Blogabout.Cloud

New URL for the Microsoft Endpoint Manager admin center

To align with the announcement of Microsoft Endpoint Manager at Ignite last year, we have changed the URL for the Microsoft Endpoint Manager admin center (formerly Microsoft 365 Device Management) to https://endpoint.microsoft.com. The old admin center URL (https://devicemanagement.microsoft.com) will continue to work, but we recommend you start accessing the Microsoft Endpoint Manager admin center using the new URL.

For more information, see Simplify IT tasks using the Microsoft Endpoint Manager admin center.

App management

Script support for macOS devices (Public Preview)

You can add and deploy scripts to macOS devices. This support extends your ability to configure macOS devices beyond what is possible using native MDM capabilities on macOS devices. For more information, see Use shell scripts on macOS devices in Intune.

macOS and iOS Company Portal updates

The Profile pane of the macOS and iOS Company Portal has been updated to include the sign-out button. Additionally, UI improvements have been made to the Profile pane in the macOS Company Portal. For more information about the Company Portal, see How to configure the Microsoft Intune Company Portal app.

Retarget web clips to Microsoft Edge on iOS devices

Newly deployed web clips (pinned web apps) on iOS devices that are required to open in a protected browser, will open in Microsoft Edge rather than the Intune Managed Browser. You must retarget pre-existing web clips to ensure they open in Microsoft Edge rather than the Managed Browser. For more information, see Manage web access by using Microsoft Edge with Microsoft Intune and Add web apps to Microsoft Intune.

Use the Intune diagnostic tool with Microsoft Edge for Android

Microsoft Edge for Android is now integrated with the Intune diagnostic tool. Similarly to the experience on Microsoft Edge for iOS, entering “about:intunehelp” into the URL bar (the address box) of Microsoft Edge on the device will start the Intune diagnostic tool. This tool will provide detailed logs. Users can be guided to collect and send these logs to their IT department, or view MAM logs for specific apps.

Updates to Intune branding and customization

We have updated the Intune pane that was named “Branding and customization” with improvements, including:

• Renaming the pane to Customization.
• Improving the organization and design of the settings.
• Improving the settings text and tooltips.

To find these settings in Intune, navigate to the Microsoft Endpoint Manager admin center, select Tenant administration > Customization. For information about existing customization, see How to configure the Microsoft Intune Company Portal app.

User’s personal encrypted recovery key

A new Intune feature is available that enables users to retrieve their personal encrypted FileVault recovery key for Mac devices through the Android Company Portal application or through the Android Intune application. There is a link in both the Company Portal application and Intune application that will open a Chrome browser to the Web Company Portal where the user can see the FileVault recovery key needed to access their Mac devices. For more information about encryption, see Use device Encryption with Intune.

Optimized dedicated device enrollment

We’re optimizing the enrollment for Android Enterprise dedicated devices and making it easier for SCEP certificates associated with Wi-Fi to apply to dedicated devices enrolled prior to November 22, 2019. For new enrollments, the Intune app will continue to install, but end-users will no longer need to perform the Enable Intune Agent step during enrollment. Installment will happen in the background automatically and SCEP certificates associated with Wi-Fi can be deployed and set without end-user interaction.

These changes will be rolling out on a phased basis throughout the month of March as the Intune service backend deploys. All tenants will have this new behavior by the end of March. For related information, see Support for SCEP certificates in Android Enterprise dedicated devices

Configure Delivery Optimization agent when downloading Win32 app content

You can configure the Delivery Optimization agent to download Win32 app content either in background or foreground mode based on assignment. For existing Win32 apps, content will continue to download in background mode. In the Microsoft Endpoint Manager admin center, select Apps > All apps > select the Win32 app > Properties. Select Edit next to Assignments. Edit the assignment by selecting Include under Mode in the Required section. You will find the new setting in the App settings section. For more information about Delivery Optimization, see Win32 app management – Delivery Optimization.

Improved sign-in experience in Company Portal for Android

We’ve updated the layout of several sign-in screens in the Company Portal app for Android to make the experience more modern, simple, and clean for users. For a look at the improvements, see What’s New in the app UI.

Improved user interface experience when creating device restrictions profiles on Android and Android Enterprise devices

When you create a profile for Android or Android Enterprise devices, the experience in the Endpoint Management admin center is updated. This change impacts the following device configuration profiles (Devices > Configuration Profiles > Create profile > Android device administrator or Android Enterprise for platform):

• Device restrictions: Android device administrator
• Device restrictions: Android Enterprise device owner
• Device restrictions: Android Enterprise work profile

For more information on the device restrictions you can configure, see Android device administrator and Android Enterprise.

Improved user interface experience when creating configuration profiles on iOS/iPadOS and macOS devices

When you create a profile for iOS or macOS devices, the experience in the Endpoint Management admin center is updated. This change impacts the following device configuration profiles (Devices > Configuration Profiles > Create profile > iOS/iPadOS or macOS for platform):

• Custom: iOS/iPadOS, macOS
• Device features: iOS/iPadOS, macOS
• Device restrictions: iOS/iPadOS, macOS
• Endpoint protection: macOS
• Extensions: macOS
• Preference file: macOS

Hide from user configuration setting in device features on macOS devices

When you create a device features configuration profile on macOS devices, there’s a new Hide from user configuration setting (Devices > Configuration profiles > Create profile > macOS for platform > Device features for profile > Login items).

This feature sets an app’s hide checkmark in the Users & Groups login items apps list on macOS devices. Existing profiles show this setting within the list as unconfigured. To configure this setting, administrators can update existing profiles.

When set to Hide, the hide checkbox is checked for the app, and users can’t change it. It also hides the app from users after users sign in to their devices.

For more information on the setting you can configure, see macOS device feature settings.

