You are here

Feed aggregator

Restrict Team Foundation Build permissions

MSDN Blogs - Wed, 08/06/2014 - 13:10

Do you have code that should be seen by only a subset of members of your on-premises team project collection? Do you use Team Foundation Build (TFBuild)? If so, you must create some custom groups to reduce the risk that unauthorized team project collection members can use a build process to bypass team project permissions.


For example, you administer the following team projects:

You want only the members of each team project to be able to read the code it contains, as shown above. However, by default, TFBuild controllers are collection-scoped resources, and so have permission to access all code in the collection. This means people who are not members of a team project could use a build process to obtain the code it contains.

For example, Johnnie is a member only of TfvcProjectA, but it is in the same team project collection as TfvcProjectB. So he could create a build process that delivers him the content from TfvcProjectB. Specifically, he can:

  • Map the path to the code on the Source Settings tab.
  • Check in a unit test that copies the code to a folder he can access.
  • Customize the build process to copy the code to a folder he can access.

To prevent this kind of access, implement some custom groups and deny the Project Collection Build Service Accounts group all permissions. For example, you are running four build servers as NETWORK SERVICE:

The following diagram details the membership and permission settings:

Q: Why must I deny permissions to members of the Project Collection Build Service Accounts group?

Note: This guidance applies only to on-premises Team Foundation servers. We don't support this scenario for Visual Studio Online team projects.

Create the collection-level groups

From the security page of team project collection, create the collection-level groups.

For each of your collection-level groups, grant the following permissions:

Add each build service account to one (and only one) of the collection-level groups.

Q: Where can I get the name of the build service account? A: See Deploy and configure a build server.

Modify the Project Collection Build Service Accounts group:

  • Remove all its members.
  • Set all the permissions to Deny.
Grant work item permissions

From the areas page of each of the team projects served by the collection-level group, grant work item permissions:

Set all the permissions of the Project Collection Build Service Accounts group to Deny.

Grant build permissions

From the build page of each of the team projects served by the collection-level group, grant build permissions:

Set all the permissions of the Project Collection Build Service Accounts group to Deny.

Grant version control permissions

Which kind of version control does your team project have?

TFVC version control

From the version control page of each of the team projects served by the collection-level group, grant TFVC version control permissions:

Set all the permissions of the Project Collection Build Service Accounts group to Deny.

Git version control

From the version control page of each of the team projects served by the collection-level group, grant Git version control permissions:

Set all the permissions of the Project Collection Build Service Accounts group to Deny.

Create the project-level groups

From the security page of each of your team projects, create a project-level group:

For each project-level group, grant the following permissions:

Add the appropriate collection-level group to the project-level group:

Q&A Q: Why must I deny permissions to members of the Project Collection Build Service Accounts group?

A: To mitigate the risk of unauthorized access to team project resources, you should set all permissions of this group to Deny. Even if you personally are careful not to add members to the group, this could happen:

  • Automatically by the system. If another team project collection administrator deploys a build server, TFS automatically adds the build service account to the group.
  • Manually by another team project collection administrator who is not aware of the collection-wide access that this TFS group enables.
Questions? Suggestions? Feedback?

I invite you to post:

Leveraging existing code across .NET platforms

MSDN Blogs - Wed, 08/06/2014 - 13:06

Today we are happy to announce the alpha release of the .NET Portability Analyzer extension for Visual Studio. Please try it out. This add-in was created by our software developer intern Charles Lowell.

Over the last few years, consumers and enterprise employees are using more devices than before which run different operating systems like iOS, Android, Windows Phone, and Windows 8. As a result developing apps for different platforms is almost a requirement now. With the release of the .NET Portability Analyzer extension we are integrating the ability to reason about portability of your existing code into your development environment. This will allow you an easy way to understand how portable your code is and get recommendations to write your code so that your code just works across platforms.

You may have seen Tech Ed 2014 announcements & .NET blog post on “Targeting Multiple Platforms”. This post continues from there.

Understanding portability with Visual Studio

In our previous post we introduced the command line .NET Portability Analyzer. However, we felt that the acquisition and discovery of the tool for developers would be aided if we were to integrate the experience into VS. Additionally the integration into Visual Studio allows us to pinpoint the source locations where incompatible APIs are found to be. You can download it here. There is a great Channel 9 video about the extension which you can watch below.

Once you have installed the extension you can use the Portability Analyzer in two ways

Analyze Assembly approach

This menu allows you to specify a set of libraries that you want to analyze and get a summary view of all the changes that would need to be made to make it compatible with a given platform.

