Need to Know podcast–Episode 211

Where’s Brenton? Share your thoughts here –

Microsoft has rolled back it’s recent planned partner changes. we have some new Intune security baseline policies to try (and troubleshoot) and Teams leads Slack in user numbers. I speak with Marc Kean to get the low down on what Azure storage is all about. All this and a lot more on this episode.

This episode was recorded using Microsoft Teams and produced with Camtasia 2019

Take a listen and let us know what you think –

You can listen directly to this episode at:

Subscribe via iTunes at:

The podcast is also available on Stitcher at:

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.




Updates to partner program (again)

Microsoft Intune announces security baselines

Exchange Online PowerShell WinRM issue

What is Azure Lighthouse?

Without-enrollment and Outlook for iOS and Android

Teams reaches 13 million active users

Planner and To-Do integration

New PowerApps and Flow licensing

Azure storage

Azure File Sync

Exchange Online PowerShell WinRM issue


I went into my PowerShell ISE today, as I always do, and tried to connect to Exchange Online. However, as you can see from the above error message:

Connecting to remote server failed with the following error message: The WinRM client cannot process the request.

I couldn’t connect! Why was this I wondered? It was working last time. I then proceeded to waste a good amount of time trying to troubleshoot WinRM errors to no avail. Only at the point of frustration did I actually read more of what the error message actually said:

Basic authentication is currently disabled in the client configuration. Change the client configuration and try the request again.

I then tried to connect to Exchange Online via PowerShell using another machine of mine and received the same error. I then tried a VM in Azure and that worked fine. It was at this point that I started to suspect it was something to do with my Intune policies as the Azure VM was stand alone.

I had just recently implemented the Security Baselines provided by Microsoft.


I was working my way through some of the reports of conflicts and misconfigurations by adjust my existing best practices policies to suit. I didn’t appreciate that these Security Baselines actually implement policies that get pushed out to devices! I thought they just compared your settings to what Microsoft recommended as best practice.


When I went to the affected workstations and ran the command:

winrm get winrm/config/client/auth

I got the above in which you can see that the Basic auth setting is indeed set to false but that it is set by a GPO. Ok, so where is this GPO I wondered? Given that all the affected machines were Azure AD joined without a local domain controller it meant that the GPO was going to be Intune, as that is where the policies are pushed from in my case.


When I repeated that winrm command on a machine that worked I saw the above, Basic = true and no Source=”GPO”.

I then tried in vain to change the GPO locally using PowerShell and the GP console to alter the setting but with no luck.

Suspecting Intune and my policy fiddling, I totally disabled all configuration policies for the device but the problem continued. I then deleted the Security Baseline policies I had created and BAM, everything worked!

Ok, so the problem was the Security Baseline policies, but how? Well, it turns out that these Security Baselines actually do apply an additional policy to your devices once you enable it. Now my question was, where exactly does it do this and can I alter the Security Baseline if desired?


Turns out, that the location for what affected me is in the Remote Management section of the MDM Security Baseline policy as shown above.


Unfortunately, I had breezed over these options when I first set up the policy using the wizard. You can expand each of the options there and make adjustments if you need! D’Oh!

The lessons here are, firstly that if your implement the MDM Security Baseline or the Microsoft Defender ATP baseline, these will create policies and apply these to your environment. Secondly, you can customise these baselines if you wish, both during the creation process and afterward if you wish. Thirdly, you need to be careful with these policies as they set a lot of settings that you may not seem to immediately come from Intune.

I’ll spend some more time looking at these in detail and reporting back. My own personal best practice policies are pretty close to the Microsoft ones, but it is great that I can do a comparison between them and improve my own.

A frustrating self inflicted issue to resolve but I have learned much in nutting it out and I hope if you have the same issues that this information saves you the time I had to invest to resolve it!

CIAOPS Techwerks 8–Adelaide October 24


I am happy to announce that Techwerks 8 will be held in Adelaide on Thursday the 24th of October. The course is limited to 15 people and you can sign up and reserve your place now! You reserve a place by completing this form:

or  sending me an email ( expressing your interest.

The content of these all day face to face workshops is driven by the attendees. That means we cover exactly what people want to see and focus on doing hands on, real world scenarios. Attendees can vote on topics they’d like to see covered prior to the day and we continue to target exactly what the small group of attendees wants to see. Thus, this is an excellent way to get really deep into the technology and have all the questions you’ve been dying to know answered. Typically, the event produces a number of best practice take aways for each attendee. A special part of this event will be sessions by MVP Amy Babinchak as well as some other surprise guests.

Recent testimonial – “I just wanted to say a big thank you to Robert for the Brisbane Techworks day. It is such a good format with each attendee asking what matters them and the whole interactive nature of the day. So much better than death by PowerPoint.” – Mike H.

