Allowing extensions with Edge Baseline

image

One of the handy things that Microsoft has now enabled is the ability to control the modern Edge browser (i.e. the one based on Chromium) via policy and services like Intune. In fact, if you visit Intune and look for Security Baseline you’ll find a new Microsoft Edge Baseline policy as shown above.

image

There are lots of great settings you can enforce by using this baseline to create a policy as you can see above.

I enabled the policy without making any changes initially so I could determine the impact, if any. It turns out that the default baseline actually disables any and all existing browser extensions you may have and also prevents you from adding new extensions.

I understand that this approach makes your environment more secure but I really can’t live with both the Lastpass and GetPocket extensions.

image

Unfortunately, by default with the baseline policy, these got blocked as you see above. This meant that I needed to adjust the policy.

image

As it turned out, you need to set the option:

Control which extensions can be installed = Not Configured

Just disabling and removing other options didn’t seem to do the trick.

image

After making that change and forcing the updated policy to sync to the workstation, I was back in business as you see above. I didn’t need to do anything in the browser, the previously disabled extensions were re-enabled automatically.

Enabling extensions is the only change I have made to the default baseline policy so far and now everything is working as expected and is more secure which I like.

I’d like the option to select ‘approved’ extensions so the baseline policy could be applied in total. Hopefully, that feature will make an appearance in the policy soon as I think many will want it. However, this is a quick and easy way to lock down the new Edge browser and another reason that, like me, it is my primary browser.

Need to Know podcast–Episode 219

We are just past Halloween and it’s time for something that seems to scare most people who administer Microsoft 365. PowerShell. However, to hold your hand while we dive deep we have one of the best in the business – Elliot Munro from GCITS – to guide you. Also, Brenton and I bring you all the latest news from the fire hose of Microsoft Ignite 2019, so much so that we’ll have more next time. Holey moley, there’s lots in the episode, so lean back, listen in and enjoy.

This episode was recorded using Microsoft Teams and produced with Camtasia 2019

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-219-elliot-munro/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

Elliot Munro

@contactbrenton

@directorcia

Introducing the new Edge and Bing

Microsoft 365 Productivity score

New Office Mobile App

Microsoft Fluid Framework

Introducing Microsoft 365 Business voice to UK and Canada

What’s new in Microsoft Teams from Ignite

Microsoft Endpoint Manager vision

The future of Yammer

Empower your people with Project Cortex

Check off your To-Do tasks in Teams

Security and Compliance announcements from Ignite

Their sacrifice shall live on

We pause today to remember all of those who gave their lives in war. Soldiers, sailors, airmen, civilians and more. We pause to remember lives cut short. Today, at 11am on the 11th of November is the anniversary of the end of World War One in 1918. An anniversary of the first conflict where war truly became industrialised. Where weapons more than men had the advantage on the battlefield and a few could now kill so many thanks to the power of modern weapons.

The Australian landings at Gallipoli in 1915 are largely credited with giving ‘birth’ to Australia as a nation. They marked the beginning of a commitment of 313,814 Australians to the war of which around 53,000 died in France and Belgium alone. 152,171 were also wounded in this theatre as well, so the impacts on a young nation were marked.

It is not only the past that we remember today, it is also the ongoing service of those that protect us today. Not just soldiers, sailors and airmen but emergency workers and more. Their service, like their forebears, stands as a shining beacon of what can be achieved with the service to others. We don’t honour the methods or the reasons, we honour those that chose to serve. Those that put themselves in harm’s way for others. Those who were asked to perform a duty for others and did so without question, with many paying the ultimate price.

This is why we remember them. This is why we today pause and say:

Lest We Forget

for there would be nothing more tragic or disrespectful than to neglect to say ‘thank you’ to those that made our world a better place to be and gave us the opportunity to enjoy it. If nothing else, we owe them that. So today, take a moment to pause, reflect, say thank you and hopefully ask how you can make the world a better place in some small way as a way of honouring those who did not return because, sadly, there are still those suffering.

For more information on the Australian battlefields of World War One visit my website www.anzacsinfrance.com.

Governance is always important

There are many times I’m called in to help people design their Microsoft 365 compliance environment. In other words, help with SharePoint, Teams, etc. I generally use my trusty framework that I have spoken about here before:

A framework for file migrations to Microsoft 365

Most of the time I find that people have already ‘given it a go’ themselves but generally ‘mucked it up’ and that’s the reason I’m now there.

I have no issues if someone has in fact ‘mucked it up’ because at least they have tried and it is generally easy to rectify. What I do seriously wonder about is the response to the first question I ask them – ‘Why did you do it that way?’.

The answer to this question I receive is generally a blank stare or silence, even a shoulder shrug. I point out that this is largely why things have been ‘mucked up’ in the first place, because there was no governance.

In short, what I really want to see with collaboration in Microsoft 365 is the fact that thought has been invested beforehand. Why? Simple. A collaboration system in Microsoft 365 is something you build, not something you buy or that magically appears. Microsoft 365 gives you the tools to create the best system in the world for you. Tailored exactly to your business. Uniquely flexible for your business. Able to adapt to your needs, unlike any off the shelf system. However, it can never achieve that if it doesn’t know who you are and what you want. You have to tell it (via governance) what you want it to be. In short, it is clay that you need to mould and governance tells you the shape into which you want to mould it.

Like any good project, the secret is to stop and think before acting. Planning before diving in makes a world of difference to the outcome. But most importantly, write down what you want to achieve! The one common thing about EVERY ‘mucked up’ Microsoft 365 collaboration project I see is simply the lack of documentation prior to commencement.

This documentation doesn’t have to be complex or involved and should be at the very minimum a single page that defines the ‘need’ for a collaboration system. What business pain point does it need to solve? What are the expected benefits? Why will it be used? Think of this document like a specification for the project, the plans if you like. You’d never build a house without foundations and plumbing before you put the walls up now would you? A plan helps make sure that you know what the desired outcome is, helps you understand how to get there and how to avoid problems along the way. Without that, you are building something effectively blindfolded.

That one page governance document should hopefully be born before the Microsoft 365 collaboration project even starts. However it is by no means a static document. It is a living breathing entity. It should be added to, edited, enhanced, expanded constantly. But above all else, it should become the single point of truth for why we have this thing. Having such a document is both a guide and a reference. As you move through the various stages of development, which occur over a period of time, you can reference this document and understand the reasons for doing things the way you did. As the system grows it again becomes the reasons for what you are looking to achieve and how you approached that. If you don’t already have a governance document for your Microsoft 365 collaboration environment, then now is always the best time to start one.

The importance of this is that at some stage, maybe, the people initially charged to build the collaboration system move on or there is a decision to outsource or change builders. If you have a document that sets out your manifesto for the Microsoft 365 collaboration system it is so much easier for everyone involved. Everyone is on the same page and knows where to go to get answers if needed. That’s what I want to see if I become involved as a ‘collaboration consultant’. It means I can quickly understand what you want Microsoft 365 to achieve for your business. It is the platform on which your future solution is built. Remember, collaboration in Microsoft 365 is not a product you buy, it is a solution you build.

Sadly, even the most generally organised business overlooks the need to have governance in any Microsoft 365 collaboration system. Governance at the very least should be everyone’s understanding of what the project is and what the aim is. The best way to achieve that is to write it down beforehand! Without it, there is no single reference point that can be used to guide the outcome and things unsurprisingly get ‘mucked up’.

As they say – ‘failing to plan, is planning to fail’. Governance is important for Microsoft 365 collaboration, if for nothing else because it is succeeding through planning!

CIAOPS Need to Know Microsoft 365 Webinar–November

We are expecting a big month in November with news from the Microsoft Ignite event. I’ll do my best to provide you a summary of all the important announcements before we dive deep into all the automation options that are available in Microsoft 365. You’ll actually be surprised at how many there are! There will also be the opportunity to ask questions on your burning Microsoft 365 and Microsoft Cloud topics. You won’t want to miss this month!

You can register for the regular monthly webinar here:

November Webinar Registrations

The details are:

CIAOPS Need to Know Webinar – November 2019
Thursday 28th of November 2019
10.30am – 11.30am Sydney Time

All sessions are recorded and posted to the CIAOPS Academy.

The CIAOPS Need to Know Webinars are free to attend but if you want to receive the recording of the session you need to sign up as a CIAOPS patron which you can do here:

http://www.ciaopspatron.com

or purchase them individually at:

http://www.ciaopsacademy.com/

Also feel free at any stage to email me directly via director@ciaops.com with your webinar topic suggestions.

I’d also appreciate you sharing information about this webinar with anyone you feel may benefit from the session and I look forward to seeing you there.

Need to Know podcast–Episode 218

I talk to industry veteran and Microsoft MVP Tony Redmond about a variety of topics including Exchange Online, Teams, PowerShell as well as his fantastic Office 365 administration eBook offering. He shares lots of great insights on a variety of Microsoft offerings. Brenton and I also talk about news and updates in the Microsoft Cloud and get you ready for what we are potentially expecting from the upcoming Microsoft Ignite conference. Listen along and get ready for the tsunami from Microsoft Ignite.

This episode was recorded using Microsoft Teams and produced with Camtasia 2019

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-218-tony-redmond/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

@12knocksinna = Tony Redmond

@contactbrenton

@directorcia

Tony’s blog

Office 365 for IT Pros eBook

Surface laptops are finally repairable

Microsoft’s cloud earnings

CIAOPS MS-101 online training course now available

New Microsoft partner CSP agreement

Microsoft acquires Mover.io

How to check user sign in history

Tamper protection in Microsoft Defender ATP

End user self service for Power Platform

What is Microsoft 365 Business [VIDEO]

Call of Duty – Modern Warfare

What you need for Windows Virtual Desktop (WVD)

Windows Virtual Desktop (WVD) is now generally available and I’ll be covering off how to set it up in upcoming articles. However, before you even login to your Azure tenant to start setting this up, here’s what you’ll need:

1. A Windows Virtual Desktop license for every user who wants to use the service. These come with all Microsoft 365 and Windows E3 and E5 suites.

2. A paid Azure subscription. The majority of the cost of the WVD service will be your Virtual Machine hosts. The cost of these will vary on how many you want to use and how long they run for.

3. Azure Active Directory. The users who access the WVD service need to be in Azure AD. These users can be cloud only or synced from on premises using Azure AD Connect.

4. A Domain Controller (DC). At this point in time the WVD still requires a ‘traditional’ domain controller to allow the VMs to connect to for access. If you only have cloud users then the easiest option to achieve this is to add Azure AD Domain Services. If you already have an on premises Domain Controller (DC) you’ll need a Site to Site (S2S) VPN to link your on premises network to Azure. Note, that if you have an on premises DC that is using Azure AD Connect you can’t just add Azure AD Domain Services because Azure AD Connect doesn’t sync ‘traditional’ DC attributes. So, if you have an on premises DC, even if it is already using Azure AD Connect, you’ll still require a S2S VPN to Azure to allow the WVD service to connect VMs to that domain.

5. Azure AD tenant ID. Each Azure AD has a unique number which you can get from the web interface or via PowerShell. This is because it is possible to have multiple AD’s inside Azure and each can be configured and connected differently. The WVD service will need to know which specific Azure AD to connect to when provisioning.

6. Azure Subscription ID. The costs of the WVD service need to be applied against a unique subscription inside Azure. Again, remember it is possible to have multiple independent subscriptions inside an Azure tenant. The WVD setup will need to know which subscription to bill for the service.

7. Azure tenant admin account. This will typically be a global administrator of your Azure environment. This will typically be the user who sets up, configures and manages WVD. They will also typically be an administrator of the domain that is connected to Azure AD.

8. Domain join account. This is an account that has the rights to join machines to the domain. The WVD service will create a number of VMs that need to be connected to the domain so that users on the domain can login to these machines in your WVD environment. You may wish to have a domain join user who is not a global administrator for security reasons but you should also be aware of the potential password requirement differences between your domain user and the Azure admin account. You may wish to use the same Azure admin account as your domain join account. If so, just beware of the password requirement policy for these.

image

As you can see above, the domain join account password has to be at least 12 characters long, plus 3 of the following – 1 lower case character, 1 upper case character, 1 number, a special character. That requirement may be different from what your Azure AD or on premises AD requires. My recommendation would be to create a stand alone domain join account that meets the requirements and is only used for joining machines.

9. Azure Virtual Network (VNET). You’ll need a pre-existing VNET for the WVD machines to connect to. When you implement Azure AD Domain Services or a S2S VPN to connect an on premises DC, you’ll need a VNET. Make sure you understand the IP addressing and subnetting of your Azure VNET when you create it, as changing it later can be very painful.

10. Appropriate skill set. WVD requires a range of skills and understandings including:

– Identity management

– Azure AD

– PowerShell

– Azure IaaS including VNETs, VMs, Storage, etc

– Networking

– Azure backup, imaging, etc

Can you bumble your way through without these? Maybe, but life will be much easier if you do have these skills and really, if you are planning to work in the Microsoft Cloud environment, these should be considered mandatory.

There you have it, ten pre-requisite items to get sorted before you launch into creating a WVD for yourself. Get these sorted prior and your installation will be much smoother!

As I said, I’ll have upcoming articles on how to set this up, so stay tuned.
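
The domain join account password rule from item 8 (at least 12 characters, plus 3 of the 4 character classes) can be checked before a WVD deployment is started. The PowerShell below is an added example, not part of the original post or of any Microsoft tooling; the function name `Test-DomainJoinPassword`, the sample strings, and the choice to treat any character that is not an ASCII letter or digit as 'special' are assumptions.

```powershell
# Added example: pre-flight check of a candidate domain join password against
# the rule quoted in item 8 (>= 12 characters and 3 of 4 character classes).
function Test-DomainJoinPassword {
    [CmdletBinding()]
    param(
        # SecureString keeps the candidate out of command history and transcripts.
        [Parameter(Mandatory)]
        [System.Security.SecureString] $Password
    )

    # Unwrap only inside the function; the plain text is never returned.
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password

    # The four classes from the rule. -cmatch is case-sensitive.
    # Assumption: 'special' means anything that is not an ASCII letter or digit.
    $classes = [ordered]@{
        LowerCase = $plain -cmatch '[a-z]'
        UpperCase = $plain -cmatch '[A-Z]'
        Number    = $plain -cmatch '[0-9]'
        Special   = $plain -cmatch '[^a-zA-Z0-9]'
    }
    $met     = @($classes.GetEnumerator() | Where-Object { $_.Value }).Count
    $missing = @($classes.GetEnumerator() | Where-Object { -not $_.Value } |
                 ForEach-Object { $_.Key })

    [pscustomobject]@{
        LengthOk       = $plain.Length -ge 12
        ClassesMet     = $met
        MissingClasses = $missing -join ', '
        Compliant      = ($plain.Length -ge 12) -and ($met -ge 3)
    }
}

# Constructed sample values for illustration only, not real credentials:
#   'Summer2019'          too short (10 characters)
#   'correcthorsebattery' long enough, but only one character class
#   'Wvd-Join-Acct-2019'  18 characters, all four classes
$samples = 'Summer2019', 'correcthorsebattery', 'Wvd-Join-Acct-2019'
foreach ($s in $samples) {
    $secure = ConvertTo-SecureString $s -AsPlainText -Force
    Test-DomainJoinPassword -Password $secure | Format-List
}
```

In real use, supply the candidate with `Read-Host -AsSecureString` rather than a literal string so it is never written into a script file.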