The output of this analysis is a file that documents the overall compatibility of each assembly analyzed along with a detailed drill down into individual Types/Members that are missing and recommendations about how to fix them.

Analyze Project approach

The project analysis adds a context menu to the project dialog, where you can request to analyze a given project for portability. The image below illustrates this experience.

When using this experience in addition to the report shown above, you will also get source level information about compatibility issue where available, which will be reported as a message in the error list of VS as shown below.

Using the API Portability Analyzer extension will enable you to get a quick overview of all the changes that you would need to make in order to be able to port your code to a given platform. Given the assembly level break-down it enables you to easily prioritize and cost either the easiest ports or the most high value ports depending on your business requirements. We are actively working on the recommendations to make them actionable and informative.

Using the API Portability Analyzer

In case you don`t have VS or wanted to integrate this functionality into your build the API Portability Analyzer tool takes your existing app or library and provides a report which tells you how compatible you are with different platforms. Let’s take a quick look into how you could use the [API Portability Analyzer](( Download the tool from the site above and run the command as follows:

This command will analyze the Autfac libraries and give you a report Excel file, which summarizes the compatibility of the existing Autofac binaries against the different platform profiles.

We see that the assembly for Autofac is fully compatible with Silverlight and there are some missing dependencies for the Autofac.Configuration dll. If we wanted to drill into this further you can look at the details page in the excel sheet and see a view as follows.

The details page gives us information about the specific members that are missing from a type and recommendations around alternatives that can be used. We are actively working to fill out the recommendations for the missing APIs so that you have guidance around how you can move your code over to a given platform. You can use your inner Excel ninja to get different organizations around the work that needs to be done in order to move to a given platform. Remember pivot-tables are your friend.

Helping make the .NET framework better.

The API Portability Analyzer submits anonymous data to Microsoft about the .NET APIs used by your app. This aggregate data provides input to us on popular and missing APIs along with understanding where our customers are currently trying to migrate code from. As we work on our next set of features and compatibility reviews, this would help us spend more time on enabling APIs that you love and use most frequently. For instance based on the data, we are now working on enabling TypeConverter and System.Web types on the ASP.NET vNext K stack. The information that we collect is the .NET APIs that your app is using, along with some other metadata like what framework version your assembly was built against and assembly references of your assembly.
The site gives you a visual sense of the data that we are collecting and we are looking at ways to add more value to this site. Your feedback around what features or data you would like to see here would be appreciated.

Wrapping Up

Using this tool enables you to quickly get a high level understanding of the work that needs to be done to port to a given platform. While it may appear that you would need to do work every time that you want to target a new platform, we on the .NET framework team are working to enable a vision of single .NET surface area. Our goal is to have parity across the APIs that we expose on our Modern framework stacks. The only reason for a missing API would be its lack of applicability to a given application model or platform.
The introduction of the Visual Studio extension makes it easy to reason about the migrating of code to a new platform. Depending on what your business requirements are you can easily prioritize and understand the costs of supporting a new platform. In addition this tool give us insights into the biggest pain points that you face when migrating your code. We would love to hear your feedback on how to make this tool better! Please let us know what you think by either leaving a comment on this post or reaching out to the team at

Survey for You :)

MSDN Blogs - Wed, 08/06/2014 - 12:53
We know a lot of you C++ developers also use other frameworks like .NET and Xamarin. If so, do you mind taking a brief survey at ? Look for us to share highlights from the last couple of surveys in the next month or so. We are still ruminating over the responses and the individual discussions we had with those of you who opted in. Thanks!...(read more)

Internet Explorer begins blocking out-of-date ActiveX controls

MSDN Blogs - Wed, 08/06/2014 - 11:05

As part of our ongoing commitment to delivering a more secure browser, starting August 12th Internet Explorer will block out-of-date ActiveX controls. ActiveX controls are small apps that let Web sites provide content, like videos and games, and let you interact with content like toolbars. Unfortunately, because many ActiveX controls aren’t automatically updated, they can become outdated as new versions are released. It’s very important that you keep your ActiveX controls up-to-date because malicious or compromised Web pages can target security flaws in outdated controls to collect information, install dangerous software, or by let someone else control your computer remotely.

For example, according to the latest Microsoft Security Intelligence Report, Java exploits represented 84.6% to 98.5% of exploit kit-related detections each month in 2013. These vulnerabilities may have been fixed in recent versions, but users may not know to upgrade. To help avoid this situation with ActiveX controls, an update to Internet Explorer on August 12, 2014 will introduce a new security feature, called out-of-date ActiveX control blocking.

