We are also introducing several new features to make it easier for IT administrators to secure and manage access. You can learn more in the Azure AD blog authored by Alex Simons.

With Microsoft Endpoint Manager, we’ve done a lot to help ensure that your people can access information and services securely from almost any device. For broader endpoint management, across your apps and devices, we’ve improved the integration between Configuration Manager and the Microsoft Endpoint Manager admin center in Azure. You can try the new Endpoint Manager portal yourself at endpoint.microsoft.com.

Other new features include:

  • Tenant attach—With tenant attach, you can quickly attach an Intune tenant to your Configuration Manager deployment to enable the two to work together. Starting with the Configuration Manager 2002 release, you can upload your Configuration Manager devices to the cloud service and take actions—like device and user policy sync—directly from the Endpoint Manager admin center. This will help speed up common actions you might take and provide a consolidated view of all your organization’s devices in the web-based admin center. In the near future, searching for a user in the troubleshooting portal will allow your help desk to see all of a user’s device regardless of their management configuration in Microsoft Endpoint Manager. Over the coming months we’ll enable more troubleshooting tools to enable your help desk access to information and capabilities to facilitate their day-to-day actions.
  • Unified app delivery—We’ve also been working to bring the richness of Software Center from Configuration Manager and MyApps from Azure Active Directory into our Company Portal app for unified app delivery, so people can get the apps they need across their endpoints. The unified end user experience is expected in the next few weeks. But don’t worry, if you rely on Software Center and MyApps as standalone portals, they are not going away.
  • Support for Microsoft Edge for deploying apps and packages across platforms—A few months back, we released the new Microsoft Edge browser, which gives you the most compatibility for modern web and your existing apps, plus you benefit from the advanced security and privacy controls. Today, our endpoint management experiences natively integrate the app and package deployment process for PC and MacOS, and you can distribute the Edge mobile apps directly from the App Store or Google Play. We also have a security baseline dedicated to securing Edge.
  • Expanded support for macOS—Microsoft Endpoint Manager is a unified platform for all endpoints, so I’m excited to announce that we are introducing the Intune MDM agent for macOS, which extends the management controls in macOS. For example, with shell scripting, admins can leverage the agent to automate repetitive tasks and attain greater flexibility in configuring Macs. This is just the beginning of new capabilities, and we’re well on our way to giving admins first-class macOS management with Microsoft Intune.
  • Prevent cross-account sharing in Outlook mobile—With Microsoft Intune, you can apply app protection policies for Outlook for iOS and Android to help to ensure that work or school accounts can only access approved storage locations. This enables you to mitigate the risk of introducing personal content and potentially malicious content from entering your corporate environment. We’ve also updated the file attachment experience in Outlook to help guide you towards these trusted data sources and further protect mobile communications and collaboration in the enterprise.

Improve employee and technology experiences with Productivity Score preview

Remaining productive in this new remote work-centric world can be challenging on many levels. Employees are using new tools to collaborate, meet, and communicate, while needing to securely work anywhere. Enabling this requires a powerful and consistent technology experience. As an IT Pro, you’re responsible for ensuring both the employee and technology experience. Productivity Score can help by delivering visibility into how your organization is working, insights to improve productivity, and recommendations actionable in Microsoft 365 to fix issues and impart helpful changes.

Available in preview, Productivity Score is an analytics solution that measures employee and technology experiences versus benchmarks and your own business goals. These goals are flexible and personal to your organization, making it a key tool to maximize your IT investments as you adjust to new remote workstyles and needs now, and in the future, when onsite work begins to restart.

Based on feedback from our initial November announcement at Ignite 2019, we are moving beyond providing tenant-level information and can now give you more granular insights in critical categories, including:

  • Content Collaboration, so you can understand how people are reading, authoring, collaborating, and sharing content though OneDrive and SharePoint.
  • Mobility, to help you see how your employees work from any device, anywhere though their use of email, documents, and Microsoft Teams across the web, mobile, and desktop versions.
  • Communications, a new category designed to drive awareness and action so people can easily communicate via email, chat, and Yammer posts.

