Cloud App Security release 181

Microsoft have just released version 181 of Cloud App Security. In this release we have 1 new item and a name change.

  • New Cloud Discovery Menlo Security log parser
    Cloud App Security Cloud Discovery analyzes a wide range of traffic logs to rank and score apps. Now Cloud Discovery includes a built-in log parser to support the Menlo Security CEF format. For a list of supported log parsers, see Supported firewalls and proxies.
  • Azure Active Directory (AD) Cloud App Discovery name displays in portal
    For Azure AD P1 and P2 licenses, we’ve updated the product name in the portal to Cloud App Discovery. Learn more about Cloud App Discovery.

Regards
The Author – Blogabout.Cloud

Whats new in the Microsoft 365 Roadmap today (14/07/20)

Additions: 5, Updates: 8. More details at: www.roadmapwatch.com

New Features (Current Status):

  • Excel: Office Scripts for task and workflow automation in Excel – Rolling Out
  • Microsoft Information Protection: Teams DLP for Adaptive Cards – In Development
  • Microsoft Information Protection: Data loss prevention for Microsoft Teams in GCC-High and DoD – In Development
  • Forms: Print a blank Form – In Development
  • Microsoft Information Protection: UI for configuring Exact Data Match – In Development

Updated Features (Current Status, Update Type):

  • Microsoft Teams: New file sharing experience – Rolling Out (Status)
  • Automated Incident Response for compromised user accounts – Launched (Description)
  • Advanced eDiscovery Graph APIs – In Development (Description)
  • Microsoft Graph: [TO DO TASKS] Tasks API (Preview) – In Development (Description)
  • Microsoft Teams – raise hands in Teams meetings for GCC – Launched (Status)
  • Communication Compliance: Detect adult content – Launched (Status)
  • Microsoft Information Protection: Double Key Encryption – Launched (Status)
  • Exchange online: Client Access rules support for OAuth POP and IMAP – Rolling Out (Status)

Regards
The Author – Blogabout.Cloud

Managing firmware updates for Jabra Devices with Microsoft Endpoint Manager

After an interesting call today understanding the offerings from Jabra, my little mind got spinning on how to manage Jabra devices so firmware patches can be applied. Jabra has 2 different solution approaches, Jabra Xpress and Jabra Direct, so let’s incorporate these into Microsoft Endpoint Manager for the full modern workspace experience.

Jabra Xpress

This solution allows you to control deployment, settings and firmware updates for all the Jabra devices within your organisation. Here’s a quick video from Jabra about Xpress.

https://www.jabra.co.uk/software-and-services/jabra-xpress

The best part of Jabra Xpress is that it’s completely FREE!! unlike its competitors, who charge for the same functionality.

Jabra Direct

This solution allows the end user to control updates to their own Jabra device; it would only apply where Jabra Xpress is not utilized. In many organizations you may come across a mixture of device vendors, so this approach may be better if there’s only a handful of devices.

Here’s a quick video from Jabra about Xpress.

How does this work with Microsoft Endpoint Manager?

Microsoft Endpoint Manager has the ability to push both client MSI files to the end-user workstations, or even make them available in the Company Portal.

Jabra Xpress

The MSI package for Jabra Xpress is created within the console, whether you have the Cloud or the On-Premises edition. The client will talk directly back to your corporate console to check for updates.

Once you have downloaded your Jabra Xpress MSI installer, head over to https://endpoint.microsoft.com

Browse to All Apps via Apps and Click Add

Select Line-of-Business App and press Select

Select the MSI file and Press Ok.

Enter a publisher’s name, as you won’t be able to continue from this point until it has been completed. You may also like to include an image which will appear in the Company Portal, then Press Next

If you are using Scope Tags, select the one relevant to you and Press Next

Define your assignments of the installation of the new application and Press Next

Press Create

This will now install the Jabra Xpress client on my Windows 10 Virtual Machines.

Easy!!!

Jabra Direct

For Jabra Direct the same principle applies: download the installer from https://www.jabra.co.uk/software-and-services/jabra-direct and add it to Apps. Under assignment, if you have an Azure AD group for users with Jabra devices, use “Available for Enrolled Devices” so the end user can install freely from the Company Portal.

If you would like more information about Jabra Xpress, reach out to Jabra and they will happily provide more information or set up a tech session.

Regards
The Author – Blogabout.Cloud

Whats new in the Microsoft 365 Roadmap today (13/07/20)

Additions: 0, Updates: 3. More details at: www.roadmapwatch.com

Updated Features (Current Status, Update Type):

  • Improved user experience for the Admin Center Message Center – Launched (Status)
  • Microsoft Lists and SharePoint document libraries – Gallery view – In Development (Title, Description)
  • Outlook on the web – New tasks experience for GCC – In Development (Title)

Regards
The Author – Blogabout.Cloud

When was the last time you updated your PowerShell modules?

So how often do you check for PowerShell updates? My guess would be not at all, as it’s hard to keep up to date and ensure you have the latest and greatest module available.

As an example, I have two modules installed on my client device which I haven’t updated for a while.

Check out my Get-InstalledModuleUpdate script available on GitHub, aimed to help in this situation. It puts all the installed modules into an array and checks for the latest versions available on the PowerShell Gallery.

https://github.com/TheWatcherNode/blogaboutcloud/blob/master/Get-InstalledModulesUpdate.ps1
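The check described above, written out as an added example (this is not the author’s Get-InstalledModuleUpdate.ps1): every installed module is compared with the newest stable version in the repository it was installed from, and only that repository is queried so a same-named package on another feed is never mistaken for an update. It assumes PowerShellGet is available.

```powershell
# Added example (not the author's Get-InstalledModuleUpdate.ps1): compare every
# installed module with the newest stable version in the repository it came from.
# Requires PowerShellGet (Get-InstalledModule / Find-Module / Update-Module).

function ConvertTo-ComparableVersion {
    param([string]$VersionText)
    # Drop any prerelease suffix (e.g. 2.0.0-preview1) so [version] can parse it
    [version](($VersionText -split '-')[0])
}

function Get-ModuleUpdateStatus {
    [CmdletBinding()]
    param(
        # When set, install the newer version (the old one stays side by side)
        [switch]$Update
    )

    # Get-InstalledModule returns the highest installed version of each module
    foreach ($mod in Get-InstalledModule) {
        # Query only the repository the module was installed from; a same-named
        # package on a different feed must never be treated as an update.
        $repo = if ($mod.Repository) { $mod.Repository } else { 'PSGallery' }
        try {
            $latest = Find-Module -Name $mod.Name -Repository $repo -ErrorAction Stop
        } catch {
            Write-Warning "Could not query $repo for $($mod.Name): $($_.Exception.Message)"
            continue
        }

        $installedVersion = ConvertTo-ComparableVersion $mod.Version
        $latestVersion    = ConvertTo-ComparableVersion $latest.Version
        $updateAvailable  = $latestVersion -gt $installedVersion

        if ($Update -and $updateAvailable) {
            # Pin to the exact version just found so the report and the install agree
            Update-Module -Name $mod.Name -RequiredVersion $latest.Version -ErrorAction Continue
        }

        [pscustomobject]@{
            Name             = $mod.Name
            InstalledVersion = $installedVersion
            LatestVersion    = $latestVersion
            Repository       = $repo
            UpdateAvailable  = $updateAvailable
        }
    }
}

# Report only; add -Update to install the newer versions
Get-ModuleUpdateStatus | Where-Object UpdateAvailable | Format-Table -AutoSize
```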

Regards
The Author – Blogabout.Cloud

Version 2004 – Windows 10 and Server Security Baseline

This week Microsoft has announced the final release of the security configuration baseline settings for Windows 10 and Windows Server version 2004. This version sees 1 additional policy and 1 policy removed; Microsoft has also made 2 recommendations that organizations might consider worth considering.

Download the Microsoft Security Compliance Toolkit, which allows you to test the recommended configurations and customize/implement them as appropriate.

Notable changes are as follows:

Title: LDAP Channel Binding Requirements
Configuration: Policy updated
Description: In the Windows Server version 1809 Domain Controller baseline we created and enabled a new custom MS Security Guide setting called Extended Protection for LDAP Authentication (Domain Controllers only) based on the values provided here. This setting is now provided as part of Windows and no longer requires a custom ADMX. An announcement was made in March of this year and now all supported Active Directory domain controllers can configure this policy. The value will remain the same in our baseline, but the setting has moved to the new location. We are deprecating our custom setting. The new setting location is: Security Settings\Local Policies\Security Options\Domain controller: LDAP server channel binding token requirements.

Note: this new policy requires the March 10, 2020 security update. (We assume that, as security conscious baselines users, you are patching!) Details of that patch are here.

Title: Microsoft Defender Antivirus File Hash
Configuration: Worth considering
Description: Microsoft Defender Antivirus continues to enable new features to better protect consumers and enterprises alike. As part of this journey Windows has a new setting to compute file hashes for every executable file that is scanned, if it wasn’t previously computed. You can find this new setting here: Computer Configurations\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MpEngine\Enable file hash computation feature.

You should consider using this feature to improve blocking for custom indicators in Microsoft Defender Advanced Threat Protection (MDATP). This new feature forces the engine to compute the full file hash for all executable files that are scanned. This can have a performance cost, which we minimize by only generating hashes on first sight. The scenarios where you may want to test more thoroughly for performance include devices where you frequently create new executable content (for example, developers) or where you install or update applications extremely frequently.

Because this setting is less helpful for customers who are not using MDATP, we have not added it to the baseline, but we felt it was potentially impactful enough to call out. If you choose to enable this setting, we recommend throttling the deployment to ensure you measure the impact on your users’ machines.

Title: Account Password Length
Configuration: Worth considering
Description: In the Windows 10 1903 security baselines we announced the removal of the account password expiration policy. We continue to invest in improving this experience. With Windows 10 2004, two new security settings have been added for password policies: ‘Minimum password length audit’ and ‘Relax minimum password length limits’. These new settings can be found under Account Policies\Password Policy.

Previously, you could not require passwords/phrases greater than 14 characters. Now you can! Being able to require a length of more than 14 characters (maximum of 128) can help better secure your environment until you can fully implement a multi-factor authentication strategy. Our vision remains unchanged in achieving a password-less future, but we also recognize that this takes time to fully implement across both your users and your existing applications and systems.

You should be cautious with this new setting because it can potentially cause compatibility issues with existing systems and processes. That’s why we introduced the ‘Minimum password length audit’ setting, so you can see what will happen if you increase your password/phrase length. With auditing you can set your limit anywhere between 1 and 128. Three new events are also created as part of this setting and will be logged as new SAM events in the System event log: one event for awareness, one for configuration, and one for error.

This setting will not be added to the baseline as the minimum password length should be audited before broad enforcement due to the risk of application compatibility issues. However, we urge organizations to consider these two settings. Additional details about these new settings will be found here, once the new article gets published in the coming days.

(NOTE: As of today the link is not yet live; we are actively working to ensure it gets posted soon!)

As a reminder, length alone is not always the best predictor of password strength, so we strongly recommend considering solutions such as the on-premises Azure Active Directory Password Protection, which does sub-string matching using a dictionary of known weak terms, and rejects passwords that don’t meet a certain score.

Title: Turn on Behavior Monitoring
Configuration: Policy removed
Description: In keeping with our principles of criteria for baseline inclusion we have found that the following setting does not need to be enforced: there is no UI path to the setting, you must be a privileged account to make the change, and lastly we do not feel a misinformed Admin would change this setting. Based on these principles we are removing Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-time Protection\Turn on behavior monitoring.
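To see where a machine currently stands on the settings called out above before importing the baseline, here is an added example (not part of Microsoft’s baseline or the Security Compliance Toolkit) that reads the effective state of each one locally. It runs elevated; the registry value names used for the two SAM password-length settings are assumed from Microsoft’s documentation and should be verified against the article once it is published.

```powershell
# Added example, not part of Microsoft's baseline or the Security Compliance Toolkit:
# report the effective state of the settings this baseline release calls out.
# Run elevated. The SAM registry value names for the two password length settings
# are assumed from Microsoft's documentation; verify them against the linked article.

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # $null means the value (or key) is absent, i.e. the setting is not configured
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-Baseline2004Status {
    [CmdletBinding()]
    param()

    # 1. LDAP server channel binding token requirements. Only a domain controller
    #    (DomainRole 4 or 5) enforces it: 0 = Never, 1 = When supported, 2 = Always.
    $isDc = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4
    $cbt  = Get-RegistryDword 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' 'LdapEnforceChannelBinding'
    if ($null -eq $cbt)  { $cbtState = 'Not configured' }
    elseif ($cbt -eq 2)  { $cbtState = 'Always' }
    elseif ($cbt -eq 1)  { $cbtState = 'When supported' }
    else                 { $cbtState = 'Never' }
    [pscustomobject]@{
        Setting = 'Domain controller: LDAP server channel binding token requirements'
        Applies = $isDc
        Value   = $cbt
        State   = $cbtState
    }

    # 2. and 4. Microsoft Defender Antivirus: file hash computation (worth considering)
    #    and behavior monitoring (dropped from the baseline but still expected to be on).
    try   { $mp = Get-MpPreference -ErrorAction Stop } catch { $mp = $null }
    if (-not $mp) {
        $hashValue = $null; $hashState = 'Defender not available'
        $bmValue   = $null; $bmState   = 'Defender not available'
    } else {
        $hashValue = $mp.EnableFileHashComputation
        $hashState = if ($hashValue) { 'Enabled' } else { 'Disabled (default)' }
        $bmValue   = -not $mp.DisableBehaviorMonitoring
        $bmState   = if ($bmValue) { 'Enabled' } else { 'Disabled' }
    }
    [pscustomobject]@{
        Setting = 'Enable file hash computation feature'
        Applies = $null -ne $mp
        Value   = $hashValue
        State   = $hashState
    }
    [pscustomobject]@{
        Setting = 'Turn on behavior monitoring'
        Applies = $null -ne $mp
        Value   = $bmValue
        State   = $bmState
    }

    # 3. Minimum password length audit / relax limits (value names assumed, see above).
    $samKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SAM'
    $audit  = Get-RegistryDword $samKey 'MinimumPasswordLengthAudit'
    $relax  = Get-RegistryDword $samKey 'RelaxMinimumPasswordLengthLimits'
    $auditState = if ($null -eq $audit) { 'Not configured' } else { "Configured ($audit)" }
    $relaxState = if ($relax -eq 1) { 'Enabled (lengths above 14 allowed)' } else { 'Not enabled' }
    [pscustomobject]@{
        Setting = 'Minimum password length audit'
        Applies = $true
        Value   = $audit
        State   = $auditState
    }
    [pscustomobject]@{
        Setting = 'Relax minimum password length limits'
        Applies = $true
        Value   = $relax
        State   = $relaxState
    }
}

Get-Baseline2004Status | Format-Table -AutoSize
```

On a member server or workstation the LDAP row reports Applies = False, since only domain controllers enforce that setting.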

Regards
The Author – Blogabout.Cloud

Does your organization need to COPE with Corporate Owned devices but Personal Enabled

Corporate-owned, personally enabled devices is now in preview

Microsoft Endpoint Manager, aka Intune, now supports Android Enterprise corporate-owned devices with a work profile for OS versions Android 8 and above. This solution enables corporate-owned devices to run with a work profile and is a new corporate management scenario in the Android Enterprise solution set.

This scenario is targeted at single-user devices intended for corporate and personal use. This corporate-owned, personally-enabled (COPE) scenario offers:

  • work and personal profile containerization
  • device-level control for admins
  • a guarantee for end users that their personal data and applications will remain private

While the organization owns the devices, in my experience the main thing organizations are concerned about is “Data Security”, so the work profile is leveraged to containerize the corporate data. Allowing the end user to use the device as they would if it was personal is a better option for work/life balance.

The first public preview release will include a subset of the features that will be included in the generally available release. Additional features will be added on a rolling basis. The features that will be available in the first preview include:

  • Enrollment: Admins can create multiple enrollment profiles with unique tokens that do not expire. Device enrollment can be done through NFC, token entry, QR code, Zero Touch, or Knox Mobile Enrollment.
  • Device configuration: A subset of the existing fully managed and dedicated device settings.
  • Device compliance: The compliance policies that are currently available for fully managed devices.
  • Device Actions: Delete device (factory reset), reboot device, and lock device.
  • App management: App assignments, app configuration, and the associated reporting capabilities
  • Conditional Access

Video to be released soon!!!

Regards
The Author – Blogabout.Cloud

Microsoft Azure Virtual Training Day: Fundamentals with Free Exam Voucher

Microsoft is providing more exam vouchers if you complete the following training. Just to clarify, the exam voucher can be used for any Microsoft exam.

To create your vision for tomorrow, you need to understand what the cloud can do for you and your company today. In this introductory course, Microsoft Azure Virtual Training Day: Fundamentals, you will learn about cloud computing concepts, models and services, covering topics such as public, private and hybrid cloud, as well as infrastructure as a service, platform as a service and software as a service.

During this training event, you will explore how to:

  • Get started with Azure
  • Integrate Azure with your existing networks
  • Better understand key cloud concepts and core services, including pricing, support and cloud security

After completing this free training, you’ll be eligible to take the Microsoft Azure Fundamentals certification exam at no cost.

Here’s what you can expect:

Part 1:
  • Introduction
  • Module 0: Course Introduction
  • Module 1: Cloud Concepts
  • Module 2: Security, Privacy, Compliance & Trust
  • Break: 10 minutes
  • Module 3: Core Azure Services
  • Closing

Part 2:
  • Introduction
  • Break: 10 minutes
  • Module 4: Azure Pricing and Support
  • Closing

The Microsoft Azure Virtual Training Day: Fundamentals event and associated vouchers are open to the public and offered at no cost. Prior to registering for this training, government employees must check with their employers to ensure their participation is permitted and in accordance with applicable policies and laws.

Dates and registration links:

  • 5th August 2020, 10:00-12:40 and 6th August 2020, 10:00-12:20: https://mktoevents.com/Microsoft+Event/191076/157-GQE-382?wt.mc_id=AID3018136_QSG_446888
  • 12th August 2020, 10:00-12:40 and 13th August 2020, 10:00-12:20: https://mktoevents.com/Microsoft+Event/191199/157-GQE-382?wt.mc_id=AID3017870_QSG_446891
  • 19th August 2020, 10:00-12:40 and 20th August 2020, 10:00-12:20: https://mktoevents.com/Microsoft+Event/191515/157-GQE-382?wt.mc_id=AID3018009_QSG_447872

Regards
The Author – Blogabout.Cloud

Compliance Score now in Public Preview

Have you ever wondered how compliant your Microsoft 365 environment is? Well, with Microsoft Compliance Score you can now check your environment just like Microsoft Secure Score. This is a standalone feature with a simpler, more user-friendly design to help organizations more easily manage compliance.

First Launch

The following screenshots show the experience you will receive when you launch https://compliance.microsoft.com/compliancescore?viewid=overview. The first time setup can take anything between 5-10 minutes to complete depending on your environment.

Once the first-time setup has been completed you will be welcomed with the following 4 windows.

Microsoft Compliance Score Dashboard

As you can see from the image below it shows your current score, helps you see what needs attention, and guides you to actions to improve your score. Your Compliance Score dashboard will look like this:

https://compliance.microsoft.com/compliancescore?viewid=overview

Improvement Actions

Improvement actions centralize your compliance activities. Each improvement action gives detailed implementation guidance to help you align with data protection regulations and standards. Actions can be assigned to users in your organization to perform implementation and testing work. You can also store documentation, notes, and record status updates within the improvement action.

https://compliance.microsoft.com/compliancescore?viewid=ImprovementActions

Solutions

Solutions lists all the Microsoft products which are scored using the Compliance Score dashboard. You are able to drill into each solution to understand if any additional configuration is required, as shown below.

https://compliance.microsoft.com/compliancescore?viewid=Solutions

Audit

Assessments

An assessment is a grouping of controls from a specific regulation, standard, or policy. Completing the actions within an assessment helps you meet the requirements of a standard, regulation, or law. For example, you may have an assessment that, when you complete all actions within it, brings your Microsoft 365 settings in line with ISO 27001 requirements.

Assessments have several components:

  • In-scope services: the specific set of Microsoft services applicable to the assessment
  • Microsoft managed controls: controls that Microsoft implements and tests
  • Your controls: controls that you manage
  • Assessment score: the percentage of the points achieved by completing improvement actions within that assessment

When creating assessments, you’ll assign them to a group. You can configure groups in whatever way is most logical for your organization. For example, you may group assessments by year, compliance standard, service, teams within your organization, or some other way. Once you create groups, you can filter your Compliance Score dashboard to view your score by one or more groups.

As you can see from the screenshot below, during the initial first launch the default Data Protection Baseline assessment will be run.

https://compliance.microsoft.com/compliancescore?viewid=Assessments

This will give you a base understanding of your compliance footprint once it has completed.

Regards
The Author – Blogabout.Cloud

Whats new in Microsoft Intune (Service Release 2007)

As of 13th July, Microsoft has introduced Service Release 2007. Here’s what’s available now.

App management

Win32 app installation notifications and the Company Portal

End users can now decide whether the applications shown in the Microsoft Intune Web Company Portal should be opened by the Company Portal app or the Company Portal website. This option is only available if the end user has the Company Portal app installed and launches a Web Company Portal application outside of a browser.

Exchange On-Premises Connector support

Intune is removing support for the Exchange On-Premises Connector feature from the Intune service beginning in the 2007 (July) release. Existing customers with an active connector will be able to continue with the current functionality at this time. New customers and existing customers that do not have an active connector will no longer be able to create new connectors or manage Exchange ActiveSync (EAS) devices from Intune. For those customers, Microsoft recommends the use of Exchange hybrid modern authentication (HMA) to protect access to Exchange on-premises. HMA enables both Intune App Protection Policies (also known as MAM) and Conditional Access through Outlook Mobile for Exchange on-premises.

S/MIME for Outlook on iOS and Android Enterprise devices managed without enrollment

You can now enable S/MIME for Outlook on iOS and Android Enterprise devices using app configuration polices for devices managed without enrollment. In Microsoft Endpoint Manager admin center, select Apps > App configuration policies > Add > Managed apps. Additionally, you can choose whether or not to allow users to change this setting in Outlook. For general information about S/MIME, see S/MIME overview to sign and encrypt email in Intune. For more information about Outlook configuration settings, see Microsoft Outlook configuration settings and Add app configuration policies for managed apps without device enrollment. For Microsoft Exchange specific S/MIME information, see S/MIME scenarios and Configuration keys – S/MIME settings.

Device configuration

New VPN settings for Windows 10 and newer devices

When you create a VPN profile using the IKEv2 connection type, there are new settings you can configure (Devices > Configuration profiles > Create profile > Windows 10 and later for platform > VPN for profile > Base VPN):

  • Device Tunnel: Allows devices to automatically connect to VPN without requiring any user interaction, including user log on. This feature requires you to enable Always On, and use Machine certificates as the authentication method.
  • Cryptography suite settings: Configure the algorithms used to secure IKE and child security associations, which allow you to match client and server settings.

To see the settings you can configure, go to Windows device settings to add VPN connections using Intune.

Applies to:

  • Windows 10 and newer

Configure more Microsoft Launcher settings in a device restrictions profile on Android Enterprise devices (COBO)

On Android Enterprise Fully Managed devices, you can configure more Microsoft Launcher settings using a device restrictions profile (Devices > Configuration profiles > Create profile > Android Enterprise for platform > Device Owner only > Device restrictions > Device experience > Fully managed).

To see these settings, go to Android Enterprise device settings to allow or restrict features.

You can also configure the Microsoft Launcher settings using an app configuration profile.

Applies to:

  • Android Enterprise device owner fully managed devices (COBO)

New features for Managed Home Screen on Android Enterprise device owner dedicated devices (COSU)

On Android Enterprise devices, administrators can use device configuration profiles to customize the Managed Home Screen on dedicated devices using multi-app kiosk mode (Devices > Configuration profiles > Create profile > Android Enterprise for platform > Device Owner Only > Device Restrictions for profile > Device experience > Dedicated device > Multi-app).

Specifically, you can:

  • Customize icons, change the screen orientation, and show app notifications on badge icons
  • Hide the Managed Settings shortcut
  • Easier access to the debug menu
  • Create an allowed list of Wi-Fi networks
  • Easier access to the device information

For more information, see Android Enterprise device settings to allow or restrict features and this blog.

Applies to:

  • Android Enterprise device owner, dedicated devices (COSU)

Administrative templates updated for Microsoft Edge 84

The ADMX settings available for Microsoft Edge have been updated. End users can now configure and deploy new ADMX settings added in Edge 84. For more information, see the Edge 84 release notes.

Device enrollment

Corporate-owned, personally enabled devices (preview)

Intune now supports Android Enterprise corporate-owned devices with a work profile for OS versions Android 8 and above. Corporate-owned devices with a work profile is one of the corporate management scenarios in the Android Enterprise solution set. This scenario is for single user devices intended for corporate and personal use. This corporate-owned, personally-enabled (COPE) scenario offers:

  • work and personal profile containerization
  • device-level control for admins
  • a guarantee for end users that their personal data and applications will remain private

The first public preview release will include a subset of the features that will be included in the generally available release. Additional features will be added on a rolling basis. The features that will be available in the first preview include:

  • Enrollment: Admins can create multiple enrollment profiles with unique tokens that do not expire. Device enrollment can be done through NFC, token entry, QR code, Zero Touch, or Knox Mobile Enrollment.
  • Device configuration: A subset of the existing fully managed and dedicated device settings.
  • Device compliance: The compliance policies that are currently available for fully managed devices.
  • Device Actions: Delete device (factory reset), reboot device, and lock device.
  • App management: App assignments, app configuration, and the associated reporting capabilities
  • Conditional Access

For more information about corporate-owned with work profile preview, see the support blog.

Device management

Updates to the remote lock action for macOS devices

Changes to the remote lock action for macOS devices include:

  • The recovery pin is displayed for 30 days before deletion (instead of 7 days).
  • If an admin has a second browser open and tries to trigger the command again from a different tab or browser, Intune lets the command go through. But the reporting status is set to failed rather than generating a new pin.
  • The admin isn’t allowed to issue another remote lock command if the previous command is still pending or if the device hasn’t checked back in. These changes are designed to prevent the correct pin from being overwritten after multiple remote lock commands.

Device actions report differentiates between wipe and protected wipe

The Device actions report now differentiates between the wipe and protected wipe actions. To see the report, go to Microsoft Endpoint Manager admin center > Devices > Monitor > Device Actions (under Other).

Device security

Microsoft Defender Firewall rule migration tool preview

As a public preview, we’re working on a PowerShell based tool that will migrate Microsoft Defender Firewall rules. When you install and run the tool, it automatically creates endpoint security firewall rule policies for Intune that are based on the current configuration of a Windows 10 client. For more information, see Endpoint security firewall rule migration tool overview.

Endpoint detection and response policy for onboarding Tenant Attached devices to MDATP is Generally Available

As part of endpoint security in Intune, the Endpoint detection and response (EDR) policies for use with devices managed by Configuration Manager are no longer in preview and are now Generally Available.

To use EDR policy with devices from a supported version of Configuration Manager, configure Tenant attach for Configuration Manager. After you complete the tenant attach configuration, you can deploy EDR policies to onboard devices managed by Configuration Manager to Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).

Bluetooth settings are available in Device Control profiles for Endpoint security Attack surface reduction policy

We’ve added settings to manage Bluetooth on Windows 10 devices to the Device control profile for Endpoint security Attack surface Reduction policy. These are the same settings as those that have been available in Device restriction profiles for Device configuration.

Manage source locations for definition updates with endpoint security antivirus policy for Windows 10 devices

We’ve added two new settings to the Updates category of endpoint security antivirus policy for Windows 10 devices that can help you manage how devices get update definitions:

  • Define file shares for downloading definition updates
  • Define the order of sources for downloading definition updates

With the new settings you can add UNC file shares as download source locations for definition updates, and define the order in which different source locations are contacted.

Improved security baselines node

We’ve made some changes to improve the usability of the security baseline node in the Microsoft Endpoint Manager admin center. Now when you drill in to Endpoint security > Security baselines and then select a security baseline type like the MDM Security Baseline, you’re presented with the Profiles pane. On the Profiles pane you can view the profiles you’ve created for that Baseline type. Previously the console presented an Overview pane which included an aggregate data roll-up that didn’t always match the details found in the reports for individual profiles.

Unchanged, from the Profiles pane you can select a profile to drill in to view that profile’s properties as well as the various reports that are available under Monitor. Similarly, at the same level as Profiles you can still select Versions to view the various versions of that profile type that you’ve deployed. When you drill in to a version, you also gain access to reports, similar to the profile reports.

Derived credentials support for Windows

You can now use derived credentials with your Windows devices. This will expand on the existing support for iOS/iPadOS and Android, and will be available for the same derived credential providers:

  • Entrust Datacard
  • Intercede
  • DISA Purebred

Support for Windows includes use of a derived credential to authenticate to Wi-Fi or VPN profiles. For Windows devices, the derived credential is issued from the client app that’s provided by the derived credential provider that you use.

Manage FileVault encryption for devices that were encrypted by the device user and not by Intune

Intune can now assume management of FileVault disk encryption on a macOS device that was encrypted by the device user, and not by Intune policy. This scenario requires:

  • The device to receive disk encryption policy from Intune that enables FileVault.
  • The device user to use the Company Portal website to upload their personal recovery key for the encrypted device to Intune. To upload the key, they select the Store recovery key option for their encrypted macOS device.

After the user uploads their recovery key, Intune rotates the key to confirm it is valid. Intune can now manage the key and encryption as if it used policy to encrypt the device directly. Should a user need to recover their device, they can access the recovery key using any device from the following locations:

  • Company Portal website
  • Company Portal app for iOS/iPadOS
  • Company Portal app for Android
  • Intune app

Hide the personal recovery key from a device user during macOS FileVault disk encryption

When you use endpoint security policy to configure macOS FileVault disk encryption, use the Hide recovery key setting to prevent display of the personal recovery key to the device user, while the device is being encrypted. By hiding the key during encryption, you can help keep it secure as users won’t be able to write it down while waiting for the device to encrypt.

Later, if recovery is needed, a user can always use any device to view their personal recovery key through the Intune Company Portal website, the iOS/iPadOS Company Portal, the Android Company Portal, or the Intune app.

Improved view of security baseline details for devices

You can now drill-in to the details for a device to view the settings details for security baselines that apply to the device. The settings appear in a simple, flat list, which includes the setting category, setting name, and status. For more information, see View Endpoint security configurations per device.

Monitor and troubleshoot

Device compliance logs now in English

The Intune DeviceComplianceOrg logs previously only had enumerations for ComplianceState, OwnerType, and DeviceHealthThreatLevel. Now, these logs have English information in the columns.

Role-based access control

Assign profile and Update profile permission changes

Role-based access control permissions have changed for Assign profile and Update profile for the Automated Device Enrollment flow:

Assign profile: Admins with this permission can also assign the profiles to tokens and assign a default profile to a token for Automated Device Enrollment.

Update profile: Admins with this permission can update existing profiles only for Automated Device Enrollment.

To see these roles, go to Microsoft Endpoint Manager admin center > Tenant administration > Roles > All roles > Create > Permissions > Roles.

Scripting

Additional Data Warehouse v1.0 properties

Additional properties are available using the Intune Data Warehouse v1.0. The following properties are now exposed via the devices entity:

  • ethernetMacAddress – The unique network identifier of this device.
  • office365Version – The version of Office 365 that is installed on the device.

The following properties are now exposed via the devicePropertyHistories entity:

  • physicalMemoryInBytes – The physical memory in bytes.
  • totalStorageSpaceInBytes – Total storage capacity in bytes.

For more information, see Microsoft Intune Data Warehouse API.

Regards
The Author – Blogabout.Cloud