Merge branch 'MicrosoftDocs:main' into codespace-fluffy-adventure-4rwvqxpjj9q3774x

Author: sevend2

.openpublishing.redirection.json

@@ -6915,11 +6915,6 @@
       "redirect_url": "/previous-versions/troubleshoot/windows-server/windows-virtual-desktop-blank-screen",
       "redirect_document_id": false
     },
-    {
-      "source_path": "support/azure/virtual-desktop/welcome-virtual-desktop.yml",
-      "redirect_url": "/azure/virtual-desktop",
-      "redirect_document_id": false
-    },
     {
       "source_path": "support/windows-client/windows-troubleshooters/introduction-to-troubleshootingscript-toolset-tss.md",
       "redirect_url": "/troubleshoot/windows-client/windows-tss/introduction-to-troubleshootingscript-toolset-tss",

support/azure/.openpublishing.redirection.azure.json

@@ -665,6 +665,11 @@
         "redirect_url": "/troubleshoot/azure/virtual-machines/windows/activation-watermark-appears",
         "redirect_document_id": true
       },
+      {
+        "source_path": "virtual-machines/linux/linux-kernel-fails-restart-provision.md",
+        "redirect_url": "/troubleshoot/azure/virtual-machines/linux/welcome-virtual-machines-linux",
+        "redirect_document_id": false
+      },
       {
         "source_path": "active-directory/adal-authenticate-android-devices-fail.md",
         "redirect_url": "/troubleshoot/azure/entra-id/mfa/adal-authenticate-android-devices-fail",