At Ignite, we also talked about how technology is critical to productivity. Today we are adding to Productivity Score, insights on how endpoints and your network contribute to your organizational productivity. The Network Connectivity category provides visibility into which worksite locations have network challenges that may inhibit access to critical workloads such as Exchange Online, SharePoint Online, and in the future, Microsoft Teams.

Endpoint Analytics helps you measure and improve one of my favorite things—time to productivity. In other words, the time it takes someone to get up and running. Lag time leaves your employees waiting—and unproductive. For example, people are surprised when I share that my managed device cold boots in under 15 seconds with all the security and policy controls applied. I strongly believe this can be achieved in any environment and I want to help you get there. Endpoint Analytics can help by identifying policies or hardware issues that may be slowing down devices in your estate, and proactively make changes without the need to disrupt end users or generate a help desk ticket.

To learn more about what’s new with Productivity Score, check out this Tech Community blog.

Investing in resources to help you through this time

We also understand that there’s never been a more important time to ensure you are securing and governing your most critical data. Check out today’s Microsoft Security blog from Alym Rayani as he shares some new research and product innovation that will help you to more easily secure and govern your most critical assets.

We understand what a challenging time this is for you—both professionally and personally. We remain committed to innovating in ways that will make your job easier and help you empower your people to be productive and secure in this new world of work. For more information and detailed guidance around empowering your employees, securing your environment, and more, check out the COVID-19 Remote Work resources page.

Posted on by Leave a comment

How Xbox Game Pass is helping friends stay connected

For many of us, the current global health situation has made it more difficult to spend time with friends, family, and the people we care about most. We are heartened to see many people using games to be entertained, to find inspiration, and to strengthen social connections through shared adventures.

At Xbox, our mission has always been to bring you the best games to play, with the people you want to play with. That’s why we created Xbox Game Pass, a community with unlimited access to a curated library of over 100 great Xbox console and PC games. 

We’re excited by the response to Xbox Game Pass and yesterday we announced that Game Pass now has over 10 million members from 41 countries worldwide. 

Xbox Game Pass inspires a new era of gaming – where the community with the same Game Pass plan can play a large common catalog of the best games, discovering new titles and experiences together. With Game Pass, we want to answer the question: what to play next with my friends?

We’re still early on this journey, and in the last two months we’ve seen how important gaming can be to our community.

Since March, Xbox Game Pass members have added over 23 million friends on Xbox Live, which is a 70% growth in friendship rate. Game Pass members are also playing twice as much and engaging in more multiplayer gaming, which has increased by 130%.

Xbox Game Pass is empowering players and their friends to branch out and discover new games they might not have played before. We know this because after joining Game Pass people play 40% more games and more than 90% of members have played a game they wouldn’t have tried without Game Pass – often discovering new genres they have not yet experienced. This speaks to our passion at Xbox for sharing and celebrating the games that we love and for showcasing works, from blockbusters to indie developers with unique points of view.

The Xbox Game Pass library includes some of the biggest blockbuster franchises like Forza, Gears of War, Halo, Minecraft, NBA 2K, and The Witcher. It also includes dozens of high-quality games from independent developers, and 30% of our most popular games are family friendly titles like Kingdom Hearts III, Ori and the Will of the Wisps, and Sea of Thieves.

We’re humbled by the reception to Xbox Game Pass. It’s changing the way we play and discover games together, and it inspires us on our journey to help people connect through gaming.

We’re also inspired to deliver you our fastest, most powerful console ever that will set a new bar for performance, feel, speed and compatibility when it releases this holiday; as well as a library of games from our 15 Xbox Game Studios and thousands of development partners around the world. Later this year our cloud game streaming technology, Project xCloud, will come to Game Pass—so you and your friends can stream and play the games you love together on your devices.

