Module 17
Office 365 Active Directory Synchronization

Conditions and Terms of Use

Microsoft Confidential

This training package is proprietary and confidential, and is intended only for uses described in the training materials. Content and software is provided to you under a Non-Disclosure Agreement and cannot be distributed. Copying or disclosing all or any portion of the content and/or software included in such packages is strictly prohibited.

The contents of this package are for informational and training purposes only and are provided "as is" without warranty of any kind, whether express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement.

Training package content, including URLs and other Internet Web site references, is subject to change without notice. Because Microsoft must respond to changing market conditions, the content should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. Unless otherwise noted, the companies, organizations, products, domain names, email addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

Copyright and Trademarks

© 2014 Microsoft Corporation. All rights reserved.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Complying with all applicable copyright laws is the responsibility of the user.
Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

For more information, see Use of Microsoft Copyrighted Content at http://www.microsoft.com/about/legal/permissions/

Microsoft®, Internet Explorer®, Outlook®, SkyDrive®, Windows Vista®, Zune®, Xbox 360®, DirectX®, Windows Server® and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other Microsoft products mentioned herein may be either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.

Overview

This module covers the integration of an on-premises Active Directory with the Azure Active Directory through the use of the Azure AD Connect tool, including:
• Purpose – What does it do?
• Requirements
• Permissions
• Understanding Synchronization
• Key Deployment Considerations

Objectives

This module will cover:
• Directory synchronization overview
• The Azure AD Connect Tool
• Preparing On Premises Active Directory for directory synchronization
• Password synchronization

What is the Azure AD Connect Tool?

• Azure AD Connect is the single tool and experience for connecting and synchronizing your on-premises directories to Azure Active Directory
• Designed as a software based appliance
  • Set it and forget it
  • Relies on Forefront Identity Manager 2010 R2 (aka FIM)
  • Bundled with SQL Server 2012 Express LocalDB
• Enables a unified Global Address List (GAL) experience between your on-premises organization and Office 365 as well as:
  • The ability to manage all Active Directory user accounts on-premises
  • The ability to synchronize on-premises Active Directory password hashes
  • All account changes replicate automatically to Office 365
  • Required for single sign-on (ADFS)
  • Required for Exchange Hybrid Deployment or Staged Migration

Synchronization Direction

• Directory synchronization is mostly one way to Azure Active Directory
• Hybrid requires 7 attributes to be written back to the on-premises user objects for coexistence purposes
• Password write back capability (requires Azure AD Premium license)
• On-premises AD being the authoritative source for all changes
  • Delete a user on-premises and directory synchronization will delete the corresponding user in Office 365

Software Requirements

System requirements:
• Windows 2008, 2008 R2, 2012 and 2012 R2 supported
• Microsoft .NET Framework 4.5
• Windows PowerShell 3.0 or Newer

Additional requirements:
• Standalone, Member Server or a Domain Controller
• Local Administrator to install AADSync
• Azure AD account “Global Administrator“

The following components are installed automatically:
• Forefront Identity Manager 2010 R2
• Microsoft SQL Server Express 2012 LocalDB (a light version of SQL Server Express)
• Microsoft Online Services Sign-in Assistant

Network Requirements

• Synchronization with Office 365 occurs securely over HTTPS port 443
• Internal network communication will use typical Active Directory related ports

Hardware Recommendations and Directory service quota

Number of objects in Active Directory   CPU       Memory   Hard disk size
Fewer than 10,000                       1.6 GHz   4 GB     70 GB
10,000–50,000                           1.6 GHz   4 GB     70 GB
50,000–100,000                          1.6 GHz   16 GB    100 GB
100,000–300,000                         1.6 GHz   32 GB    300 GB
300,000–600,000                         1.6 GHz   32 GB    450 GB
More than 600,000                       1.6 GHz   32 GB    500 GB

• SQL Server Express has a 10GB size limit that enables you to manage approximately 100,000 objects

Directory Service Object Quota

The default directory service quota is calculated according to the following guidelines:
• If you don't have any verified domains: the current directory service quota in Windows Azure AD is 50,000 objects
• If you have at least one verified domain: the default directory service quota in Windows Azure AD is 300,000 objects

What happens when quota is exceeded?
• 016: Synchronization has been stopped. This company has exceeded the number of objects that can be synchronized. Contact Microsoft Online Services Support.

Azure AD Connect credentials and permissions

• Express Setup: requires more privileges so that setup is easier, without requiring you to create users or configure permissions separately
• Custom setup: offers more choices and options, but has situations where you need to ensure you have the correct permissions yourself

Credentials collected during Express Setup:

Wizard Page: Connect to Azure AD
  Credentials Collected: Azure AD directory credentials
  Permissions Required: Global administrator role in Azure AD
  Used For:
    - Enabling sync in the Azure AD directory.
    - Creation of the Azure AD account that will be used for on-going sync operations in Azure AD.

Wizard Page: Connect to AD DS
  Credentials Collected: On-premises Active Directory credentials
  Permissions Required: Member of the Enterprise Admins (EA) group in Active Directory
  Used For: Used as the local AD Connector account, that is, it is the account that reads and writes the directory information for synchronization.

Wizard Page: N/A
  Credentials Collected: Logon credentials of the user running the wizard
  Permissions Required: Administrator of the local server
  Used For: The wizard creates the AD account that will be used as the sync service logon account on the local machine.

Summary of the accounts that are created by Azure AD Connect

Account created: Azure AD account for sync
  Permissions assigned: Dedicated Directory Synchronization Role
  Used for: On-going sync operations (Azure AD MA account)

Account created: Express Settings: AD account used for sync
  Permissions assigned: Read/write permissions on the directory as required for sync+password sync
  Used for: On-going sync operations (Azure AD MA account)

Account created: Express Settings: sync service logon account
  Permissions assigned: Logon credentials of the user running the wizard
  Used for: Sync service logon account

Account created: Custom Settings: sync service logon account
  Permissions assigned: NA
  Used for: Sync service logon account

Account created: AD FS: GMSA account (aadcsvc$)
  Permissions assigned: Domain user
  Used for: FS service logon account

Objects that Synchronize

The Azure AD Connect tool synchronizes the following objects:
• All Active Directory Users
  • Synchronized as logon-enabled users, though with no license assigned
  • Mailbox-enabled users are synchronized as mail-enabled users
• Mail-Enabled Contacts
• Mail-Enabled Groups

The Azure AD Connect tool does not synchronize:
• Built-in administrative user accounts
• Built-in administrative groups
• Exchange System Mailbox accounts
• Dynamic Distribution Groups
• Mail-enabled Public Folder objects

Objects that Do Not Synchronize

Contact objects:
• DisplayName contains "MSOL" AND msExchHideFromAddressLists = TRUE
• mailNickName starts with "CAS_" AND mailNickName contains "{"

SecurityEnabledGroup objects:
• isCriticalSystemObject = TRUE
• mail is present AND displayName is not present
• Group has more than 15,000 immediate members

MailEnabledGroup objects:
• DisplayName is empty
• (ProxyAddress doesn't have a primary SMTP address) AND (mail attribute isn't present/invalid, i.e. indexof ('@') <= 0)
• Group has more than 15,000 immediate members

Objects that Do Not Synchronize (continued)

• Object is a conflict object (DN contains \0CNF:)

User objects:
• mailNickName starts with "SystemMailbox{"
• mailNickName starts with "CAS_" AND mailNickName contains "{"
• sAMAccountName starts with "CAS_" AND sAMAccountName has "}"
• sAMAccountName equals "SUPPORT_388945a0"
• sAMAccountName equals "MSOL_AD_Sync"
• sAMAccountName is not present
• isCriticalSystemObject is not present
• msExchRecipientTypeDetails == (0x1000 OR 0x2000 OR 0x4000 OR 0x400000 OR 0x800000 OR 0x1000000 OR 0x20000000)

Mandatory Attributes

• Objects must contain values in the following core attributes to be considered for synchronization to Office 365 by Azure AD Connect:
  • cn
  • member (applies only to groups)
  • samAccountName (applies only to users)
  • alias (applies only to groups and contacts)
  • displayName (for groups with a mail or proxyAddresses attribute populated)

DirSync and Account Status

Active Directory: Mailbox Enabled Account
  DirSync Action: Create Account
  Office 365: Creates a mail-enabled user. *Assigning a license will not create a mailbox as msExchMailboxGUID attribute is populated on-premises

Active Directory: Non-Mail Enabled Account
  DirSync Action: Create Account
  Office 365: Creates a user. *Assigning a license will create a mailbox

Active Directory: Modify Account
  DirSync Action: Make changes to an existing account
  Office 365: Update changes

Active Directory: Delete Account
  DirSync Action: Delete account
  Office 365: Delete account and mailbox and license removed

Active Directory: Disabled account
  DirSync Action: Disable account
  Office 365: Sign-in blocked but still retains a license and mailbox

High Level Architecture Overview

[Diagram with four areas. ON-PREM: AD DS, HR. IDENTITY BRIDGE: Dirsync or AAD Sync or AAD Connect; FIM w/ Connector or MIM 2016 (Identity Manager). MICROSOFT CLOUD: Admin Web Service (AWS), Azure Active Directory (AAD), Cloud Sync Fabric, Tenant forests for EXO, SPO, LYO, etc. SAAS APPS: Google, Box, Salesforce, Others, Other Apps.]

AAD Connect Concepts

UserPrincipalName:
• Used to sign-in to the cloud services
• Recommended to be the same as the user's primary SMTP address
• Needs to use a domain suffix that is registered and verified in the tenant
• Critical for successful single sign-on using AD FS
• If missing, is constructed as:
  • sAMAccountName + “@” + Microsoft Online Default Domain (i.e. [email protected])

SourceAnchor:
• Used as the immutable identifier for any given object that is synchronized between on-premises and Office 365
• Base64-encoded value generated from AD object’s on-premises ObjectGUID
• Providing the AD object is never deleted, the ObjectGUID will never change
• SourceAnchor is the DirSync term and ImmutableID is the ADFS term

Source of Authority

• Refers to the location where Active Directory objects are mastered (on-premises or Office 365)
• Activating directory synchronization and installing Azure AD Connect makes the on-premises Active Directory the source of authority
• Once enabled, changes to objects replicated to Office 365 can only be made on-premises
• Deactivating directory synchronization transfers the source of authority back to the Azure AD

Hard Match vs. Soft Match

For attribute updates, the Admin Web Service must identify what Azure AD object to act upon:
• HardMatch attempted first:
  • Checks to see if the object already exists with the same SourceAnchor value (ObjectGUID) from the on-premises AD
• SoftMatch if no hard match found:
  • Authoritatively matches an object in Office 365 with on-premises through a matching ProxyAddresses value
  • If a match exists, stamp the ObjectGUID from on-premises as base64-encoded SourceAnchor attribute in Azure AD Connect Database
  • SourceAnchor flows into Azure Active Directory object’s ImmutableID, allowing Source Of Authority Transfer from Office 365 to on-premises
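
The SourceAnchor encoding and the hard match / soft match order described above can be checked offline before synchronization is enabled. The script below is an added example, not part of the original training material or of Azure AD Connect: the function names and all sample users, GUIDs and addresses are constructed, and it assumes that a soft match only applies to cloud objects that do not yet carry an ImmutableId.

```powershell
# Added example: every user, GUID and address below is constructed.

function ConvertTo-SourceAnchor {
    param([Parameter(Mandatory = $true)][Guid]$ObjectGuid)
    # Guid.ToByteArray() returns the 16 bytes in the order AD stores objectGUID.
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-SourceAnchor {
    param([Parameter(Mandatory = $true)][string]$SourceAnchor)
    $bytes = [Convert]::FromBase64String($SourceAnchor)
    if ($bytes.Length -ne 16) {
        throw "SourceAnchor '$SourceAnchor' does not decode to a 16-byte GUID."
    }
    New-Object -TypeName System.Guid -ArgumentList (, $bytes)
}

function Get-SyncMatchPrediction {
    param(
        [Parameter(Mandatory = $true)]$OnPremUser,
        [Parameter(Mandatory = $true)][object[]]$CloudUsers
    )
    $anchor = ConvertTo-SourceAnchor -ObjectGuid $OnPremUser.ObjectGuid

    # Hard match: identical SourceAnchor. Base64 is case-sensitive, so compare
    # with -ceq (the default -eq ignores case and could pair the wrong objects).
    $hit  = $CloudUsers | Where-Object { $_.ImmutableId -ceq $anchor } | Select-Object -First 1
    $type = 'HardMatch'

    if (-not $hit) {
        # Soft match: a shared proxyAddresses value. Assumption: only cloud
        # objects without an ImmutableId are candidates.
        $hit = $CloudUsers | Where-Object {
            $cloud = $_
            (-not $cloud.ImmutableId) -and
            (@($OnPremUser.ProxyAddresses | Where-Object { $cloud.ProxyAddresses -contains $_ }).Count -gt 0)
        } | Select-Object -First 1
        $type = if ($hit) { 'SoftMatch' } else { 'NewObject' }
    }

    [pscustomobject]@{
        OnPremUser   = $OnPremUser.SamAccountName
        SourceAnchor = $anchor
        MatchType    = $type
        CloudUser    = $hit.UserPrincipalName
    }
}

# Constructed on-premises users. 'abarr' was deleted and re-created, so it has
# a new ObjectGUID even though its addresses are unchanged.
$onPremUsers = @(
    [pscustomobject]@{ SamAccountName = 'vhanson'; ObjectGuid = [Guid]'11111111-2222-3333-4444-555555555555'
                       ProxyAddresses = @('SMTP:viola.hanson@contoso.com') },
    [pscustomobject]@{ SamAccountName = 'jdoe';    ObjectGuid = [Guid]'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee'
                       ProxyAddresses = @('SMTP:john.doe@contoso.com') },
    [pscustomobject]@{ SamAccountName = 'abarr';   ObjectGuid = [Guid]'99999999-8888-7777-6666-555555555555'
                       ProxyAddresses = @('SMTP:adam.barr@contoso.com') }
)

# Constructed cloud objects: one already synced, one cloud-only, one still
# stamped with the ObjectGUID of the deleted 'abarr' account.
$cloudUsers = @(
    [pscustomobject]@{ UserPrincipalName = 'viola.hanson@contoso.com'
                       ImmutableId = ConvertTo-SourceAnchor -ObjectGuid '11111111-2222-3333-4444-555555555555'
                       ProxyAddresses = @('SMTP:viola.hanson@contoso.com') },
    [pscustomobject]@{ UserPrincipalName = 'john.doe@contoso.com'
                       ImmutableId = $null
                       ProxyAddresses = @('smtp:john.doe@contoso.com') },
    [pscustomobject]@{ UserPrincipalName = 'adam.barr@contoso.com'
                       ImmutableId = ConvertTo-SourceAnchor -ObjectGuid '12345678-1234-1234-1234-123456789abc'
                       ProxyAddresses = @('SMTP:adam.barr@contoso.com') }
)

$onPremUsers |
    ForEach-Object { Get-SyncMatchPrediction -OnPremUser $_ -CloudUsers $cloudUsers } |
    Format-Table -AutoSize

# Round trip: decode a SourceAnchor back to the on-premises ObjectGUID.
ConvertFrom-SourceAnchor -SourceAnchor (ConvertTo-SourceAnchor -ObjectGuid $onPremUsers[0].ObjectGuid)
```

Rows reported as SoftMatch are the ones to review by hand, because a soft match transfers the source of authority for that cloud object to the on-premises directory.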

Sync Overview On-Premises

AAD Connect uses two management agents:
• “Active Directory Connector” management agent
• “Azure Active Directory” management agent

AAD Connect stores information in two places:
• Connector Space
• Metaverse

Connector Space:
• Replica of the managed objects in the Active Directory
• Each management agent or connector has its own connector space

Metaverse:
• Aggregate information about a managed object (i.e. User, Group, etc.)

Synchronization data flow:
• User is imported from AD into the Active Directory Connector space
• User is projected to the Metaverse
• User is provisioned to the Azure Active Directory Connector space
• User is exported to the Office 365 Admin Web Service

Sync Overview On-Premises (Continued)

Synchronization data flow:
[Diagram with the labels: AD DS, Connector, Connector Space, Inbound Sync Rule, Metaverse, Outbound Sync Rule]

Run Profiles and Steps:
• Full Import
• Delta Import
• Full Synchronization
• Delta Synchronization
• Export

Sync Overview Office 365

Office 365 Admin Web Service receives the object data from AAD Connect
• Import from AAD Connect:
  • Only specific attributes defined in FIM are synchronized for each object
• Validate that changed data is not corrupted at the attribute level:
  • Data is normalized using “_” for UPN and SamAccountName
  • Otherwise, when an update is invalid for an attribute, a rejection email is sent to the tenant contact
• If an update is a user Account Creation event:
  • Admin Web Service attempts to create an account for the user
  • Failure causes a reject email to be sent to the tenant contact

Sync Overview Office 365 (continued)

• If an update is an attribute change event:
  • Hard-match process to verify object already exists in Azure AD
  • Hard-match failure causes reject email to AAD Connect administrator
• Ships data to the Azure Active Directory:
  • Object creations and hard-matched object updates pushed at the attribute level

Forward and Back Sync

Forward-sync from Azure Active Directory to individual services:
• Each online application in Office 365 has its own directory service
• Once an object is changed in Azure AD, further synchronization daemons are constantly running that parse relevant changes and ship them to these services’ directory partitions
• Can cause delay in applications becoming available to newly commissioned accounts/users

Forward and Back Sync (continued)

Back-Sync/Write-Back:
• There are certain attributes for the Exchange Online (ExO) service that require reverse propagation to the on-premises environment for Exchange co-existence features to work
• Back-Sync: Data is changed in the ExO partition and then sync’d back to Azure AD using daemons similar to those used for Forward-sync
• Write-back: Data is shipped from Azure AD, back through Admin Web Service, to AAD Connect service using bi-directional FIM functionality
• AAD Connect updates the local AD objects with these updated attributes

Write Back Attributes

Attributes that are written back to the on-premises Active Directory from Azure Active Directory in an Exchange Hybrid deployment scenario:

Write-Back attribute: msExchArchiveStatus
  Exchange "full fidelity" feature: Online Archive: Enables customers to archive mail.

Write-Back attribute: msExchBlockedSendersHash, msExchSafeRecipientsHash, msExchSafeSendersHash
  Exchange "full fidelity" feature: Filtering: Writes back on-premises filtering and online safe and blocked sender data from clients.

Write-Back attribute: msExchUCVoiceMailSettings
  Exchange "full fidelity" feature: Enable Unified Messaging (UM) Online voice mail: This attribute is used only for UM-Microsoft Lync Server integration to indicate to Lync Server on-premises that the user has voice mail in online services.

Write-Back attribute: msExchUserHoldPolicies
  Exchange "full fidelity" feature: Litigation Hold: Enables cloud services to determine which users are under Litigation Hold.

Write-Back attribute: ProxyAddresses (LegacyExchangeDN as X500)
  Exchange "full fidelity" feature: Enable Mailbox: Offboards an online mailbox back to on-premises Exchange.

Microsoft Online Default Routing Domain

The Microsoft Online Default Routing Domain is constructed from the tenant name (contoso.onmicrosoft.com)
• All Office 365 users receive this domain as an email address in a non-hybrid scenario
• This special email address is inextricably linked to each Exchange Online recipient
• The domain cannot be managed, changed, or deleted
• The email address can be overridden as the primary SMTP address by using the attributes in the on-premises Active Directory user object but will always remain as a user's secondary SMTP address

AAD Connect and SMTP Addresses

[Table with the columns Active Directory Attribute, Active Directory Value and Office 365 Value, covering the proxyAddresses, mail and UserPrincipalName attributes. The SMTP: and smtp: address values appear in the source only as [email protected].]

AAD Connect Process

1. Prepare the on-premises Active Directory
   • Account and attribute clean-up (idFix)
   • UPN of users matches federated domain (if using ADFS)
2. Create and verify your custom domain(s)
3. Setup Identity Federation (if applicable)
4. Enable Directory Synchronization in the Portal or via PowerShell
   Set-MSOLDirSyncEnabled -EnableDirSync $True
5. Download and run Directory Synchronization
6. Verify the synchronization was successful
7. Activate users by assigning them a license in the Portal or via PowerShell

Estimating Synchronization Time

*Actual times may vary depending on activity and environmental factors such as available bandwidth, object count and throttling by the service

Password Sync Overview

• Password Synchronization is the process of copying a customer's on-premises password hash to Azure Active Directory
• Allows the customer to use their on-premises password to log into their Office 365
• Password Synchronization does not replace Identity Federation
• Changes to on-premises passwords are synced to the cloud in minutes.
• If a user is currently logged into a cloud service with their old password and then changes their password in the on-premises AD, their current cloud service session will continue uninterrupted

Are Passwords safe?

• The Password Sync tool, Azure AD, and all associated services never see or store the on-premises user's plain text password
• A digest of the Windows Active Directory Password Hash is used for transmission between the on-premises AD and Azure Active Directory
• To authenticate a user, the password presented by the user is hashed and compared with the stored hash
• The digest of the Password Hash cannot be used to access resources in the customer's on-premises environment.

Password Sync Limitations

Password Sync and Federated Identities
• Customers cannot have both Password Synchronization and Federated authentication configured for the same domain (namespace).
• The Password Sync feature will not synchronize passwords for users with Federated Identities
• Customers must manually remove/disable federation from individual accounts, making them a managed account, before they can utilize Password Synchronization

Password Complexity Policy
• Password Synchronization requires all on-premises synchronized users to follow the on-premises Active Directory password policy
• Users managed in the cloud remain with cloud defined Password Policies
• Password Synchronization sets cloud password for all on-premises synchronized users to “Never Expire”

How does Password Hash Sync work?

• Azure AD Connect monitors the pwdLastSet user attribute to identify password change events, such as resets
• It then extracts and hashes the user’s password from the on-premises Active Directory and syncs it to Azure AD
• The synchronization process is similar to that of objects, with the difference that passwords are synchronized in minutes, rather than the default three (3) hours for objects
• Password hashes are sync’d in batches of up to 50 users per batch
• Passwords are never sent to Azure AD nor stored in AAD in clear text
• Password hash sync can be used together with password writeback to enable self service password reset (Azure AD Premium license needed)

Enable Password Hash Synchronization

• Select “Enable Password Synchronization” in the configuration wizard of AAD Connect

Monitoring Password Synchronization using the event logs

Event ID: 650
  Description: Provision credentials batch start. Count: 1
  Cause: Password synchronization starts retrieving updated passwords from the on-premises AD DS.

Event ID: 651
  Description: Provision credentials batch end. Count: 1
  Cause: Password synchronization finishes retrieving updated passwords from the on-premises AD DS.

Event ID: 653
  Description: Provision credentials ping start.
  Cause: Password synchronization starts informing Azure AD that there are no passwords to be synced. This occurs every 30 minutes if no passwords have been updated in the on-premises AD DS.

Event ID: 654
  Description: Provision credentials ping end.
  Cause: Password synchronization finishes informing Azure AD that there are no passwords to be synced. This occurs every 30 minutes if no passwords were updated in the on-premises AD DS.

Event ID: 656
  Description: Password Change Request - Anchor : H552hI9GwEykZwof74JeOQ==, Dn : CN=Viola Hanson,OU=Cloud Objects,DC=contoso,DC=local, Change Date : 05/01/2013 16:34:08
  Cause: Password synchronization indicates that a password change was detected and tries to sync it to Azure AD. This identifies the user or users whose password changed and will be synced. Each batch contains at least one user and at most 50 users.

Event ID: 657
  Description: Password Change Result - Anchor: eX5b50Rf+UizRIMe2CA/tg==, Dn : CN=Viola Hanson,OU=Cloud Objects,DC=contoso,DC=local, Result : Success.
  Cause: User or users whose password was successfully synced.

Forcing Full Password Sync

To trigger a full Password Sync to re-synchronize all user passwords:
• Import the PowerShell module by running Import-Module AdSync
• Run Get-ADSyncConnector | FL Name to get the connectors' names
• Disable password sync by running the cmdlet Set-ADSyncAADPasswordSyncConfiguration -SourceConnector <OnPremADDomain> -TargetConnector <AzureADDomain> -Enable $false
• Re-enable password sync by running the cmdlet Set-ADSyncAADPasswordSyncConfiguration -SourceConnector <OnPremADDomain> -TargetConnector <AzureADDomain> -Enable $true
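
The 656 (Password Change Request) and 657 (Password Change Result) events listed above can be paired up to find password changes that were requested but never confirmed as synced. The script below is an added example, not part of the original training material: the function names are hypothetical, the records are constructed in the shape of the event descriptions above (one user per line of message text is an assumption), and the non-success result value 'Failed' is a constructed placeholder.

```powershell
# Added example. On a sync server the records would come from the Application log:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 656, 657 }
# The records below are constructed so the script runs offline.
$records = @(
    [pscustomobject]@{ Id = 656; TimeCreated = [datetime]'2013-05-01T16:34:10'
        Message = 'Password Change Request - Anchor : H552hI9GwEykZwof74JeOQ==, Dn : CN=Viola Hanson,OU=Cloud Objects,DC=contoso,DC=local, Change Date : 05/01/2013 16:34:08' },
    [pscustomobject]@{ Id = 657; TimeCreated = [datetime]'2013-05-01T16:34:12'
        Message = 'Password Change Result - Anchor: eX5b50Rf+UizRIMe2CA/tg==, Dn : CN=Viola Hanson,OU=Cloud Objects,DC=contoso,DC=local, Result : Success.' },
    [pscustomobject]@{ Id = 656; TimeCreated = [datetime]'2013-05-01T17:02:00'
        Message = 'Password Change Request - Anchor : AAAAAAAAAAAAAAAAAAAAAA==, Dn : CN=Adam Barr,OU=Cloud Objects,DC=contoso,DC=local, Change Date : 05/01/2013 17:01:55' },
    [pscustomobject]@{ Id = 656; TimeCreated = [datetime]'2013-05-01T17:05:00'
        Message = 'Password Change Request - Anchor : BBBBBBBBBBBBBBBBBBBBBB==, Dn : CN=John Doe,OU=Cloud Objects,DC=contoso,DC=local, Change Date : 05/01/2013 17:04:51' },
    [pscustomobject]@{ Id = 657; TimeCreated = [datetime]'2013-05-01T17:05:03'
        Message = 'Password Change Result - Anchor: BBBBBBBBBBBBBBBBBBBBBB==, Dn : CN=John Doe,OU=Cloud Objects,DC=contoso,DC=local, Result : Failed.' }
)

function ConvertFrom-PasswordSyncRecord {
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)]$Record)
    begin {
        # The DN itself contains commas, so it is matched lazily up to the
        # trailing "Change Date" (656) or "Result" (657) field.
        $pattern = 'Anchor\s*:\s*(?<anchor>[A-Za-z0-9+/=]+),\s*Dn\s*:\s*(?<dn>.+?),\s*' +
                   '(?<field>Change Date|Result)\s*:\s*(?<value>.+?)\.?\s*$'
    }
    process {
        foreach ($line in ($Record.Message -split "`r?`n")) {
            if ($line -match $pattern) {
                [pscustomobject]@{
                    Id          = $Record.Id
                    TimeCreated = $Record.TimeCreated
                    Anchor      = $Matches['anchor']
                    Dn          = $Matches['dn']
                    Field       = $Matches['field']
                    Value       = $Matches['value']
                }
            }
        }
    }
}

function Get-UnconfirmedPasswordSync {
    param([Parameter(Mandatory = $true)][object[]]$Records)
    # Requests still waiting for a successful result, keyed by DN. The DN is
    # used because the sample 656 and 657 events above carry different Anchor
    # values for the same user.
    $open = @{}
    $Records | Sort-Object TimeCreated | ConvertFrom-PasswordSyncRecord | ForEach-Object {
        if ($_.Id -eq 656) {
            $open[$_.Dn] = [pscustomobject]@{
                Dn = $_.Dn; Requested = $_.TimeCreated; LastResult = '(none)'
            }
        }
        elseif ($_.Id -eq 657 -and $open.ContainsKey($_.Dn)) {
            if ($_.Value -eq 'Success') { $open.Remove($_.Dn) }
            else { $open[$_.Dn].LastResult = $_.Value }
        }
    }
    $open.Values | Sort-Object Requested
}

# Lists Adam Barr (no result logged) and John Doe (result was not Success).
Get-UnconfirmedPasswordSync -Records $records | Format-Table -AutoSize
```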

Forcing Delta Objects Sync

DirSync is scheduled to perform delta syncs once every three hours:
• You can force an immediate synchronization rather than wait 3 hours
• For example, for employee terminations, or bulk attribute changes

To force object synchronization:
• Open the Command Prompt
• Navigate to the folder C:\Program Files\Microsoft Azure AD Sync\Bin
• Then run DirectorySyncClientCmd.exe Delta to trigger a delta DirSync

Verifying and Monitoring DirSync

You can verify if DirSync has performed a successful sync by:
• Looking for Event ID 104 in the Application Event Logs
• Running Get-MSOLCompanyInformation and checking the LastDirSyncTime value
• Checking the emails sent to the technical contact of the tenant
• Using miisclient.exe to view the status of the last sync cycle

Throttling Sync

• Throughput shared across tenants at Admin Web Service layer (throttled per directory partition)
• DirSync client automatically handles throttling and retries again
• Error Code 81 – Server Busy gets logged in the event logs when DirSync has been throttled
• Throttling can lead to variable sync times especially for a first full sync cycle after installation

DirSync and Deletes

• Objects owned by DirSync cannot be edited directly in the portal, but they can be deleted via PowerShell directly in the Office 365 tenant
• Remove-MSOLUser/Contact/Group will allow you to delete an object that is owned by DirSync
• Deleted objects get moved to a Recycle Bin in the tenant
• To view contents run Get-MSOLUser -ReturnDeletedUsers
• Purge Recycle Bin using Remove-MSOLUser -RemoveFromRecycleBin
• If object still exists on-premises, will be recreated on next Sync cycle
• If deleted on-premises, object needs to be restored from on-premises
• Use the AD Recycle Bin (requires W2K8 R2 Forest Functional Level)
• Or AD authoritative restore of deleted object(s)

Accidental Deletes

Scenario:
• On-premises AD Admin accidentally deletes a user object in AD (Oops)
• DirSync propagates delete to the cloud
• User object is deleted in the cloud (mailbox lost)

What do you do now?

Accidental Deletes (continued)

Manual recovery:
• Admin identifies object to be recovered on-premises and uses the recycle bin feature or an authoritative restore of the object

Via AAD Connect:
• When admin restores the user object in AD the object is automatically recovered by AAD Connect, mailbox is also recovered, etc.
• Recovery is dependent on keeping the same SourceAnchor value
• New SourceAnchor value with same attribute values will not recover the user object in Office 365 and instead will create a new user

Filtering What Objects Sync

DirSync filtering is now supported, tread carefully.
• You can sync, based on:
  • Domain
  • OU
  • Attribute based
• Useful for filtering-out service accounts and protected objects
• Incorrect filtering can mass delete objects (and their mailboxes) from the Azure Active Directory
• Filtering configuration is lost if you reinstall or upgrade the DirSync tool

Configure filtering for directory synchronization
http://technet.microsoft.com/en-us/library/jj710171.aspx

Attribute based filtering

Follow-along example of attribute-based filtering:
1) Open Synchronization Rules Editor
2) Rule Types Inbound: select “In From AD – User Join”
3) Click Edit
4) Go to Scoping Filter
5) Any users that match the query will sync

Troubleshooting

• Use the MIISClient UI to monitor export errors and track down objects
• Use the DirSync error mail notifications from Office 365
• Search for duplicate proxyaddresses against Exchange online by running Get-Recipient <allegedduplicateaddress>
• Use the IdFix tool to identify and fix problem objects or attributes in the on-premises Active Directory
• The best approach is to make sure the AD objects are as clean as possible before implementing Azure AD Connect

Key Deployment Considerations

• Complete Active Directory cleanup work before implementing DirSync
• Understand how “soft match” works
• Consider Exchange schema extensions for non-Exchange AD environments
• Verify on-premises user objects have a value (not null) for UPN suffix and that it is correct
• The default routing domain (e.g. contoso.onmicrosoft.com) is used for Office 365 UPN suffix if the on-premises UPN suffix does not contain a public routable DNS domain (i.e. cannot use *.local)

Verified domains
• Add all SMTP domains as verified domains before synchronizing

Lab: Activate, Install and Configure Azure AD Connect Tool

Module Review

• What objects does the Azure AD Connect tool synchronize?
• What port does Azure AD Connect use to synchronize with Office 365?
• How can you force directory synchronization to run?

Module Review (Answers)

• What objects does the Azure AD Connect tool synchronize?
  Answer: Users, contacts, and groups
• What port does Azure AD Connect use to synchronize with Office 365?
  Answer: HTTPS 443
• How can you force directory synchronization to run?
  Answer 1: Run DirectorySyncClientCmd.exe Delta from the Command prompt, OR
  Answer 2: Open Task Scheduler, and right-click and run the Azure AD Sync Scheduled Task

Module Summary

In this Lesson, you learned:
• The on-premises requirements and preparation required to run directory synchronization
• How the Azure AD Connect tool synchronizes objects and simplifies user provisioning and administration of objects

© 2013 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.