This feature applies to:

• macOS

Device configuration

New user experience when creating administrative templates on Windows devices

Based on customer feedback, and our move to the new Azure full screen experience, we’ve rebuilt the Administrative Templates profile experience with a folder view. We haven’t made changes to any settings or existing profiles. So, your existing profiles will stay the same, and will be usable in the new view. You can still navigate all settings options by selecting All Settings, and using search. The tree view is split by Computer and User configurations. You will find Windows, Office and Edge settings in their associated folders.

Applies to:

• Windows 10 and newer

VPN profiles with IKEv2 VPN connections can use always on with iOS/iPadOS devices

On iOS/iPadOS devices, you can create a VPN profile that uses an IKEv2 connection (Devices > Configuration profiles > Create profile > iOS/iPadOS for platform > VPN for profile type). Now, you can configure always-on with IKEv2. When configured, IKEv2 VPN profiles connect automatically, and stay connected (or quickly reconnect) to the VPN. It stays connected even when moving between networks or restarting devices.

On iOS/iPadOS, always-on VPN is limited to IKEv2 profiles.

To see the IKEv2 settings you can configure, go to Add VPN settings on iOS devices in Microsoft Intune.

Applies to:

• iOS/iPadOS

Delete bundles and bundle arrays in OEMConfig device configuration profiles on Android Enterprise devices

On Android Enterprise devices, you create and update OEMConfig profiles (Devices > Configuration profiles > Create profile > Android Enterprise for platform > OEMConfig for profile type). Users can now delete bundles and bundle arrays using the Configuration designer in Intune.

For more information on OEMConfig profiles, see Use and manage Android Enterprise devices with OEMConfig in Microsoft Intune.

Applies to:

• Android Enterprise

Configure the iOS/iPadOS Microsoft Azure AD SSO app extension

The Microsoft Azure AD team created a redirect single sign-on (SSO) app extension to allow iOS/iPadOS 13.0+ users to gain access to Microsoft apps and websites with one sign-on. All apps that previously had brokered authentication with the Microsoft Authenticator app will continue to get SSO with the new SSO extension. With the Azure AD SSO app extension release, you can configure the SSO extension with the redirect SSO app extension type (Devices > Configuration profiles > Create profile > iOS/iPadOS for platform > Device features for profile type > Single sign-on app extension).

Applies to:

• iOS 13.0 and newer
• iPadOS 13.0 and newer

For more information about iOS SSO app extensions, see Single sign-on app extension.

Enterprise app trust settings modification setting is removed from iOS/iPadOS device restriction profiles

On iOS/iPadOS devices, you create a device restrictions profile (Devices > Configuration profiles > Create profile > iOS/iPadOS for platform > Device restrictions for profile type). The Enterprise app trust settings modification setting is removed by Apple, and is removed from Intune. If you currently use this setting in a profile, it has no impact, and is removed from existing profiles. This setting is also removed from any reporting in Intune.

Applies to:

• iOS/iPadOS

To see the settings you can restrict, go to iOS and iPadOS device settings to allow or restrict features.

Troubleshooting: Pending MAM policy notification changed to informational icon

The notification icon for a pending MAM policy on the Troubleshooting blade has been change to an informational icon.

UI update when configuring compliance policy

We’ve updated the UI for creating compliance policies in Microsoft Endpoint manager (Devices > Compliance policies > Policies > Create Policy). We’ve a new user experience that includes the same settings and details you’ve used previously. The new experience follows a wizard-like process to create the compliance policy and includes a page where you can add Assignments for the policy, and a Review + Create page where you can review your configuration before creating the policy.

Retire noncompliant devices

We’ve added a new action for noncompliant devices that you can add to any policy, to retire the noncompliant device. The new action, Retire the noncompliant device, results in removal of all company data from the device, and also removes the device from being managed by Intune. This action runs when the configured value in days is reached and at that point the device becomes eligible to be retired. The minimum value is 30 days. Explicit IT admin approval will be required to retire the devices by using the Retire Non-compliant devices section, where admins can retire all eligible devices.

Support for WPA and WPA2 in iOS Enterprise Wi-Fi profiles

Enterprise Wi-Fi profiles for iOS now support the Security type field. For Security type, you can select either of WPA Enterprise or WPA/WPA2 Enterprise, and then specify a selection for the EAP type. (Devices > Configuration profiles > Create profile and select iOS/iPadOS for Platform and then Wi-Fi for Profile).

The new Enterprise options are like those that have been available for a Basic Wi-Fi profile for iOS.

New user experience for certificate, email, VPN, and Wi-Fi, VPN profiles

We’ve updated the user experience in the Endpoint Management Admin Center (Devices > Configuration profiles > Create profile) for creating and modifying the following profile types. The new experience presents the same settings as before, but uses a wizard-like experience that doesn’t require as much horizontal scrolling. You won’t need to modify existing configurations with the new experience.

• Derived credential
• Email
• PKCS certificate
• PKCS imported certificate
• SCEP certificate
• Trusted certificate
• VPN
• Wi-Fi

Device enrollment

Configure if enrollment is available in Company Portal for Android and iOS

You can configure whether device enrollment in the Company Portal on Android and iOS devices is available with prompts, available without prompts, or unavailable to users. To find these setting in Intune, navigate to the Microsoft Endpoint Manager admin center and, select Tenant administration > Customization > Edit > Device enrollment.

Support for the device enrollment setting requires end users have these Company Portal versions:

• Company Portal on iOS: version 4.4 or later
• Company Portal on Android: version 5.0.4715.0 or later

For more information about existing Company Portal customization, see How to configure the Microsoft Intune Company Portal app.

Device management

New Android report on Android Devices overview page

We’ve added a report to the Microsoft Endpoint Manager admin console in the Android Devices overview page that displays how many Android devices have been enrolled in each device management solution. This chart (like the same chart already in the Azure console) shows work profile, fully managed, dedicated, and device administrator enrolled device counts. To see the report, choose Devices > Android > Overview.

Guide users from Android device administrator management to work profile management

We’re releasing a new compliance setting for the Android device administrator platform. This setting lets you make a device non-compliant if it’s managed with device administrator.