I’ve always believed gaming has a unique power to bring us together, and I’m proud of how our artform is introducing this unique power to more people during a time of need. I have no doubt that we’ll come through this experience stronger than ever.

Stay safe and stay well.

Phil

Posted on by Leave a comment

Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk

At a time when remote work is becoming universal and the strain on SecOps, especially in healthcare and critical industries, has never been higher, ransomware actors are unrelenting, continuing their normal operations.

Multiple ransomware groups that have been accumulating access and maintaining persistence on target networks for several months activated dozens of ransomware deployments in the first two weeks of April 2020. So far the attacks have affected aid organizations, medical billing companies, manufacturing, transport, government institutions, and educational software providers, showing that these ransomware groups give little regard to the critical services they impact, global crisis notwithstanding. These attacks, however, are not limited to critical services, so organizations should be vigilant for signs of compromise.

The ransomware deployments in this two-week period appear to cause a slight uptick in the volume of ransomware attacks. However, Microsoft security intelligence as well as forensic data from relevant incident response engagements by Microsoft Detection and Response Team (DART) showed that many of the compromises that enabled these attacks occurred earlier. Using an attack pattern typical of human-operated ransomware campaigns, attackers have compromised target networks for several months beginning earlier this year and have been waiting to monetize their attacks by deploying ransomware when they would see the most financial gain.

Many of these attacks started with the exploitation of vulnerable internet-facing network devices; others used brute force to compromise RDP servers. The attacks delivered a wide range of payloads, but they all used the same techniques observed in human-operated ransomware campaigns: credential theft and lateral movement, culminating in the deployment of a ransomware payload of the attacker’s choice. Because the ransomware infections are at the tail end of protracted attacks, defenders should focus on hunting for signs of adversaries performing credential theft and lateral movement activities to prevent the deployment of ransomware.

In this blog, we share our in-depth analysis of these ransomware campaigns. Below, we will cover:

We have included additional technical details including hunting guidance and recommended prioritization for security operations (SecOps).

Vulnerable and unmonitored internet-facing systems provide easy access to human-operated attacks

While the recent attacks deployed various ransomware strains, many of the campaigns shared infrastructure with previous ransomware campaigns and used the same techniques commonly observed in human-operated ransomware attacks.

In stark contrast to attacks that deliver ransomware via email—which tend to unfold much faster, with ransomware deployed within an hour of initial entry—the attacks we saw in April are similar to the Doppelpaymer ransomware campaigns from 2019, where attackers gained access to affected networks months in advance. They then remained relatively dormant within environments until they identified an opportune time to deploy ransomware.

To gain access to target networks, the recent ransomware campaigns exploited internet-facing systems with the following weaknesses:

  • Remote Desktop Protocol (RDP) or Virtual Desktop endpoints without multi-factor authentication (MFA)
  • Older platforms that have reached end of support and are no longer getting security updates, such as Windows Server 2003 and Windows Server 2008, exacerbated by the use of weak passwords
  • Misconfigured web servers, including IIS, electronic health record (EHR) software, backup servers, or systems management servers
  • Citrix Application Delivery Controller (ADC) systems affected by CVE-2019-19781
  • Pulse Secure VPN systems affected by CVE-2019-11510

Applying security patches for internet-facing systems is critical in preventing these attacks. It’s also important to note that, although Microsoft security researchers have not observed the recent attacks exploiting the following vulnerabilities, historical signals indicate that these campaigns may eventually exploit them to gain access, so they are worth reviewing: CVE-2019-0604, CVE-2020-0688, CVE-2020-10189.

Like many breaches, attackers employed credential theft, lateral movement capabilities using common tools, including Mimikatz and Cobalt Strike, network reconnaissance, and data exfiltration. In these specific campaigns, the operators gained access to highly privileged administrator credentials and were ready to take potentially more destructive action if disturbed. On networks where attackers deployed ransomware, they deliberately maintained their presence on some endpoints, intending to reinitiate malicious activity after ransom is paid or systems are rebuilt. In addition, while only a few of these groups gained notoriety for selling data, almost all of them were observed viewing and exfiltrating data during these attacks, even if they have not advertised or sold yet.

