Managing your Antivirus in Endpoint Manager is now in preview.

Hello there,

When looking at my Microsoft Endpoint Manager dashboard today, I noticed a number of new preview features have arrived. First up, I am going to be looking at Antivirus capabilities via Endpoint Security.

Microsoft Endpoint Manager has a new home

The Microsoft Endpoint Manager admin center has moved to a new URL, http://endpoint.microsoft.com, replacing http://devicemanagement.microsoft.com

This new preview feature supports the following scenarios:

Windows 10 and later (Microsoft Defender Antivirus)

Configuration Settings

Cloud Protection

Setting | Options | Definition
Turn on cloud-delivered protection | Not configured / Yes / No | When set to Yes, Defender sends information to Microsoft about any problems it finds and the user cannot disable it. When set to Not configured, the client returns to its default, which enables the feature but allows the user to disable it.
Cloud-delivered protection level | Not configured / High / High plus / Zero tolerance | Specifies how aggressively the cloud service blocks. Not configured uses the default Microsoft Defender Antivirus blocking level, which provides strong detection without increasing the risk of detecting legitimate files. High applies a strong level of detection. High plus uses the High level and applies additional protection measures (may impact client performance). Zero tolerance blocks all unknown executables. Setting High or above makes it more likely that legitimate files are detected, so the default level (Not configured) is recommended unless you have a process for handling false positives.
Defender Cloud Extended Timeout In Seconds | 0-50 | Additional time, on top of the default 10 seconds, that Defender holds a suspicious file while waiting for a cloud verdict before allowing it to run.

Microsoft Defender Antivirus Exclusions

Setting | Options | Definition
Defender Processes To Exclude | List of process names or full paths | Files opened by the listed processes are not scanned by real-time protection. The process executable itself is still scanned.
File extensions to exclude from scans and real-time protection | List of extensions | Files with the listed extensions are skipped by scheduled, on-demand and real-time scans.
Defender Files And Folders To Exclude | List of paths | The listed files and folders (including subfolders) are skipped by scheduled, on-demand and real-time scans.

Every exclusion is a gap that malware can use, and attackers routinely read the configured exclusions from a compromised host, so keep the list short and avoid excluding user-writable locations, whole drives or broad extensions.
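To see what a client actually holds once the policy lands, and which entries weaken coverage, here is an added example (not code from the original post or from Microsoft) that reads the merged exclusion list with Get-MpPreference and flags the risky ones. The list of user-writable prefixes and the set of risky extensions are assumptions; adjust them to your environment.

```powershell
# Added example (not from the original post): audit the exclusions a client
# actually holds and flag the ones that open the widest gaps for an attacker.
# Run in an elevated PowerShell session on a Windows device running Defender.
function Get-RiskyDefenderExclusion {
    [CmdletBinding()]
    param(
        # Assumption: anything under these prefixes is writable by a standard user.
        [string[]]$UserWritablePrefixes = @(
            "$env:SystemDrive\Users\",
            "$env:SystemDrive\ProgramData\",
            "$env:SystemDrive\Temp\",
            "$env:windir\Temp\"
        ),
        # Assumption: extensions routinely used to deliver or stage payloads.
        [string[]]$RiskyExtensions = @('exe','dll','ps1','psm1','bat','cmd','vbs','js','jse',
                                       'wsf','hta','scr','com','lnk','iso','zip','rar','7z')
    )

    # Merged view of locally set and policy-delivered exclusions.
    $pref = Get-MpPreference

    function Test-UserWritable([string]$Path) {
        foreach ($prefix in $UserWritablePrefixes) {
            if ($Path.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
        }
        return $false
    }

    foreach ($path in @($pref.ExclusionPath)) {
        if ([string]::IsNullOrWhiteSpace($path)) { continue }
        $reasons = @()
        if ($path -match '^[A-Za-z]:\\?$') { $reasons += 'entire drive excluded' }
        if ($path -match '[\*\?]')         { $reasons += 'wildcard widens the exclusion' }
        if ($path -like '\\*')             { $reasons += 'UNC path: anything written to the share is unscanned' }
        if (Test-UserWritable $path)       { $reasons += 'user-writable location' }
        if ($reasons) {
            [pscustomobject]@{ Type = 'Path'; Value = $path; Reason = ($reasons -join '; ') }
        }
    }

    foreach ($ext in @($pref.ExclusionExtension)) {
        if ([string]::IsNullOrWhiteSpace($ext)) { continue }
        if ($RiskyExtensions -contains $ext.TrimStart('.').ToLower()) {
            [pscustomobject]@{ Type = 'Extension'; Value = $ext; Reason = 'common payload or archive extension' }
        }
    }

    foreach ($proc in @($pref.ExclusionProcess)) {
        if ([string]::IsNullOrWhiteSpace($proc)) { continue }
        $reasons = @()
        # A bare name (no path) excludes every process with that name, wherever it runs.
        if ($proc -notmatch '[\\/]')       { $reasons += 'bare process name: any binary with this name qualifies' }
        elseif (Test-UserWritable $proc)   { $reasons += 'process lives in a user-writable location' }
        if ($reasons) {
            [pscustomobject]@{ Type = 'Process'; Value = $proc; Reason = ($reasons -join '; ') }
        }
    }
}

Get-RiskyDefenderExclusion | Sort-Object Type | Format-Table -AutoSize
```

Run it on a pilot device after the profile has applied; an empty result means none of the configured exclusions tripped the checks, not that the device has no exclusions.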

Real-time protection

Setting | Options | Definition
Turn on real-time protection | Not configured / Yes / No | When set to Yes, real-time monitoring is enforced and the user cannot disable it. When set to Not configured, the setting returns to the client default, which is on, but the user can change it.
Enable on access protection | Not configured / Yes / No | On-access protection scans files as they are opened or executed, as opposed to only on demand. When set to Yes it is enforced; when Not configured the client default (on, user can change it) applies.
Monitoring for incoming and outgoing files | Monitor all files / Only monitor incoming files / Only monitor outgoing files | Determines which NTFS file and program activity is monitored. Monitor all files is the default, but for specific scenarios (for example, servers) you may want to scan only incoming or only outgoing files.
Turn on behavior monitoring | Not configured / Yes / No | When set to Yes, behavior monitoring is enforced and the user cannot disable it. When set to Not configured, the setting returns to the client default, which is on, but the user can change it.
Turn on network protection | Not configured / Yes / No | When set to Yes, network protection is enforced: outbound connections from any application to domains and IP addresses that Microsoft classifies as malicious (phishing, exploit hosting, command and control) are blocked, and the user cannot disable it. When set to Not configured, the setting returns to the client default, which is off.
Scan all downloaded files and attachments | Not configured / Yes / No | When set to Yes, all downloaded files and attachments are scanned and the user cannot disable it. When set to Not configured, the setting returns to the client default, which is on, but the user can change it.
Scan scripts that are used in Microsoft browsers | Not configured / Yes / No | When set to Yes, Windows Defender script scanning is enforced and the user cannot turn it off. When set to Not configured, the setting returns to the client default, which is to enable script scanning, but the user can turn it off.
Scan network files | Not configured / Yes / No | When set to Yes, files on network shares are scanned when they are accessed. When set to Not configured, the setting returns to the client default, which is not to scan network files.
Scan emails | Not configured / Yes / No | When set to Yes, e-mail mailbox and mail files such as PST, DBX, MBX, MIME and BINHEX are scanned. When Not configured, the setting returns to the client default of e-mail files not being scanned.

Remediation

Setting | Options | Definition
Number of days (0-90) to keep quarantined malware | 0-90 | Determines the number of days items are kept in the quarantine folder before being removed. Leaving this Not configured or setting it to 0 results in quarantined files never being removed.
Submit samples consent | Not configured / Send safe samples automatically / Always prompt / Never send / Send all samples automatically | Controls whether files that need a cloud verdict are uploaded to Microsoft. Safe samples are files that do not normally contain personal data (for example executables); Send all samples also uploads documents and may include personal data. Cloud-delivered protection works best with sample submission enabled.
Action to take on potentially unwanted apps | Not configured / Block / Audit | Specifies the level of protection for potentially unwanted applications (PUA). Not configured returns the client to its default, which is PUA protection off. Block turns PUA protection on and blocks potentially unwanted applications. Audit detects potentially unwanted applications but takes no action.
Actions for detected threats | Not configured / Configured | Allows you to specify, for each threat severity level (low, moderate, high, severe), the default action to take (clean, quarantine, remove, allow, user defined or block). Only enforced on Windows 10 desktop editions.

Scan

Setting | Options | Definition
Scan archive files | Not configured / Yes / No | When set to Yes, scanning of archive files such as ZIP or CAB is enforced. When set to Not configured, the setting returns to the client default, which is to scan archive files, but the user may disable this.
Use low CPU priority for scheduled scans | Not configured / Yes / No | When set to Yes, scheduled scans run with low CPU priority. When set to Not configured, the setting returns to the client default, in which no changes to CPU priority are made.
Disable catch-up full scan | Not configured / Yes / No | When set to Yes, catch-up full scans are disabled: a scheduled full scan that was missed (for example because the device was off) is not run at the next opportunity. When set to Not configured, the setting returns to the client default, which is to run catch-up full scans, but the user can turn them off.
Disable catch-up quick scan | Not configured / Yes / No | When set to Yes, catch-up quick scans are disabled. When set to Not configured, the setting returns to the client default, which is to run catch-up quick scans, but the user can turn them off.
CPU usage limit per scan | 0-100 | The maximum CPU percentage a scan may consume. The default (and recommended) value is 50%.
Scan mapped network drives during full scan | Not configured / Yes / No | When set to Yes, mapped network drives are included in a full scan. When set to Not configured, the client returns to its default, which is not to scan mapped network drives.
Run daily quick scan at | Not configured / time of day | The time of day at which a daily Windows Defender quick scan runs, in addition to the scheduled scan configured below.
Scan type | Not configured / Quick scan / Full scan | The scan type to use for the scheduled scan.
Day of week to run a scheduled scan | Not configured / Every day / a specific day of the week | The day on which the scheduled scan runs.
Time of day to run a scheduled scan | Not configured / time of day | The time at which the scheduled scan runs.

Update

Setting | Options | Definition
Enter how often (0-24 hours) to check for security intelligence updates | Not configured / Do not check / 1-24 | Determines how often the client checks for security intelligence (signature) updates. A value of 1 means checking every hour, 2 every two hours, and so on. Selecting Do not check disables update checks. When set to Not configured, the client default of 8 hours applies.

User Experience

Setting | Options | Definition
Allow user access to Microsoft Defender app | Not configured / Yes / No | When set to No, the Windows Defender user interface (UI) is inaccessible and notifications are suppressed. When set to Not configured, the setting returns to the client default, in which the UI and notifications are allowed.

Once you have selected your required configuration:

Define the Scope Tags (if in use within your environment)
Define the Assignment to your selected groups
Review and Create

Windows 10 and later (Windows Security experience)

Windows Security

Setting | Options | Definition
Enable tamper protection to prevent Microsoft Defender being disabled | Not configured / Enable / Disable | Not configured is the default and has no impact. Enable turns on the Tamper Protection restrictions; Disable turns them off. Once Enable or Disable has been applied to a client, deploying Not configured does not change it: to change the state you must deploy the opposite setting. With tamper protection on, local changes to the protected Defender settings (for example through Set-MpPreference or the registry) are ignored, so only the management channel can turn protection off.
Hide the Virus and threat protection area in the Windows Security app | Yes / Not Configured | Setting this to Yes hides the virus and threat protection area in the Windows Security app from end users and suppresses virus and threat protection related notifications. Setting it to Not configured returns the client to its default, which is to allow user access and notifications.
Hide the Ransomware data recovery option in the Windows Security app | Yes / Not Configured | Setting this to Yes hides the ransomware data recovery option in the Windows Security app from end users and suppresses ransomware data recovery related notifications. Setting it to Not configured returns the client to its default, which is to allow user access and notifications.
Hide the Account protection area in the Windows Security app | Yes / Not Configured | Setting this to Yes hides the account protection area in the Windows Security app from end users and suppresses account protection related notifications. Setting it to Not configured returns the client to its default, which is to allow user access and notifications.
Hide the Firewall and network protection area in the Windows Security app | Yes / Not Configured | Setting this to Yes hides the firewall and network protection area in the Windows Security app from end users and suppresses firewall and network protection related notifications. Setting it to Not configured returns the client to its default, which is to allow user access and notifications.
Hide the App and browser control area in the Windows Security app | Yes / Not Configured | Setting this to Yes hides the app and browser control area in the Windows Security app from end users and suppresses app and browser control related notifications. Setting it to Not configured returns the client to its default, which is to allow user access and notifications.
Hide the Device security area in the Windows Security app | Yes / Not Configured | Setting this to Yes hides the device security (hardware protection) area in the Windows Security app from end users and suppresses device security related notifications. Setting it to Not configured returns the client to its default, which is to allow user access and notifications.
Hide the Device performance and health area in the Windows Security app | Yes / Not Configured | Setting this to Yes hides the device performance and health area in the Windows Security app from end users and suppresses device performance and health related notifications. Setting it to Not configured returns the client to its default, which is to allow user access and notifications.
Hide the Family options area in the Windows Security app | Yes / Not Configured | Setting this to Yes hides the family options area in the Windows Security app from end users and suppresses family options related notifications. Setting it to Not configured returns the client to its default, which is to allow user access and notifications.
Windows Security app notifications | Not configured / Block non-critical notifications / Block all notifications | You can control Windows Security app notifications per feature with the preceding settings; alternatively, use this setting to block Windows Security notifications for all features. Not configured allows all Windows Security app notifications that are not controlled by another setting. Block non-critical notifications blocks notifications such as scan completions. Block all notifications blocks critical and non-critical notifications for all Windows Security features.
Hide the Windows Security icon from the notification area | Yes / Not Configured | Setting this to Yes hides the Windows Security icon from the user's system tray. Not configured returns the client to its default, which is to show the icon. For this setting to take effect, the user needs to sign out and in again, or reboot the computer.
Disable the Clear TPM option in the Windows Security app | Yes / Not Configured | Setting this to Yes disables access to the Clear TPM button in the Windows Security app. Setting it to Not configured returns the setting to the client default, which is to allow access to the button.
Prompt users to update TPM firmware if vulnerability is discovered | Yes / Not Configured | Setting this to Yes allows Windows to prompt end users when a potential vulnerability is found in their TPM firmware; they are then encouraged to run firmware updates to resolve it. Setting this to Not configured returns the setting to the client default, which is not to prompt users.
Organization's support contact information | Not configured / Display in app and in notifications / Display only in app / Display only in notifications | Declares where your IT organization's contact information is displayed in the Windows Security app and notifications.

Once you have selected your required configuration:

Define the Scope Tags (if in use within your environment)
Define the Assignment to your selected groups
Review and Create
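Once both the antivirus profile and the Windows Security experience profile have been assigned, the useful check is whether the client actually ended up in the configured state. The following is an added example, not code from the original post or from Microsoft: it compares Get-MpPreference and Get-MpComputerStatus against an expected-value table that stands in for your own profile (the values in $Expected are assumptions), and reads the Windows Security app lockdown values from the registry locations the equivalent Group Policy uses (that the MDM-delivered settings land in the same keys is an assumption to confirm on a test device).

```powershell
# Added example (not from the original post): compare what a client reports
# against the intent of an Intune antivirus / Windows Security profile.
# $Expected is an assumption standing in for your own policy. Run elevated.
function Test-DefenderPolicyState {
    param(
        [hashtable]$Expected = @{
            # Get-MpPreference property      = value the policy should produce
            DisableRealtimeMonitoring        = $false   # Turn on real-time protection: Yes
            DisableBehaviorMonitoring        = $false   # Turn on behavior monitoring: Yes
            DisableIOAVProtection            = $false   # Scan all downloaded files and attachments: Yes
            DisableScriptScanning            = $false   # Scan scripts used in Microsoft browsers: Yes
            DisableEmailScanning             = $false   # Scan emails: Yes
            MAPSReporting                    = 2        # Cloud-delivered protection: Yes (2 = advanced)
            CloudBlockLevel                  = 0        # Cloud-delivered protection level: Not configured (default)
            EnableNetworkProtection          = 1        # Turn on network protection: Yes (1 = block, 2 = audit)
            PUAProtection                    = 1        # Action on potentially unwanted apps: Block
            DisableCatchupFullScan           = $false   # Disable catch-up full scan: No
            DisableCatchupQuickScan          = $false   # Disable catch-up quick scan: No
            DisableArchiveScanning           = $false   # Scan archive files: Yes
            QuarantinePurgeItemsAfterDelay   = 30       # Days to keep quarantined malware
            SignatureUpdateInterval          = 4        # Check for security intelligence updates every 4 hours
            ScanAvgCPULoadFactor             = 50       # CPU usage limit per scan
            UILockdown                       = $false   # Allow user access to the Defender app: Yes
        }
    )
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    foreach ($name in ($Expected.Keys | Sort-Object)) {
        $actual = $pref.$name
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = $actual
            Match    = ("$actual" -eq "$($Expected[$name])")
        }
    }

    # Tamper protection is reported by the engine, not by Get-MpPreference. With it on,
    # Set-MpPreference and registry edits to the protected settings are silently ignored.
    [pscustomobject]@{
        Setting  = 'IsTamperProtected'
        Expected = $true
        Actual   = $status.IsTamperProtected
        Match    = ($status.IsTamperProtected -eq $true)
    }

    # Windows Security app lockdown. Assumption: the Intune settings land in the same
    # registry locations as the equivalent Group Policy; confirm on a test device.
    $wscRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center'
    $areas = @{
        'Virus and threat protection'     = 'UILockdown'
        'Account protection'              = 'UILockdown'
        'Firewall and network protection' = 'UILockdown'
        'App and browser protection'      = 'UILockdown'
        'Device security'                 = 'UILockdown'
        'Device performance and health'   = 'UILockdown'
        'Family options'                  = 'UILockdown'
        'Systray'                         = 'HideSystray'
        'Notifications'                   = 'DisableNotifications'
    }
    foreach ($area in ($areas.Keys | Sort-Object)) {
        $valueName = $areas[$area]
        $item = Get-ItemProperty -Path (Join-Path $wscRoot $area) -Name $valueName -ErrorAction SilentlyContinue
        $actualValue = 'not set (client default)'
        if ($null -ne $item) { $actualValue = $item.$valueName }
        [pscustomobject]@{
            Setting  = "WindowsSecurity\$area\$valueName"
            Expected = 'per policy'
            Actual   = $actualValue
            Match    = $null
        }
    }
}

Test-DefenderPolicyState | Format-Table -AutoSize
```

Rows where Match is False are the ones to investigate: either the profile has not reached the device yet, a conflicting profile or local policy won, or (for the Defender engine settings) tamper protection is off and something local changed them.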

macOS (Antivirus)

Microsoft Defender ATP

Setting | Options | Definition
Real-time protection | Not configured / Configured / Disabled | Locates and stops malware from installing or running on the device. The user can turn this setting off for a short time before it turns back on automatically.
Cloud-delivered protection | Not configured / Configured / Disabled | Provides increased, faster protection with access to the latest protection data in the cloud. Works best with automatic sample submission turned on.
Automatic sample submission | Not configured / Configured / Disabled | Sends sample files to Microsoft to help protect device users and your organization from potential threats.
Diagnostic data collection | Not configured / Required / Optional | Controls whether diagnostic and usage data is shared with Microsoft to help improve Microsoft products and services.
Folders excluded from scan | List of folder paths | Folders skipped by scanning.
Files excluded from scan | List of file paths | Files skipped by scanning.
File types excluded from scan | List of extensions | File types skipped by scanning.
Processes excluded from scan | List of process names | Processes whose file activity is skipped by scanning.

Once you have selected your required configuration:

Define the Scope Tags (if in use within your environment)
Define the Assignment to your selected groups
Review and Create

This completes the list of configurations available in Microsoft Endpoint Manager for Antivirus.

Regards,
The Author – Blogabout.Cloud

Managing your Disk Encryption in Endpoint Manager is now in preview.

Hello there,

When looking at my Microsoft Endpoint Manager dashboard today, I noticed a number of new preview features have arrived. Next up, I am going to be looking at Disk Encryption capabilities via Endpoint Security.

Microsoft Endpoint Manager has a new home

The Microsoft Endpoint Manager admin center has moved to a new URL, http://endpoint.microsoft.com, replacing http://devicemanagement.microsoft.com

Windows 10 and later (BitLocker)

While BitLocker isn't new to Microsoft Endpoint Manager, all the configuration you would normally perform in configuration profiles has been separated out into Endpoint Security in the new Microsoft Endpoint Manager dashboard.

Now let's run through all the configuration settings and what they actually do.

BitLocker – Base Settings

Configuration Setting | Options | Definition
Enable full disk encryption for OS and fixed data drives | Yes / Not Configured | If set to Not configured, no BitLocker enforcement takes place. If the drive was encrypted before the policy applied, no additional action is taken; if the existing encryption method and options match this policy, the configuration reports success.
Require storage cards to be encrypted (mobile only) | Yes / Not Configured | When set to Yes, encryption of storage cards is required on mobile devices. When set to Not configured, the setting returns to the OS default, which is not to require storage card encryption. This setting only applies to Windows Mobile and Mobile Enterprise SKU devices.
Hide prompt about third-party encryption | Yes / Not Configured | If BitLocker is enabled on a system that has already been encrypted by a third-party encryption product, it may render the device unusable; data loss may occur and you may need to reinstall Windows. Never enable BitLocker on a device that has third-party encryption installed or enabled. As part of the BitLocker setup wizard, users are informed of this and asked to confirm that no third-party encryption is in place. When set to Yes, this warning prompt is suppressed. When set to Not configured, the setting returns to the default, which is to warn users about third-party encryption. If BitLocker silent enablement is required, the third-party encryption warning must be hidden, as any required prompt breaks the silent enablement workflow.
Allow standard users to enable encryption during Autopilot | Yes / Not Configured | When set to Yes, during Azure Active Directory Join (AADJ) silent enablement scenarios, users do not need to be local administrators to enable BitLocker. When set to Not configured, the client default applies, which is to require local admin rights to enable BitLocker. For non-silent enablement and Autopilot scenarios, the user must be a local admin to complete the BitLocker setup wizard.
Enable client-driven recovery password rotation | Not Configured / Disabled / Key rotation enabled for Azure AD-joined devices / Key rotation enabled for Azure AD and Hybrid-joined devices | Not configured means the client does not rotate the BitLocker recovery password after it has been disclosed (used) on the client. Key rotation enabled for Azure AD-joined devices allows rotation on AADJ devices. Key rotation enabled for Azure AD-joined devices and Hybrid-joined devices allows rotation on AADJ or hybrid-joined devices. Rotation only helps when the recovery password is backed up to Azure AD, since the newly generated password is escrowed there. Add Work Account (AWA, formerly Workplace Joined) devices are not supported for key rotation.

BitLocker – Fixed Drive

Configuration Setting | Options | Definition
BitLocker fixed drive policy | Configured / Not Configured | Configured enables the fixed data-drive settings below, including the encryption method and cipher strength (AES-256 is stronger than AES-128; XTS-AES is recommended for fixed and operating system drives). Not configured leaves fixed data drives unmanaged by this policy. Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress; in those cases the setting is ignored.
Fixed drive recovery | Yes / Not Configured | Controls how BitLocker-protected fixed data drives are recovered in the absence of the required startup key information. Selecting Yes allows you to configure the various drive recovery techniques. Selecting Not configured supports the default recovery options, including a data recovery agent (DRA); the end user can specify recovery options and recovery information is not backed up to Azure Active Directory.
Block write access to fixed data-drives not protected by BitLocker | Yes / Not Configured | When set to Yes, Windows does not allow any data to be written to fixed drives that are not BitLocker protected. If a fixed drive is not encrypted, the user needs to complete the BitLocker setup wizard for the drive before write access is granted. Setting this to Not configured allows data to be written to non-encrypted fixed drives.
Configure encryption method for fixed data-drives | Not Configured / AES 128bit CBC / AES 256bit CBC / AES 128bit XTS / AES 256bit XTS | Selects the encryption method for fixed data drives. XTS-AES 128-bit is the Windows default encryption method and the recommended value. Note that 256-bit encryption may have a performance impact on low-spec hardware. Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress; to change the encryption method, the drive must be decrypted first.

BitLocker – OS Drive Settings

Configuration Setting | Options | Definition
BitLocker system drive policy | Configured / Not Configured | Configured enables the operating system drive settings below, including the encryption method and cipher strength (AES-256 is stronger than AES-128; XTS-AES is recommended for operating system drives). Not configured leaves the OS drive unmanaged by this policy. Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress; in those cases the setting is ignored.
Startup authentication required | Yes / Not Configured | Selecting Yes allows you to configure the additional authentication requirements at system startup, including use of the Trusted Platform Module (TPM), a startup PIN or a startup key.
Compatible TPM startup | Blocked / Required / Allowed | Allowed enables BitLocker using the TPM if it is present. Blocked enables BitLocker without using the TPM. Required only enables BitLocker if a TPM is present and usable. Requiring a TPM for BitLocker is recommended. This setting only applies when first enabling BitLocker; if BitLocker is already enabled when the setting is applied, it has no effect.
Compatible TPM startup PIN | Blocked / Required / Allowed | Allowed enables BitLocker using the TPM if present and lets the user configure a startup PIN. Blocked prevents the use of a PIN. Required requires both a PIN and a TPM for BitLocker to report success. For silent enablement scenarios (including Autopilot) this setting cannot succeed, as user interaction is required, so block the PIN where silent enablement of BitLocker is required.
Compatible TPM startup key | Blocked / Required / Allowed | Allowed enables BitLocker using the TPM if present and lets a startup key (such as a USB drive) be used to unlock the drive. Blocked prevents the use of startup keys. Required requires both a startup key and a TPM to enable BitLocker. For silent enablement scenarios (including Autopilot) this setting cannot succeed, as user interaction is required, so block startup keys where silent enablement of BitLocker is required.
Disable BitLocker on devices where TPM is incompatible | Yes / Not Configured | Setting this to Yes prevents BitLocker from being configured without a compatible TPM chip. Enabling BitLocker without a TPM may be useful for testing but is not recommended; if no TPM is present, BitLocker requires a password or USB drive at startup. This setting only applies when first enabling BitLocker; if BitLocker is already enabled when the setting is applied, it has no effect.
Enable preboot recovery message and url | Yes / Not Configured | Setting this to Yes allows you to customize the pre-boot recovery message and URL that users see when they are locked out of their PC in recovery mode. The message and URL can be customized to help users understand how to find their recovery password. Setting this to Not configured leaves the default BitLocker recovery information.
Preboot recovery message | Text | The custom message shown on the pre-boot recovery screen.
Preboot recovery url | URL | The custom URL shown on the pre-boot recovery screen.
System drive recovery | Yes / Not Configured | Controls how BitLocker-protected OS drives are recovered in the absence of the required startup key information. Selecting Yes allows you to configure the various drive recovery techniques. Selecting Not configured supports the default recovery options, including a data recovery agent (DRA); the end user can specify recovery options and recovery information is not backed up to Azure Active Directory.
Configure encryption method for Operating System drives | Not Configured / AES 128bit CBC / AES 256bit CBC / AES 128bit XTS / AES 256bit XTS | Selects the encryption method for OS drives. XTS-AES 128-bit is the Windows default encryption method and the recommended value. Note that 256-bit encryption may have a performance impact on low-spec hardware. Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress; to change the encryption method, the drive must be decrypted first.
Minimum PIN length | 4-20 | The minimum number of characters for the startup PIN. Only relevant where a startup PIN is allowed or required.

BitLocker – Removable Drive Settings

Configuration Setting | Options | Definition
BitLocker removable drive policy | Configured / Not Configured | Configured enables the removable data-drive settings below, including the encryption method and cipher strength. Not configured leaves removable drives unmanaged by this policy. Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress; in those cases the setting is ignored.
Configure encryption method for removable data-drives | Not Configured / AES 128bit CBC / AES 256bit CBC / AES 128bit XTS / AES 256bit XTS | Selects the encryption method for removable data drives. Use AES-CBC 128-bit or 256-bit if the drive will be used in devices that are not running Windows 10, version 1511 or later, because those cannot read XTS-AES volumes. Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress; to change the encryption method, the drive must be decrypted first.
Block write access to removable data-drives not protected by BitLocker | Yes / Not Configured | When set to Yes, Windows does not allow any data to be written to removable drives that are not BitLocker protected. If an inserted removable drive is not encrypted, the user needs to complete the BitLocker setup wizard for the drive before write access is granted. Setting this to Not configured allows data to be written to non-encrypted removable drives.
Block write access to devices configured in another organization | Yes / Not Configured | When set to Yes, write access to a removable drive is blocked unless the drive was encrypted on a computer belonging to your organization (as recorded in the drive's BitLocker identification field). Setting this to Not configured allows any BitLocker-encrypted drive to be used.

Once you have selected your required configuration:

Define the Scope Tags (if in use within your environment)
Define the Assignment to your selected groups
Review and Create
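Several rows above describe states the policy cannot fix on its own: a drive already encrypted with a different method is left alone, a PIN or startup key protector breaks silent enablement, and recovery passwords only help if they are escrowed. The following is an added example, not code from the original post or from Microsoft, that reads the device's actual BitLocker state with the built-in BitLocker and TPM cmdlets and lists those findings; the expected method (XTS-AES 128) and the switch names are assumptions you can change to match your profile. The optional -EscrowToAzureAD switch calls BackupToAAD-BitLockerKeyProtector, which only works on Azure AD-joined or hybrid-joined devices.

```powershell
# Added example (not from the original post): check whether a device is in the
# state the BitLocker profile expects, and report why silent enablement would fail.
# Expected values are assumptions; change them to match your profile. Run elevated.
function Test-BitLockerPolicyState {
    param(
        [string]$MountPoint     = $env:SystemDrive,
        [string]$ExpectedMethod = 'XtsAes128',  # XTS-AES 128 is the Windows default and recommended value
        [switch]$SilentEnablement,              # TPM only: no startup PIN or startup key protector
        [switch]$EscrowToAzureAD                # back up recovery password protectors to Azure AD
    )
    $findings = New-Object System.Collections.Generic.List[string]

    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) {
        $findings.Add('No TPM: BitLocker would need a password or USB startup key, and silent enablement cannot succeed.')
    } elseif (-not $tpm.TpmReady) {
        $findings.Add('TPM present but not ready; a "Require TPM" policy will not be satisfied.')
    }

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

    switch ("$($vol.VolumeStatus)") {
        'FullyDecrypted'       { $findings.Add('Drive is not encrypted: the policy has not applied yet, or a required prompt is blocking it.') }
        'EncryptionInProgress' { $findings.Add("Encryption in progress ($($vol.EncryptionPercentage)%); method changes are ignored until it completes.") }
        'FullyEncrypted' {
            if ("$($vol.EncryptionMethod)" -ne $ExpectedMethod) {
                $findings.Add("Encrypted with $($vol.EncryptionMethod) but the policy wants $ExpectedMethod; the drive must be decrypted before the method can change.")
            }
            if ("$($vol.ProtectionStatus)" -ne 'On') {
                $findings.Add('Encrypted but protection is suspended: the volume key is stored in the clear on disk.')
            }
        }
    }

    # Any protector type beginning with "Tpm" (Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey) involves the TPM.
    $tpmProtectors = @($types | Where-Object { $_ -like 'Tpm*' })
    if ($types.Count -gt 0 -and $tpmProtectors.Count -eq 0) {
        $findings.Add('No TPM-based protector; a "Require TPM" policy will report failure.')
    }
    if ($SilentEnablement -and ($tpmProtectors | Where-Object { $_ -ne 'Tpm' })) {
        $findings.Add('A PIN or startup key protector is present; silent enablement requires a TPM-only protector.')
    }

    $recovery = @($vol.KeyProtector | Where-Object { "$($_.KeyProtectorType)" -eq 'RecoveryPassword' })
    if ($recovery.Count -eq 0 -and "$($vol.VolumeStatus)" -ne 'FullyDecrypted') {
        $findings.Add('No recovery password protector: nothing can be escrowed to Azure AD and client-driven rotation has nothing to rotate.')
    } elseif ($EscrowToAzureAD -and $recovery.Count -gt 0) {
        foreach ($rp in $recovery) {
            BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
        }
        $findings.Add("Escrowed $($recovery.Count) recovery password protector(s) to Azure AD.")
    }

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = "$($vol.VolumeStatus)"
        ProtectionStatus = "$($vol.ProtectionStatus)"
        EncryptionMethod = "$($vol.EncryptionMethod)"
        Protectors       = ($types -join ', ')
        Findings         = $findings
    }
}

Test-BitLockerPolicyState -SilentEnablement | Format-List
```

An empty Findings list on a pilot device means the profile's silent enablement assumptions hold there; a non-empty list tells you which row of the tables above to revisit before assigning the profile more widely.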

macOS (FileVault)

Encryption

Configuration Setting | Options | Definition
Enable FileVault | Yes / Not Configured | If not already enabled, FileVault is enabled at the next logout.
Recovery key type | Personal recovery key | Determines which type of recovery key is generated for the device.
Personal recovery key rotation | Not configured / number of months | Specifies how frequently, in months (1-12), the device's personal recovery key is rotated.
Escrow location description of personal recovery key | Text | A short message to the user that explains how they can retrieve their personal recovery key. This text is inserted into the message the user sees when enabling FileVault.
Number of times allowed to bypass | Not configured / 1-10 / No limit, always prompt | Set the value to -1 to disable the setting. Set the value to 0 to always prompt the user to enable FileVault, although they can ignore the prompt. Set the value from 1 to 10 to allow the user to bypass the prompt that many times before they are required to encrypt the device.
Allow deferral until sign out | Yes / Not Configured | Defers the prompt until the user signs out. Only Yes is supported.
Disable prompt at sign out | Yes / Not Configured | Disables the prompt for the user to enable FileVault when they sign out.

Once you have selected your required configuration:

Define the Scope Tags (if in use within your environment)
Define the Assignment to your selected groups
Review and Create

This completes the list of configurations available in Microsoft Endpoint Manager for Disk Encryption.

Regards
The Author – Blogabout.Cloud

Implementing Windows Information Protection

Windows Information Protection enables organizations to draw a clear line between personal data and corporate data. When implementing Windows Information Protection (WIP) you may find that apps not recognized as corporate apps lose the ability to write data to corporate-protected applications and data stores. For example:

You are using GitHub and storing the cloned repos into your OneDrive Known Folders and WIP gets enabled to “Block” access.

That lovely GitHub repo you want to clone will now be blocked 🙁

So how do we implement Windows Information Protection in a way that keeps the organization secure without breaking workflows like this one?

Let's start with WIP Learning

First of all, you need to configure an App Protection policy within Microsoft Endpoint Manager for all the apps you want to protect with WIP, as shown below.

WIP Learning is a report that allows you to monitor your WIP-enabled apps and WIP-unknown apps. The unknown apps are the ones not deployed by your organization’s IT department. You can export these apps from the report and add them to your WIP policies to avoid productivity disruption before they enforce WIP in “Block” mode.

In addition to viewing information about WIP-enabled apps, you can view a summary of the devices that have shared work data with websites. With this information, you can determine which websites should be added to group and user WIP policies. The summary shows which website URLs are accessed by WIP-enabled apps.

When working with WIP-enabled apps and WIP-unknown apps, we recommend that you start with Silent or Allow Overrides while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, Block.

What are the protection modes?

Block

WIP looks for inappropriate data sharing practices and stops the user from completing the action. Blocked actions can include sharing info across non-corporate-protected apps, and sharing corporate data between other people and devices outside of your organization.

Allow Overrides

WIP looks for inappropriate data sharing, warning users when they do something deemed potentially unsafe. However, this mode lets the user override the policy and share the data, logging the action to your audit log.

Silent

WIP runs silently, logging inappropriate data sharing, without blocking anything that would have been prompted for employee interaction while in Allow Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.

Switching on WIP

Browse to your App Protection Policy and go to its Properties; under Required Settings you will be able to select which mode you would like to enable for your organization. Please Note: You will need to define your “Corporate Identity”; if you have multiple domains they can be added as ‘Protected domains’ under ‘Network perimeter’ in the ‘Advanced settings’ tab.

Once you have done an initial pilot to discover the applications being used to access corporate data, you can generate a report from Apps –> Monitor –> App Protection Status –> Reports –> App Learning report for Windows Information Protection. In my case I can see that my GitHub application has been discovered.

Now that you have your report you are able to create the required exceptions to ensure the non-corporate applications can access corporate data.

Regards
The Author – Blogabout.Cloud

Unleashing the power of Microsoft Endpoint Manager against OneDrive for Business


It's time to unleash the power of Microsoft Endpoint Manager against OneDrive for Business. If you are licensed for Microsoft Intune you have so many cool features and policies available to you when it comes to configuring OneDrive for Business. In my role as an IT Architect I am seeing more and more customers moving their data to the cloud and leveraging all the functionality available from Microsoft Endpoint Manager.

One of the biggest changes in behaviour I have seen is moving Group Policies to Microsoft Endpoint Manager. Administrative Templates is an excellent solution that has grown not only in popularity but in functionality as well. An easy way of finding out if you can move your current on-premises Group Policies to Microsoft Intune is available on GitHub. If you haven't come across it yet, please check out MMAT on GitHub. It is one of the most powerful tools for gathering data on what is supported via Microsoft Endpoint Manager.

https://github.com/WindowsDeviceManagement/MMAT

Administrative Templates

Administrative Templates is a growing function within Microsoft Endpoint Manager; in recent times it has included more and more great functionality, which covers the following;

– Windows
– Office
– Edge

As we are focusing on just OneDrive, let's have a look at what is available to us today. Currently we have 31 different settings available for OneDrive for Business, and when I am working with my customers I always recommend looking at the following settings;

– Disable the tutorial that appears at the end of OneDrive setup
– Prevent users from changing the location of their OneDrive folder
– Prevent users from fetching files remotely
– Prevent users from moving their Windows known folders to OneDrive
– Prevent users from syncing personal OneDrive accounts
– Set the default location for the OneDrive folder
– Silently move Windows known folders to OneDrive
– Silently sign in users to the OneDrive sync client with their Windows credentials

Policies for Office Apps

This is a new kid on the block and currently has only one policy for OneDrive for Business, but expect this to change massively over the course of 2020.

And that's your lot; please check out what Microsoft Endpoint Manager can do for you today, as you may be pleasantly surprised how powerful the Microsoft Cloud has become.

Regards
The Author – Blogabout.Cloud

Enabling BitLocker for Windows 10 1903 or higher devices using Microsoft Endpoint Manager


In a world where security and encryption are becoming more and more important for organisations, it's safe to say Microsoft is doing its part in empowering businesses to protect their corporate data on end user devices.

Today we are going to look at how easy it is to enable BitLocker for your corporate devices using Microsoft Endpoint Manager.

So once you have logged into https://devicemanagement.microsoft.com you will need to browse to Devices –> Configuration Policies –> Create Profile

Select Windows 10 or Higher and Endpoint Protection, you will need to provide a profile name in order to save this configuration once complete.

As you can see below, once you go into Endpoint Protection –> Windows Encryption you are able to configure the ability to encrypt your Windows 10 devices. Ensure you read all configuration options to understand how the behaviour will affect your end user computers.

Once you've assigned this new profile, the device will start encrypting at its next check-in.

Regards
The Author – Blogabout.Cloud

Enforcing Cloud Password Policy for Password Synced Users


Did you know that Enforce Cloud Password Policy for Password Synced Users exists, and that it is disabled by default? This means that any user you sync using Azure Active Directory Connect will not have an expiration timer set against their account. This can be a nightmare for an organization that has strict password policies.

So let's switch it on and get the policy applied to all your synced users.

First of all, you will need to run the following command after you have run Connect-MsolService

PowerShell Command

Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable $true

You can verify all your users by running the following commands

PowerShell Command

# Output all users to the PowerShell console
# -All $true is needed; without it Get-AzureADUser only returns the first page of users
Get-AzureADUser -All $true | Select-Object DisplayName, DirSyncEnabled, PasswordPolicies, AccountEnabled

# Output all users where DirSyncEnabled equals True
Get-AzureADUser -All $true | Where-Object { $_.DirSyncEnabled -eq $true } | Select-Object DisplayName, DirSyncEnabled, PasswordPolicies, AccountEnabled

Now let’s apply the following script to ensure that the Password Policy is not disabling password expiration.

PowerShell Command

# PasswordPolicies can contain more than one value (e.g. "DisablePasswordExpiration, DisableStrongPassword"),
# so match on the substring rather than the exact string
Get-AzureADUser -All $true | Where-Object { $_.DirSyncEnabled -eq $true -and $_.PasswordPolicies -like '*DisablePasswordExpiration*' } | ForEach-Object {
    Set-AzureADUser -ObjectId $_.ObjectId -PasswordPolicies None
}
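Before flipping the switch, I like to know how many synced users are affected and whether the feature is actually on. The following is an added example, not part of the original post: it reports the DirSync feature state and the synced users still carrying DisablePasswordExpiration, and only clears the policy when -Apply is passed. It assumes Connect-MsolService and Connect-AzureAD have already been run.

```powershell
# Added example: audit synced users' password policies before and after enabling
# EnforceCloudPasswordPolicyForPasswordSyncedUsers. Assumes MSOnline and AzureAD sessions exist.
function Get-SyncedPasswordPolicyReport {
    [CmdletBinding()]
    param(
        # Only change anything when explicitly asked to
        [switch]$Apply
    )

    # Feature state from the MSOnline module (the feature toggled with Set-MsolDirSyncFeature)
    $feature = Get-MsolDirSyncFeatures -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers

    # -All $true is required: without it Get-AzureADUser returns only the first page of users
    $synced = @(Get-AzureADUser -All $true | Where-Object { $_.DirSyncEnabled -eq $true })

    # PasswordPolicies can hold several comma-separated values, e.g.
    # "DisablePasswordExpiration, DisableStrongPassword", so match on substring rather than -eq
    $noExpiry = @($synced | Where-Object { $_.PasswordPolicies -like '*DisablePasswordExpiration*' })

    if ($Apply) {
        foreach ($u in $noExpiry) {
            Write-Host "Clearing password policy for $($u.UserPrincipalName)"
            Set-AzureADUser -ObjectId $u.ObjectId -PasswordPolicies None
        }
    }

    [PSCustomObject]@{
        FeatureEnabled     = [bool]$feature.Enabled
        SyncedUsers        = $synced.Count
        UsersWithoutExpiry = $noExpiry.Count
        UsersToFix         = $noExpiry | Select-Object UserPrincipalName, PasswordPolicies
    }
}

# Report first; rerun with -Apply once you are happy with the list
$report = Get-SyncedPasswordPolicyReport
$report | Select-Object FeatureEnabled, SyncedUsers, UsersWithoutExpiry | Format-List
$report.UsersToFix | Format-Table -AutoSize
```

Run it once more after enabling the feature: FeatureEnabled should be True and UsersWithoutExpiry should drop to zero once the policy has been cleared.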

Regards
The Author – Blogabout.Cloud

Getting the most out of GitHub for Microsoft UC Administrators


As a big fan of automation and GitHub, I believe it's time a lot of IT Professionals install and adopt GitHub. It provides a wealth of powerful tools and information about the Microsoft services we all use today.

Even Microsoft Docs are stored in GitHub and you are able to contribute to the file if you identify something that isn’t 100% correct, allowing the owners to approve or reject your change request. I know this as I have helped with a number of docs pages in recent times.

Pay a visit to the following site and you will obtain a wealth of knowledge you need for Lync, Skype and Teams https://github.com/MicrosoftDocs/OfficeDocs-SkypeForBusiness

You can even clone the Repo to your end user computer with GitHub Desktop. https://desktop.github.com/

Cloning the repo allows you to keep all the information in an offline mode and when updates are available you can just pull them down.

Regards
The Author – Blogabout.Cloud

Detect, Remove, Update your Windows AutoPilot PowerShell Module


In my experience, updating a PowerShell module doesn't always remove the previous version, so let's do this the PowerShell way.

The script is available at https://github.com/TheWatcherNode/blogaboutcloud
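For readers who want to see the detect, remove and update steps spelled out, here is an added example of my own; it is not the script published on the author's GitHub. It assumes the module in question is WindowsAutoPilotIntune from the PowerShell Gallery and that you run it from an elevated console.

```powershell
# Added example (not the author's script): detect every installed version of the
# WindowsAutoPilotIntune module, remove stale copies and install or update to the current release.
function Update-AutoPilotModule {
    param([string]$Name = 'WindowsAutoPilotIntune')

    # Detect: all installed versions, oldest first
    $installed = @(Get-InstalledModule -Name $Name -AllVersions -ErrorAction SilentlyContinue |
                   Sort-Object Version)
    if (-not $installed) {
        Write-Host "$Name not installed, installing latest"
        Install-Module -Name $Name -Force
        return Get-InstalledModule -Name $Name
    }

    # Remove: uninstall every version except the newest one currently installed
    $latestInstalled = $installed[-1]
    foreach ($m in ($installed | Where-Object { $_.Version -ne $latestInstalled.Version })) {
        Write-Host "Removing $Name $($m.Version)"
        Uninstall-Module -Name $Name -RequiredVersion $m.Version -Force
    }

    # Update: only if the gallery has something newer than what is installed
    $online = Find-Module -Name $Name
    if ($online.Version -gt $latestInstalled.Version) {
        Write-Host "Updating $Name $($latestInstalled.Version) -> $($online.Version)"
        Update-Module -Name $Name -Force
        # Update-Module leaves the previous version on disk, so remove it as well
        Uninstall-Module -Name $Name -RequiredVersion $latestInstalled.Version -Force
    }

    # Return what is left so the caller can confirm a single, current version
    Get-InstalledModule -Name $Name
}

Update-AutoPilotModule
```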

Regards
The Author – Blogabout.Cloud

Microsoft Endpoint Manager – Converting your Windows 10 Pro devices to Enterprise


Hello Readers,

Recently during a rollout of Microsoft Endpoint Manager, I noticed that my configured Lockscreen and Desktop background were not being applied to my newly enrolled Windows 10 devices. 🙁 After a bit of investigation I noticed that the device was running as Windows 10 Pro, even though the image used to build the machine was Windows 10 Enterprise.

Launch https://devicemanagement.microsoft.com and browse to Device –> Configuration Profiles –> New
– Name = Provide a name
– Description = (Optional)
– Platform = Windows 10 and later
– Profile Type = Edition upgrade and mode switch
– Settings = Select Windows 10 Enterprise and provide your key

Now assign the policy to the affected devices and you will have Windows 10 Enterprise devices.

Regards
The Author – Blogabout.Cloud

Obtaining your ImmutableID the easy way because hard matching is a nightmare


Imagine your company has just been bought by another organization. The acquiring company wants you using Office 365 services as quickly as possible, so they create you a Cloud Only Account to leverage their existing tenant. Now imagine you are 12 months into the acquisition and you want to have a single sign-on experience for your end-users.

Now you have a dilemma on your hands, as your primary user principal name on-premises is different from your UPN in the Azure Tenant.

WHAT DO YOU DO!!!

What did I do??

You engage your Windows PowerShell Console in Administrator Mode and teleport in the Get-ImmutableID.ps1 PowerShell script

Engage!!!
New Features coming soon!!

With this script, you are able to download all the ImmutableIDs from your local Active Directory into a single CSV file to your desktop.

Please Note:

If there are additional fields you would like to see in this script, please submit an update via Github or email alerts@blogabout.cloud

You will need some manual intervention matching your on-premises AD Users and AAD Users but once this is complete you will be able to run the following script to set the ImmutableID in your Azure Active Directory.
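For anyone wanting to build that CSV without the author's Get-ImmutableID.ps1, here is an added example of my own showing where the value actually comes from: by default Azure AD Connect uses the on-premises objectGUID, Base64-encoded, as the ImmutableID. It writes a CSV with the PrimarySMTPAddress and ImmutableID columns the set script below expects, and assumes the ActiveDirectory RSAT module on a domain-joined machine; the column names and output path are my choice.

```powershell
# Added example (not the author's Get-ImmutableID.ps1): derive ImmutableIDs from on-premises AD.
# Assumes the ActiveDirectory module (RSAT) on a domain-joined machine.
Import-Module ActiveDirectory

function ConvertTo-ImmutableId {
    # Default source anchor used by Azure AD Connect: objectGUID bytes, Base64-encoded
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    # Reverse mapping, handy for checking an ImmutableID already present in Azure AD
    param([Parameter(Mandatory)][string]$ImmutableId)
    [guid]::new([Convert]::FromBase64String($ImmutableId))
}

function Export-ImmutableIdCsv {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [string]$Path = "$env:USERPROFILE\Desktop\ImmutableIDs.csv"   # assumed output location
    )
    # Only mail-enabled users; the mail attribute is what you match against the Azure AD account
    Get-ADUser -Filter 'mail -like "*"' -SearchBase $SearchBase -Properties mail, objectGUID |
        ForEach-Object {
            [PSCustomObject]@{
                SamAccountName     = $_.SamAccountName
                PrimarySMTPAddress = $_.mail
                ObjectGUID         = $_.ObjectGUID
                ImmutableID        = ConvertTo-ImmutableId -ObjectGuid $_.ObjectGUID
            }
        } | Export-Csv -Path $Path -NoTypeInformation
    $Path
}

# Sanity check of the round trip on a constructed GUID (needs no AD access)
$g  = [guid]'12345678-1234-1234-1234-123456789abc'
$id = ConvertTo-ImmutableId -ObjectGuid $g
if ((ConvertFrom-ImmutableId -ImmutableId $id) -ne $g) { throw 'ImmutableID round trip failed' }

Export-ImmutableIdCsv
```

The PrimarySMTPAddress column is the manual matching point mentioned above: if the mail attribute differs from the Azure AD UPN, edit that column before feeding the CSV to the set script.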

PowerShell Script

#region File Path
# Get-Filename is a helper from the author's script (not a built-in cmdlet); it returns the path of the CSV to import
$Filepath1 = Get-Filename -initialdirectory "$env:USERPROFILE\Desktop"
$csv1 = Import-Csv -Path $Filepath1
#endregion

Start-Transcript "$env:USERPROFILE\Desktop\SetAllUserAADtest.txt"

ForEach ($user in $csv1) {
    Try {
        # -ErrorAction Stop so a missing user throws and lands in the Catch block
        Get-AzureADUser -ObjectId $user.PrimarySMTPAddress -ErrorAction Stop | Out-Null
        Set-AzureADUser -ObjectId $user.PrimarySMTPAddress -ImmutableId $user.ImmutableID
        Write-Host "Success:", $user.PrimarySMTPAddress, "was found and set with", $user.ImmutableID -BackgroundColor DarkGreen
    }
    Catch {
        Write-Host "ERROR:", $user.PrimarySMTPAddress, "could not be found" -BackgroundColor DarkRed
    }
}

Stop-Transcript

While this is tried and tested in my own deployments, I am unable to take responsibility for any potential issues you may encounter. Keep safe with responsible scripting; always test in a lab environment first.

Regards
The Author – Blogabout.Cloud