On these non-compliant devices, on the Update device settings page users will see the Move to new device management setup message. If they tap the Resolve button, they’ll be guided through:

1. Unenrolling from device administrator management
2. Enrolling in work profile management
3. Resolving compliance issues

Google is decreasing device administrator support in new Android releases in an effort to move to modern, richer, and more secure device management with Android Enterprise. Intune can only provide full support for device administrator-managed Android devices running Android 10 and later through Q2 CY2020. Device administrator-managed devices (except Samsung) that are running Android 10 or later after this time won’t be able to be entirely managed. In particular, impacted devices won’t receive new password requirements.

For more information about this setting, see Move Android devices from device administrator to work profile management.

Microsoft Endpoint Manager tenant attach: Device sync and device actions

Microsoft Endpoint Manager is bringing together Configuration Manager and Intune into a single console. Starting in Configuration Manager technical preview version 2002.2, you can upload your Configuration Manager devices to the cloud service and take actions on them in the admin center. For more information, see Features in Configuration Manager technical preview version 2002.2.

Review the Configuration Manager technical preview article before installing this update. This article familiarizes you with the general requirements and limitations for using a technical preview, how to update between versions, and how to provide feedback.

Bulk remote actions

You can now issue bulk commands for the following remote actions: restart, rename, Autopilot reset, wipe, and delete. To see the new bulk actions, go to Microsoft Endpoint Manager admin center > Devices > All devices > Bulk actions.

All devices list improved search, sort, and filter

The All devices list has been improved for better performance, searching, sorting, and filtering. For more information, see this Support Tip.

Change Primary User for Windows devices

You can change the Primary User for Windows hybrid and Azure AD Joined devices. To do so, go to Intune > Devices > All devices > choose a device > Properties > Primary User. For more information, see Change a device’s primary user.

A new RBAC permission (Managed Devices / Set primary user) has also been created for this task. The permission has been added to built-in roles including Helpdesk Operator, School Administrator, and Endpoint Security Manager.

This feature is rolling out to customers globally under preview. You should see the feature within the next few weeks.

Monitor and troubleshoot

The Data Warehouse now provides the MAC address

The Intune Data Warehouse provides the MAC address as a new property (EthernetMacAddress) in the device entity to allow admins to correlate between the user and host mac address. This property helps to reach specific users and troubleshoot incidents occurring on the network. Admins can also use this property in Power BI reports to build richer reports. For more information, see the Intune Data Warehouse device entity.

Additional Data Warehouse device inventory properties

Additional device inventory properties are available using the Intune Data Warehouse. The following properties are now exposed via the devices collection:

• ‘Model’ – The device model.
• ‘Office365Version’ – The version of Office 365 that is installed on the device.
• ‘PhysicalMemoryInBytes` – The physical memory in bytes.
• TotalStorageSpaceInBytes – Total storage capacity in bytes.

For more information, see Microsoft Intune Data Warehouse API and the Intune Data Warehouse device entity.

Help and support workflow update to support additional services

We’ve updated the Help and support page in the Microsoft Endpoint Manager admin center where you now choose the management type you use. With this change you’ll be able to select from the following management types:

• Configuration Manager (includes Desktop Analytics)
• Intune
• Co-management

Security

Use a preview of security administrator focused policies as part of Endpoint security

As a public preview, we’ve added several new policy groups under the Endpoint security node in the Microsoft Endpoint Management admin center. As a security admin you can use these new policies to focus on specific aspects of device security to manage discrete groups of related settings without the overhead of the larger Device Configuration policy body.

With the exception of the new Antivirus policy for Microsoft Defender Antivirus (see below), the settings in each new of these new preview policies and profiles are the same settings that you might already configure through Device configuration profiles today.

The following are the new policy types that are all in preview, and their available profile types:

• Antivirus (Preview):
  • macOS:
    • Antivirus – Manage Antivirus policy settings for macOS to manage Microsoft Defender ATP for Mac.
  • Windows 10 and later:
    • Microsoft Defender Antivirus – Manage Antivirus policy settings for cloud protection, Antivirus exclusions, remediation, scan options, and more.

The Antivirus profile for Microsoft Defender Antivirus is an exception that introduces a new instance of settings that are found as part of a device restriction profile. These new Antivirus settings:

• Are the same settings as found in device restrictions, but support a third option for configuration that’s not available when configured as a device restriction.
• Apply to devices that are co-managed with Configuration Manager, when the co-management workload slider for Endpoint Protection is set to Intune.

Plan to use the new Antivirus > Microsoft Defender Antivirus profile in place of configuring them through a device restriction profile.

• Windows Security experience – Manage the Windows Security settings that end users can view in the Microsoft Defender Security center and the notifications they receive. These settings are unchanged from those available as a Device configuration Endpoint Protection profile.
• Disk encryption (Preview):
  • macOS:
    • FileVault
  • Windows 10 and later:
    • BitLocker
• Firewall (Preview):
  • macOS:
    • macOS firewall
  • Windows 10 and later:
    • Microsoft Defender Firewall
• Endpoint detection and response (Preview):
  • Windows 10 and later: –Windows 10 Intune
• Attack surface reduction (Preview):
  • Windows 10 and later:
    • App and browser isolation
    • Web protection
    • Application control
    • Attack surface reduction rules
    • Device control
    • Exploit protection
• Account protection (Preview):
  • Windows 10 and later:
    • Account protection

Regards
The Author – Blogabout.Cloud

Hello there

When looking at my Microsoft Endpoint Manager dashboard today, I noticed a number of new preview features have arrived. Next up, I am going to be looking at Account Protection capabilities via Endpoint Security.

Microsoft Endpoint Manager has a new home

Access to the Microsoft Endpoint Manager now has a new URL http://endpoint.microsoft.com replacing http://devicemanagement.microsoft.com

This new preview feature supports the following scenario;

Windows 10 and later (Account Protection)

Account Protection

This section is quite brief but very effective if you are looking at options to protect your end-user accounts. In my own environment, I am very much using Windows Hello with credential guard to provide as much security as possible.