As with all human-operated ransomware campaigns, these recent attacks spread throughout an environment affecting email identities, endpoints, inboxes, applications, and more. Because it can be challenging even for experts to ensure complete removal of attackers from a fully compromised network, it’s critical that vulnerable internet-facing systems are proactively patched and mitigations put in place to reduce the risk from these kinds of attacks.

A motley crew of ransomware payloads

While individual campaigns and ransomware families exhibited distinct attributes as described in the sections below, these human-operated ransomware campaigns tended to be variations on a common attack pattern. They unfolded in similar ways and employed generally the same attack techniques. Ultimately, the specific ransomware payload at the end of each attack chain was almost solely a stylistic choice made by the attackers.

diagram showing different attack stages and techniques in each stage that various ransomware groups use

RobbinHood ransomware

RobbinHood ransomware operators gained some attention for exploiting vulnerable drivers late in their attack chain to turn off security software. However, like many other human-operated ransomware campaigns, they typically start with an RDP brute-force attack against an exposed asset. They eventually obtain privileged credentials, mostly local administrator accounts with shared or common passwords, and service accounts with domain admin privileges. RobbinHood operators, like Ryuk and other well-publicized ransomware groups, leave behind new local and Active Directory user accounts, so they can regain access after their malware and tools have been removed.

Vatet loader

Attackers often shift infrastructure, techniques, and tools to avoid notoriety that might attract law enforcement or security researchers. They often retain them while waiting for security organizations to start considering associated artifacts inactive, so they face less scrutiny. Vatet, a custom loader for the Cobalt Strike framework that has been seen in ransomware campaigns as early as November 2018, is one of the tools that has resurfaced in the recent campaigns.

The group behind this tool appears to be particularly intent on targeting hospitals, as well as aid organizations, insulin providers, medical device manufacturers, and other critical verticals. They are one of the most prolific ransomware operators during this time and have caused dozens of cases.

Using Vatet and Cobalt Strike, the group has delivered various ransomware payloads. More recently, they have been deploying in-memory ransomware that utilizes Alternate Data Streams (ADS) and displays simplistic ransom notes copied from older ransomware families. To access target networks, they exploit CVE-2019-19781, brute force RDP endpoints, and send email containing .lnk files that launch malicious PowerShell commands. Once inside a network, they steal credentials, including those stored in the Credential Manager vault, and move laterally until they gain domain admin privileges. The group has been observed exfiltrating data prior to deploying ransomware.

NetWalker ransomware

NetWalker campaign operators gained notoriety for targeting hospitals and healthcare providers with emails claiming to provide information about COVID-19. These emails also delivered NetWalker ransomware directly as a .vbs attachment, a technique that has gained media attention. However, the campaign operators also compromised networks using misconfigured IIS-based applications to launch Mimikatz and steal credentials, which they then used to launch PsExec, and eventually deploying the same NetWalker ransomware.

PonyFinal ransomware

This Java-based ransomware had been considered a novelty, but the campaigns deploying PonyFinal weren’t unusual. Campaign operators compromised internet-facing web systems and obtained privileged credentials. To establish persistence, they used PowerShell commands to launch the system tool mshta.exe and set up a reverse shell based on a common PowerShell attack framework. They also used legitimate tools, such as Splashtop, to maintain remote desktop connections.

Maze ransomware

One of the first ransomware campaigns to make headlines for selling stolen data, Maze continues to target technology providers and public services. Maze has a history of going after managed service providers (MSPs) to gain access to the data and networks of MSP customers.

Maze has been delivered via email, but campaign operators have also deployed Maze to networks after gaining access using common vectors, such as RDP brute force. Once inside a network, they perform credential theft, move laterally to access resources and exfiltrate data, and then deploy ransomware.