support/azure/app-service/faqs-web-app-security.md

@@ -0,0 +1,92 @@
+---
+title: Azure App Service Security FAQs
+description: Provides answers to common questions about Azure App Service security.
+services: app-service
+author: hepiet
+ms.topic: faq
+ms.date: 01/20/2025
+ms.author: hepiet
+ms.service: azure-app-service
+---
+# Frequently asked questions about App Service security
+
+This article provides answers to common questions about Azure App Service security.
+
+## FAQs
+
+### How do I know whether a specific CVE (Common Vulnerabilities and Exposures) or known security issue applies to my web app?
+
+[Microsoft Security Response Center](https://msrc.microsoft.com/) (MSRC) investigates all reports of security vulnerabilities that affect Microsoft products and services. MSRC provides this information in the [Security Update Guide](https://msrc.microsoft.com/update-guide/vulnerability) as part of an ongoing effort to help you manage security risks and keep your systems protected.
+
+If your question isn't answered and you still need help, submit a [support request](https://ms.portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview?DMC=troubleshoot) that includes the number of the CVE. 
+
+To report a vulnerability, see [Report an issue](https://msrc.microsoft.com/report/vulnerability/new).
+
+### How do I know when a particular specific version of software or security patch will arrive at the Azure platform runtime?
+
+App Service is a platform that has various underlying technologies, such as Windows, Linux, and web application frameworks. Updates are applied at a routine cadence for OS, host runtime, and Microsoft image repo.
+
+- Check [this article](/azure/app-service/overview-patch-os-runtime) to understand OS and runtime updating in Azure App Service regarding the OS or software in App Service.
+- Check [Guest OS update details](/azure/cloud-services/cloud-services-guestos-msrc-releases) to understand the updates that are applied to the Azure Guest OS.
+
+If you still need help, gather the following information before you submit a request to [Azure support](https://ms.portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview?DMC=troubleshoot):
+
+- Specify the security update that you're inquiring about.
+- Verify the security update version of the software that's deployed on Azure.
+- Determine whether the update is already applied in Azure.
+
+### Is TLS 1.3 supported on Azure App Service?
+
+For incoming requests to your web app, App Service supports TLS versions 1.0, 1.1, 1.2, and 1.3. See [Azure App Service TLS overview](/azure/app-service/overview-tls) for more information.
+
+### How do I disable weak ciphers on Azure App Service?
+
+A cipher suite is a set of instructions that contains algorithms and protocols to help secure network connections between clients and servers. A client makes a request to the server that includes a list of cipher suites that it supports, and the server (front-end of the web app) picks the most secure suite that's supported by both client and server. For a more comprehensive discussion of cipher suites, see [Demystifying Cipher Suites on Azure App Services](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/demystifying-cipher-suites-on-azure-app-services/ba-p/2656254).
+
+For [Azure App Service Environment (ASE)](/azure/app-service/environment/overview), you can set your own ciphers through Azure Resource Explorer. For detailed steps, see [Change TLS cipher suite order](/azure/app-service/environment/app-service-app-service-environment-custom-settings#change-tls-cipher-suite-order).
+
+To disable Weak TLS cipher suites for web apps on multitenant setups, see [Disabling weaker TLS ciphers suites for web apps on multitenant Premium App Service plans](https://azure.github.io/AppService/2022/10/11/Public-preview-min-tls-cipher-suite.html).
+
+For more information, see [FAQ on App Service cipher suites](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/faq-on-app-service-cipher-suites/ba-p/3881922).
+
+### How do I enable protection against DDoS attacks or suspicious activity for my app service?
+
+By default, Distributed Denial of Service (DDoS) protection is not enabled for App Service plans and their app services.
+
+You can use [Azure DDoS Protection](/azure/ddos-protection/ddos-protection-overview) to protect your Azure resources from attacks. Azure DDoS Protection, combined with application design best practices, provides enhanced DDoS mitigation features to defend against DDoS attacks.
+