Out-of-date ActiveX control blocking lets you:

  • Know when Internet Explorer prevents a Web page from loading common, but outdated, ActiveX controls.
  • Interact with other parts of the Web page that aren’t affected by the outdated control.
  • Update the outdated control, so that it’s up-to-date and safer to use.
  • Inventory the ActiveX controls your organization is using.

We wanted to share some guidance ahead of next week’s update, to help you understand this feature and decide the best course of action. If you are an end user and see the notification bar, we suggest updating to the latest version. If you are an IT Pro, you can decide how to implement this feature.

Supported Configurations

The out-of-date ActiveX control blocking feature works with:

  • On Windows 7 SP1, Internet Explorer 8 through Internet Explorer 11
  • On Windows 8 and up, Internet Explorer for the desktop
  • All Security Zones—such as the Internet Zone—but not the Local Intranet Zone and the Trusted Sites Zone

This feature does not warn about or block ActiveX controls in the Local Intranet Zone or Trusted Sites Zone.

What does the out-of-date ActiveX control blocking notification look like?

It is important to note that, by default, this feature warns users, with options to update the control or override the warning. When Internet Explorer blocks an outdated ActiveX control, you will see a notification bar similar to this, depending on your version of Internet Explorer:

Internet Explorer 9 through Internet Explorer 11

Internet Explorer 8

From the notification about the outdated ActiveX control, clicking “update” will take you to the control’s Web site to download its latest version. Optionally, in managed environments, IT can configure the feature to block—and not just warn—a user from running out-of-date ActiveX controls.

Out-of-date ActiveX control blocking also gives you a security warning that tells you if a Web page tries to launch specific outdated apps, outside of Internet Explorer:

How does Internet Explorer decide which ActiveX controls to block?

Internet Explorer uses a Microsoft-hosted file, versionlist.xml, to determine whether an ActiveX control should be stopped from loading. This file is updated with newly-discovered out-of-date ActiveX controls, which Internet Explorer automatically downloads to your local copy of the file. We are initially flagging older versions of Java, but over time will add other outdated ActiveX controls to the list.

As of August 12, 2014, this feature will provide users with notifications when Web pages try to load the following versions of Java ActiveX controls:

  • J2SE 1.4, everything below (but not including) update 43
  • J2SE 5.0, everything below (but not including) update 71
  • Java SE 6, everything below (but not including) update 81
  • Java SE 7, everything below (but not including) update 65
  • Java SE 8, everything below (but not including) update 11

You can view Microsoft’s complete list of out-of-date ActiveX controls at Internet Explorer version list.

Out-of-date ActiveX control blocking for managed environments

Out-of-date ActiveX control blocking is turned off in the Local Intranet Zone and Trusted Sites Zone, to help ensure that intranet Web sites and trusted line-of-business apps can continue to use ActiveX controls without disruption. Some customers may want more granular control over how this feature works on managed systems. IT Pros may want to turn on ActiveX control logging, enforce blocking, allow select domains to use out-of-date ActiveX controls, or—although it is not recommended—disable the feature altogether.

To support these scenarios, Internet Explorer includes four new Group Policy settings that you can use to manage out-of-date ActiveX control blocking.

  • Logging can tell you what ActiveX controls will be allowed or flagged for warning or blocking, and for what reason. Creating an inventory of ActiveX controls can also show which ActiveX controls are compatible with Enhanced Protected Mode, an Internet Explorer 11 security feature which provides additional protection against browser exploits—but not all ActiveX controls are compatible with EPM, so this feature can help assess your organization’s readiness for blocking out-of-date ActiveX controls and enabling EPM. This Group Policy is “Turn on ActiveX control logging in Internet Explorer,” and can be used separately or in conjunction with the other three policies.
  • Enforced blocking prevents users from overriding the warning for out-of-control ActiveX controls. Users will not see the “Run this time” button. This Group Policy is “Remove Run this time button for outdated ActiveX controls in Internet Explorer.”
  • Selected domains can be managed for which Internet Explorer will not block or warn about outdated ActiveX controls. This policy is “Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains” and includes a list of top level domains, host names, or files.
  • This feature can be turned off by using the policy “Turn off blocking of outdated ActiveX controls for Internet Explorer.” This might be used temporarily in combination with logging, to assess ActiveX controls before re-enabling the feature. This can also be enabled, like all four policies, with a registry key—in this case, a REG_DWORD “HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\VersionCheckEnabled" with value of zero.