Setting	Action	Definition
Block Windows Hello for Business	Not configured / Disabled / Enabled	Windows Hello for Business is an alternative method for signing into Windows by replacing passwords, Smart Cards, and Virtual Smart Cards. If you disable or do not configure this policy setting, the device provisions Windows Hello for Business. If you enable this policy setting, the device does not provision Windows Hello for Business for any user.
Enable to use security keys for sign-in:	Yes / Not configured	Enable Windows Hello security key as a logon credential for all PCs in the tenant.
Turn on credential guard	Not configured / Enable with UEFI lock / Enable without UEFI lock	Turn on credential guard

There is no configuration available for macOS.

Please keep an eye on the upcoming features to Microsoft Endpoint Manager https://docs.microsoft.com/en-us/mem/intune/fundamentals/in-development

Regards
The Author – Blogabout.Cloud

Hello there,

When looking at my Microsoft Endpoint Manager dashboard today, I noticed a number of new preview features have arrived. Next up, I am going to be looking at Endpoint detection and response capabilities via Endpoint Security.

Microsoft Endpoint Manager has a new home

Access to the Microsoft Endpoint Manager now has a new URL http://endpoint.microsoft.com replacing http://devicemanagement.microsoft.com

This new preview feature supports the following scenario;

Windows 10 and later (Microsoft Defender ATP)

Endpoint Detection and Response

Now let’s look at the settings that are available to us today, the information below has been taken directly from the MEM Dashboard.

Setting	Action	Definition
Microsoft Defender ATP client configuration package type	Not configured / Onboarding Blob / Offboarding Blob	Upload a signed configuration package that will be used to onboard the Microsoft Defender ATP client
Sample sharing for all files	Yes / Not configured	Returns or sets the Microsoft Defender Advanced Threat Protection Sample Sharing configuration parameter.
Expedite telemetry reporting frequency	Yes / Not configured	Expedite Microsoft Defender Advanced Threat Protection telemetry reporting frequency.

There is no configuration available as of yet for macOS, this may change in the future. Please keep an eye on the upcoming features to Microsoft Endpoint Manager https://docs.microsoft.com/en-us/mem/intune/fundamentals/in-development

Regards
The Author – Blogabout.Cloud

Hello there,

When looking at my Microsoft Endpoint Manager dashboard today, I noticed a number of new preview features have arrived. Next up, I am going to be looking at Firewall capabilities via Endpoint Security.

Microsoft Endpoint Manager has a new home

Access to the Microsoft Endpoint Manager now has a new URL http://endpoint.microsoft.com replacing http://devicemanagement.microsoft.com

This new preview feature supports the following scenarios;

Windows 10 – Microsoft Defender Firewall

Microsoft Defender Firewall

Now let’s look at the settings that are available to us today, the information below has been taken directly from the MEM Dashboard.

Setting	Action	Definition
Disable stateful File Transfer Protocol (FTP)	Yes / Not configured	If not configured, the firewall will use FTP to inspect and filter secondary network connections, which could cause your firewall rules to be ignored.
Number of seconds a security association can be idle before it’s deleted	Enter idle time in seconds (300 – 3600)	How long the security associations are kept after network traffic is not seen. The number must be from 300 to 3600 seconds. When not configured, the system will delete a security association after it’s been idle for 300 seconds.
Preshared key encoding	Not configured / None / UTF8	If you don’t require UTF-8, preshared keys will initially be encoded using UTF-8. After that, device users can choose another encoding method.
Firewall IP sec exemptions allow neighbor discovery	Yes / Not configured	Firewall IP sec exemptions allow neighbor discovery
Firewall IP sec exemptions allow ICMP	Yes / Not configured	Firewall IP sec exemptions allow ICMP
Firewall IP sec exemptions allow router discovery	Yes / Not configured	Firewall IP sec exemptions allow router discovery
Firewall IP sec exemptions allow DHCP	Yes / Not configured	Firewall IP sec exemptions allow DHCP
Certificate revocation list (CRL) verification	Not configured / None / Attempt / Require	Specify how certificate revocation list (CRL) verification is enforced. When set to not configured the client default is to disable CRL verification.
Require keying modules to only ignore the authentication suites they don’t support	Yes / Not configured	When this setting is set to yes, keying modules will ignore unsupported authentication suites.
Packet queuing	Not configured / Disabled / Queue Inbound / Queue Outbound / Queue Both	Specify how scaling for the software on the receive side is enabled for the encrypted receive and clear text forward for the IPsec tunnel gateway scenario. This ensures that the packet order is preserved. When this is set to not configured, packet queuing will be returned back to client default which is disabled.
Turn on Microsoft Defender Firewall for domain networks	Not configured / Yes / No	When this setting is set to yes, the Microsoft Defender Firewall for this network type (domain) will be turned on and enforced. When it’s set to not configured, the client will return to default which is to enable firewall. To disable the firewall, set to no.
Turn on Microsoft Defender Firewall for private networks	Not configured / Yes / No	When this setting is set to yes, the Microsoft Defender Firewall for this network type (private) will be turned on and enforced. When it’s set to not configured, the client will return to default which is to enable firewall. To disable the firewall, set to no.
Turn on Microsoft Defender Firewall for public networks	Not configured / Yes / No	When this setting is set to yes, the Microsoft Defender Firewall for this network type (public) will be turned on and enforced. When it’s set to not configured, the client will return to default which is to enable firewall. To disable the firewall, set to no.

Once you have created your new policy, make sure you have apply scope tag and assign it to your relevant security groups before saving.

macOS – macOS Firewall

Firewall

Now let’s look at the settings that are available to us today, the information below has been taken directly from the MEM Dashboard.

