Microsoft Azure Active Directory (Azure AD) and Microsoft Intune bring the power of the intelligent cloud to Windows 10 device management, including management capabilities for BitLocker. Some of these capabilities work on Windows 10 Pro, while other capabilities require Windows 10 Enterprise or Education editions.
The first step to managing BitLocker using Microsoft Intune is to visit the new Microsoft Endpoint Manager admin center. Select Endpoint security > Disk encryption, and then Create policy. Enter in the Platform and Profile indicated in the screen capture below, and then select Create.
Next, enter the basics, such as the name of the policy and an optional description,
Then move on to Configuration settings. Notice you can search for a specific setting, like “fixed drive policy,” or you can scroll through the settings.
Also notice the options offered for key rotation.
As you enable settings, additional settings may appear. For example, Enabling Fixed drive encryption expands more options: Recovery key file creation and Configure BitLocker recovery key package.
Finally, add Scope tags (optional), assign the new policy to specific groups of users or devices, and select Create.
The settings that can be configured here include:
BitLocker – Base Settings
Enable full disk encryption for OS and fixed data drives
Require storage cards to be encrypted (mobile only)
When integrating your Windows 10 devices into Microsoft Endpoint Manager, you may encounter policy conflicts where the same setting is configured both on-premises via GPO and Intune. When this happens it can be a complete nightmare, so in this post I will show you how to identify GPOS not supported by MDM.
When integrating your Windows 10 devices into Microsoft Endpoint Manager, you may encounter policy conflicts where the same setting is configured both on-premises via GPO and Intune. When this happens it can be a complete nightmare, so in this post I will show you how to configure Microsoft Endpoint Manager so that your MDM policies rein over GPO.
Lets get to it and launch Microsoft Endpoint Manager dashboard –> Go to Devices –> Configuration Profile –> Create Profile
Platform – Windows 10 and later Profile – Custom
Click Add and enter the below
Name: ConflictPolicyConflict Description: Enter value if required OMA-URI: ./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP Data type: Integer Value: 1
Click Save –> Press Next
If you are using Scope Tags – Define your tags and Press Next
Define your selected groups of machines for the profile and Press Next
Define applicability rules if in use and Press Next
This will now force MDM Policies to win over Group Policies assigned to a Windows 10 device.
First, you need to “wrap” all the required files into an Endpoint Manager (Intune) format. To do so, Microsoft has a tool that will “convert” your application into a .intunewin file at the end of the process. The generated .intunewin file contains all compressed and encrypted source setup files and the encryption information to decrypt it.
To view help, run IntuneWinAppUtil.exe -h.
Download the Microsoft Win32 Content Prep Tool and have the desired application source files.
Open a command prompt as admin and browse to the folder of IntuneWinAppUtil.exe
Select Windows app (Win32) from the App type drop list
On the App Information pane click Select App package file and select the previously created .intunewin file and click Ok
Complete the missing App Information. Click Next
Depending on the application format, install and uninstall command lines will be auto-completed. Adjust the parameter if needed. Click Next
On the Requirement pane, OS architecture and minimum OS are required. Click Next
Detection rules work the same way as in ConfigMgr application model. In the case of an MSI, it is simple. Select Manually configure detection rule, select rule type MSI and the MSI Product Code should be auto-populated. Click Next
On the Dependencies tab: Software dependencies are applications that must be installed before this application can be installed. Adjust if needed. Click Next
If you anywhere like me, you will share a pet hate for Windows 10 Bloatware new brand new devices. In the “good old days” you would get an image without the crap installed and that would be it but with Windows Autopilot deployments the bloatware is preinstalled so how do we deal with this challenge today?
First of all, we need a script that will remove the Windows 10 Bloatware, here a script that I have modified to make it a bit smoother for what we are trying to achieve.
Select Windows 10 not macOS then provide the name of the script and a brief description
Under script location browse to the required PowerShell script on your client device.
Understanding this section
Run this script using the logged on credentials: Select Yes to run the script with the user’s credentials on the device. Choose No (default) to run the script in the system context. Many administrators choose Yes. If the script is required to run in the system context, choose No.
Enforce script signature check: Select Yes if the script must be signed by a trusted publisher. Select No (default) if there isn’t a requirement for the script to be signed.
Run script in 64-bit PowerShell host: Select Yes to run the script in a 64-bit PowerShell (PS) host on a 64-bit client architecture. Select No (default) runs the script in a 32-bit PowerShell host.
Specify Tags if you are utilizing them in your environment and once you completed that section, select the groups where you want the scripts applied.
Review your settings and press Add
This script will now apply to your Windows 10 device and remove all the unwanted Windows 10 Bloatware.
This week Microsoft has announced the final release of the security configuration baseline settings for Windows 10 and Windows Server version 2004. This version sees 1 additional policy and 1 policy removed, Microsoft has also made 2 recommendations that organizations might worth considering.
In the Windows Server version 1809 Domain Controller baseline we created and enabled a new custom MS Security Guide setting called Extended Protection for LDAP Authentication (Domain Controllers only) based on the values provided here. This setting is now provided as part of Windows and no longer requires a custom ADMX. An announcement was made in March of this year and now all supported Active Directory domain controllers can configure this policy. The value will remain the same in our baseline, but the setting has moved to the new location. We are deprecating our custom setting. The new setting location is: Security Settings\Local Policies\Security Options\Domain controller: LDAP server channel binding token requirements.
Note: this new policy requires the March 10, 2020 security update. (We assume that, as security conscious baselines users, you are patching!) Details of that patch are here.