Please see the complete technical documentation here, pending publication on August 7. Starting on August 12, you can also download updated Internet Explorer administrative templates from:

  • Windows Server 2003. Download the complete set of (English only) Internet Explorer administrative templates, which include the new settings, from here.
  • Windows Server 2008 and up. Download the complete set of Internet Explorer administrative templates, which include the new settings, from here.
Stay up-to-date with Internet Explorer

We know that many organizations still rely on the capabilities of ActiveX controls, but out-of-date ActiveX controls are a risk today. By helping consumers stay up-to-date—and enabling IT to better manage ActiveX controls, including those that are compatible with Enhanced Protected Mode—Microsoft is helping customers stay safer online. This is another example of delivering on the promise to help get users current with a safer, more secure Internet Explorer.

— Fred Pullen, Senior Product Manager, Internet Explorer

— Jasika Bawa, Program Manager, Security

Save the date: Technical Summit 2014 - DIE Veranstaltung für Entwickler und IT Administratoren im Microsoft-Kosmos von 11.11.2014 bis 13.11.2014 in Berlin

MSDN Blogs - Wed, 08/06/2014 - 10:59

Save the date!
Mit dem Technical Summit 2014 von 11. bis 13. November in Berlin gibt es einen offiziellen Nachfolger der beiden erfolgreichen Konferenzen Visual Studio Evolution und TechNet Conference. Beim Technical Summit 2014 erwartet Euch eine geballte Ladung Information für Entwickler, IT Administratoren und alle Mischwesen, die die Branche so kennt – es sollte also wirklich für jeden was dabei sein!

Wer bereits auf der Visual Studio Evolution war, kann ungefähr erahnen, was auf ihn zukommen wird. Natürlich kommt noch der an Administratoren gerichtete Inhalt der TechNet Conference dazu – heutzutage sind die Grenzen ohnehin fließend! Ich freu mich drauf!  Die Website ist seit ein paar Minuten online, die Agenda wird gerade zusammengestellt, eine Anmeldung wird in Kürze möglich sein. Insofern: Markiert Euch das Datum im Kalender, storniert Urlaubsplanungen und Firmenfeiern, fangt an die Reise zu planen – ich hoffe,  wir sehen uns in Berlin!

Hier geht’s zum Technical Summit 2014: !

The Undocumented "Feature" of Mount-SPContentDatabase

MSDN Blogs - Wed, 08/06/2014 - 10:46

Today we are going to look at an undocumented (as of 8/6/14) functionality related to the Mount-SPContentDatabase PowerShell command for SharePoint 2010/2013.  If you are unfamiliar with this command, I suggest reviewing the TechNet documentation, which can be found here.  I was doing some migration testing for a customer recently and had to mount some content databases.  I opened PowerShell, typed the command, waiting a few minutes for the database to be mounted, and reviewed the PS output.  What!?!  No sites in the database?  That couldn't be right.

At this point, I jumped over to SQL Server Management Studio.  The database was there and it contained all the standard SharePoint tables.  Problem was, these tables were empty.  So what happened to my content?  I checked the create date/time on the database and noticed that it was created a few minutes earlier.  As it turned out, the database did not exist prior to my Mount-SPContentDatabase command execution.  The Mount-SPContentDatabase command is supposed to attach existing databases to a SharePoint farm, so how did this database get created?  Testing revealed that, if the specified database does not exist, the Mount-SPContentDatabase command will create a new database (tested in SharePoint 2010 and 2013).  Creating a new database instead of notifying the user that the database name specified does not exist can lead to frustrating troubleshooting.  So the next time that your migrated content does not appear as expected following the Mount-SPContentDatabase command execution, you might want to check the create date/time on the content database.  Ya gotta love undocumented features.

Project Thali: Giving Users More Flexibility and Control Through a P2P Web

MSDN Blogs - Wed, 08/06/2014 - 09:30

If there’s a common theme among the people on my team, it’s their ability to overcome some of the thorniest technical challenges with what might be considered the most unorthodox of approaches.

Yaron Goland is a great example. Throughout a lengthy career at Microsoft (as well as a six-year hiatus outside the company), one of Yaron’s ambitions has been to create a Web experience built on a P2P model.

Now, as a software architect with the Microsoft Open Technologies Hub, Yaron is finally pursuing this vision through a project he calls Thali. While on-site a few months back for the Accela hackfest, Yaron sat down to talk about his vision for P2P web, as well as Thali’s role within the hackfest. 


 Building a P2P Web has, of course, been possible for quite some time. But it’s only within the last couple of years that advances in mobile technology have enabled greater flexibility and control. 