In a recent campaign, Microsoft security researchers tracked Maze operators establishing access through an internet-facing system by performing RDP brute force against the local administrator account. Using the brute-forced password, campaign operators were able to move laterally because built-in administrator accounts on other endpoints used the same passwords.

After gaining control over a domain admin account through credential theft, campaign operators used Cobalt Strike, PsExec, and a plethora of other tools to deploy various payloads and access data. They established fileless persistence using scheduled tasks and services that launched PowerShell-based remote shells. They also turned on Windows Remote Management for persistent control using stolen domain admin privileges. To weaken security controls in preparation for ransomware deployment, they manipulated various settings through Group Policy.

REvil ransomware

Possibly the first ransomware group to take advantage of the network device vulnerabilities in Pulse VPN to steal credentials to access networks, REvil (also called Sodinokibi) gained notoriety for accessing MSPs and accessing the networks and documents of customers – and selling access to both. They kept up this activity during the COVID-19 crisis, targeting MSPs and other targets like local governments. REvil attacks are differentiated in their uptake of new vulnerabilities, but their techniques overlap with many other groups, relying on credential theft tools like Mimikatz once in the network and performing lateral movement and reconnaissance with tools like PsExec.

Other ransomware families

Other ransomware families used in human-operated campaigns during this period include:

  • Paradise, which used to be distributed directly via email but is now used in human-operated ransomware attacks
  • RagnarLocker, which is deployed by a group that heavily uses RDP and Cobalt Strike with stolen credentials
  • MedusaLocker, which is possibly deployed via existing Trickbot infections
  • LockBit, which is distributed by operators that use the publicly available penetration testing tool CrackMapExec to move laterally

We highly recommend that organizations immediately check if they have any alerts related to these ransomware attacks and prioritize investigation and remediation. Malicious behaviors relevant to these attacks that defenders should pay attention to include:

  • Malicious PowerShell, Cobalt Strike, and other penetration-testing tools that can allow attacks to blend in as benign red team activities
  • Credential theft activities, such as suspicious access to Local Security Authority Subsystem Service (LSASS) or suspicious registry modifications, which can indicate new attacker payloads and tools for stealing credentials
  • Any tampering with a security event log, forensic artifact such as the USNJournal, or a security agent, which attackers do to evade detections and to erase chances of recovering data

Customers using Microsoft Defender Advanced Threat Protection (ATP) can consult a companion threat analytics report for more details on relevant alerts, as well as advanced hunting queries. Customers subscribed to the Microsoft Threat Experts service can also refer to the targeted attack notification, which has detailed timelines of attacks, recommended mitigation steps for disrupting attacks, and remediation advice.

If your network is affected, perform the following scoping and investigation activities immediately to understand the impact of this breach. Using indicators of compromise (IOCs) alone to determine impact from these threats is not a durable solution, as most of these ransomware campaigns employ “one-time use” infrastructure for campaigns, and often change their tools and systems once they determine the detection capabilities of their targets. Detections and mitigations should concentrate on holistic behavioral based hunting where possible, and hardening infrastructure weaknesses favored by these attackers as soon as possible.

Investigate affected endpoints and credentials

Investigate endpoints affected by these attacks and identify all the credentials present on those endpoints. Assume that these credentials were available to attackers and that all associated accounts are compromised. Note that attackers can not only dump credentials for accounts that have logged on to interactive or RDP sessions, but can also dump cached credentials and passwords for service accounts and scheduled tasks that are stored in the LSA Secrets section of the registry.

  • For endpoints onboarded to Microsoft Defender ATP, use advanced hunting to identify accounts that have logged on to affected endpoints. The threat analytics report contains a hunting query for this purpose.
  • Otherwise, check the Windows Event Log for post-compromise logons—those that occur after or during the earliest suspected breach activity—with event ID 4624 and logon type 2 or 10. For any other timeframe, check for logon type 4 or 5.