+Notice that [Azure Traffic Manager](/azure/traffic-manager/traffic-manager-overview) is a DNS-based traffic load balancer that enables you to distribute traffic optimally to services across global Azure regions while providing high availability and responsiveness. However, Traffic Manager does not provide protection against DDoS attacks.
+
+### I suspect that my website is being hacked. What should I do?
+
+Microsoft secures and [frequently updates the hosting environment and infrastructure](/azure/app-service/overview-patch-os-runtime). If a website was hacked or defaced, this usually indicates an exploited vulnerability that's caused by an outdated app package.
+
+Azure App Service does not block insecure apps from running. If the website is vulnerable, you must fix the vulnerabilities in the website code, and then redeploy it to Azure App Service. 
+
+Azure support can help you review the web app's HTTP logs and deployment history to identify when the unknown file was first accessed or whether suspicious patterns appear in the logs. We can also offer guidance about how to configure security services such as Web Application Firewall and Microsoft Defender for App Service. However, we can't take direct action because the permanent fix might involve implementing a Web Application Firewall or updating the existing codes.
+
+You can [restore a backup](/azure/app-service/manage-backup?tabs=portal#restore-a-backup) or redeploy the site, but this is not a long-term fix if the security issue is not resolved.
+
+### My site has been added to the blocklist. What should I do?
+
+If the IP address is frequently blocklisted, it's important to investigate the root cause. The blockage might be caused by sending spam email messages, hosting malicious content, or other security vulnerabilities that should be resolved.
+
+- **Inbound IP blocklisted**: To address an inbound IP blocklisting issue, request a [static inbound IP address](/azure/app-service/overview-inbound-outbound-ips#get-a-static-inbound-ip) by using an IP-based SSL to secure your domain. Alternatively, you can use Azure services such as [Azure Application Gateway](/azure/application-gateway/overview) or [App Service Environment](/azure/app-service/environment/networking) (ASE) to gain a dedicated inbound IP address.
+
+- **Outbound IP blocklisted**: The only way to request dedicated outbound IP addresses is to use an App Service Environment. Apps that run in Azure share outbound addresses from a common pool.  
+    - You can deploy your app in a different (resource group + location) to host the application in a new scale unit. [Scaling your app between pricing tiers](/azure/app-service/manage-scale-up#scale-up-your-pricing-tier) will also trigger a change in outbound IP addresses.  
+    - Alternatively, use [Azure's NAT Gateway](/azure/vpn-gateway/vpn-gateway-about-vpngateways) to assign dedicated outbound IP addresses to your resources.  
+    - For more information, see [How to fix outbound IPs for App Service using NAT Gateway](https://techcommunity.microsoft.com/blog/appsonazureblog/how-to-fix-outbound-ips-for-app-service/2320612).  
+
+- **SMTP blocklisted**: Port 25 is mainly used for unauthenticated email delivery. Outbound connections from App Services to the public internet by using port 25 are not restricted. However, using this design could result in outbound IP addresses being flagged as spam and, therefore, blocklisted.  
+    - We recommend that you use authenticated SMTP relay services to send email or implement App Service VNet Integration.  
+    - Alternatively, host the App Service in an [App Service Environment (ASE)](/azure/app-service/environment/networking) to route outbound SMTP connections over a private network.  
+    - For details, refer to [Troubleshoot outbound SMTP connectivity problems in Azure](/azure/virtual-network/troubleshoot-outbound-smtp-connectivity).  
+
+### Why am I receiving warnings or alerts for my web app in security scan reports?
+
+Security scans are typically run against a web app URL. Make sure that the tested URL resolves to the intended web app. If it resolves elsewhere, such as an application gateway, you can expect to receive inaccurate scan results.
+
+Some scan results could be false positives even as others indicate a genuine security issue that might require a consultation with Azure support. Certain changes are within your control, such as networking or website configuration. Other changes at the platform level can be controlled only by Microsoft.
+
+Azure support can assist you by reviewing the full scan results, confirming the results, and providing security feature options to you.