Setting	Action	Definition
Enable Firewall	Yes / Not configured	Enable Firewall to configure how incoming connections are handled in your environment.
Block all incoming connections	Yes / Not configured	Block all incoming connections except those required for basic Internet services such as DHCP, Bonjour, and IPSec. This will block all sharing services.
Enable stealth mode	Yes / Not configured	Enabling stealth mode prevents the computer from responding to probing requests. The computer still answers incoming requests for authorized apps.
Firewall apps		Set rules for incoming connections for the following apps.

Once you have created your new policy, make sure you have apply scope tag and assign it to your relevant security groups before saving.

This completes the list of configurations available in Microsoft Endpoint Manager for Firewall.

Regards,
The Author – Blogabout.Cloud

Hello there,

When looking at my Microsoft Endpoint Manager dashboard today, I noticed a number of new preview features have arrived. First up, I am going to be looking at Antivirus capabilities via Endpoint Security.

Microsoft Endpoint Manager has a new home

Access to the Microsoft Endpoint Manager now has a new URL http://endpoint.microsoft.com replacing http://devicemanagement.microsoft.com

This new preview feature supports the following scenarios;

Windows 10 and later (Microsoft Defender Antivirus)

Cloud Protection

Setting	Action	Definition
Turn on cloud-delivered protection	Not configured / Yes / No	When set to Yes, Defender will send information to Microsoft about any problems it finds. If set to Not configured, the client will return to default which enables the feature but allows the user to disable it.
Cloud-delivered protection level	Not configured / High / High plus / Zero tolerance	Specify the level of cloud-delivered protection. Not Configured uses the default Microsoft Defender Antivirus blocking level and provides strong detection without increasing the risk of detecting legitimate files. High applies a strong level of detection. High + uses the High level and applies addition protection measures (may impact client performance). Zero tolerance blocks all unknown executables While unlikely, setting to High may cause some legitimate files to be detected. We recommend you set this to the default level (Not configured).
Defender Cloud Extended Timeout In Seconds

Microsoft Defender Antivirus Exclusions

Setting	Action	Definition
Defender Processes To Exclude
File extensions to exclude from scans and real-time protection
Defender Files And Folders To Exclude

Real-time protection

Setting	Action	Definition
Turn on real-time protection	Not configured / Yes / No	When this setting is set to Yes, real-time monitoring will be enforced and the user cannot disable it. When set to Not configured, the setting is returned to client default which is on, but the user can change it.
Enable on access protection	Not configured / Yes / No	Virus protection that’s continuously active, as opposed to on demand.
Monitoring for incoming and outgoing files	Monitor all files / Only monitor incoming files / Only monitor outgoing files	Configure this setting to determine which NTFS file and program activity is monitored. Monitor all files is the default, but for certain specific scenarios you may want to configure scanning for only incoming or outgoing files (i.e., server scenarios)
Turn on behavior monitoring	Not configured / Yes / No	When this setting is set to Yes, behavior monitoring will be enforced and the user cannot disable it. When set to Not configured, the setting is returned to client default which is on, but the user can change it.
Turn on network protection	Not configured / Yes / No	When this setting is set to Yes, behavior monitoring will be enforced and the user cannot disable it. When set to Not configured, the setting is returned to client default which is on, but the user can change it.
Scan all downloaded files and attachments	Not configured / Yes / No
Scan scripts that are used in Microsoft browsers	Not configured / Yes / No	When this setting is set to Yes, all downloaded files and attachments will be scanned. When set to Not configured, the setting is returned to client default which is on, but the user chan change it.
Scan network files	Not configured / Yes / No	When this setting is set to Yes, the Windows Defender Script Scanning functionality will be enforced and the user cannot turn them off. When set to Not configured, the setting is returned to client default which is to enable script scanning, however the user can turn it off.
Scan emails	Not configured / Yes / No	When set to Yes, e-mail mailbox and mail files such as PST, DBX, MNX, MIME and BINHEX will be scanned. When Not configured, the setting will return to client default of e-mail files not being scanned.

Remediation

Setting	Action	Definition
Number of days (0-90) to keep quarantined malware		Configure this setting to determine the number of days items should be keeps in the quarantine folder before being removed. Leaving this Not configured or setting it to 0 will result in quarantined files never being removed.
Submit samples consent
Action to take on potentially unwanted apps		Specify the level of protection for potentially Unwanted applications (PUA’s). Not configured configures the client to default, which is PUA Protection Off. Block turns PUA Protection On, and blocks potentially unwanted applications. Audit allows PUA to detect potentially unwanted applications, but takes no action.
Actions for detected threats	Configured / Not configured	Allow to specify any valid threat severity levels and the corresponding default action to take. Only enforced in Windows 10 for desktop.

Scan

Setting	Action	Definition
Scan archive files	Not configured / Yes / No	When set to Yes, archive files such as ZIP or CAB file scanning will be enforced. When set to Not configured, the setting will be returned back to client default which is to scan archived files, however the user may disable this.
Use low CPU priority for scheduled scans	Not configured / Yes / No	When this setting is set to Yes, scheduled scans will be run with low CPU priority. When set to Not configured, the setting is returned to client default in which no changes to CPU priority will be made.
Disable catch-up full scan	Not configured / Yes / No	When this setting is set to Yes, catch-up scans for full scans will be enforced and the user cannot disable them. When set to Not configured, the setting is returned to client default which is to enable catch-up scans for full scans, however the user can turn them off.
Disable Catchup Quick Scan	Not configured / Yes / No	When this setting is set to Yes, catch-up scans for quick scans will be enforced and the user cannot disable them. When set to Not configured, the setting is returned to client default which is to enable catch-up scans for quick scans, however the user can turn them off.
CPU usage limit per scan		Configure this with a value that represents the maximum CPU percentage allowed for a scan. The default (and recommended) is 50%.
Scan mapped network drives during full scan	Not configured / Yes / No	When set to Yes, during a full scan, mapped network drives will be included. When set to not configured, the client will be returned to default which is disabling scanning on mapped network drives.
Run daily quick scan at	Not configured / Yes / No	Provide a time of day that Windows Defender quick scan should run. This setting is dependent on the scan type selected being ‘quick scan’
Scan type	Not configured / Yes / No	Specify the scan type to use for a schedule scan
Day of week to run a scheduled scan	Not configured / Yes / No	Scheduled day for scan.
Time of day to run a scheduled scan	Not configured / Yes / No	Specify the time for scan to run.