Isolate compromised endpoints

Isolate endpoints that have command-and-control beacons or have been lateral movement targets. Locate these endpoints using advanced hunting queries or other methods of directly searching for related IOCs. Isolate machines using Microsoft Defender ATP, or use other data sources, such as NetFlow, and search through your SIEM or other centralized event management solutions. Look for lateral movement from known affected endpoints.

Address internet-facing weaknesses

Identify perimeter systems that attackers might have utilized to access your network. You can use a public scanning interface, such as shodan.io, to augment your own data. Systems that should be considered of interest to attackers include:

  • RDP or Virtual Desktop endpoints without MFA
  • Citrix ADC systems affected by CVE-2019-19781
  • Pulse Secure VPN systems affected by CVE-2019-11510
  • Microsoft SharePoint servers affected by CVE-2019-0604
  • Microsoft Exchange servers affected by CVE-2020-0688
  • Zoho ManageEngine systems affected by CVE-2020-10189

To further reduce organizational exposure, Microsoft Defender ATP customers can use the Threat and Vulnerability Management (TVM) capability to discover, prioritize, and remediate vulnerabilities and misconfigurations. TVM allows security administrators and IT administrators to collaborate seamlessly to remediate issues.

Inspect and rebuild devices with related malware infections

Many ransomware operators enter target networks through existing infections of malware like Emotet and Trickbot. These malware families, traditionally considered to be banking trojans, have been used to deliver all kinds of payloads, including persistent implants. Investigate and remediate any known infections and consider them possible vectors for sophisticated human adversaries. Ensure that you check for exposed credentials, additional payloads, and lateral movement prior to rebuilding affected endpoints or resetting passwords.

Building security hygiene to defend networks against human-operated ransomware

As ransomware operators continue to compromise new targets, defenders should proactively assess risk using all available tools. You should continue to enforce proven preventive solutions—credential hygiene, minimal privileges, and host firewalls—to stymie these attacks, which have been consistently observed taking advantage of security hygiene issues and over-privileged credentials.

Apply these measures to make your network more resilient against new breaches, reactivation of dormant implants, or lateral movement:

  • Randomize local administrator passwords using a tool such as LAPS.
  • Apply Account Lockout Policy.
  • Ensure good perimeter security by patching exposed systems. Apply mitigating factors, such as MFA or vendor-supplied mitigation guidance, for vulnerabilities.
  • Utilize host firewalls to limit lateral movement. Preventing endpoints from communicating on TCP port 445 for SMB will have limited negative impact on most networks, but can significantly disrupt adversary activities.
  • Turn on cloud-delivered protection for Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.
  • Follow standard guidance in the security baselines for Office and Office 365 and the Windows security baselines. Use Microsoft Secure Score assesses to measures security posture and get recommended improvement actions, guidance, and control.
  • Turn on tamper protection features to prevent attackers from stopping security services.
  • Turn on attack surface reduction rules, including rules that can block ransomware activity:
    • Use advanced protection against ransomware
    • Block process creations originating from PsExec and WMI commands
    • Block credential stealing from the Windows local security authority subsystem (lsass.exe)

For additional guidance on improving defenses against human-operated ransomware and building better security posture against cyberattacks in general, read Human-operated ransomware attacks: A preventable disaster.

Microsoft Threat Protection: Coordinated defense against complex and wide-reaching human-operated ransomware

What we’ve learned from the increase in ransomware deployments in April is that attackers pay no attention to the real-world consequences of disruption in services—in this time of global crisis—that their attacks cause.

Human-operated ransomware attacks represent a different level of threat because adversaries are adept at systems administration and security misconfigurations and can therefore adapt to any path of least resistance they find in a compromised network. If they run into a wall, they try to break through. And if they can’t break through a wall, they’ve shown that they can skillfully find other ways to move forward with their attack. As a result, human-operated ransomware attacks are complex and wide-reaching. No two attacks are exactly the same.

