Receive a voucher to take the AZ-900 for free!!

Microsoft has decided to run a number of full-day virtual training events on the fundamentals of Azure. This is excellent news for everyone affected by Covid-19, as there is no excuse not to attend 🙂 and by attending you will receive a free Microsoft exam voucher so you can sit the AZ-900 exam from home.

The course details are as follows:


To create your vision for tomorrow, you need to understand what the cloud can do for you and your company today. Microsoft Azure Virtual Training Day: Fundamentals explains cloud-computing concepts, models, and services, covering topics such as public, private, and hybrid cloud as well as infrastructure as a service, platform as a service, and software as a service.

During this free virtual event you will learn:

  • Common cloud concepts
  • Benefits of Azure
  • Strategies for transitioning to Azure cloud
  • Azure computing, networking, storage and security basics

By attending the event, you will have the knowledge needed to take the AZ-900 Microsoft Azure Fundamentals certification exam and receive a voucher to take the exam for free at a date and time of your choice.

Virtual training will be in English.


So here are the options available for attending the virtual event.

April 21st (GMT+2):
https://info.microsoft.com/CE-AzureINFRA-WBNR-FY20-04Apr-21-MicrosoftAzureVirtualTrainingDayFundamentalsMaster-SRDEM17525_LP01Registration-ForminBody.html

May 5th (Eastern Time Zone):
https://info.microsoft.com/en-us-landing-MicrosoftAzureVirtualTrainingDayFundamentalsMaster-may5-none.html?ls=Website&lsd=AzureWebsite

June 17th (Pacific Time Zone):
https://info.microsoft.com/en-us-landing-MicrosoftAzureVirtualTrainingDayFundamentalsMaster-jun17-none.html?ls=Website&lsd=AzureWebsite

June 2nd (Eastern Time Zone):
https://info.microsoft.com/en-us-landing-MicrosoftAzureVirtualTrainingDayFundamentalsMasterJun02-none.html?ls=Website&lsd=AzureWebsite

Two day Virtual Event

This is the same content but delivered over two days; each day covers two of the four modules listed above.

May 12 – 13 (Eastern Time Zone):
https://info.microsoft.com/en-us-landing-MicrosoftAzureVirtualTrainingDayFundamentalsMaster-none.html?ls=Website&lsd=AzureWebsite

May 27 – 28 (Pacific Time Zone):
https://info.microsoft.com/en-us-landing-MicrosoftAzureVirtualTrainingDayFundamentalsMastermay27-none.html?ls=Website&lsd=AzureWebsite

June 24 – 25 (Pacific Time Zone):
https://info.microsoft.com/en-us-landing-MicrosoftAzureVirtualTrainingDayFundamentals-None.html?ls=Website&lsd=AzureWebsite

There are more options available and you can see them all over here: https://azure.microsoft.com/en-ca/community/events/?query=Microsoft+Azure+Training+Day%3A+Fundamentals

PS: Additional help with passing your exam is available, as Pluralsight is also free for the entire month of April 2020.

Regards
The Author – Blogabout.Cloud

Deploying Firefox Settings using Microsoft Endpoint Manager

During a number of my recent deployments of Microsoft Endpoint Manager, and in conversations I have had with customers, one thing that always comes up is the security of the different browsers end-users run to perform their daily tasks. In a recent discussion we touched on Mozilla Firefox and how it can be managed using Microsoft Endpoint Manager, as the customer currently performs this task with on-premises GPOs.

Like Google Chrome, Firefox can be managed using a custom configuration profile for Windows 10. The profile consists of two parts. The first part deploys (ingests) the Firefox ADMX file to the Intune-managed device. The second part manages the settings of your choice.

Ingest the Firefox ADMX file

The Firefox ADMX file is published on GitHub in Mozilla's policy-templates repository. Download it, as it will be required later in this post.

We now need to sign in to the Microsoft Endpoint Manager admin center.

  • Sign in to the Endpoint Manager admin center
  • Browse to the following location: (1) Devices – (2) Windows
  • On the (3) Configuration Profiles tab click (4) Create profile

Select Windows 10 and later –> Custom –> Create

We now need to populate the Name field for this profile; you can also provide a description with more information about what this profile does. Once you have populated the required information, press Configure under Settings and then Add.

Now we are going to add rows to the profile. The first row ingests the Firefox ADMX file; the following rows are the Firefox policies you would like to introduce. Please follow the text and screenshots below.

Name: Firefox ADMX Ingestion
OMA-URI: ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Firefox/Policy/FirefoxAdmx
Data Type: String
Value: copy the entire content of the ADMX file into the value field

The file content could differ from what is shown in the screenshot above, as the template is revised over time, so validate it by opening the .admx file in Notepad or another text editor.

At the top of the opened file you will see the header below; this is the start of the content you copy into the value field of your row.

<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions revision="1.14" schemaVersion="1.0">
<policyNamespaces>
<target prefix="firefox" name="Mozilla.Policies.Firefox"/>
<using prefix="Mozilla" name="Mozilla.Policies"/>
</policyNamespaces>
<resources minRequiredRevision="1.14"/>

Understanding the OMA-URI for configuring policies

Now this was something very new to me, and I had to learn exactly how to interpret the ADMX file to obtain the information required to build the OMA-URI for each setting I would like to apply.

Let's split the OMA-URI into separate parts to make sure you fully understand how it is put together. First of all, the prefix that is the same for every ADMX-backed policy:
./Device/Vendor/MSFT/Policy/Config/
You will always need this when adding a new row for a policy. I am going to use DisablePrivateBrowsing as an example of how we achieve the required outcome.

The part that comes next is not always the same; it follows these rules:

It starts with Firefox, the application name given on the ingestion OMA-URI (ADMXInstall/Firefox/...), which here matches the file name of the template, firefox.admx, followed by Policy, with every part separated by the ~ sign as shown below.

Firefox~Policy~


The next part is the category path, made of two categories. The first category is the top-level category defined in the ADMX file, which for Firefox is called "firefox" (it matches the namespace prefix in the header shown above).

The second category is the policy's parent category, which will be one of the following:

  • firefox
  • Authentication
  • Popups
  • Cookies
  • Addons
  • Flash
  • Bookmarks
  • Homepage
  • Certificates
  • Extensions
  • Search
  • Permissions
  • Camera
  • Microphone
  • Location
  • Notifications
  • Autoplay
  • Preferences
  • SanitizeOnShutdown
  • TrackingProtection

As we are configuring DisablePrivateBrowsing, the category required is called firefox, so my complete OMA-URI is ./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~firefox/DisablePrivateBrowsing, i.e. the category path followed by /settingname as shown below.

Now that we understand the OMA-URI, we need to provide the string value that enables this policy. For this particular policy we just need to put <enabled/> to make it active (<disabled/> would turn it off). Policies that take parameters, such as a homepage URL or a list of sites, also need a <data id="..." value="..."/> element for each value the template defines.
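To take the manual work out of the two parts above, here is an added example (my own code written for this post, not Mozilla's template code and not anything Intune ships) that reads the category tree out of the ADMX, derives each policy's OMA-URI and value string, and assembles the ingestion row plus the policy rows as the JSON body that the Microsoft Graph POST /deviceManagement/deviceConfigurations call takes for a Windows 10 custom profile. The embedded ADMX is a constructed, cut-down file in the shape of firefox.admx, not the real template, and the SPNEGO site list is a sample value. The path is built as AppName~Policy~<category chain>/<policy>, walking parentCategory refs up to this file's root category and stopping at the Mozilla:Cat_Mozilla ref because mozilla.admx is not ingested; it therefore emits the root category once, whereas the worked URI above repeats the firefox segment. Which form the ingestion accepts for the current template is not confirmed here, so deploy a single policy row to a test device and check the profile's device status (a bad path is reported as an error rather than silently ignored) before scaling it out.

```python
import json
import xml.etree.ElementTree as ET

# Constructed, cut-down file in the shape of firefox.admx (not the real template):
# one root category, one child category, one switch policy and one list-valued policy.
SAMPLE_ADMX = r"""<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions revision="1.14" schemaVersion="1.0">
  <policyNamespaces>
    <target prefix="firefox" name="Mozilla.Policies.Firefox"/>
    <using prefix="Mozilla" name="Mozilla.Policies"/>
  </policyNamespaces>
  <categories>
    <category name="firefox"><parentCategory ref="Mozilla:Cat_Mozilla"/></category>
    <category name="Authentication"><parentCategory ref="firefox"/></category>
  </categories>
  <policies>
    <policy name="DisablePrivateBrowsing" class="Both" key="Software\Policies\Mozilla\Firefox"
            valueName="DisablePrivateBrowsing"><parentCategory ref="firefox"/></policy>
    <policy name="Authentication_SPNEGO" class="Both" key="Software\Policies\Mozilla\Firefox\Authentication\SPNEGO">
      <parentCategory ref="Authentication"/>
      <elements><list id="Authentication_SPNEGO" key="Software\Policies\Mozilla\Firefox\Authentication\SPNEGO"/></elements>
    </policy>
  </policies>
</policyDefinitions>"""
ELEMENT_TYPES = ("boolean", "decimal", "text", "enum", "list", "multiText")


def load_admx(text):
    """Return the target prefix, category->parent map and policies of an ADMX file."""
    root = ET.fromstring(text.encode("utf-8"))
    for el in root.iter():                       # tolerate files that declare the ADMX xmlns
        el.tag = el.tag.rsplit("}", 1)[-1]
    prefix = root.find("policyNamespaces/target").get("prefix")
    parents = {}
    for cat in root.iter("category"):
        pc = cat.find("parentCategory")
        parents[cat.get("name")] = pc.get("ref") if pc is not None else None
    policies = {pol.get("name"): {"class": pol.get("class", "Machine"),
                                  "category": pol.find("parentCategory").get("ref"),
                                  "elements": [(e.get("id"), e.tag) for e in pol.iter() if e.tag in ELEMENT_TYPES]}
                for pol in root.iter("policy")}
    return {"prefix": prefix, "parents": parents, "policies": policies}


def category_chain(admx, ref):
    """Walk parentCategory refs up to this file's root category. A ref into another ADMX
    namespace (Mozilla:Cat_Mozilla here) ends the walk: that file is not ingested."""
    chain = []
    while ref is not None:
        if ":" in ref:
            ns, ref = ref.split(":", 1)
            if ns != admx["prefix"]:
                break
        if ref not in admx["parents"]:
            raise KeyError(f"category {ref!r} is not defined in this ADMX")
        chain.append(ref)
        ref = admx["parents"][ref]
    return chain[::-1]


def oma_uri(admx, app_name, policy_name):
    """app_name is the name used on the ingestion URI (.../ADMXInstall/<app_name>/Policy/...)."""
    pol = admx["policies"][policy_name]
    scope = "User" if pol["class"] == "User" else "Device"
    path = "~".join(category_chain(admx, pol["category"]))
    return f"./{scope}/Vendor/MSFT/Policy/Config/{app_name}~Policy~{path}/{policy_name}"


def policy_value(admx, policy_name, data=None):
    """<enabled/> alone for a switch policy; plus one <data/> per ADMX element otherwise.
    A list element is encoded as index, U+F000, value, ... per the ADMX-backed policy docs."""
    parts = ["<enabled/>"]
    for elem_id, elem_type in admx["policies"][policy_name]["elements"]:
        if data is None or elem_id not in data:
            raise ValueError(f"{policy_name} needs a value for element {elem_id!r}")
        value = data[elem_id]
        if elem_type == "list":
            value = "&#xF000;".join(f"{i}&#xF000;{v}" for i, v in enumerate(value, 1))
        parts.append(f'<data id="{elem_id}" value="{value}"/>')
    return "".join(parts)


def custom_profile(admx_text, app_name, settings, profile_name="Firefox policies"):
    """Body for POST .../deviceManagement/deviceConfigurations: row 1 ingests the ADMX, the rest are policy rows."""
    admx = load_admx(admx_text)
    row = lambda name, uri, value: {"@odata.type": "#microsoft.graph.omaSettingString",
                                    "displayName": name, "omaUri": uri, "value": value}
    rows = [row(f"{app_name} ADMX Ingestion",
                f"./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{app_name}/Policy/{app_name}Admx",
                admx_text)]
    for policy_name, data in settings.items():
        rows.append(row(policy_name, oma_uri(admx, app_name, policy_name), policy_value(admx, policy_name, data)))
    return {"@odata.type": "#microsoft.graph.windows10CustomConfiguration",
            "displayName": profile_name, "omaSettings": rows}


if __name__ == "__main__":                                  # the SPNEGO site list is a constructed sample
    print(json.dumps(custom_profile(SAMPLE_ADMX, "Firefox", {"DisablePrivateBrowsing": None,
          "Authentication_SPNEGO": {"Authentication_SPNEGO": ["intranet.example.com"]}}), indent=2))
```

Run it against the real firefox.admx by reading the file into the admx_text argument; the printed body is what you POST to https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations with a token that holds DeviceManagementConfiguration.ReadWrite.All, after which the profile still needs an assignment. Keeping the rows generated from the ADMX means a template update (new revision, new categories) is picked up by re-running the script rather than by re-reading the file by hand.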

Now that you have completed the basics, visit the README to see what other policy settings you can implement: https://github.com/mozilla/policy-templates/blob/master/README.md

Regards
The Author – Blogabout.Cloud

Beating enforced home working due to Covid-19 using Microsoft Security Management.

Unless you have been living under a rock for the past couple of months, Covid-19 has forced organisations to promote home working. The issue is that most organisations today are just not prepared for it. So in this post I will look at the quick wins that can be implemented using Microsoft Security Management tools to identify and protect against potential threats to your cloud platform. "Microsoft Security Management" is just a collective name for a number of Microsoft products and features; today I am going to go through which of them can be used to improve your environment.

Microsoft Secure Score

Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more improvement actions taken. Following the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft 365 security center, organizations can monitor and work on the security of their Microsoft 365 identities, data, apps, devices, and infrastructure.

Secure Score helps organizations:

  • Report on the current state of the organization’s security posture.
  • Improve their security posture by providing discoverability, visibility, guidance, and control.
  • Compare with benchmarks and establish key performance indicators (KPIs).

Organizations gain access to robust visualizations of metrics and trends, integration with other Microsoft products, score comparison with similar organizations, and much more. The score can also reflect when third-party solutions have addressed recommended actions.

Browsing to https://securescore.office.com gives you direct access to your Microsoft Secure Score and the recommendations that have been made.

Check out what’s coming to Microsoft Secure Score. https://docs.microsoft.com/en-us/microsoft-365/security/mtp/microsoft-secure-score-whats-coming?view=o365-worldwide

Audit Logging

Turning on auditing within your Office 365 tenancy is possibly one of the quickest things you can do today. With audit logging enabled, user and admin activity from your organisation is recorded in the audit log and retained for 90 days.

To switch on audit logging in your tenancy, visit https://protection.office.com/homepage, then go to Search –> Audit log search.

Then simply press Turn on auditing.

Microsoft will now prepare the Office 365 audit log; this may take up to a couple of hours to complete.

Alternatively, you can enable it from PowerShell:

  1. Connect to Exchange Online PowerShell
  2. Run the following command to turn on audit log search in Office 365:

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

Either way, Get-AdminAuditLogConfig should afterwards report UnifiedAuditLogIngestionEnabled as True.

Office 365 Increased Security

Without reinventing the wheel, I suggest organisations look at the following page to see where they can improve their Office 365 security: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/tenant-wide-setup-for-increased-security?view=o365-worldwide

Reports!!!

It is important that you review your Reports dashboard to help identify any potential issues within your environment. Visit the URL below to start your investigations.

https://protection.office.com/insightdashboard

Regards,
The Author – Blogabout.Cloud

What’s dropped this month in Microsoft Endpoint Manager – March Update

New URL for the Microsoft Endpoint Manager admin center

To align with the announcement of Microsoft Endpoint Manager at Ignite last year, we have changed the URL for the Microsoft Endpoint Manager admin center (formerly Microsoft 365 Device Management) to https://endpoint.microsoft.com. The old admin center URL (https://devicemanagement.microsoft.com) will continue to work, but we recommend you start accessing the Microsoft Endpoint Manager admin center using the new URL.

For more information, see Simplify IT tasks using the Microsoft Endpoint Manager admin center.

App management

Script support for macOS devices (Public Preview)

You can add and deploy scripts to macOS devices. This support extends your ability to configure macOS devices beyond what is possible using native MDM capabilities on macOS devices. For more information, see Use shell scripts on macOS devices in Intune.

macOS and iOS Company Portal updates

The Profile pane of the macOS and iOS Company Portal has been updated to include the sign-out button. Additionally, UI improvements have been made to the Profile pane in the macOS Company Portal. For more information about the Company Portal, see How to configure the Microsoft Intune Company Portal app.

Retarget web clips to Microsoft Edge on iOS devices

Newly deployed web clips (pinned web apps) on iOS devices that are required to open in a protected browser, will open in Microsoft Edge rather than the Intune Managed Browser. You must retarget pre-existing web clips to ensure they open in Microsoft Edge rather than the Managed Browser. For more information, see Manage web access by using Microsoft Edge with Microsoft Intune and Add web apps to Microsoft Intune.

Use the Intune diagnostic tool with Microsoft Edge for Android

Microsoft Edge for Android is now integrated with the Intune diagnostic tool. Similarly to the experience on Microsoft Edge for iOS, entering “about:intunehelp” into the URL bar (the address box) of Microsoft Edge on the device will start the Intune diagnostic tool. This tool will provide detailed logs. Users can be guided to collect and send these logs to their IT department, or view MAM logs for specific apps.

Updates to Intune branding and customization

We have updated the Intune pane that was named “Branding and customization” with improvements, including:

  • Renaming the pane to Customization.
  • Improving the organization and design of the settings.
  • Improving the settings text and tooltips.

To find these settings in Intune, navigate to the Microsoft Endpoint Manager admin center, select Tenant administration > Customization. For information about existing customization, see How to configure the Microsoft Intune Company Portal app.

User’s personal encrypted recovery key

A new Intune feature is available that enables users to retrieve their personal encrypted FileVault recovery key for Mac devices through the Android Company Portal application or through the Android Intune application. There is a link in both the Company Portal application and Intune application that will open a Chrome browser to the Web Company Portal where the user can see the FileVault recovery key needed to access their Mac devices. For more information about encryption, see Use device Encryption with Intune.

Optimized dedicated device enrollment

We’re optimizing the enrollment for Android Enterprise dedicated devices and making it easier for SCEP certificates associated with Wi-Fi to apply to dedicated devices enrolled prior to November 22, 2019. For new enrollments, the Intune app will continue to install, but end-users will no longer need to perform the Enable Intune Agent step during enrollment. Installment will happen in the background automatically and SCEP certificates associated with Wi-Fi can be deployed and set without end-user interaction.

These changes will be rolling out on a phased basis throughout the month of March as the Intune service backend deploys. All tenants will have this new behavior by the end of March. For related information, see Support for SCEP certificates in Android Enterprise dedicated devices

Configure Delivery Optimization agent when downloading Win32 app content

You can configure the Delivery Optimization agent to download Win32 app content either in background or foreground mode based on assignment. For existing Win32 apps, content will continue to download in background mode. In the Microsoft Endpoint Manager admin center, select Apps > All apps > select the Win32 app > Properties. Select Edit next to Assignments. Edit the assignment by selecting Include under Mode in the Required section. You will find the new setting in the App settings section. For more information about Delivery Optimization, see Win32 app management – Delivery Optimization.

Improved sign-in experience in Company Portal for Android

We’ve updated the layout of several sign-in screens in the Company Portal app for Android to make the experience more modern, simple, and clean for users. For a look at the improvements, see What’s New in the app UI.

Improved user interface experience when creating device restrictions profiles on Android and Android Enterprise devices

When you create a profile for Android or Android Enterprise devices, the experience in the Endpoint Management admin center is updated. This change impacts the following device configuration profiles (Devices > Configuration Profiles > Create profile > Android device administrator or Android Enterprise for platform):

  • Device restrictions: Android device administrator
  • Device restrictions: Android Enterprise device owner
  • Device restrictions: Android Enterprise work profile

For more information on the device restrictions you can configure, see Android device administrator and Android Enterprise.

Improved user interface experience when creating configuration profiles on iOS/iPadOS and macOS devices

When you create a profile for iOS or macOS devices, the experience in the Endpoint Management admin center is updated. This change impacts the following device configuration profiles (Devices > Configuration Profiles > Create profile > iOS/iPadOS or macOS for platform):

  • Custom: iOS/iPadOS, macOS
  • Device features: iOS/iPadOS, macOS
  • Device restrictions: iOS/iPadOS, macOS
  • Endpoint protection: macOS
  • Extensions: macOS
  • Preference file: macOS

Hide from user configuration setting in device features on macOS devices

When you create a device features configuration profile on macOS devices, there’s a new Hide from user configuration setting (Devices > Configuration profiles > Create profile > macOS for platform > Device features for profile > Login items).

This feature sets an app’s hide checkmark in the Users & Groups login items apps list on macOS devices. Existing profiles show this setting within the list as unconfigured. To configure this setting, administrators can update existing profiles.

When set to Hide, the hide checkbox is checked for the app, and users can’t change it. It also hides the app from users after users sign in to their devices.

For more information on the setting you can configure, see macOS device feature settings.

This feature applies to:

  • macOS

Device configuration

New user experience when creating administrative templates on Windows devices

Based on customer feedback, and our move to the new Azure full screen experience, we’ve rebuilt the Administrative Templates profile experience with a folder view. We haven’t made changes to any settings or existing profiles. So, your existing profiles will stay the same, and will be usable in the new view. You can still navigate all settings options by selecting All Settings, and using search. The tree view is split by Computer and User configurations. You will find Windows, Office and Edge settings in their associated folders.

Applies to:

  • Windows 10 and newer

VPN profiles with IKEv2 VPN connections can use always on with iOS/iPadOS devices

On iOS/iPadOS devices, you can create a VPN profile that uses an IKEv2 connection (Devices > Configuration profiles > Create profile > iOS/iPadOS for platform > VPN for profile type). Now, you can configure always-on with IKEv2. When configured, IKEv2 VPN profiles connect automatically, and stay connected (or quickly reconnect) to the VPN. It stays connected even when moving between networks or restarting devices.

On iOS/iPadOS, always-on VPN is limited to IKEv2 profiles.

To see the IKEv2 settings you can configure, go to Add VPN settings on iOS devices in Microsoft Intune.

Applies to:

  • iOS/iPadOS

Delete bundles and bundle arrays in OEMConfig device configuration profiles on Android Enterprise devices

On Android Enterprise devices, you create and update OEMConfig profiles (Devices > Configuration profiles > Create profile > Android Enterprise for platform > OEMConfig for profile type). Users can now delete bundles and bundle arrays using the Configuration designer in Intune.

For more information on OEMConfig profiles, see Use and manage Android Enterprise devices with OEMConfig in Microsoft Intune.

Applies to:

  • Android Enterprise

Configure the iOS/iPadOS Microsoft Azure AD SSO app extension

The Microsoft Azure AD team created a redirect single sign-on (SSO) app extension to allow iOS/iPadOS 13.0+ users to gain access to Microsoft apps and websites with one sign-on. All apps that previously had brokered authentication with the Microsoft Authenticator app will continue to get SSO with the new SSO extension. With the Azure AD SSO app extension release, you can configure the SSO extension with the redirect SSO app extension type (Devices > Configuration profiles > Create profile > iOS/iPadOS for platform > Device features for profile type > Single sign-on app extension).

Applies to:

  • iOS 13.0 and newer
  • iPadOS 13.0 and newer

For more information about iOS SSO app extensions, see Single sign-on app extension.

Enterprise app trust settings modification setting is removed from iOS/iPadOS device restriction profiles

On iOS/iPadOS devices, you create a device restrictions profile (Devices > Configuration profiles > Create profile > iOS/iPadOS for platform > Device restrictions for profile type). The Enterprise app trust settings modification setting is removed by Apple, and is removed from Intune. If you currently use this setting in a profile, it has no impact, and is removed from existing profiles. This setting is also removed from any reporting in Intune.

Applies to:

  • iOS/iPadOS

To see the settings you can restrict, go to iOS and iPadOS device settings to allow or restrict features.

Troubleshooting: Pending MAM policy notification changed to informational icon

The notification icon for a pending MAM policy on the Troubleshooting blade has been changed to an informational icon.

UI update when configuring compliance policy

We've updated the UI for creating compliance policies in Microsoft Endpoint Manager (Devices > Compliance policies > Policies > Create Policy). The new user experience includes the same settings and details you've used previously. It follows a wizard-like process to create the compliance policy and includes a page where you can add Assignments for the policy, and a Review + Create page where you can review your configuration before creating the policy.

Retire noncompliant devices

We’ve added a new action for noncompliant devices that you can add to any policy, to retire the noncompliant device. The new action, Retire the noncompliant device, results in removal of all company data from the device, and also removes the device from being managed by Intune. This action runs when the configured value in days is reached and at that point the device becomes eligible to be retired. The minimum value is 30 days. Explicit IT admin approval will be required to retire the devices by using the Retire Non-compliant devices section, where admins can retire all eligible devices.

Support for WPA and WPA2 in iOS Enterprise Wi-Fi profiles

Enterprise Wi-Fi profiles for iOS now support the Security type field. For Security type, you can select either of WPA Enterprise or WPA/WPA2 Enterprise, and then specify a selection for the EAP type. (Devices > Configuration profiles > Create profile and select iOS/iPadOS for Platform and then Wi-Fi for Profile).

The new Enterprise options are like those that have been available for a Basic Wi-Fi profile for iOS.

New user experience for certificate, email, VPN, and Wi-Fi profiles

We’ve updated the user experience in the Endpoint Management Admin Center (Devices > Configuration profiles > Create profile) for creating and modifying the following profile types. The new experience presents the same settings as before, but uses a wizard-like experience that doesn’t require as much horizontal scrolling. You won’t need to modify existing configurations with the new experience.

  • Derived credential
  • Email
  • PKCS certificate
  • PKCS imported certificate
  • SCEP certificate
  • Trusted certificate
  • VPN
  • Wi-Fi

Device enrollment

Configure if enrollment is available in Company Portal for Android and iOS

You can configure whether device enrollment in the Company Portal on Android and iOS devices is available with prompts, available without prompts, or unavailable to users. To find these setting in Intune, navigate to the Microsoft Endpoint Manager admin center and, select Tenant administration > Customization > Edit > Device enrollment.

Support for the device enrollment setting requires end users have these Company Portal versions:

  • Company Portal on iOS: version 4.4 or later
  • Company Portal on Android: version 5.0.4715.0 or later

For more information about existing Company Portal customization, see How to configure the Microsoft Intune Company Portal app.

Device management

New Android report on Android Devices overview page

We’ve added a report to the Microsoft Endpoint Manager admin console in the Android Devices overview page that displays how many Android devices have been enrolled in each device management solution. This chart (like the same chart already in the Azure console) shows work profile, fully managed, dedicated, and device administrator enrolled device counts. To see the report, choose Devices > Android > Overview.

Guide users from Android device administrator management to work profile management

We’re releasing a new compliance setting for the Android device administrator platform. This setting lets you make a device non-compliant if it’s managed with device administrator.

On these non-compliant devices, on the Update device settings page users will see the Move to new device management setup message. If they tap the Resolve button, they’ll be guided through:

  1. Unenrolling from device administrator management
  2. Enrolling in work profile management
  3. Resolving compliance issues

Google is decreasing device administrator support in new Android releases in an effort to move to modern, richer, and more secure device management with Android Enterprise. Intune can only provide full support for device administrator-managed Android devices running Android 10 and later through Q2 CY2020. Device administrator-managed devices (except Samsung) that are running Android 10 or later after this time won’t be able to be entirely managed. In particular, impacted devices won’t receive new password requirements.

For more information about this setting, see Move Android devices from device administrator to work profile management.

Microsoft Endpoint Manager tenant attach: Device sync and device actions

Microsoft Endpoint Manager is bringing together Configuration Manager and Intune into a single console. Starting in Configuration Manager technical preview version 2002.2, you can upload your Configuration Manager devices to the cloud service and take actions on them in the admin center. For more information, see Features in Configuration Manager technical preview version 2002.2.

Review the Configuration Manager technical preview article before installing this update. This article familiarizes you with the general requirements and limitations for using a technical preview, how to update between versions, and how to provide feedback.

Bulk remote actions

You can now issue bulk commands for the following remote actions: restart, rename, Autopilot reset, wipe, and delete. To see the new bulk actions, go to Microsoft Endpoint Manager admin center > Devices > All devices > Bulk actions.

All devices list improved search, sort, and filter

The All devices list has been improved for better performance, searching, sorting, and filtering. For more information, see this Support Tip.

Change Primary User for Windows devices

You can change the Primary User for Windows hybrid and Azure AD Joined devices. To do so, go to Intune > Devices > All devices > choose a device > Properties > Primary User. For more information, see Change a device’s primary user.

A new RBAC permission (Managed Devices / Set primary user) has also been created for this task. The permission has been added to built-in roles including Helpdesk Operator, School Administrator, and Endpoint Security Manager.

This feature is rolling out to customers globally under preview. You should see the feature within the next few weeks.

Monitor and troubleshoot

The Data Warehouse now provides the MAC address

The Intune Data Warehouse provides the MAC address as a new property (EthernetMacAddress) in the device entity to allow admins to correlate between the user and host mac address. This property helps to reach specific users and troubleshoot incidents occurring on the network. Admins can also use this property in Power BI reports to build richer reports. For more information, see the Intune Data Warehouse device entity.

Additional Data Warehouse device inventory properties

Additional device inventory properties are available using the Intune Data Warehouse. The following properties are now exposed via the devices collection:

  • 'Model' – The device model.
  • 'Office365Version' – The version of Office 365 that is installed on the device.
  • 'PhysicalMemoryInBytes' – The physical memory in bytes.
  • 'TotalStorageSpaceInBytes' – Total storage capacity in bytes.

For more information, see Microsoft Intune Data Warehouse API and the Intune Data Warehouse device entity.

Help and support workflow update to support additional services

We’ve updated the Help and support page in the Microsoft Endpoint Manager admin center where you now choose the management type you use. With this change you’ll be able to select from the following management types:

  • Configuration Manager (includes Desktop Analytics)
  • Intune
  • Co-management

Security

Use a preview of security administrator focused policies as part of Endpoint security

As a public preview, we’ve added several new policy groups under the Endpoint security node in the Microsoft Endpoint Management admin center. As a security admin you can use these new policies to focus on specific aspects of device security to manage discrete groups of related settings without the overhead of the larger Device Configuration policy body.

With the exception of the new Antivirus policy for Microsoft Defender Antivirus (see below), the settings in each of these new preview policies and profiles are the same settings that you might already configure through Device configuration profiles today.

The Antivirus profile for Microsoft Defender Antivirus is the exception: it introduces a new instance of settings that are otherwise found in a device restriction profile. These new Antivirus settings:

  • Are the same settings as found in device restrictions, but support a third configuration option that is not available when configured as a device restriction.
  • Apply to devices that are co-managed with Configuration Manager, when the co-management workload slider for Endpoint Protection is set to Intune.

Plan to use the new Antivirus > Microsoft Defender Antivirus profile in place of configuring these settings through a device restriction profile.

The following are the new policy types, all in preview, and their available profile types:

  • Antivirus (Preview):
    • Windows 10 and later:
      • Microsoft Defender Antivirus
      • Windows Security experience – Manage the Windows Security settings that end users can view in the Microsoft Defender Security center and the notifications they receive. These settings are unchanged from those available as a Device configuration Endpoint Protection profile.
  • Disk encryption (Preview):
    • macOS:
      • FileVault
    • Windows 10 and later:
      • BitLocker
  • Firewall (Preview):
    • macOS:
      • macOS firewall
    • Windows 10 and later:
      • Microsoft Defender Firewall
  • Endpoint detection and response (Preview):
    • Windows 10 and later:
      • Windows 10 Intune
  • Attack surface reduction (Preview):
    • Windows 10 and later:
      • App and browser isolation
      • Web protection
      • Application control
      • Attack surface reduction rules
      • Device control
      • Exploit protection
  • Account protection (Preview):
    • Windows 10 and later:
      • Account protection

Regards
The Author – Blogabout.Cloud

Managing your Account Protection in Endpoint Manager is now in preview

Hello there

When looking at my Microsoft Endpoint Manager dashboard today, I noticed a number of new preview features have arrived. Next up, I am going to be looking at Account Protection capabilities via Endpoint Security.

Microsoft Endpoint Manager has a new home

Microsoft Endpoint Manager is now accessed at a new URL, http://endpoint.microsoft.com, replacing http://devicemanagement.microsoft.com.

This new preview feature supports the following scenario:

Windows 10 and later (Account Protection)

Account Protection

This section is quite brief but very effective if you are looking at options to protect your end-user accounts. In my own environment, I am very much using Windows Hello with credential guard to provide as much security as possible.

Setting: Block Windows Hello for Business
Action: Not configured / Disabled / Enabled
Definition: Windows Hello for Business is an alternative method for signing into Windows by replacing passwords, Smart Cards, and Virtual Smart Cards. If you disable or do not configure this policy setting, the device provisions Windows Hello for Business. If you enable this policy setting, the device does not provision Windows Hello for Business for any user.

Setting: Enable to use security keys for sign-in
Action: Yes / Not configured
Definition: Enable Windows Hello security key as a logon credential for all PCs in the tenant.

Setting: Turn on credential guard
Action: Not configured / Enable with UEFI lock / Enable without UEFI lock
Definition: Turn on credential guard

There is no configuration available for macOS.
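A way to confirm on the client that the Account protection profile above actually took effect. This is an added example and not code from the Blogabout.Cloud post; it assumes an elevated PowerShell session on the managed Windows 10 device, that the Win32_DeviceGuard class reports Credential Guard as service id 1, and that the policy-applied Credential Guard mode is readable as LsaCfgFlags under the Lsa key or the DeviceGuard policy key (0 = off, 1 = with UEFI lock, 2 = without UEFI lock); the NgcSet line parsed from dsregcmd /status is the Windows Hello for Business provisioning indicator.

```powershell
# Added example (not from the Blogabout.Cloud post): check that the Account
# protection settings (Credential Guard, Windows Hello for Business) landed
# on a Windows 10 client. Run elevated on the managed device.

function Get-AccountProtectionState {
    [CmdletBinding()]
    param()

    # Credential Guard state from the DeviceGuard WMI class.
    # SecurityServicesRunning contains 1 when Credential Guard is running
    # (2 is HVCI / memory integrity).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'
    $cgConfigured = $dg.SecurityServicesConfigured -contains 1
    $cgRunning    = $dg.SecurityServicesRunning    -contains 1

    # Policy flavour (with/without UEFI lock) is stored as LsaCfgFlags.
    # Assumption: GPO/MDM writes it to one of these two locations.
    $lsaFlags = $null
    foreach ($key in 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard',
                     'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa') {
        $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).LsaCfgFlags
        if ($null -ne $val) { $lsaFlags = $val; break }
    }
    $cgMode = switch ($lsaFlags) {
        1       { 'Enabled with UEFI lock' }
        2       { 'Enabled without UEFI lock' }
        0       { 'Disabled' }
        default { 'Not configured' }
    }

    # Windows Hello for Business provisioning for the signed-in user:
    # dsregcmd /status prints "NgcSet : YES" once a key/PIN is enrolled.
    $dsreg  = dsregcmd /status
    $ngcSet = ($dsreg | Select-String -Pattern '^\s*NgcSet\s*:\s*YES').Count -gt 0

    [pscustomobject]@{
        CredentialGuardConfigured = $cgConfigured
        CredentialGuardRunning    = $cgRunning
        CredentialGuardMode       = $cgMode
        WindowsHelloProvisioned   = $ngcSet
    }
}

# Usage: compare the output with the profile you assigned. A device that
# shows Configured = $true but Running = $false after a policy sync still
# needs a reboot, because VBS-backed services only start at boot.
$state = Get-AccountProtectionState
$state | Format-List
if (-not $state.CredentialGuardRunning) {
    Write-Warning 'Credential Guard is not running; check VBS prerequisites (UEFI, Secure Boot, virtualization extensions) and reboot.'
}
```

The UEFI lock option matters operationally: once a device has been deployed with "Enable with UEFI lock", flipping the profile to Not configured does not turn Credential Guard off, because the lock is held in firmware variables and has to be cleared on the device itself.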

Please keep an eye on the upcoming features for Microsoft Endpoint Manager: https://docs.microsoft.com/en-us/mem/intune/fundamentals/in-development

Regards
The Author – Blogabout.Cloud

Managing your Endpoint detection and response in Endpoint Manager is now in preview.

Hello there,

When looking at my Microsoft Endpoint Manager dashboard today, I noticed a number of new preview features have arrived. Next up, I am going to be looking at Endpoint detection and response capabilities via Endpoint Security.

Microsoft Endpoint Manager has a new home

Microsoft Endpoint Manager is now accessed at a new URL, http://endpoint.microsoft.com, replacing http://devicemanagement.microsoft.com.

This new preview feature supports the following scenario:

Windows 10 and later (Microsoft Defender ATP)

Endpoint Detection and Response

Now let’s look at the settings that are available to us today; the information below has been taken directly from the MEM dashboard.

Setting: Microsoft Defender ATP client configuration package type
Action: Not configured / Onboarding Blob / Offboarding Blob
Definition: Upload a signed configuration package that will be used to onboard the Microsoft Defender ATP client.

Setting: Sample sharing for all files
Action: Yes / Not configured
Definition: Returns or sets the Microsoft Defender Advanced Threat Protection Sample Sharing configuration parameter.

Setting: Expedite telemetry reporting frequency
Action: Yes / Not configured
Definition: Expedite Microsoft Defender Advanced Threat Protection telemetry reporting frequency.

There is no configuration available yet for macOS; this may change in the future. Please keep an eye on the upcoming features for Microsoft Endpoint Manager: https://docs.microsoft.com/en-us/mem/intune/fundamentals/in-development
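To verify that the onboarding blob pushed by this profile actually onboarded a client, the following added example (not code from the Blogabout.Cloud post) reads the local indicators on a Windows 10 device. It assumes an elevated session, that the EDR sensor runs as the "Sense" service, that the OnboardingState value under the Windows Advanced Threat Protection\Status key is 1 once onboarding succeeded, and that the "Sample sharing for all files" setting maps to the AllowSampleCollection policy value (1 = allowed, 0 = blocked).

```powershell
# Added example (not from the Blogabout.Cloud post): confirm Microsoft
# Defender ATP onboarding and the sample-sharing policy on a Windows 10
# client after the Endpoint detection and response profile applied.

function Get-DefenderAtpOnboardingState {
    [CmdletBinding()]
    param()

    # The EDR sensor is the "Sense" service
    # (Windows Defender Advanced Threat Protection Service).
    $sense = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue

    # OnboardingState = 1 is written once the onboarding blob was applied.
    $statusKey  = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $onboarding = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState

    # Sample sharing from the profile lands in the policy hive (assumed name).
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
    $samples   = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).AllowSampleCollection

    [pscustomobject]@{
        SenseServicePresent = [bool]$sense
        SenseServiceRunning = ($null -ne $sense -and $sense.Status -eq 'Running')
        Onboarded           = ($onboarding -eq 1)
        SampleSharing       = $(switch ($samples) {
                                  1       { 'Allowed' }
                                  0       { 'Blocked' }
                                  default { 'Not configured (client default)' }
                              })
    }
}

# Usage: a client that shows Onboarded = $true but SenseServiceRunning =
# $false is onboarded but not reporting, which is the case to chase first
# because the device will silently disappear from the ATP portal.
$atp = Get-DefenderAtpOnboardingState
$atp | Format-List
if (-not $atp.Onboarded)           { Write-Warning 'Device is not onboarded; check that the onboarding blob profile reached it.' }
if (-not $atp.SenseServiceRunning) { Write-Warning 'Sense service is not running; the sensor is not reporting.' }
```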

Regards
The Author – Blogabout.Cloud

Managing your Firewall in Endpoint Manager is now in preview.

Hello there,

When looking at my Microsoft Endpoint Manager dashboard today, I noticed a number of new preview features have arrived. Next up, I am going to be looking at Firewall capabilities via Endpoint Security.

Microsoft Endpoint Manager has a new home

Microsoft Endpoint Manager is now accessed at a new URL, http://endpoint.microsoft.com, replacing http://devicemanagement.microsoft.com.

This new preview feature supports the following scenarios:

Windows 10 – Microsoft Defender Firewall

Microsoft Defender Firewall

Now let’s look at the settings that are available to us today; the information below has been taken directly from the MEM dashboard.

Setting: Disable stateful File Transfer Protocol (FTP)
Action: Yes / Not configured
Definition: If not configured, the firewall will use FTP to inspect and filter secondary network connections, which could cause your firewall rules to be ignored.

Setting: Number of seconds a security association can be idle before it’s deleted
Action: Enter idle time in seconds (300 – 3600)
Definition: How long the security associations are kept after network traffic is not seen. The number must be from 300 to 3600 seconds. When not configured, the system will delete a security association after it’s been idle for 300 seconds.

Setting: Preshared key encoding
Action: Not configured / None / UTF8
Definition: If you don’t require UTF-8, preshared keys will initially be encoded using UTF-8. After that, device users can choose another encoding method.

Setting: Firewall IP sec exemptions allow neighbor discovery
Action: Yes / Not configured
Definition: Firewall IP sec exemptions allow neighbor discovery

Setting: Firewall IP sec exemptions allow ICMP
Action: Yes / Not configured
Definition: Firewall IP sec exemptions allow ICMP

Setting: Firewall IP sec exemptions allow router discovery
Action: Yes / Not configured
Definition: Firewall IP sec exemptions allow router discovery

Setting: Firewall IP sec exemptions allow DHCP
Action: Yes / Not configured
Definition: Firewall IP sec exemptions allow DHCP

Setting: Certificate revocation list (CRL) verification
Action: Not configured / None / Attempt / Require
Definition: Specify how certificate revocation list (CRL) verification is enforced. When set to Not configured, the client default is to disable CRL verification.

Setting: Require keying modules to only ignore the authentication suites they don’t support
Action: Yes / Not configured
Definition: When this setting is set to Yes, keying modules will ignore unsupported authentication suites.

Setting: Packet queuing
Action: Not configured / Disabled / Queue Inbound / Queue Outbound / Queue Both
Definition: Specify how scaling for the software on the receive side is enabled for the encrypted receive and clear text forward for the IPsec tunnel gateway scenario. This ensures that the packet order is preserved. When this is set to Not configured, packet queuing will be returned to the client default, which is disabled.

Setting: Turn on Microsoft Defender Firewall for domain networks
Action: Not configured / Yes / No
Definition: When this setting is set to Yes, the Microsoft Defender Firewall for this network type (domain) will be turned on and enforced. When it’s set to Not configured, the client will return to default, which is to enable the firewall. To disable the firewall, set to No.

Setting: Turn on Microsoft Defender Firewall for private networks
Action: Not configured / Yes / No
Definition: When this setting is set to Yes, the Microsoft Defender Firewall for this network type (private) will be turned on and enforced. When it’s set to Not configured, the client will return to default, which is to enable the firewall. To disable the firewall, set to No.

Setting: Turn on Microsoft Defender Firewall for public networks
Action: Not configured / Yes / No
Definition: When this setting is set to Yes, the Microsoft Defender Firewall for this network type (public) will be turned on and enforced. When it’s set to Not configured, the client will return to default, which is to enable the firewall. To disable the firewall, set to No.

Once you have created your new policy, make sure you have applied a scope tag and assigned it to your relevant security groups before saving.
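The profile rows above map almost one-to-one onto the Windows firewall cmdlets, which makes it easy to audit a client after the policy syncs. The block below is an added example, not code from the Blogabout.Cloud post; it assumes an elevated session on a Windows 10 device, and the $Expected values are the client defaults quoted in the definitions above (all three profiles on, stateful FTP on, 300 s SA idle time, no CRL check, no packet queuing), so change them to whatever your own profile selected.

```powershell
# Added example (not from the Blogabout.Cloud post): audit Microsoft Defender
# Firewall state on a Windows 10 client against the Firewall profile's intent.

# Expected values: edit to match the choices made in your Endpoint security profile.
$Expected = @{
    DomainEnabled        = 'True'
    PrivateEnabled       = 'True'
    PublicEnabled        = 'True'
    StatefulFtp          = 'True'      # "Disable stateful FTP" left Not configured
    MaxSAIdleTimeSeconds = 300         # client default when not configured
    CertValidationLevel  = 'None'      # CRL verification off by default
    PacketQueuing        = 'None'      # packet queuing disabled by default
}

function Test-DefenderFirewallCompliance {
    [CmdletBinding()]
    param([hashtable]$Expected)

    $findings = New-Object System.Collections.Generic.List[string]

    # Per-profile on/off state (domain / private / public). Enabled is a
    # GpoBoolean (True / False / NotConfigured), so compare as a string.
    foreach ($p in Get-NetFirewallProfile -Name Domain, Private, Public) {
        $want = $Expected["$($p.Name)Enabled"]
        if ("$($p.Enabled)" -ne $want) {
            $findings.Add("Profile $($p.Name): Enabled=$($p.Enabled), expected $want")
        }
    }

    # Global settings that the profile's IPsec/advanced rows correspond to.
    $s = Get-NetFirewallSetting
    if ("$($s.EnableStatefulFtp)" -ne $Expected.StatefulFtp) {
        $findings.Add("Stateful FTP: $($s.EnableStatefulFtp), expected $($Expected.StatefulFtp)")
    }
    if ($s.MaxSAIdleTimeSeconds -ne $Expected.MaxSAIdleTimeSeconds) {
        $findings.Add("SA idle time: $($s.MaxSAIdleTimeSeconds)s, expected $($Expected.MaxSAIdleTimeSeconds)s")
    }
    if ("$($s.CertValidationLevel)" -ne $Expected.CertValidationLevel) {
        $findings.Add("CRL verification: $($s.CertValidationLevel), expected $($Expected.CertValidationLevel)")
    }
    if ("$($s.EnablePacketQueuing)" -ne $Expected.PacketQueuing) {
        $findings.Add("Packet queuing: $($s.EnablePacketQueuing), expected $($Expected.PacketQueuing)")
    }

    [pscustomobject]@{
        Compliant       = ($findings.Count -eq 0)
        Findings        = $findings
        # Flag set reported as e.g. "NeighborDiscovery, Icmp"; informational only.
        IPsecExemptions = "$($s.Exemptions)"
    }
}

$result = Test-DefenderFirewallCompliance -Expected $Expected
$result | Format-List
if (-not $result.Compliant) {
    Write-Warning 'Firewall state differs from the assigned profile; check policy sync and conflicting configuration profiles.'
}
```

A mismatch on the profile on/off rows is usually a policy conflict (a Device configuration Endpoint protection profile still targeting the same group), which the MEM dashboard reports as a conflict on the device, while a mismatch on the global IPsec rows more often means the profile simply has not synced yet.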

macOS – macOS Firewall

Firewall

Now let’s look at the settings that are available to us today; the information below has been taken directly from the MEM dashboard.

Setting: Enable Firewall
Action: Yes / Not configured
Definition: Enable Firewall to configure how incoming connections are handled in your environment.

Setting: Block all incoming connections
Action: Yes / Not configured
Definition: Block all incoming connections except those required for basic Internet services such as DHCP, Bonjour, and IPSec. This will block all sharing services.

Setting: Enable stealth mode
Action: Yes / Not configured
Definition: Enabling stealth mode prevents the computer from responding to probing requests. The computer still answers incoming requests for authorized apps.

Setting: Firewall apps
Definition: Set rules for incoming connections for the following apps.

Once you have created your new policy, make sure you have applied a scope tag and assigned it to your relevant security groups before saving.

This completes the list of configurations available in Microsoft Endpoint Manager for Firewall.

Regards,
The Author – Blogabout.Cloud

Managing your Antivirus in Endpoint Manager is now in preview.

Hello there,

When looking at my Microsoft Endpoint Manager dashboard today, I noticed a number of new preview features have arrived. First up, I am going to be looking at Antivirus capabilities via Endpoint Security.

Microsoft Endpoint Manager has a new home

Microsoft Endpoint Manager is now accessed at a new URL, http://endpoint.microsoft.com, replacing http://devicemanagement.microsoft.com.

This new preview feature supports the following scenarios:

Windows 10 and later (Microsoft Defender Antivirus)

Configuration Settings

Cloud Protection

Setting: Turn on cloud-delivered protection
Action: Not configured / Yes / No
Definition: When set to Yes, Defender will send information to Microsoft about any problems it finds. If set to Not configured, the client will return to default, which enables the feature but allows the user to disable it.

Setting: Cloud-delivered protection level
Action: Not configured / High / High plus / Zero tolerance
Definition: Specify the level of cloud-delivered protection. Not configured uses the default Microsoft Defender Antivirus blocking level and provides strong detection without increasing the risk of detecting legitimate files. High applies a strong level of detection. High plus uses the High level and applies additional protection measures (may impact client performance). Zero tolerance blocks all unknown executables. While unlikely, setting to High may cause some legitimate files to be detected. We recommend you set this to the default level (Not configured).

Setting: Defender Cloud Extended Timeout In Seconds

Microsoft Defender Antivirus Exclusions

Setting: Defender Processes To Exclude

Setting: File extensions to exclude from scans and real-time protection

Setting: Defender Files And Folders To Exclude

Real-time protection

Setting: Turn on real-time protection
Action: Not configured / Yes / No
Definition: When this setting is set to Yes, real-time monitoring will be enforced and the user cannot disable it. When set to Not configured, the setting is returned to the client default, which is on, but the user can change it.

Setting: Enable on access protection
Action: Not configured / Yes / No
Definition: Virus protection that’s continuously active, as opposed to on demand.

Setting: Monitoring for incoming and outgoing files
Action: Monitor all files / Only monitor incoming files / Only monitor outgoing files
Definition: Configure this setting to determine which NTFS file and program activity is monitored. Monitor all files is the default, but for certain specific scenarios you may want to configure scanning for only incoming or outgoing files (e.g., server scenarios).

Setting: Turn on behavior monitoring
Action: Not configured / Yes / No
Definition: When this setting is set to Yes, behavior monitoring will be enforced and the user cannot disable it. When set to Not configured, the setting is returned to the client default, which is on, but the user can change it.

Setting: Turn on network protection
Action: Not configured / Yes / No
Definition: When this setting is set to Yes, behavior monitoring will be enforced and the user cannot disable it. When set to Not configured, the setting is returned to the client default, which is on, but the user can change it.

Setting: Scan all downloaded files and attachments
Action: Not configured / Yes / No
Definition: When this setting is set to Yes, all downloaded files and attachments will be scanned. When set to Not configured, the setting is returned to the client default, which is on, but the user can change it.

Setting: Scan scripts that are used in Microsoft browsers
Action: Not configured / Yes / No
Definition: When this setting is set to Yes, the Windows Defender Script Scanning functionality will be enforced and the user cannot turn it off. When set to Not configured, the setting is returned to the client default, which is to enable script scanning; however, the user can turn it off.

Setting: Scan network files
Action: Not configured / Yes / No

Setting: Scan emails
Action: Not configured / Yes / No
Definition: When set to Yes, e-mail mailbox and mail files such as PST, DBX, MNX, MIME and BINHEX will be scanned. When Not configured, the setting will return to the client default of e-mail files not being scanned.

Remediation

Setting: Number of days (0-90) to keep quarantined malware
Definition: Configure this setting to determine the number of days items should be kept in the quarantine folder before being removed. Leaving this Not configured or setting it to 0 will result in quarantined files never being removed.

Setting: Submit samples consent

Setting: Action to take on potentially unwanted apps
Definition: Specify the level of protection for potentially unwanted applications (PUAs). Not configured configures the client to default, which is PUA Protection Off. Block turns PUA Protection On and blocks potentially unwanted applications. Audit allows PUA to detect potentially unwanted applications, but takes no action.

Setting: Actions for detected threats
Action: Configured / Not configured
Definition: Allows you to specify any valid threat severity levels and the corresponding default action to take. Only enforced in Windows 10 for desktop.

Scan

Setting: Scan archive files
Action: Not configured / Yes / No
Definition: When set to Yes, scanning of archive files such as ZIP or CAB files will be enforced. When set to Not configured, the setting will be returned to the client default, which is to scan archived files; however, the user may disable this.

Setting: Use low CPU priority for scheduled scans
Action: Not configured / Yes / No
Definition: When this setting is set to Yes, scheduled scans will be run with low CPU priority. When set to Not configured, the setting is returned to the client default, in which no changes to CPU priority will be made.

Setting: Disable catch-up full scan
Action: Not configured / Yes / No
Definition: When this setting is set to Yes, catch-up scans for full scans will be enforced and the user cannot disable them. When set to Not configured, the setting is returned to the client default, which is to enable catch-up scans for full scans; however, the user can turn them off.

Setting: Disable catch-up quick scan
Action: Not configured / Yes / No
Definition: When this setting is set to Yes, catch-up scans for quick scans will be enforced and the user cannot disable them. When set to Not configured, the setting is returned to the client default, which is to enable catch-up scans for quick scans; however, the user can turn them off.

Setting: CPU usage limit per scan
Definition: Configure this with a value that represents the maximum CPU percentage allowed for a scan. The default (and recommended) is 50%.

Setting: Scan mapped network drives during full scan
Action: Not configured / Yes / No
Definition: When set to Yes, mapped network drives will be included during a full scan. When set to Not configured, the client will be returned to default, which is to disable scanning of mapped network drives.

Setting: Run daily quick scan at
Action: Not configured / Yes / No
Definition: Provide a time of day at which the Windows Defender quick scan should run. This setting is dependent on the scan type selected being ‘quick scan’.

Setting: Scan type
Action: Not configured / Yes / No
Definition: Specify the scan type to use for a scheduled scan.

Setting: Day of week to run a scheduled scan
Action: Not configured / Yes / No
Definition: Scheduled day for scan.

Setting: Time of day to run a scheduled scan
Action: Not configured / Yes / No
Definition: Specify the time for the scan to run.

Update

Setting: Enter how often (0-24 hours) to check for security intelligence updates
Definition: Configure this setting to determine how often to check for signatures. A value of 1 means checking every hour, 2 for every two hours, and so on. Selecting Do not check will disable signature updates. When set to Not configured, the client default of 8 hours is applied.

User Experience

Setting: Allow user access to Microsoft Defender app
Action: Not configured / Yes / No
Definition: When set to No, the Windows Defender User Interface (UI) will be inaccessible and notifications will be suppressed. When set to Not configured, the setting will return to the client default, in which UI and notifications will be allowed.

Once you have selected your required configuration:

  • Define the Scope Tags (if in use within your environment)
  • Define the Assignment to your selected groups
  • Review and Create

Windows 10 and later (Windows Security experience)

Windows Security

Setting: Enable tamper protection to prevent Microsoft Defender being disabled
Action: Not configured / Enable / Disabled
Definition: Not configured is the default state and will have no impact. Enabled will enable the Tamper Protection restrictions. Disabled will disable the Tamper Protection restrictions. When the Enabled or Disabled state exists on a client, deploying Not configured will have no impact on the setting. To change the state from currently Enabled/Disabled, you must deploy the opposite setting for it to have effect.

Setting: Hide the Virus and threat protection area in the Windows Security app
Action: Yes / Not configured
Definition: By setting this to Yes, the virus and threat protection area in the Windows Security app will be hidden from end users. Also, virus and threat protection related notifications will be suppressed. By setting this to Not configured, the setting will return to the client default, which is to allow user access and notifications.

Setting: Hide the Ransomware data recovery option in the Windows Security app
Action: Yes / Not configured
Definition: By setting this to Yes, the virus and threat protection area in the Windows Security app will be hidden from end users. Also, virus and threat protection related notifications will be suppressed. By setting this to Not configured, the setting will return to the client default, which is to allow user access and notifications.

Setting: Hide the Account protection area in the Windows Security app
Action: Yes / Not configured
Definition: By setting this to Yes, the Account protection area in the Windows Security app will be hidden from end users. Also, account protection related notifications will be suppressed. By setting this to Not configured, the setting will return to the client default, which is to allow user access and notifications.

Setting: Hide the Firewall and network protection area in the Windows Security app
Action: Yes / Not configured
Definition: By setting this to Yes, the firewall and network protection area in the Windows Security app will be hidden from end users. Also, firewall and network protection related notifications will be suppressed. By setting this to Not configured, the setting will return to the client default, which is to allow user access and notifications.

Setting: Hide the App and browser control area in the Windows Security app
Action: Yes / Not configured
Definition: By setting this to Yes, the app and browser control area in the Windows Security app will be hidden from end users. Also, app and browser control related notifications will be suppressed. By setting this to Not configured, the setting will return to the client default, which is to allow user access and notifications.

Setting: Hide the Device security area in the Windows Security app
Action: Yes / Not configured
Definition: By setting this to Yes, the hardware protection area in the Windows Security app will be hidden from end users. Also, hardware protection related notifications will be suppressed. By setting this to Not configured, the setting will return to the client default, which is to allow user access and notifications.

Setting: Hide the Device performance and health area in the Windows Security app
Action: Yes / Not configured
Definition: By setting this to Yes, the device performance and health area in the Windows Security app will be hidden from end users. Also, device performance and health related notifications will be suppressed. By setting this to Not configured, the setting will return to the client default, which is to allow user access and notifications.

Setting: Hide the Family options area in the Windows Security app
Action: Yes / Not configured
Definition: By setting this to Yes, the family options area in the Windows Security app will be hidden from end users. Also, family options related notifications will be suppressed. By setting this to Not configured, the setting will return to the client default, which is to allow user access and notifications.

Setting: Windows Security app notifications
Action: Not configured / Block non-critical notifications / Block all notifications
Definition: You can control Windows Security app notifications per feature by using the preceding settings. Alternatively, use this setting to block all Windows Security notifications from your users. By setting Not configured, all Windows Security app notifications that are not controlled by another setting will be allowed. By setting Block non-critical notifications, notifications such as scan completions will be blocked. By setting Block all notifications, critical and non-critical notifications will be blocked for all Windows Security features.

Setting: Hide the Windows Security icon from the notification area
Action: Yes / Not configured
Definition: Setting this to Yes will hide the Windows Security icon from the user’s system tray. Not configured will return the client to default, which is to show the icon. For this setting to take effect, the user needs to either sign out and in, or reboot the computer.

Setting: Disable the Clear TPM option in the Windows Security app
Action: Yes / Not configured
Definition: Setting this to Yes will disable access to the Clear TPM button in the Windows Security app. Setting it to Not configured will return the setting to the client default, which is to allow access to the button.

Setting: Prompt users to update TPM firmware if vulnerability is discovered
Action: Yes / Not configured
Definition: Setting this to Yes will allow Windows to prompt end users when a potential vulnerability is found in their TPM firmware. They will then be encouraged to run firmware updates to resolve the vulnerability. Setting this to Not configured will return the setting to the client default, which is to not prompt users.

Setting: Organization’s support contact information
Action: Not configured / Display in app and in notifications / Display only in app / Display only in notifications
Definition: Declare where you would like your IT organization information displayed in the Windows Security app and notifications.

Once you have selected your required configuration:

  • Define the Scope Tags (if in use within your environment)
  • Define the Assignment to your selected groups
  • Review and Create
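Most rows of the Microsoft Defender Antivirus profile above, and the tamper protection row of the Windows Security experience profile, have a direct counterpart in what the Defender PowerShell module reports on the client, so a post-deployment check is short to write. The block below is an added example, not code from the Blogabout.Cloud post; it assumes an elevated session on a Windows 10 device with the Defender module, and the baseline checked in Test-DefenderAvPosture (cloud protection on, real-time and behavior monitoring on, PUA set to Block, tamper protection on, signatures no older than a day) is my suggested hardened choice, not a value taken from the post.

```powershell
# Added example (not from the Blogabout.Cloud post): read the effective
# Microsoft Defender Antivirus configuration on a Windows 10 client and map
# it back to the Antivirus profile rows (cloud, real-time, scan, update,
# user experience) plus the tamper protection row.

function Get-DefenderAvPosture {
    [CmdletBinding()]
    param()

    $pref   = Get-MpPreference        # policy-effective preferences
    $status = Get-MpComputerStatus    # live engine state

    # Note the inverted "Disable*" property names: the profile's
    # "Turn on X = Yes" shows up here as DisableX = $false.
    [pscustomobject]@{
        CloudProtection      = ($pref.MAPSReporting -ne 0)    # 0 off, 1 basic, 2 advanced
        CloudBlockLevel      = $pref.CloudBlockLevel          # 0 default, 2 high, 4 high+, 6 zero tolerance
        CloudExtendedTimeout = $pref.CloudExtendedTimeout     # extra seconds the cloud check may take
        RealTimeProtection   = (-not $pref.DisableRealtimeMonitoring)
        BehaviorMonitoring   = (-not $pref.DisableBehaviorMonitoring)
        NetworkProtection    = $pref.EnableNetworkProtection  # 0 off, 1 block, 2 audit
        ScanDownloads        = (-not $pref.DisableIOAVProtection)
        ScriptScanning       = (-not $pref.DisableScriptScanning)
        ScanNetworkFiles     = (-not $pref.DisableScanningNetworkFiles)
        ScanEmail            = (-not $pref.DisableEmailScanning)
        ScanArchives         = (-not $pref.DisableArchiveScanning)
        QuarantinePurgeDays  = $pref.QuarantinePurgeItemsAfterDelay
        PuaProtection        = $pref.PUAProtection            # 0 off, 1 block, 2 audit
        ScanCpuLimitPercent  = $pref.ScanAvgCPULoadFactor
        SignatureUpdateHours = $pref.SignatureUpdateInterval
        UserUiLockdown       = $pref.UILockdown
        TamperProtection     = $status.IsTamperProtected
        SignatureAgeDays     = $status.AntivirusSignatureAge
    }
}

function Test-DefenderAvPosture {
    param([pscustomobject]$Posture)
    # Assumed baseline (mine, not the post's): adjust to your profile.
    $issues = @()
    if (-not $Posture.CloudProtection)    { $issues += 'cloud-delivered protection is off' }
    if (-not $Posture.RealTimeProtection) { $issues += 'real-time protection is off' }
    if (-not $Posture.BehaviorMonitoring) { $issues += 'behavior monitoring is off' }
    if ($Posture.PuaProtection -ne 1)     { $issues += 'PUA protection is not set to Block' }
    if (-not $Posture.TamperProtection)   { $issues += 'tamper protection is off' }
    if ($Posture.SignatureAgeDays -gt 1)  { $issues += "signatures are $($Posture.SignatureAgeDays) days old" }
    return $issues
}

$posture = Get-DefenderAvPosture
$posture | Format-List
$issues = @(Test-DefenderAvPosture -Posture $posture)
if ($issues.Count -eq 0) { Write-Output 'Defender AV matches the baseline.' }
else { $issues | ForEach-Object { Write-Warning $_ } }
```

Two points worth knowing when reading the output: Get-MpPreference shows the merged result of local, Group Policy and MDM settings, so a row that still reads as the client default after a sync usually means the profile never reached the device rather than that it was overridden; and IsTamperProtected is the one value here that, once on, cannot be flipped back by any of the other settings, which is exactly what the tamper protection row is for.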

macOS (Antivirus)

Microsoft Defender ATP

Setting: Real-time protection
Action: Not configured / Configured / Disabled
Definition: Locates and stops malware from installing or running on your device. You can turn off this setting for a short time before it turns back on automatically.

Setting: Cloud-delivered protection
Action: Not configured / Configured / Disabled
Definition: Provides increased, faster protection with access to the latest protection data in the cloud. Works best with automatic sample submission turned on.

Setting: Automatic sample submission
Action: Not configured / Configured / Disabled
Definition: Sends sample files to Microsoft to help protect device users and your organization from potential threats.

Setting: Diagnostic data collection
Action: Not configured / Required / Optional
Definition: We encourage you to share your diagnostic and usage data with us to help improve Microsoft products and services.

Setting: Folders excluded from scan

Setting: Files excluded from scan

Setting: File types excluded from scan

Setting: Processes excluded from scan

Once you have selected your required configuration:

  • Define the Scope Tags (if in use within your environment)
  • Define the Assignment to your selected groups
  • Review and Create

This completes the list of configurations available in Microsoft Endpoint Manager for Antivirus.

Regards,
The Author – Blogabout.Cloud

Managing your Disk Encryption in Endpoint Manager is now in preview.

Hello there,

When looking at my Microsoft Endpoint Manager dashboard today, I noticed a number of new preview features have arrived. Next up, I am going to be looking at Disk Encryption capabilities via Endpoint Security.

Microsoft Endpoint Manager has a new home

Microsoft Endpoint Manager is now accessed at a new URL, http://endpoint.microsoft.com, replacing http://devicemanagement.microsoft.com.

Windows 10 and later (BitLocker)

While BitLocker isn’t something new to Microsoft Endpoint Manager, all the configuration that you would normally perform in configuration profiles has been separated out into Endpoint Security within the new Microsoft Endpoint Manager dashboard.

Now let’s run through all the configuration settings and what they actually do.

BitLocker – Base Settings

Setting: Enable full disk encryption for OS and fixed data drives
Action: Yes / Not configured
Definition: If set to Not configured, no BitLocker enforcement will take place. If the drive was encrypted before the policy, no additional action is taken. If the encryption method and options match those of this policy, the configuration should return success.

Setting: Require storage cards to be encrypted (mobile only)
Action: Yes / Not configured
Definition: When this setting is set to Yes, encryption on storage cards will be required for mobile devices. When set to Not configured, the setting will return to the OS default, which is to not require storage card encryption. This setting is only applicable to Windows Mobile and Mobile Enterprise SKU devices.

Setting: Hide prompt about third-party encryption
Action: Yes / Not configured
Definition: If BitLocker is enabled on a system that has already been encrypted by a third-party encryption product, it may render the device unusable. Data loss may occur and you may need to reinstall Windows. It is highly suggested to never enable BitLocker on a device that has third-party encryption installed or enabled. As part of the BitLocker setup wizard, users are informed and asked to confirm that no third-party encryption is in place. When this setting is set to Yes, this warning prompt will be suppressed. When set to Not configured, the setting will return to default, which is to warn users about third-party encryption. If BitLocker silent enable features are required, the third-party encryption warning must be hidden, as any required prompt breaks silent enablement workflows.

Setting: Allow standard users to enable encryption during Autopilot
Action: Yes / Not configured
Definition: When set to Yes, during Azure Active Directory Join (AADJ) silent enable scenarios, users do not need to be local administrators to enable BitLocker. When set to Not configured, the setting will be left as the client default, which is to require local admin access to enable BitLocker. For non-silent enablement/Autopilot scenarios, the user must be a local admin to complete the BitLocker setup wizard.

Setting: Enable client-driven recovery password rotation
Action: Not configured / Disabled / Azure AD-joined devices / Azure AD and Hybrid-joined devices
Definition: Setting this as Not configured means the client will not rotate BitLocker recovery keys when disclosed on the client. Setting it to Key rotation enabled for Azure AD-joined devices will allow key rotation for AADJ devices. Setting it to Key rotation enabled for Azure AD-joined devices and Hybrid-joined devices will allow key rotation for AADJ or Hybrid-joined devices. Add Work Account (AWA, formerly Workplace Joined) devices are not supported for key rotation.

BitLocker – Fixed Drive

Setting: BitLocker fixed drive policy
Action: Yes / Not configured
Definition: This policy setting is used to control the encryption method and cipher strength. The values of this policy determine the strength of the cipher that BitLocker uses for encryption. Enterprises may want to control the encryption level for increased security (AES-256 is stronger than AES-128). If you enable this setting, you will be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. For fixed and operating system drives, we recommend that you use the XTS-AES algorithm. For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10, version 1511 or later. Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress. In these cases, this policy setting is ignored.

Setting: Fixed drive recovery
Action: Yes / Not configured
Definition: Control how BitLocker-protected fixed data drives are recovered in the absence of the required startup key information. Selecting “Enable” allows you to configure various drive recovery techniques. By selecting “Not configured”, the default recovery options are supported, including DRA; the end user can specify recovery options and recovery information is not backed up to Azure Active Directory.

Setting: Block write access to fixed data-drives not protected by BitLocker
Action: Yes / Not configured
Definition: When set to Yes, Windows will not allow any data to be written to fixed drives that are not BitLocker protected. If a fixed drive is not encrypted, the user will need to complete the BitLocker setup wizard for the drive before write access is granted. Setting this to Not configured will allow data to be written to non-encrypted fixed drives.

Setting: Configure encryption method for fixed data-drives
Action: Not configured / AES 128bit CBC / AES 256bit CBC / AES 128bit XTS / AES 256bit XTS
Definition: Select the desired encryption method for fixed data drives. XTS-AES 128-bit is the Windows default encryption method and the recommended value. Note that 256-bit encryption may have performance impacts on low-spec hardware. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress. To change the encryption method, the drive must be decrypted first.
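Because the base and fixed-drive rows above only take effect on drives that are not already encrypted, the useful check after deployment is what BitLocker actually did on each volume. The following is an added example and not code from the Blogabout.Cloud post; it assumes an elevated session on a Windows 10 client with the BitLocker and TrustedPlatformModule modules, and the expected method XtsAes128 is the Windows default named in the fixed-drive row, so change it if your profile selected a different one. It reports encryption status and method for the OS and fixed data drives together with the key protector types, which is how you tell a silent, TPM-backed enablement from one that is waiting on a PIN or startup key.

```powershell
# Added example (not from the Blogabout.Cloud post): report BitLocker status,
# encryption method and key protectors for OS and fixed data drives after the
# Disk encryption profile applied.

function Get-BitLockerPosture {
    [CmdletBinding()]
    param([string]$ExpectedMethod = 'XtsAes128')  # Windows default per the profile definition

    $tpm     = Get-Tpm
    $volumes = Get-BitLockerVolume | Where-Object { "$($_.VolumeType)" -in @('OperatingSystem', 'Data') }

    foreach ($v in $volumes) {
        # Protector types include Tpm, TpmPin, TpmStartupKey, RecoveryPassword, ExternalKey.
        $protectors = @($v.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        [pscustomobject]@{
            Drive              = $v.MountPoint
            Type               = "$($v.VolumeType)"
            ProtectionOn       = ("$($v.ProtectionStatus)" -eq 'On')
            Status             = "$($v.VolumeStatus)"       # FullyEncrypted / EncryptionInProgress / FullyDecrypted
            Method             = "$($v.EncryptionMethod)"
            MethodMatches      = ("$($v.EncryptionMethod)" -eq $ExpectedMethod)
            Protectors         = ($protectors -join ', ')
            HasTpmProtector    = [bool]($protectors | Where-Object { $_ -like 'Tpm*' })
            HasRecoveryPwd     = ($protectors -contains 'RecoveryPassword')
            TpmPresentAndReady = ($tpm.TpmPresent -and $tpm.TpmReady)
        }
    }
}

# Usage: FullyEncrypted, a Tpm protector, a RecoveryPassword protector and the
# expected method is what a silent enablement should produce. No
# RecoveryPassword protector means there is nothing to escrow to Azure AD;
# a TpmPin or TpmStartupKey protector on an Autopilot device means the PIN or
# startup key rows were not left Blocked and the user was prompted.
Get-BitLockerPosture | Format-Table -AutoSize
```

A FullyDecrypted OS volume with TpmPresentAndReady = $false is the most common failure seen with this profile in silent scenarios: the policy is fine, but the device cannot meet the TPM requirement, and no amount of re-syncing will change that until the TPM is provisioned.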

BitLocker – OS Drive Settings

Configuration Setting | Action | Definition
--- | --- | ---
BitLocker system drive policy | Configured / Not Configured | This policy setting is used to control the encryption method and cipher strength. The values of this policy determine the strength of the cipher that BitLocker uses for encryption. Enterprises may want to control the encryption level for increased security (AES-256 is stronger than AES-128). If you enable this setting, you will be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. For fixed and operating system drives, we recommend that you use the XTS-AES algorithm. For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10, version 1511 or later. Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress. In these cases, this policy setting is ignored.
Startup authentication required | Yes / Not Configured | Selecting “Require” allows you to configure the additional authentication requirements at system start-up, including the use of a Trusted Platform Module (TPM) or a startup PIN.
Compatible TPM startup | Blocked / Required / Allowed | Setting this to Allow TPM will enable BitLocker using the TPM if it is present. Setting this to Do not allow TPM will enable BitLocker without using the TPM. Setting this to Require TPM will only enable BitLocker if a TPM is present and usable. It is recommended to require a TPM for BitLocker. This setting only applies when first enabling BitLocker; if BitLocker is already enabled before this setting is applied, it has no effect.
Compatible TPM startup PIN | Blocked / Required / Allowed | Setting this to Allow startup PIN with TPM will enable BitLocker using the TPM if present, and allow a startup PIN to be configured by the user. Setting this to Do not allow startup PIN with TPM will block the use of a PIN. Setting this to Require startup PIN with TPM will require that BitLocker have both a PIN and a TPM present to succeed. For silent enablement scenarios (including Autopilot) this setting cannot succeed, as user interaction is required. It is recommended that the PIN is disabled where silent enablement of BitLocker is required.
Compatible TPM startup key | Blocked / Required / Allowed | Setting this to Allow startup key with TPM will enable BitLocker using the TPM if present, and will allow a startup key (such as a USB drive) to be present to unlock the drives. Setting this to Do not allow a startup key will block the use of startup keys. Setting this to Require a startup key with TPM will require that BitLocker have both a startup key and a TPM present to enable BitLocker. For silent enablement scenarios (including Autopilot) this setting cannot succeed, as user interaction is required. It is recommended that startup keys be disabled where silent enablement of BitLocker is required.
Disable BitLocker on devices where TPM is incompatible | Blocked / Required / Allowed | Setting this to Yes will prevent BitLocker from being configured without a compatible TPM chip. This setting may be helpful for testing, but it is not suggested to enable BitLocker without a TPM. If no TPM is present, BitLocker will require a password or USB drive for startup. This setting only applies when first enabling BitLocker; if BitLocker is already enabled before this setting is applied, it has no effect.
Enable preboot recovery message and url | Yes / Not Configured | Setting this to Yes will allow you to customize the pre-boot recovery message and URL. The pre-boot message and URL are seen by users when they are locked out of their PC in recovery mode. The message and URL can be customized to help your users understand how to find their recovery password. Setting this to Not configured will leave the default BitLocker recovery information.
Preboot recovery message | | Use this option to declare if a custom recovery message is desired.
Preboot recovery url | | Use this option to declare if a custom recovery URL is desired.
System drive recovery | Configured / Not Configured | Control how BitLocker-protected OS drives are recovered in the absence of the required startup key information. Selecting “Enable” allows you to configure various drive recovery techniques. By selecting “Not configured”, the default recovery options are supported, including DRA; the end user can specify recovery options, and recovery information is not backed up to Azure Active Directory.
Configure encryption method for Operating System drives | | Select the desired encryption method for OS drives. XTS-AES 128-bit is the Windows default encryption method and the recommended value. Note that 256-bit encryption may have performance impacts on low-spec hardware. Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress; to change the encryption method, the drive must be decrypted first.
Minimum PIN length | |

BitLocker – Removable Drive Settings

Configuration Setting | Action | Definition
--- | --- | ---
BitLocker removable drive policy | Configured / Not Configured | This policy setting is used to control the encryption method and cipher strength. The values of this policy determine the strength of the cipher that BitLocker uses for encryption. Enterprises may want to control the encryption level for increased security (AES-256 is stronger than AES-128). If you enable this setting, you will be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. For fixed and operating system drives, we recommend that you use the XTS-AES algorithm. For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10, version 1511 or later. Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress. In these cases, this policy setting is ignored.
Configure encryption method for removable data-drives | Not Configured / AES 128bit CBC / AES 256bit CBC / AES 128bit XTS / AES 256bit XTS | Select the desired encryption method for removable data drives. You should use AES-CBC 128-bit or 256-bit if the drive will be used in other devices that are not running Windows 10, version 1511 or later. Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress; to change the encryption method, the drive must be decrypted first.
Block write access to removable data-drives not protected by BitLocker | Yes / Not Configured | When set to Yes, Windows will not allow any data to be written to removable drives that are not BitLocker protected. If an inserted removable drive is not encrypted, the user will need to complete the BitLocker setup wizard for the drive before write access is granted. Setting this to Not configured will allow data to be written to non-encrypted removable drives.
Block write access to devices configured in another organization | Yes / Not Configured | Setting this to Block will prevent removable drives from being accessed unless they were encrypted on a computer owned by your organization. Setting this to Not configured will allow any BitLocker-encrypted drive to be used.

Once you have selected your required configuration:

Define the Scope Tags (if in use within your environment)
Define the Assignment to your selected groups
Review and Create
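Once the policy has landed, it is worth checking what it actually produced on an enrolled device, because several of the settings above (encryption method, TPM / PIN / startup key) only take effect when BitLocker is first enabled and are silently ignored afterwards. The PowerShell below is an added example of mine, not code from the original post or from Microsoft: it reads the effective state with the built-in Get-BitLockerVolume, Get-Tpm and Get-Volume cmdlets and compares it with the recommendations in the tables (TPM required, XTS-AES 128-bit, recovery password present, no PIN or startup key where silent enablement is wanted). The registry key HKLM\SOFTWARE\Policies\Microsoft\FVE and the value names EncryptionMethodWithXtsOs and RDVDenyWriteAccess are the ADMX-backed names I know from the matching Group Policies; that the Intune settings write to the same location is an assumption, so verify it on your own tenant before relying on that part of the check.

```powershell
# Added example (not from the original post): audit a Windows endpoint against the
# BitLocker values recommended in the tables above. Run from an elevated prompt.
# Assumption: the Intune BitLocker settings land in the same policy registry key as
# the matching Group Policies (HKLM\SOFTWARE\Policies\Microsoft\FVE).

function Test-BitLockerBaseline {
    [CmdletBinding()]
    param(
        [string]$ExpectedMethod = 'XtsAes128',   # Windows default and the post's recommendation
        [switch]$SilentEnablement                 # set when devices are enrolled via Autopilot
    )

    $findings = [System.Collections.Generic.List[string]]::new()
    $policy   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue

    # Value codes used by the "choose drive encryption method" policies (assumed mapping):
    # 3 = AES-CBC 128, 4 = AES-CBC 256, 6 = XTS-AES 128, 7 = XTS-AES 256
    $methodNames = @{ 3 = 'Aes128'; 4 = 'Aes256'; 6 = 'XtsAes128'; 7 = 'XtsAes256' }

    # The tables recommend requiring a TPM, so report its absence before looking at volumes.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        $findings.Add('TPM absent or not ready: "Require TPM" cannot be satisfied on this device.')
    }

    foreach ($vol in Get-BitLockerVolume) {
        $label = "$($vol.MountPoint) ($($vol.VolumeType))"
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

        # Removable media fall under the removable-drive table; report them separately.
        $disk = Get-Volume -DriveLetter $vol.MountPoint.Substring(0, 1) -ErrorAction SilentlyContinue
        if ($disk -and $disk.DriveType -eq 'Removable') {
            if ($vol.ProtectionStatus -ne 'On' -and $policy -and $policy.RDVDenyWriteAccess -eq 1) {
                $findings.Add("$label: unencrypted removable drive; write access is blocked by policy.")
            }
            continue
        }

        if ($vol.ProtectionStatus -ne 'On' -or $vol.VolumeStatus -ne 'FullyEncrypted') {
            $findings.Add("$label: protection $($vol.ProtectionStatus), volume $($vol.VolumeStatus).")
            continue    # method and protector checks only make sense once encryption is complete
        }

        if ($vol.EncryptionMethod -ne $ExpectedMethod) {
            # Policy cannot fix this: changing the method is ignored on an already-encrypted drive.
            $findings.Add("$label: method is $($vol.EncryptionMethod), expected $ExpectedMethod; decrypt before re-encrypting.")
        }

        if ('RecoveryPassword' -notin $types) {
            $findings.Add("$label: no recovery password protector, so nothing can be backed up to Azure AD.")
        }

        if ($vol.VolumeType -eq 'OperatingSystem') {
            $tpmBased = @($types | Where-Object { $_ -like 'Tpm*' })
            if ($tpmBased.Count -eq 0) {
                $findings.Add("$label: OS drive is not protected by a TPM-based protector.")
            }

            # A PIN or startup key needs the user at the keyboard, so silent (Autopilot) enablement fails.
            $interactive = @($types | Where-Object { $_ -in @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey') })
            if ($SilentEnablement -and $interactive.Count -gt 0) {
                $findings.Add("$label: PIN/startup key protector present; silent enablement cannot succeed.")
            }

            # Compare the effective method with what the OS-drive policy asks for.
            if ($policy -and $policy.EncryptionMethodWithXtsOs) {
                $wanted = $methodNames[[int]$policy.EncryptionMethodWithXtsOs]
                if ($wanted -and $vol.EncryptionMethod -ne $wanted) {
                    $findings.Add("$label: policy asks for $wanted but the drive uses $($vol.EncryptionMethod) (policy ignored because the drive was already encrypted).")
                }
            }
        }
    }

    if ($findings.Count -eq 0) { 'Compliant with the recommended BitLocker baseline.' } else { $findings }
}

Test-BitLockerBaseline -SilentEnablement
```

Run it without -SilentEnablement on devices where a PIN is a deliberate choice; the PIN finding is only a problem for the Autopilot scenario the tables call out. A drive that reports the wrong method is the one case the portal cannot repair for you: it has to be decrypted and re-encrypted, as both encryption-method rows above note.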

macOS (FileVault)

Encryption

Configuration Setting | Action | Definition
--- | --- | ---
Enable FileVault | Yes / Not Configured | If not already enabled, FileVault will be enabled at the next logout.
Recovery key type | | Determine which type(s) of recovery key should be generated for this device.
Personal recovery key rotation | Not configured or number of months | Specify how frequently in months (1-12) the device’s personal recovery key will rotate.
Escrow location description of personal recovery key | | Display a short message to the user that explains how they can retrieve their personal recovery key. This text will be inserted into the message the user sees when enabling FileVault.
Number of times allowed to bypass | Not configured / 1-10 / No limit, always prompt | Set the value to -1 to disable the setting. Set the value to 0 to always prompt the user to enable FileVault, although they can ignore the prompt. Set the value from 1 to 10 to allow the user to bypass the prompt that many times until they are required to encrypt the device.
Allow deferral until sign out | Yes / Not Configured | Defer the prompt until the user signs out. Only ‘Yes’ is supported.
Disable prompt at sign out | Yes / Not Configured | Disable the prompt for the user to enable FileVault when they sign out.

Once you have selected your required configuration:

Define the Scope Tags (if in use within your environment)
Define the Assignment to your selected groups
Review and Create

This completes the list of configurations available in Microsoft Endpoint Manager for Disk Encryption.

Regards
The Author – Blogabout.Cloud

Implementing Windows Information Protection

Windows Information Protection enables organizations to draw a clear line between personal data and corporate data. When implementing Windows Information Protection (WIP) you might find that apps not recognized as corporate apps lose the ability to write data to the corporate-protected applications and data stores. For example:

You are using GitHub and storing the cloned repos into your OneDrive Known Folders and WIP gets enabled to “Block” access.

That lovely GitHub repo you want to clone will now be blocked 🙁

So how do we implement Windows Information Protection in a way that keeps our organizations secure without breaking the apps people rely on?

Let’s start with WIP Learning.

First of all, you need to have configured an App Protection policy within Microsoft Endpoint Manager for all the apps you want to protect with WIP, as shown below.

WIP Learning is a report that allows you to monitor your WIP-enabled apps and WIP-unknown apps. The unknown apps are the ones not deployed by your organization’s IT department. You can export these apps from the report and add them to your WIP policies to avoid productivity disruption before you enforce WIP in “Block” mode.

In addition to viewing information about WIP-enabled apps, you can view a summary of the devices that have shared work data with websites. With this information, you can determine which websites should be added to group and user WIP policies. The summary shows which website URLs are accessed by WIP-enabled apps.

When working with WIP-enabled apps and WIP-unknown apps, we recommend that you start with Silent or Allow Overrides while verifying with a small group that you have the right apps on your protected apps list. After you’re done, you can change to your final enforcement policy, Block.

What are the protection modes?

Block

WIP looks for inappropriate data sharing practices and stops the user from completing the action. Blocked actions can include sharing info across non-corporate-protected apps, and sharing corporate data between other people and devices outside of your organization.

Allow Overrides

WIP looks for inappropriate data sharing, warning users when they do something deemed potentially unsafe. However, this mode lets the user override the policy and share the data, logging the action to your audit log.

Silent

WIP runs silently, logging inappropriate data sharing, without blocking anything that would have been prompted for employee interaction while in Allow Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.

Switching on WIP

Browse to your App Protection Policy and go to its Properties; under Required Settings you will be able to select which mode you would like to enable for your organization. Please note: you will need to define your “Corporate Identity”. If you have multiple domains, they can be added as ‘Protected domains’ under the ‘Network perimeter’ in the ‘Advanced settings’ tab.

Once you have done an initial pilot to discover the applications being used to access corporate data, you can generate a report from Apps –> Monitor –> App Protection Status –> Reports –> App Learning report for Windows Information Protection. In my case I can see that my GitHub application has been discovered.

Now that you have your report, you are able to create the required exceptions to ensure the non-corporate applications can access corporate data.

Regards
The Author – Blogabout.Cloud