Update

Setting	Action	Definition
Enter how often (0-24 hours) to check for security intelligence updates		Configure this setting to determine how often to check for signatures. A value of 1 means checking every hour, 2 for every two hours and so on. Selecting Do not check will disable signature updates. When set to Not configured, client default of 8 hours is applied.

User Experience

Setting	Action	Definition
Allow user access to Microsoft Defender app	Not configured / Yes / No	When set to No, the Windows Defender User Interface (UI) will be inaccessible and notifications will be surprised. When set to Not configured, the setting will return to client default in which UI and notifications will be allowed

Once you have selected your required configuration

Define the Scope Tags (if in use within your environment
Define the Assignment to your selected groups
Review and Create

Windows 10 and later (Windows Security experience)

Windows Security

Setting	Action	Definition
Enable tamper protection to prevent Microsoft Defender being disabled	Not configured / Enable / Disabled	Not Configured state is default and will have no impact. Enabled will enable the Tamper Protection restrictions. Disabled will disable the Tamper Protection restrictions. When the Enabled or Disabled state exists on a client, deploying Not configured will have no impact on the setting. To change the state from currently Enabled/Disabled, you must deploy the opposite setting to have effect
Hide the Virus and threat protection area in the Windows Security app	Yes / Not Configured	By setting this to Yes, the virus and threat protection area in the Windows Security app will be hidden from end-users. Also, virus and threat protection related notifications will be supressed. By setting this to Not configured, the setting will return to client default which is to allow user access and notifications.
Hide the Ransomware data recovery option in the Windows Security app	Yes / Not Configured	By setting this to Yes, the virus and threat protection area in the Windows Security app will be hidden from end-users. Also, virus and threat protection related notifications will be supressed. By setting this to Not configured, the setting will return to client default which is to allow user access and notifications.
Hide the Account protection area in the Windows Security app	Yes / Not Configured	By setting this to Yes, the Account protection area in the Windows Security app will be hidden from end-users. Also, account protection-related notifications will be suppressed. By setting this to Not configured, the setting will return to client default which is to allow user access and notifications.
Hide the Firewall and network protection area in the Windows Security app	Yes / Not Configured	By setting this to Yes, the firewall and network protection area in the Windows Security app will be hidden from end-users. Also, firewall and network protection-related notifications will be suppressed. By setting this to Not configured, the setting will return to client default which is to allow user access and notifications.
Hide the App and browser control area in the Windows Security app	Yes / Not Configured	By setting this to Yes, the app and browser control area in the Windows Security app will be hidden from end-users. Also, app and browser control-related notifications will be suppressed. By setting this to Not configured, the setting will return to client default which is to allow user access and notifications.
Hide the Device security area in the Windows Security app	Yes / Not Configured	By setting this to Yes, the hardware protection area in the Windows Security app will be hidden from end-users. Also, hardware protection-related notifications will be suppressed. By setting this to Not configured, the setting will return to client default which is to allow user access and notifications.
Hide the Device performance and health area in the Windows Security app	Yes / Not Configured	By setting this to Yes, the device performance and health area in the Windows Security app will be hidden from end-users. Also, device performance and health related notifications will be supressed. By setting this to Not configured, the setting will return to client default which is to allow user access and notifications.
Hide the Family options area in the Windows Security app	Yes / Not Configured	By setting this to Yes, the family options area in the Windows Security app will be hidden from end-users. Also, family options related notifications will be supressed. By setting this to Not configured, the setting will return to client default which is to allow user access and notifications.
Windows Security app notifications	Not configured / Block non-critical notifications / Block all notifications	You can control Windows Security app notifications per feature by using the proceeding settings. Alternatively, use this setting to block all Windows Security notifications from your users. By setting Not configured, all Windows Security app notifications that are not controlled by another setting will be allowed. By setting Block non-critical notifications, notifications such as scan completions will be blocked. By setting Block all notifications, critical and non-critical notifications will be blocked for all Windows Security features.
Hide the Windows Security icon from the notification area	Yes / Not Configured	Setting this to Yes will hide the Windows Security icon from the users system tray. Not configured will return the client to default which is to show the icon. For this setting to take effect, the user needs to either sign out/in, or reboot the computer.
Disable the Clear TPM option in the Windows Security app	Yes / Not Configured	Setting this to Yes will disable access to the clear TPM button in the Windows Security app. Setting it to Not configured will return the setting to client default, which is to allow access to the button.
Prompt users to update TPM firmware if vulnerability is discovered	Yes / Not Configured	Setting this to Yes will allow Windows to prompt end-users when a potential vulnerability is found in their TPM firmware. They will then be encouraged to run firmware updates to resolve the vulnerability. Setting this to Not configured will return the setting to client default, which is to not prompt users.
Organization’s support contact information	Not configured / Display in app and in notifications / Display only in app / Display only in notifications	Declare where you would like your IT organization information displayed in the Windows Security app and notifications.