support/azure/app-service/toc.yml

@@ -6,6 +6,8 @@
     href: ./capture-memory-dumps-app-service.md
   - name: Create or delete web apps FAQs
     href: ./create-delete-resources-faq.yml
+  - name: App service security FAQs
+    href: faqs-web-app-security.md
   - name: Availability, performance, and application FAQs
     href: web-apps-performance-faqs.md
   - name: App Service Compliance with PCI Standards 3.0 and 3.1

support/azure/azure-kubernetes/extensions/changes-in-kubernetes-event-driven-autoscaling-add-on-214-215.md

@@ -36,17 +36,17 @@ Your AKS cluster Kubernetes version determines which KEDA version will be instal
      ```yaml
      triggers:
      - type: any-type
-     metadata:
-     metricName: "my-custom-name"
+       metadata:
+         metricName: "my-custom-name"
      ```
 
      Example by using KEDA 2.15 or 2.14
 
      ```yaml
      triggers:
      - type: any-type
-     name: "my-custom-name"
-     metadata:
+       name: "my-custom-name"
+       metadata:
      ```
 
 ## Frequently asked questions

support/azure/azure-storage/files/connectivity/files-troubleshoot-smb-connectivity.md

@@ -4,7 +4,7 @@ description: Troubleshoot problems connecting to and accessing SMB Azure file sh
 services: storage
 ms.service: azure-file-storage
 ms.custom: sap:Connectivity, devx-track-azurepowershell, linux-related-content
-ms.date: 09/12/2024
+ms.date: 02/04/2025
 ms.reviewer: kendownie, jarrettr, v-weizhu, v-six, hanagpal
 ---
 # Troubleshoot Azure Files connectivity and access issues (SMB)
@@ -106,7 +106,7 @@ SourceAddress    : <your-ip-address>
 TcpTestSucceeded : True
 ```
 
-> [!Note]  
+> [!NOTE]
 > This command returns the current IP address of the storage account. This IP address is not guaranteed to remain the same, and may change at any time. Don't hardcode this IP address into any scripts, or into a firewall configuration.
 
 #### Solutions for cause 1
@@ -231,6 +231,8 @@ Make sure port 445 is open and [check DNS resolution and connectivity to your fi
 
 ### [Linux](#tab/linux)
 
+Linux clients can use [AzFileDiagnostics](https://github.com/Azure-Samples/azure-files-samples/tree/master/AzFileDiagnostics/Linux) to automate symptom detection and ensure that they have the correct prerequisites.
+
 Common causes for this problem are:
 
 - You're using a Linux distribution with an outdated SMB client. See [Use Azure Files with Linux](/azure/storage/files/storage-how-to-use-files-linux) for more information on common Linux distributions available in Azure that have compatible clients.
@@ -262,17 +264,17 @@ To learn more, see [Prerequisites for mounting an Azure file share with Linux an
 1. Connect from a client that supports SMB encryption or connect from a virtual machine in the same datacenter as the Azure storage account that's used for the Azure file share.
 2. Verify the [Secure transfer required](/azure/storage/common/storage-require-secure-transfer) setting is disabled on the storage account if the client doesn't support SMB encryption.
 
-##### Cause 2: Virtual network or firewall rules are enabled on the storage account
+##### Cause 2: Virtual network or firewall rules are enabled on the storage account, or port 445 is blocked
 
-If virtual network (VNET) and firewall rules are configured on the storage account, network traffic will be denied access unless the client IP address or virtual network is allowed access.
+If virtual network (VNET) and firewall rules are configured on the storage account, network traffic will be denied access unless the client IP address or virtual network is allowed access. In addition, if your company or ISP blocks port 445 outbound, you won't be able to mount the share.
 
 ##### Solution for cause 2
 
-Verify that the VNET and firewall rules are configured properly on the storage account and the port 445 is allowlisted. To test if virtual networks or firewall rules cause the issue, you can temporarily change the setting on the storage account to **Allow access from all networks**. To learn more, see [Configure Azure Storage firewalls and virtual networks](/azure/storage/common/storage-network-security).
+Verify that the VNET and firewall rules are configured properly on the storage account, and that port 445 is allowlisted. To test if virtual networks or firewall rules cause the issue, you can temporarily change the setting on the storage account to **Allow access from all networks**. To learn more, see [Configure Azure Storage firewalls and virtual networks](/azure/storage/common/storage-network-security).
 
 ##### Cause 3: SMB client is configured to use NTLMv1
 
-Azure Files only supports NTLMv2 and Kerberos for SMB file shares. Kernel 4.4 and later versions enable NTLMv2 by default and disable LANMAN. Under default configurations, NTLMv1 is kept as a negotiation only option. For more information, see your OS documentation.
+Azure Files only supports NTLMv2 (storage account key only) and Kerberos authentication for SMB file shares. NTLMv1 isn't supported. Kernel 3.3 and later versions default to NTLMv2 unless overridden with the `sec` mount option. Kernel 4.4 and later versions enable NTLMv2 by default and disable LANMAN. Under default configurations, NTLMv1 is kept as a negotiation only option. For more information, see your OS documentation.
 