Microsoft Defender Antivirus File Hash
Microsoft Defender Antivirus continues to enable new features to better protect consumers and enterprises alike. As part of this journey Windows has a new setting to compute file hashes for every executable file that is scanned, if it wasn’t previously computed. You can find this new setting here: Computer Configurations\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MpEngine\Enable file hash computation feature.
You should consider using this feature to improve blocking for custom indicators in Microsoft Defender Advanced Threat Protection (MDATP). This new feature forces the engine to compute the full file hash for all executable files that are scanned. This can have a performance cost, which we minimize by only generating hashes on first sight. The scenarios where you may want to test more thoroughly for performance include devices where you frequently create new executable content (for example, developers) or where you install or update applications extremely frequently.
Because this setting is less helpful for customers who are not using MDATP, we have not added it to the baseline, but we felt it was potentially impactful enough to call out. If you chose to enable this setting, we recommend throttling the deployment to ensure you measure the impact on your users’ machines.
Account Password Length
In the Windows 10 1903 security baselines we announced the removal of the account password expiration policy. We continue to invest in improving this experience. With Windows 10 2004, two new security settings have been added for password policies: ‘Minimum password length audit’ and ‘Relax minimum password length limits’. These new settings can be found under Account Policies\Password Policy.
Previously, you could not require passwords/phrases greater than 14 characters. Now you can! Being able to require a length of more than 14 characters (maximum of 128) can help better secure your environment until you can fully implement a multi-factor authentication strategy. Our vision remains unchanged in achieving a password-less future, but we also recognize that this takes time to fully implement across both your users and your existing applications and systems.
You should be cautious with this new setting because it can potentially cause compatibility issues with existing systems and processes. That’s why we introduced the ‘Minimum password length audit’ setting, so you can see what will happen if you increase your password/phrase length. With auditing you can set your limit anywhere between 1 and 128. Three new events are also created as part of this setting and will be logged as new SAM events in the System event log: one event for awareness, one for configuration, and one for error.
This setting will not be added to the baseline as the minimum password length should be audited before broad enforcement due to the risk of application compatibility issues. However, we urge organizations to consider these two settings. Additional details about these new settings will be found here, once the new article get published in the coming days.
(NOTE: As of the today the link is not yet live, we are actively working to ensure it gets posted soon!)
As a reminder, length alone is not always the best predictor of password strength, so we strongly recommend considering solutions such as the on-premise Azure Active Directory Password Protection which does sub-string matching using a dictionary of known weak terms, and rejects passwords that don’t meet a certain score.
Turn on Behavior Monitoring
In keeping with our principals of criteria for baseline inclusion we have found that the following setting does not need to be enforced; there is no UI path to the setting, you must be a privileged account to make the change, lastly we do not feel a mis-informed Admin would change this setting. Based on these principals we are removing Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-time Protection\Turn on behavior monitoring
In this video I show how I install all the common PowerShell modules that I use when building/provisioning Windows 10 devices that are registered in MEM.In this video I show how I install all the common PowerShell modules that I use when building/provisioning Windows 10 devices that are registered in MEM.
In recent times I have had to rebuild a number of my Windows 10 devices and reinstall my favourite scripts, applications and tweaks. Which got me thinking there must be a better way of rebuilding my devices, so heres my approach.
Azure Blob Storage
After transitioning from a very UC focused role I have been learning an appreciation for the whole M365 stack and how Microsoft Azure can work hand in hand with potential problems or scenarios. Microsoft have done a very good job in providing a platform to enable businesses and organisations to leverage their subscriptions in more power ways, so with that being said lots looks at Azure Blob Storage.
First of all we need to log into the Azure Portal as this is where all the required work will now take place. Once logged in you will need to search for Storage account as this is where all files will need stored. In my case, I have already created a Storage Account but you can complete this by using the Add button.
As you have now created the Storage Account, you will need to go to Containers as shown below.
Again in my case I already have a container called intuneblogaboutcloud but you can create your container by clicking + Container
We can now upload all required PowerShell scripts, installers, images etc.. depending on what you are attending to achieve. In my container, I have created folders to structure the data.
One of the key things to understand with each file uploaded it has a unique URL, please keep this in mind as later in this post I will be demostrating how I use this URL to deliver customizations to my Windows 10 devices.
So Microsoft Endpoint Manager has the ability to deliver PowerShell scripts to any and all Windows 10 enrolled devices. As I was getting annoyed in having to reinstall PowerShell customizations and tweaks I like to perform on my client machines. I created several scripts that do the hard work for me.
One of the unique features of this script is to check for updated versions of the module from the PSGallery. However, this feature isn’t effective using MEM for delivery unless a modified script is upload to the MEM.
As mentioned in the Azure Blob Storage section the unique URL will have an important part to play. As you can see from the image below, I have highlighted 3 sections
1 – The unique URL with its our unique variable name $chromeinstaller
2 – The download command
3 – The installer command
Even with limited PowerShell experience, you will be able to understand how this script works and customize to your needs. Whether its an .msi, .exe, .ps1 you just modify the script to your needs.
Finally, delivering applications to Windows 10 using the native W32 App method. Microsoft have already made it easier with Microsoft Apps for Enterprise aka Office ProPlus but as you can see I have leverage MEM to install a number of MSI files that I like on my machines. I will not going into detail on this section as its quite straight forward.
So there you have it, customizing my Windows 10 devices with my tweaks, modules and applications via Microsoft Endpoint Manager + Azure Blob Storage and PowerShell.