Once you have selected your required configuration

Define the Scope Tags (if in use within your environment
Define the Assignment to your selected groups
Review and Creat

macOS (Antivirus)

Microsoft Defender ATP

Setting	Action	Definition
Real-time protection	Not configured / Configured / Disabled	Locates and stops malware from installing or running on your device. You can turn off this setting for a short time before it turns back on automatically.
Cloud-delivered protection	Not configured / Configured / Disabled	Provides increased, faster protection with access to the latest protection data in the cloud. Works best with automatic sample submission turned on.
Automatic sample submission	Not configured / Configured / Disabled	Sends sample files to Microsoft to help protect device users and your organization from potential threats.
Diagnostic data collection	Not configured / Required / Optional	We encourage you to share your diagnostic and usage data with us to help improve Microsoft products and services.
Folders excluded from scan
Files excluded from scan
File types excluded from scan
Processes excluded from scan

Once you have selected your required configuration

Define the Scope Tags (if in use within your environment
Define the Assignment to your selected groups
Review and Create

This completes the list of configurations available in Microsoft Endpoint Manager for Antivirus.

Regards,
The Author – Blogabout.Cloud

Hello there,

When looking at my Microsoft Endpoint Manager dashboard today, I noticed a number of new preview features have arrived. Next up, I am going to be looking at Disk Encryption capabilities via Endpoint Security.

Microsoft Endpoint Manager has a new home

Access to the Microsoft Endpoint Manager now has a new URL http://endpoint.microsoft.com replacing http://devicemanagement.microsoft.com

Windows 10 and later (BitLocker)

While BitLocker isn’t something new to Microsoft Endpoint Manager all the configuration that you would normally perform in configuration profiles have been separated into the Endpoint Security within the new Microsoft Endpoint Management Dashboard.

Now lets run through all the configuration settings and what they actual do.

BitLocker – Base Settings

Configuration Setting	Action	Definition
Enable full disk encryption for OS and fixed data drives	Yes / Not Configured	If set to not configured, no Bitlocker enforcement will take place. If the drive was encrypted before the policy, no additional action. If the encryption method and options match that of this policy, the configuration should return success
Require storage cards to be encrypted (mobile only)	Yes / Not Configured	When this setting is set to Yes, encryption on storage cards will be required for mobile devices. When set to not configured, the setting will return to OS default which is to not require storage card encryption. This setting is only applicable to Windows Mobile and Mobile Enterprise SKU devices.
Hide prompt about third-party encryption	Yes / Not Configured	If BitLocker is enabled on a system that has already been encrypted by a third-party encryption product, it may render the device unusable. Data loss may occur and you may need to reinstall Windows. It is highly suggested to never enable BitLocker on a device that has third-pary encryption installed or enabled. As part of the BitLocker setup wizard, users are informed and asked to confirm that no third-party encryption is in place. When this setting is set to Yes, this warning prompt will be surpressed. When set to not configured, the setting will return to default which is to warn users about third-party encryption. If BitLocker silent enable features are required, the third-party encryption warning must be hidden as any required prompt breaks silent enablement workflows.
Allow standard users to enable encryption during Autopilot	Yes / Not Configured	When set to Yes, during Azure Active Directory Join (AADJ) silent enable scenarios, users do not need to be local administrators to enable BitLocker. When set to not configured, the setting will be left as client default which is to require local admin access to enable BitLocker. For non-silent enablement/Autopilot scenarios, the user must be a local admin to complete the BitLocker setup wizard.
Enable client-driven recovery password fo	Not Configurated / Disabled / Azure AD-joined devices / Azure AD and Hybrid-joined devices	Setting this as Not configured means the client will not rotate BitLocker recovery keys when disclosed on the client. Setting it to Key rotation enabled for Azure AD-joined devices will allow key rotation for AADJ devices. Setting it to Key rotation enabled for Azure AD-joined devices and Hybrid-joined devices will allow key rotation for AADJ or Hybrid-joined devices. Add Work Account (AWA, formally Workplace Joined) devices are not supported for key rotation.

BitLocker – Fixed Drive

Configuration Setting	Action	Definition
BitLocker fixed drive policy	Yes / Not Configured	This policy setting is used to control the encryption method and cipher strength. The values of this policy determine the strength of the cipher that BitLocker uses for encryption. Enterprises may want to control the encryption level for increased security (AES-256 is stronger than AES-128). If you enable this setting, you will be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. For fixed and operating system drives, we recommend that you use the XTS-AES algorithm. For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10, version 1511 or later. Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress. In these cases, this policy setting is ignored.
Fixed drive recovery	Yes / Not Configured	Control how BitLocker-protected fixed data-drives are recovered in the absence of the required startup key information. Selecting “Enable” allows you to configure various drive recovery techniques. By selecting “Not configured”, the default recovery options are supported including DRA, the end user can specify recovery options and recovery information is not backed up to Azure Active Directory.
Block write access to fixed data-drives not protected by BitLocker	Yes / Not Configured	When set to Yes, Windows will not allow any data to be written to fixed drives that are not BitLocker protected. If a fixed drive is not encrypted, the user will need to complete the BitLocker setup wizard for the drive before write access is granted. Setting this to not configured will allow data to be written to non-encrypted fixed drives.
Configure encryption method for fixed data-drives	Not Configured / AES 128bit CBC / AES 256bit CBC / AES 128bit XTS / AES 256bit XTS	Select the desired encryption method for fixed data-drives disks. XTS- AES 128-bit is the Windows default encryption method and the recommended value. Note that 256-bit encryption may have performance impacts on low spec hardware. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress. To change the encryption method, the drive must be decrypted first.