 ##### Solution for cause 3
 
@@ -284,7 +286,7 @@ When storage account key access is disabled or disallowed for a storage account,
 
 ##### Solution for cause 4
 
-Use identity-based authentication. The file share must be joined to an on-premises Active Directory Domain Servies (AD DS) or Microsoft Entra Domain Services domain, and the Linux client must be [configured to use Kerberos authentication](/azure/storage/files/storage-files-identity-auth-linux-kerberos-enable).
+Use identity-based authentication instead. See [Enable Active Directory authentication over SMB for Linux clients accessing Azure Files](/azure/storage/files/storage-files-identity-auth-linux-kerberos-enable) for prerequisites and instructions.
 
 #### <a id="error115"></a>"Mount error(115): Operation now in progress" when you mount Azure Files by using SMB 3.x
 
@@ -492,6 +494,8 @@ $leaseClient.Break() | Out-Null
 
 ## [Linux](#tab/linux)
 
+Linux clients can use [AzFileDiagnostics](https://github.com/Azure-Samples/azure-files-samples/tree/master/AzFileDiagnostics/Linux) to automate symptom detection and ensure that they have the correct prerequisites.
+
 In Linux, you might see the following issues.
 
 ### Open handles on files or directories
@@ -589,6 +593,8 @@ If you're using Azure file shares to store profile containers or disk images for
 
 ## [Linux](#tab/linux)
 
+Linux clients can use [AzFileDiagnostics](https://github.com/Azure-Samples/azure-files-samples/tree/master/AzFileDiagnostics/Linux) to automate symptom detection and ensure that they have the correct prerequisites.
+
 ### <a id="permissiondenied"></a>"[permission denied] Disk quota exceeded" when you try to open a file
 
 In Linux, you might receive an error message that resembles the following:

support/azure/azure-storage/files/file-sync/file-sync-troubleshoot-cloud-tiering.md

@@ -4,7 +4,7 @@ description: Troubleshoot common issues with cloud tiering in an Azure File Sync
 author: khdownie
 ms.service: azure-file-storage
 ms.topic: troubleshooting
-ms.date: 01/13/2025
+ms.date: 02/04/2025
 ms.author: kendownie
 ms.reviewer: vritikanaik, v-weizhu
 ms.custom: sap:File Sync
@@ -102,7 +102,7 @@ If content doesn't exist for the error code, follow the general troubleshooting
 | 0x80c83007 | -2134364153 | ECS_E_STORAGE_ERROR | The file failed to tier due to an Azure storage issue. | If the error persists, open a support request. |
 | 0x800703e3 | -2147023901 | ERROR_OPERATION_ABORTED | The file failed to tier because it was recalled at the same time. | No action required. The file will be tiered when the recall completes and the file is no longer in use. |
 | 0x80c80264 | -2134375836 | ECS_E_GHOSTING_FILE_NOT_SYNCED | The file failed to tier because it hasn't synced to the Azure file share. | No action required. The file will tier once it has synced to the Azure file share. |
-| 0x80070001 | -2147942401 | ERROR_INVALID_FUNCTION | The file failed to tier because the cloud tiering filter driver (*storagesync.sys*) isn't running. | To resolve this issue, open an elevated command prompt and run the following command: `fltmc load storagesync`<br/>If the Azure File Sync filter driver fails to load when running the `fltmc` command, uninstall the Azure File Sync agent, restart the server, and reinstall the Azure File Sync agent. |
+| 0x80070001 | -2147024895 | ERROR_INVALID_FUNCTION | The file failed to tier because the cloud tiering filter driver (*storagesync.sys*) isn't running or because the file has a .sid extension. | Security identifier (.sid) files can't be read by the storage sync service, so they can't be tiered to the cloud. If the file doesn't have a .sid extension, you can resolve this issue by opening an elevated command prompt and running the following command: `fltmc load storagesync`<br/>If the Azure File Sync filter driver fails to load when running the `fltmc` command, uninstall the Azure File Sync agent, restart the server, and reinstall the Azure File Sync agent. |
 | 0x80c86041 | -2134351807 | ECS_E_AFS_FILTER_NOT_LOADED | The file failed to tier because the cloud tiering filter driver (*storagesync.sys*) isn't running. | To resolve this issue, open an elevated command prompt and run this command `fltmc load storagesync`. <br/>If the Azure File Sync filter driver fails to load when running the `fltmc` command, uninstall the Azure File Sync agent, restart the server, and reinstall the Azure File Sync agent. |
 | 0x80070070 | -2147024784 | ERROR_DISK_FULL | The file failed to tier due to insufficient disk space on the volume where the server endpoint is located. | To resolve this issue, free at least 100 MiB of disk space on the volume where the server endpoint is located. |
 | 0x80070490 | -2147023728 | ERROR_NOT_FOUND | The file failed to tier because it hasn't synced to the Azure file share. | No action required. The file will tier once it has synced to the Azure file share. |