There are a number of similar projects underway, but what sets Thali apart from the others is this: Rather than relying on the cloud as a repository for a user’s personal data, Thali anchors it to their personal devices and creates a mesh network that gives the user more control and access to that data from any one of their devices.


Of course, there are some challenges that come with P2P—things like security, discoverability and ensuring the federation of updates across devices. Yaron has been working hard to address these, alongside his colleagues at MS Open Tech, as well as with members of the open source community such as CouchBase and PouchDB,

CouchBase architect Wayne Carter especially appreciated the thoroughness and thoughtfulness that Yaron put into his feedback, and this exchange really sets the standard for how we work together moving forward. 


We’re pretty excited about Thali’s potential but there’s still work to be done, and Yaron and his team would appreciate your help in bringing it to completion. Check out the Thali page on Codeplex for more details about the project and how to get involved. 

Earth's Rising Tempers: Unlocking Volcanoes Insights with Power BI

MSDN Blogs - Wed, 08/06/2014 - 09:00

Volcanoes are one of the most destructive forces of nature and always get a fair amount of attention from the general public and the scientific community.

Volcanic activity generates thousands of data points. Remy Tom, one of our semi-finalist of the Power BI Demo Contest leveraged hundreds of years of volcano eruptions and created some very cool visualizations. As you can see in these visualizations, eruptions happen way more often than people think. In fact, just the day before yesterday a volcano in Kagoshima erupted for the first time in 34 years.

You can explore this dashboard to find out some interesting facts such as:

  • The number of eruptions for each volcano since 1500, with the Etna being the volcano with the most: 1,139 eruptions.
  • The most common type of volcano is a Stratovolcano. Among these you will find the Merapi, the Villarrica and the Etna.
  • The most common type of tectonic setting for an eruption is Compressional Continental.
  • Surprisingly, the countries with more events coming from a single volcano are Italy and France.

You can watch Remy's video submission to the contest where he walks us through all the steps involved in building this model, including Excel's Power Query, Power Pivot, Power View and Power BI's impressive Q&A feature, which allowed him to ask questions in natural language and get visualized volcano answers on the fly.


Ranger Flash – July 2014 … Turbulent weather, events and lots of pizza

MSDN Blogs - Wed, 08/06/2014 - 08:13


You can find the latest flight plan snapshot at

news welcome our new associate ALM rangers

Please welcome the following new ALM Associate Rangers: Alex Belotserkovskiy, Daniel Mann, José Freire Neto and Sergio Romero.
WELCOME! Remember family>job>rangers and have fun!

interesting reads

willy’s cave


tell us about your success stories!

Are you aware of a success story in which the Visual Studio ALM Rangers and/or their solutions have accelerated the adoption of Visual Studio, unblocked an engagement and/or resulted in a happy user? See Tell us about your success stories for details.

review our (your) solutions!

When you download one or more of our solutions please invest a few seconds to rate and optionally review the solution on CodePlex or the Visual Studio Gallery. We need your candid feedback and support in terms of ratings!


ALM Rangers
  • About
  • Publications
  • Solutions
  • Team

ALM Readiness
  • Treasure Map
  • T/Map App

  • VS TFS Team
  • Willy's Reflections

ALM Rangers


Brian Keller's VM
  • Community Feed

Visual Studio
  • Downloads
  • Marketing (ALM)
  • Marketing (VS)

Danny Crone and Robert Bernstein

Semiahamoo bay … tranquility in Vancouver.

Small Basic Comments

MSDN Blogs - Wed, 08/06/2014 - 08:04

This is an excerpt from this great TechNet Wiki article:

Small Basic: Programming Tips by  



A comment in Small Basic starts with an apostrophe ' and is highlighted in green.  Anything after it is ignored to the end of the line.

'Calculate distance between objects distance = Math.SquareRoot((x-a)*(x-a) + (y-b)*(y-b)) '(x,y) is the player

Comments are not just for others reading your code, they help remind you later why you did something.  More importantly they show the thinking behind the code and the ideas about how the program should work.

Try to add comments that explain something complex or why you did something one way or another.  They should remind you and help someone else understand the overall thinking you had when you wrote the program.

The 'more comments the better' is not good, the following comment adds nothing.

x = x+5 'Add 5 to x

Sometimes comments can be used to visually separate sections of your code like the start of subroutines.

'=================================================== 'SUBROUTINES '===================================================



 Read more great tips in this TechNet Wiki article:

Small Basic: Programming Tips by  



Special thanks to LitDev for helping guide our community!

   - Ninja Ed



Subscribe to Randy Riness @ SPSCC aggregator
Drupal 7 Appliance - Powered by TurnKey Linux