BitLocker – OS Drive Settings

Configuration Setting	Action	Definition
BitLocker system drive policy	Configured / Not Configured	This policy setting is used to control the encryption method and cipher strength. The values of this policy determine the strength of the cipher that BitLocker uses for encryption. Enterprises may want to control the encryption level for increased security (AES-256 is stronger than AES-128). If you enable this setting, you will be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. For fixed and operating system drives, we recommend that you use the XTS-AES algorithm. For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10, version 1511 or later. Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress. In these cases, this policy setting is ignored.
Startup authentication required	Yes / Not Configured	Selecting “Require” allows you to configure the additional authentication requirements at system start up, including utilizing the use of Trusted Platform Module (TPM) or startup PIN requirements.
Compatible TPM startup	Blocked / Required / Allowed	etting this to Allow TPM will enable BitLocker using the TPM if it’s present. Setting this to Do not allow TPM will enable BitLocker without utilizing the TPM. Setting this to Require TPM will only enable BitLocker if TPM is present and usable. It is recommended to require a TPM for BitLocker. This setting only applies when first enabling BitLocker. If BitLocker is already enabled prior to applying this setting, it will have no effect.
Compatible TPM startup PIN	Blocked / Required / Allowed	Setting this to Allow startup PIN with TPM will enable BitLocker using the TPM if present, and allow a startup PIN be configured by the user. Setting this to Do not allow startup PIN with TPM will block the use of a PIN. Setting this to Require startup PIN with TPM will require BitLocker have a PIN and TPM present to return success. For silent enable scenarios (including Autopilot) this setting cannot be successful, as user interaction is required. It is recommended that PIN is disabled where silent enablement of BitLocker is required.
Compatible TPM startup key	Blocked / Required / Allowed	and will allow a startup key (such as a USB drive) be present to unlock the drives. Setting this to Do not allow a startup key will block the use of startup keys. Setting this to Require a startup key with TPM will require bitLocker have a startup key and TPM present to enable BitLocker. For silent enable scenarios (including Autopilot) this setting canot be sucessful, as user interaction is required. It is recommended that startup keys be disabled where silent enablement of BitLocker is required.
Disable Bitlocker on devices where TPM is incompatible	Blocked / Required / Allowed	Setting this to Yes will disable BitLocker from being configured without a compatible TPM chip. This setting may be helpful for testing, but it is not suggested to enable BitLocker without a TPM. If no TPM is present, BitLocker will require a password or USB drive for startup. This setting only applies when first enabling BitLocker. If BitLocker is already enabled prior to applying this setting, it will have no effect.
Enable preboot recovery message and url	Yes / Not Configured	Setting this to Yes will allow you to customize the pre-boot recovery message and URL. The pre-boot message and URL is seen by users when they’re locked out of their PC in recovery mode. The message and URL can be customized to help your users understand how to find their recovery password. Setting this to Not configured will leave the default BitLocker recovery information.
Preboot recovery message	Yes / Not Configured	Use this option to declare if a custom recovery message or URL is desired.
Preboot recovery url		Use this option to declare if a custom recovery message or URL is desired.
System drive recovery		Use this option to declare if a custom recovery URL.
Configure encryption method for Operating System drives	Configured / Not Configured	Control how BitLocker-protected OS drives are recovered in the absence of the required startup key information. Selecting “Enable” allows you to configure various drive recovery techniques. By selecting “Not configured”, the default recovery options are supported including DRA, the end user can specify recovery options and recovery information is not backed up to Azure Active Directory.
Minimum PIN length		Select the desired encryption method for OS drives. XTS- AES 128-bit is the Windows default encryption method and the recommended value. Note that 256-bit encryption may have performance impacts on low spec hardware. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress. To change the encryption method, the drive must be decrypted first.

BitLocker – Removable Drive Settings

Configuration Setting	Action	Definition
BitLocker removable drive policy	Configured / Not Configured	This policy setting is used to control the encryption method and cipher strength. The values of this policy determine the strength of the cipher that BitLocker uses for encryption. Enterprises may want to control the encryption level for increased security (AES-256 is stronger than AES-128). If you enable this setting, you will be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. For fixed and operating system drives, we recommend that you use the XTS-AES algorithm. For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10, version 1511 or later. Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress. In these cases, this policy setting is ignored.
Configure encryption method for removable data-drives	Not Configured / AES 128bit CBC / AES 256bit CBC / AES 128bit XTS / AES 256bit XTS	Select the desired encryption method for removable data-drives disks. You should use AES-CBC 128/256-bit if the drive will be used in other devices that are not running Windows 10, 1511 or earlier. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress. To change the encryption method, the drive must be decrypted first.
Block write access to removable data-drives not protected by BitLocker	Yes / Not Configured	When set to Yes, Windows will not allow any data to be written to removable drives that are not BitLocker protected. If an inserted removable drive is not encrypted, the user will need to complete the BitLocker setup wizard for the drive before write access is granted. Setting this to not configured will allow data to be written to non-encrypted removable drives.
Block write access to devices configured in another organization	Yes / Not Configured	Setting this to Block will require removable drives to be accessed unless they were encrypted on a computer owned by your organization. Setting this to Not configured will allow any BitLocker encrypted drive to be used.

Once you have selected your required configuration

Define the Scope Tags (if in use within your environment
Define the Assignment to your selected groups
Review and Create

macOS (FileVault)

Encryption

Configuration Setting	Action	Definition
Enable FileVault	Yes / Not Configured	If not already enabled, FileVault will be enabled at the next logout.
Recovery key type		Determine which type(s) of recovery key should be generated for this device.
Personal recovery key rotation	Not configured or number of months	Specify how frequently in months (1-12) the device’s personal recovery key will rotate.
Escrow location description of personal recovery key		Display a short message to the user that explains how they can retrieve their personal recovery key. This text will be inserted into the message the user sees when enabling FileVault.
Number of times allowed to bypass	Not configured / 1-10 / No limit, always prompt	Set the value to -1 to disable the setting. Set the value to 0 to always prompt the user to enable FileVault, although they can ignore the prompt. Set the value from 1 to 10 to allow the user to bypass the prompt that many times until they are required to encrypt the device.
Allow deferral until sign out	Yes / Not Configured	Defer the prompt until the user signs out. Only ‘yes’ is supported.
Disable prompt at sign out	Yes / Not Configured	Disable the prompt for the user to enable FileVault when they sign out.

Once you have selected your required configuration

Define the Scope Tags (if in use within your environment
Define the Assignment to your selected groups
Review and Create

This completes the list of configurations available in Microsoft Endpoint Manager for Disk Encryption.

Regards
The Author – Blogabout.Cloud