Microsoft Threat Protections (MTP) provides coordinated defenses that uncover the complete attack chain and help block sophisticated attacks like human-operated ransomware. MTP combines the capabilities of multiple Microsoft 365 security services to orchestrate protection, prevention, detection, and response across endpoints, email, identities, and apps.

Through built-in intelligence, automation, and integration, MTP can block attacks, eliminate their persistence, and auto-heal affected assets. It correlates signals and consolidates alerts to help defenders prioritize incidents for investigation and response. MTP also provides a unique cross-domain hunting capability that can further help defenders identify attack sprawl and get org-specific insights for hardening defenses.

Microsoft Threat Protection is also part of a chip-to-cloud security approach that combines threat defense on the silicon, operating system, and cloud. Hardware-backed security features on Windows 10 like address space layout randomization (ASLR), Control Flow Guard (CFG), and others harden the platform against many advanced threats, including ones that take advantage of vulnerable kernel drivers. These platform security features seamlessly integrate with Microsoft Defender ATP, providing end-to-end security that starts from a strong hardware root of trust. On Secured-core PCs these mitigations are enabled by default.

We continue to work with our customers, partners, and the research community to track human-operated ransomware and other sophisticated attacks. For dire cases customers can use available services like the Microsoft Detection and Response (DART) team to help investigate and remediate.

Microsoft Threat Protection Intelligence Team

Appendix: MITRE ATT&CK techniques observed

Human-operated ransomware campaigns employ a broad range of techniques made possible by attacker control over privileged domain accounts. The techniques listed here are techniques commonly used during attacks against healthcare and critical services in April 2020.

Credential access

Persistence

Command and control

Discovery

Execution

Lateral movement

Defense evasion

  • T1070 Indicator Removal on Host | Clearing of event logs using wevutil, removal of USNJournal using fsutil, and deletion of slack space on drive using cipher.exe
  • T1089 Disabling Security Tools | Stopping or tampering with antivirus and other security using ProcessHacker and exploitation of vulnerable software drivers

Impact

Posted on by Leave a comment

Azure + Red Hat: Expanding hybrid management and data services for easier innovation anywhere

For the past few years, Microsoft and Red Hat have co-developed hybrid solutions enabling customers to innovate both on-premises and in the cloud. In May 2019, we announced the general availability of Azure Red Hat OpenShift, allowing enterprises to run critical container-based production workloads via an OpenShift managed service on Azure, jointly operated by Microsoft and Red Hat.

Microsoft and Red Hat are now working together to further extend Azure services to hybrid environments across on-premises and multi-cloud with upcoming support of Azure Arc for OpenShift and Red Hat Enterprise Linux (RHEL), so our customers will be able to more effectively develop, deploy, and manage cloud-native applications anywhere. With Azure Arc, customers will have a more consistent management and operational experience across their Microsoft hybrid cloud including Red Hat OpenShift and RHEL.

What’s new for Red Hat Customers with Azure Arc

As part of the Azure Arc preview, we’re expanding Azure Arc’s Linux and Kubernetes management capabilities to add support specifically for Red Hat customers, enabling you to:

Organize, secure, and govern your Red Hat ecosystem across environments

Many of our customers have workloads sprawling across clouds, datacenters, and edge locations. Azure Arc enables customers to centrally manage, secure, and control RHEL servers and OpenShift clusters from Azure at scale. Wherever the workloads are running, customers can view inventory and search from the Azure Portal. They can apply policies and manage compliance for connected servers and clusters from Azure Policy; either one or many clusters at a time. Customers can enhance their security posture through built-in Azure security policies and RBAC for the managed infrastructure that works the same way wherever they run. As Azure Arc progresses towards general availability, more policies will be enabled, such as reporting on expiring certificates, password complexity, managing SSH keys, and enforcing disk encryption.

