Implementing Windows Information Protection

Windows Information Protection enables an organization to draw a clear line between personal data and corporate data. When implementing Windows Information Protection (WIP) you might find that apps not recognized as corporate lose the ability to write data to corporate-protected applications and data stores. For example:

You use GitHub and store your cloned repos in your OneDrive Known Folders, and WIP is enabled in “Block” mode.

That lovely GitHub repo you want to clone will now be blocked 🙁

So how do we implement Windows Information Protection while ensuring our organizations remain secure?

Let's start with WIP Learning

First of all, you need to have configured App Protection within Microsoft Endpoint Manager for all the apps you want to protect with WIP, as shown below.

WIP Learning is a report that allows you to monitor your WIP-enabled apps and WIP-unknown apps. The unknown apps are the ones not deployed by your organization’s IT department. You can export these apps from the report and add them to your WIP policies to avoid productivity disruption before you enforce WIP in “Block” mode.

In addition to viewing information about WIP-enabled apps, you can view a summary of the devices that have shared work data with websites. With this information, you can determine which websites should be added to group and user WIP policies. The summary shows which website URLs are accessed by WIP-enabled apps.

When working with WIP-enabled apps and WIP-unknown apps, we recommend that you start with Silent or Allow Overrides while verifying with a small group that you have the right apps on your protected apps list. After you’re done, you can change to your final enforcement policy, Block.

What are the protection modes?

Block

WIP looks for inappropriate data sharing practices and stops the user from completing the action. Blocked actions can include sharing info across non-corporate-protected apps, and sharing corporate data between other people and devices outside of your organization.

Allow Overrides

WIP looks for inappropriate data sharing, warning users when they do something deemed potentially unsafe. However, this mode lets the user override the policy and share the data, logging the action to your audit log.

Silent

WIP runs silently, logging inappropriate data sharing without blocking anything that would have prompted for employee interaction in Allow Overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.

Switching on WIP

Browse to your App Protection Policy and go to its Properties; under Required Settings you can select which mode you would like to enable for your organization. Please note: you will need to define your “Corporate Identity”; if you have multiple domains, they can be added as ‘Protected domains’ under ‘Network perimeter’ in the ‘Advanced settings’ tab.

Once you have done an initial pilot to discover the applications being used to access corporate data, you can generate a report from Apps –> Monitor –> App Protection Status –> Reports –> App Learning report for Windows Information Protection. In my case I can see that my GitHub application has been discovered.

Now that you have your report, you are able to create the required exceptions to ensure the non-corporate applications can access corporate data.

Regards
The Author – Blogabout.Cloud

Unleashing the power of Microsoft Endpoint Manager against OneDrive for Business

It's time to unleash the power of Microsoft Endpoint Manager against OneDrive for Business. If you are licensed for Microsoft Intune you have so many cool features and policies available to you when it comes to configuring OneDrive for Business. In my role as an IT Architect I am seeing more and more customers moving their data to the cloud and leveraging all the functionality available from Microsoft Endpoint Manager.

One of the biggest changes in behaviour I have seen is moving Group Policies to Microsoft Endpoint Manager. Administrative Templates are an excellent solution that has grown not only in popularity but in functionality as well. An easy way of finding out whether you can move your current on-premises Group Policies to Microsoft Intune is available on GitHub. If you haven’t come across it yet, please check out MMAT on GitHub; it is one of the most powerful tools for gathering data on what is supported via Microsoft Endpoint Manager.

https://github.com/WindowsDeviceManagement/MMAT

Administrative Templates

Administrative Templates is a growing function within Microsoft Endpoint Manager; in recent times it has gained more and more great functionality, which covers the following:

– Windows
– Office
– Edge

As we are focusing on just OneDrive, let's have a look at what is available to us today. Currently there are 31 different settings available for OneDrive for Business, and when I am working with my customers I always recommend looking at the following settings:

– Disable the tutorial that appears at the end of OneDrive setup
– Prevent users from changing the location of their OneDrive folder
– Prevent users from fetching files remotely
– Prevent users from moving their Windows known folders to OneDrive
– Prevent users from syncing personal OneDrive accounts
– Set the default location for the OneDrive folder
– Silently move Windows known folders to OneDrive
– Silently sign in users to the OneDrive sync client with their Windows credentials

Policies for Office Apps

This is the new kid on the block and currently has only one policy for OneDrive for Business, but expect this to change massively over the course of 2020.

And that's your lot. Please check out what Microsoft Endpoint Manager can do for you today, as you may be pleasantly surprised how powerful the Microsoft Cloud has become.

Regards
The Author – Blogabout.Cloud

Enabling BitLocker for Windows 10 1903 or higher devices using Microsoft Endpoint Manager

In a world where security and encryption are becoming more and more important for organisations, it’s safe to say Microsoft is doing its part in empowering businesses to protect their corporate data on end user devices.

Today we are going to look at how easy it is to enable BitLocker for your corporate devices using Microsoft Endpoint Manager.

Once you have logged into https://devicemanagement.microsoft.com you will need to browse to Devices –> Configuration Policies –> Create Profile.

Select Windows 10 or higher and Endpoint Protection; you will need to provide a profile name in order to save this configuration once complete.

As you can see below, once you go into Endpoint Protection –> Windows Encryption you are able to configure the ability to encrypt your Windows 10 devices. Ensure you read all configuration options to understand how the behaviour will affect your end user computers.

Once you have assigned this new profile, the device will start encrypting at its next check-in.

Regards
The Author – Blogabout.Cloud

Microsoft Endpoint Manager – Converting your Windows 10 Pro devices to Enterprise

Hello Readers,

Recently during a rollout of Microsoft Endpoint Manager, I noticed that my configured lock screen and desktop background were not being applied to my newly enrolled Windows 10 devices. 🙁 After a bit of investigation I noticed that the device was running as Windows 10 Pro, even though the image used to build the machine was Windows 10 Enterprise.

Launch https://devicemanagement.microsoft.com and browse to Device –> Configuration Profiles –> New:
– Name = Provide a name
– Description = (Optional)
– Platform = Windows 10 and later
– Profile Type = Edition upgrade and mode switch
– Settings = Select Windows 10 Enterprise and provide your key

Now assign the policy to the affected devices and you will have Windows 10 Enterprise devices.

Regards
The Author – Blogabout.Cloud

Configuring your time zone with Microsoft Endpoint Manager

Isn’t it annoying when your time zone on your Azure AD Join, Hybrid Azure AD Joined or Autopilot enrolled device has the incorrect time?

Is there a simple way of resolving this issue for all devices?

Of course, there is… Now let’s look at how it is done.

First of all, log into your Microsoft Endpoint Manager admin center via https://devicemanagement.microsoft.com/ or the Azure Intune portal. You will now need to create a new Device Configuration Policy with the following information:

Steps

– Name = Something that lets you identify the profile easily
– Platform = Windows 10 and later
– Profile Type = Custom

Custom Profile – Device Configuration

Press Add and enter the following:
– Name = Set time zone
– Description = (Optional)
– OMA-URI = ./Device/Vendor/MSFT/Policy/Config/TimeLanguageSettings/ConfigureTimeZone
– Data type = String
– Value = Whatever time zone you require (the valid time zone names are listed at https://support.microsoft.com/en-gb/help/973627/microsoft-time-zone-index-values)

Save your newly created policy and assign it to the relevant group.
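To sanity-check the value before you assign the profile, and to confirm it actually took effect on an enrolled device, here is a PowerShell check added as an example (it is not from the original post). It assumes the Policy CSP records the applied value under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\TimeLanguageSettings; the zone name 'GMT Standard Time' is just a sample.

```powershell
# Added example: validate a time zone ID before deploying it and verify the
# ConfigureTimeZone policy after it has applied. Run on the managed Windows 10 device.

function Test-TimeZoneId {
    # Returns $true when $Id is a time zone Windows knows about, e.g. "GMT Standard Time".
    # A typo here would leave the CSP setting in error on every targeted device.
    param([Parameter(Mandatory)][string]$Id)
    $known = (Get-TimeZone -ListAvailable).Id
    return $known -contains $Id
}

function Get-AppliedTimeZonePolicy {
    # Assumption: Policy CSP settings delivered by Intune are mirrored under this key,
    # with the policy name as the value name.
    $path = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\TimeLanguageSettings'
    if (-not (Test-Path $path)) { return $null }
    return (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).ConfigureTimeZone
}

function Test-TimeZonePolicy {
    # Compares the value you expect in the profile, the value the CSP recorded,
    # and the time zone the OS is actually running with.
    param([Parameter(Mandatory)][string]$Expected)

    if (-not (Test-TimeZoneId -Id $Expected)) {
        throw "'$Expected' is not a valid Windows time zone ID; check the index list before assigning the profile."
    }
    $applied = Get-AppliedTimeZonePolicy
    $current = (Get-TimeZone).Id

    [pscustomobject]@{
        Expected      = $Expected
        PolicyApplied = $applied
        CurrentZone   = $current
        Compliant     = ($applied -eq $Expected) -and ($current -eq $Expected)
    }
}

# Sample run (replace the ID with the zone you put in the profile's Value field):
Test-TimeZonePolicy -Expected 'GMT Standard Time' | Format-List
```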

Regards
The Author – Blogabout.Cloud

Encrypting your Windows 10 devices using Microsoft Intune and non-admin users

Microsoft Endpoint Manager is great; however, if you want to encrypt a Windows 10 device silently while a standard (non-admin) user is logged in, you might find it difficult to do so via the MEM portal settings. This is where this blog post comes in handy 🙂

In order to encrypt the device silently you need to create a Custom Configuration Policy. Browse to your Microsoft Endpoint Manager portal or Intune portal –> Device Configuration Profiles –> Create New Profile.

  • Enter a Name for the Profile
  • Select Windows 10 and later from Platform
  • Select Custom from Profile type
  • Select Configure from Settings
  • Press Add

We will now need to enter the following information to configure encryption.

– Name = AllowStandardUserEncryption
– OMA-URI = ./Vendor/MSFT/BitLocker/AllowStandardUserEncryption
– Data Type = Integer
– Value = 1

Once you have created the policy, assign it to your required devices and BitLocker will now encrypt the devices.

Oh but wait!!!

In my experience performing this procedure I have run into an issue where Intune marks the device as compliant against “Require BitLocker” but non-compliant against “Encryption of data storage on the device”.

This is due to the device not being able to back up the BitLocker encryption key to Azure Active Directory. The workaround for this was to deploy a PowerShell script using Intune that forces the key to be backed up.

So let's add a script to Intune which will execute the required steps. First go to Device Configuration –> Scripts –> Add.

Provide a Name which will easily identify the script in the Intune Portal.

Browse to the script location on your local machine or network drive
Tick Yes to Run script in 64 bit PowerShell host.

Save, then assign it to the required AAD group to execute on the client machine.

I cannot take any credit for the script, but it resolves the issue I encountered and my compliance policy was once again “Compliant” for all devices. I have made this script available via my GitHub account.

https://github.com/TheWatcherNode/blogaboutcloud
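As an added example (this is not the script from the GitHub repository above), the following PowerShell does the two things this post needs: escrows the OS drive's recovery password to Azure AD with BackupToAAD-BitLockerKeyProtector, and reports the per-volume state that the compliance policy evaluates. It assumes it runs elevated (for instance as an Intune script in the system context) on an Azure AD joined Windows 10 device with the built-in BitLocker module.

```powershell
# Added example: escrow BitLocker recovery passwords to Azure AD and report the
# state Intune compliance looks at. Requires the built-in BitLocker module and
# elevation; deploy through Intune as a system-context script.

function Get-BitLockerComplianceReport {
    # One row per volume: encryption state, protection state and whether a
    # RecoveryPassword protector exists (without one there is nothing to escrow).
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint        = $_.MountPoint
            VolumeStatus      = $_.VolumeStatus      # FullyEncrypted, EncryptionInProgress, ...
            ProtectionStatus  = $_.ProtectionStatus  # On / Off
            EncryptionMethod  = $_.EncryptionMethod
            RecoveryPasswords = @($_.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').Count
        }
    }
}

function Backup-RecoveryPasswordsToAAD {
    # For every RecoveryPassword protector on the given volume, ask Windows to escrow
    # it to Azure AD. A silently encrypted volume may only carry a TPM protector, in
    # which case a recovery password is added first so that something can be escrowed.
    param([string]$MountPoint = $env:SystemDrive)

    $volume   = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = @($volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

    if ($recovery.Count -eq 0) {
        Write-Output "No recovery password on $MountPoint; adding one so it can be escrowed."
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $recovery = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
                      Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }

    foreach ($protector in $recovery) {
        # Only the protector ID is logged; the recovery password itself never leaves the device in clear text.
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $protector.KeyProtectorId
        Write-Output "Escrowed protector $($protector.KeyProtectorId) from $MountPoint to Azure AD."
    }
}

Backup-RecoveryPasswordsToAAD
Get-BitLockerComplianceReport | Format-Table -AutoSize
```

After the next Intune sync the “Encryption of data storage on the device” setting should evaluate as compliant, because the recovery key now exists in Azure AD for the device object.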

Regards,
The Author – Blogabout.Cloud

Removing the need for Windows Group Policies using the capability of the Microsoft Cloud.

Back in July Microsoft announced that it is now possible to configure enrolled Windows 10 devices with Administrative Templates that are very similar to Windows Group Policies. Since this announcement Microsoft has made further progress, introducing administrative templates for Windows, Office and most recently Edge.

Microsoft Endpoint Manager is becoming more common as businesses around the globe adapt, adopt and migrate more of their workloads to the Microsoft Cloud.

Let’s dive into the reasoning for removing Windows 10 Group Policies and adopting Administrative Templates from Microsoft Intune. One of the most valuable things that any business can do is enrol their Windows 10 devices in Microsoft Endpoint Manager as it provides a lot of additional functionality which cannot be deployed using the conventional on-premises infrastructure.

This modern management of Windows 10 allows businesses to apply policies to devices that may not be connected to the corporate LAN but have an internet connection. This provides the protection, configuration and compliance to the end-user device whether they are in or out of network.

I have been working with several customers recently who have seen huge value from moving their group policy objects (GPOs) to Administrative Templates. Many of the organisations deployed legacy or out-of-date group policies to their end users which are not needed and in some cases create a security hole within their Windows 10 build.

Adopting Microsoft Endpoint Manager allows businesses to evaluate their GPO structure and condense their requirements. Condensing your GPOs with administrative templates is just the start of the journey to modern management.

  • Do you deploy applications via GPOs?
  • Do you deploy registry keys via GPOs?

If you do, these can also be delivered using the power of the Microsoft Cloud, specifically Microsoft Endpoint Manager. I have recently been deploying a large number of core applications to Windows 10, including registry key modifications, using a PowerShell script from within the MEM portal. So as soon as the Windows 10 device is enrolled and has an internet connection, all applications and policies are configured, with the devices regularly polling for any updates/changes made within the Intune portal.

So isn't it time you investigated what Microsoft Endpoint Manager can do for you today?

Regards,
The Author – Blogabout.Cloud

Isn’t it time you switch gears into Windows Autopilot

Windows Autopilot has increased in popularity over the past 3 years since its release in 2017. As a consultant within the Microsoft Cloud space, I have had more conversations with customers about how Autopilot can change how they deploy Windows 10 devices to their end users.

Being able to deliver a brand new Windows 10 device from the OEM Factory to the end-users desk that is already configured with all the required security policies and applications has to be the biggest selling point.

This post shows how we can move to Windows Autopilot in 3 easy steps:

Step 1 – Register Devices

Option 1 – (Recommended) Have devices registered automatically:

– Request clean images and, if available, your choice of Windows 10 version at the same time; not all OEM vendors are able to provide clean images. A useful workaround for this is a Windows 10 bloatware-removal script I have seen; if you haven’t come across it, I have dropped a copy on GitHub.
– Specify a group tag to help segment devices by purpose (depending on the size of your organisation this may not be a requirement).
– Devices are automatically tagged with the purchase order ID.

Option 2 – (Recommended for piloting) Register devices yourself via Intune for testing and evaluation using the Get-WindowsAutopilotInfo PowerShell script created by Microsoft.

Once you have the required CSV file from executing the script you can manually register the device.

Option 3 – Register (harvest) existing Intune-managed devices automatically. If you are an organisation that has already enrolled your Windows 10 devices into Microsoft Intune you can register all devices for Windows Autopilot.

Step 2 – Assign a profile

Use Intune:
– Select the profile scenario (user-driven or self-deploying)
– Configure the required settings
– Assign to an Azure AD group so Intune will automatically assign the profile to all devices in that group (I am a big fan of dynamic groups)

Use a dynamic Azure AD group to automate this step
– Consider static Azure AD groups for exceptions
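Added example, not part of the original post: PowerShell that builds the dynamic membership rule for Autopilot-registered devices (all of them, or only those registered with a specific group tag, which ties Step 1's group tag to Step 2's profile assignment) and creates the group through the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph.Groups module is installed and the signed-in admin holds Group.ReadWrite.All; the 'Sales' tag and group names are hypothetical.

```powershell
# Added example: dynamic Azure AD groups for Autopilot profile assignment.
# Assumes Microsoft.Graph.Groups is installed and the caller has Group.ReadWrite.All.

function New-AutopilotMembershipRule {
    # Every Autopilot-registered device carries a "[ZTDId]" physical ID. Devices registered
    # with a group tag also carry "[OrderID]:<tag>", which lets you segment by purpose.
    param([string]$GroupTag)

    if ([string]::IsNullOrWhiteSpace($GroupTag)) {
        return '(device.devicePhysicalIDs -any (_ -contains "[ZTDId]"))'
    }
    # A double quote inside the tag would break the rule expression, so refuse it.
    if ($GroupTag -match '"') { throw 'Group tag must not contain double quotes.' }
    return "(device.devicePhysicalIds -any (_ -eq `"[OrderID]:$GroupTag`"))"
}

function New-AutopilotDynamicGroup {
    # Creates a security group whose membership is evaluated from the rule above,
    # so devices join it as soon as their Autopilot registration syncs to Azure AD.
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [string]$GroupTag
    )
    $rule = New-AutopilotMembershipRule -GroupTag $GroupTag

    Connect-MgGraph -Scopes 'Group.ReadWrite.All' | Out-Null
    New-MgGroup -DisplayName $DisplayName `
        -MailEnabled:$false `
        -MailNickname ($DisplayName -replace '[^A-Za-z0-9]', '') `
        -SecurityEnabled `
        -GroupTypes @('DynamicMembership') `
        -MembershipRule $rule `
        -MembershipRuleProcessingState 'On'
}

# All Autopilot devices: assign the default deployment profile to this group.
New-AutopilotDynamicGroup -DisplayName 'Autopilot - All Devices'
# Only devices the OEM registered with the (hypothetical) "Sales" group tag.
New-AutopilotDynamicGroup -DisplayName 'Autopilot - Sales' -GroupTag 'Sales'
```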

Here are the deployment profiles that can be configured today.

Coming soon

Hybrid Azure AD join for devices that don't have line of sight to a domain controller; this is currently in testing and will use a VPN to call home. The support has been built into Windows 10 1909.

Step 3 – Deploy

Boot up the device or devices

Connect to a network either wired or wireless

Enter credentials if required (credentials not required for self-deployment profiles)

The device will now go away and provision based on your configuration within Microsoft Endpoint Manager, once complete all that is left to say is…

Welcome to Windows Autopilot!!! I will be writing a more in-depth post about Autopilot soon because of the configuration I am currently using for my home devices.

Regards
The Author – Blogabout.Cloud

iOS deployment scenarios with Microsoft Endpoint Manager

Microsoft has been working with the iOS ecosystem and continues to work with Apple to provide the best possible platform for users and enterprises to work hand in hand. Microsoft has ensured their flagship products are available through the Apple Store as shown below

With Microsoft Intune we have 4 methods of deployment:

iOS App Protection Policies (APP) Managed

This solution is targeted for BYOD devices that are not enrolled but access corporate data from the approved corporate apps, for example; Outlook, Word and Excel. App Protection Policies are placed on the applications that are accessing corporate data to ensure the security requirements are met.

More information can be found via the following url about App Protection Policies. https://docs.microsoft.com/en-us/intune/apps/app-protection-policy

User Enrollment

User Enrollment has been designed with the BYOD user in mind. This enrollment allows administrators to enforce password restrictions, restrict viewing non-corporate documents in corporate apps, restrict viewing corporate documents in unmanaged apps, require encrypted backups and automatically remove apps if the device is unenrolled.

Device Enrollment

Device enrollment is user-initiated through the company portal and is the most common method of enrolling corporate devices. This option provides the largest range of MDM capabilities available within Microsoft Endpoint Manager.

Automated Device Enrollment

Automated device enrollment is designed for corporate-owned devices synced to Microsoft Endpoint Manager via Apple Business Manager. This enrollment provides supervised-mode MDM capabilities, Secure Kiosk, Classroom device and lock management to a device.

Regards,
The Author – Blogabout.Cloud

Android deployment scenarios with Microsoft Endpoint Manager

Microsoft has heavily invested in the Android ecosystem and continues to work with Google to provide the best possible platforms for users and enterprises to work hand in hand. Microsoft has ensured their flagship products are available through the Google Play Store as shown below

With Microsoft Intune we have 4 methods of deployment:

Android App Protection Policies (APP) Managed

This solution is targeted for BYOD devices that are not enrolled but access corporate data from the approved corporate apps, for example; Outlook, Word and Excel. App Protection Policies are placed on the applications that are accessing corporate data to ensure the security requirements are met.

More information can be found via the following url about App Protection Policies. https://docs.microsoft.com/en-us/intune/apps/app-protection-policy

Android Enterprise Work Profile

This solution is targeted at BYOD devices that are enrolled, to define a clear boundary between personal and corporate data. All corporate data is stored within its own encrypted container, and settings can be defined to control cross-profile contacts, sharing, app push, certificate deployment and resource access configuration. This is the most common approach for handling BYOD devices within businesses around the globe.

More information about enrollment for Work Profile can be found via the following url https://docs.microsoft.com/en-us/intune/enrollment/android-work-profile-enroll

Android Enterprise dedicated (kiosk)

This solution is targeted at corporate-owned devices that are designed for a particular task. The easy way to describe this would be:

The Android device(s) are owned by an event management company, which loans them out to exhibitors for lead retrieval. As the exhibitors only need to access one application, the device(s) are locked down to that single app. This solution provides a highly configurable home screen experience with the “Managed Home Screen” app, and the following new capabilities have been launched by Microsoft:

  • SCEP certificate-based Wi-Fi (November release)
  • System app support
  • Home screen branding customization
  • Wi-Fi and Bluetooth user controls
  • Kiosk drop-out code

Android Enterprise Fully Managed

This solution is targeted at corporate-owned devices which will be completely managed by the organization but used by one of their members of staff. This scenario provides a fully secure corporate device that the user is unable to tamper with or modify. The Google Play Store is locked down to only applications approved by the organization; this is my personal preference for corporate-only devices.

Coming in 2020: Fully Managed with Work Profile

Expected this year. Once more information is available I will go into detail about how to leverage fully managed with work profile 🙂

Regards,
The Author – Blogabout.Cloud