In addition, with SQL Server 2019 for RHEL 8 is now quicker to deploy via new images now available in the Azure Marketplace, we’re expanding Azure Arc to manage SQL Server on RHEL, providing integrated database and server governance via unified Azure Policies.

Finally, Azure Arc makes it easy to use Azure Management services such as Azure Monitor and Azure Security Center when dealing with workloads and infrastructure running outside of Azure.

Manage OpenShift clusters and applications at scale

Manage container-based applications running in Azure Red Hat OpenShift service on Azure, as well as OpenShift clusters running on IaaS, virtual machines (VMs), or on-premises bare metal. Applications defined in Github repositories can be automatically deployed via Azure Policy and Azure Arc to any repo-linked OpenShift cluster, and policies can be used to keep them up to date. New application versions can be distributed globally to all Azure Arc-managed OpenShift clusters using Github pull requests, with full DevOps CI/CD pipeline integrations for logging and quality testing. Additionally, if an application is modified in an unauthorized way, the change is reverted, so your OpenShift environment remains stable and compliant.

Run Azure Data Services on OpenShift and anywhere else

Azure Arc enables you to run Azure data services on OpenShift on-premises, at the edge, and in multi-cloud environments, whether a self-deployed cluster or a managed container service like Azure Red Hat OpenShift. With Azure Arc support for Azure SQL Managed Instance on OpenShift, you’ll know your container-based data infrastructure is always current and up to date; Microsoft SQL Big Data Cluster (BDC) support for OpenShift provides a new container-based deployment pattern for big data storage and analytics, allowing you to elastically scale your data with your dynamic OpenShift based application anywhere it runs.

Managing multiple configurations for an on-premises OpenShift deployment from Azure Arc.

Managing multiple configurations for an on-premises OpenShift deployment from Azure Arc.

Azure SQL Managed Instances within Azure Arc.

Azure SQL Managed Instances within Azure Arc.

If you’d like to learn more about how Azure is working with Red Hat to make innovation easier for customers in hybrid cloud environments, join us for a fireside chat between Scott Guthrie, EVP of Cloud and AI at Microsoft, and Paul Cormier, president and CEO of Red Hat, including a demo of Azure Arc for Red Hat today at the Red Hat Summit 2020 Virtual Experience.

Private hybrid clusters and OpenShift 4 added to Azure Red Hat OpenShift

Rounding out our hybrid offerings for Red Hat customers, today we’re announcing the general availability of Azure Red Hat OpenShift on OpenShift 4.

This release brings key innovations from Red Hat OpenShift 4 to Azure Red Hat OpenShift. Additionally we‘re enabling features to support hybrid and enterprise customer scenarios, such as:

  • Private API and ingress endpoints: Customers can now choose between public and private cluster management (API) and ingress endpoints. With private endpoints and Azure Express Route support we’re enabling private hybrid clusters, allowing our mutual customers to extend their on-premises solutions to Azure.
     
  • Industry compliance certifications: To help customers meet their compliance obligations across regulated industries and markets worldwide, Azure Red Hat OpenShift is now PCI DSS, HITRUST, and FedRAMP certified. Azure maintains the largest compliance portfolio in the industry both in terms of total number of offerings, as well as number of customer-facing services in assessment scope.
     
  • Multi-Availability Zones clusters: To ensure the highest resiliency, cluster components are now deployed across 3 Azure Availability Zones in supported Azure regions to maintain high availability for the most demanding mission-critical applications and data. Azure Red Hat OpenShift has a Service Level Agreement (SLA) of 99.9 percent.
  • Cluster-admin support: We’ve enabled the cluster-admin role on Azure Red Hat OpenShift clusters, enabling full cluster customization capabilities, such as running privileged containers and installing Custom Resource Definitions (CRDs).

Getting started with Azure Arc

To learn more about Azure Arc for RHEL environments, get started with the preview today. For anyone interested in Azure Arc enabled OpenShift, we will be going into public preview soon. Contact us here for more info.