The cost to attend is:

Patron Level Price Inc GST
Gold Enterprise Free
Gold $ 33
Silver $ 99
Bronze $ 176
Non Patron $ 399

The CIAOPS Techwerks events are run regularly in major Australian capital cities, so if you can’t make this one or you aren’t in Adelaide on that date, stay tuned for more details and announcements soon. If you are interested in signing up please contact me via emails ( or complete the form:

and I can let you know all the details as well as answer any questions you may have about the event.

I hope to see you there.

CIAOPS Need to Know Microsoft 365 Webinar–July


It’s been a long time between drinks but the free CIAOPS Need to Know webinars are back. I’ve done a technology refresh, which means I’ll be attempting to use Microsoft Teams Live Events now. Given this is the first public attempt at this I welcome you to come along and watch all the stuff ups and gaffs that are no doubt going to plague me as I try and get the technology to work. It’ll be fun. Come join me and make this rebirth memorable.

You’ll also notice that I’ve re-branded the webinars to Microsoft 365, which means I’ll be looking deeper into this “new” service from Microsoft.

You can register for the regular monthly webinar here:

July Webinar Registrations

The details are:

CIAOPS Need to Know Webinar – July 2019
Thursday 26th of July  2019
11am – 12am Sydney Time

All sessions are recorded and posted to the CIAOPS Academy.

There of course will also be open Q and A so make sure you bring your questions for me and I’ll do my best to answer them.

The CIAOPS Need to Know Webinars are free to attend but if you want to receive the recording of the session you need to sign up as a CIAOPS patron which you can do here:

or purchase them individually at:

Also feel free at any stage to email me directly via with your webinar topic suggestions.

I’d also appreciate you sharing information about this webinar with anyone you feel may benefit from the session and I look forward to seeing you there.

Need to Know podcast–Episode 210

Brenton speaks with global Azure black belt Sarah Young about the new Azure Sentinel service. Of course we also update you on all the happenings in the Microsoft Cloud and there has been plenty of late, so listen along to get all the latest and learn about Azure Sentinel.

This episode was recorded using Microsoft Teams and produced with Camtasia 2019

Take a listen and let us know what you think –

You can listen directly to this episode at:

Subscribe via iTunes at:

The podcast is also available on Stitcher at:

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.


Sarah Young



Faster, with a modern design, and new features – the new Outlook on the web is here

Tracking failed logins with Cloud App Security

New Azure discount for CSP partners to come live in October

OneDrive Roundup – June 2019

Announcing question and answer in Yammer

First Microsoft Cloud regions in the Middle East now available

Step 10. Detect and investigate security incidents: top 10 actions to secure your environment

All 10 steps

Upload Bitlocker keys to Azure AD

Bitlocker is the Microsoft technology that allows you to full encrypt your Windows PC hard disk. This is a good thing as it provides additional security and protection for that device, especially if that device ever gets lost or stolen. Typically, Bitlocker will use the Trusted Platform Module (TPM) chip on your PC to provide the encryption key for BitLocker. This means that the user doesn’t have to type in a password to unlock their drive for use. Now having an automatically managed key raises a question, what happens if you actually need that key? If everything is automated and I never see the key how can I get access to it if needed? If, say, the original PC died and I wanted to recover the original encrypted drive how would I recover? To do that, you’d need the encryption key.

You can manually backup you BitLocker Recovery key to a file or USB drive however, if your device is Azure AD joined then that Recovery Key should be saved directly into Azure AD. Here’s how you check this.


If you are using something Microsoft 365 Business and Intune navigate to Intune inside the Azure portal. Select Devices.


Select All Devices.


Select the PC in question from the list.


Now select the Recovery keys option.


On the right you should see the Recovery keys listed. You’ll note here that I don’t see the expected BitLocker Key.


If you don’t see the Recovery Key for your device go to that device and open BitLocker management on your PC. Select the option to Back up your recovery key as shown.


Then select the option to Save to your cloud account as shown. This should then upload the Recovery Key to Azure AD, provided you have an Azure AD joined machine first of course.


If you return to the device in Intune and refresh the display, you should now see the Recovery key for you device as shown above.


If you do not have access to the Intune portal, perhaps because you are not an administrator, simply navigate to:

and login with your Microsoft 365/Office 365 credentials and view your profile. You should then see any registered device plus the option to get the BitLocker keys as shown. Remember BitLocker is for Windows devices, not iOS or Android.

Even though Azure AD joined machines should save BitLocker keys automatically, I’d suggest you go and have a look and make sure that they are indeed actually there! Best be sure I say.

Tracking failed logins using Cloud App Security

Previously, I have said that Office365/Microsoft Cloud App Security is

A great security add on for Microsoft 365

I’ve also detailed the differences in the plans here:

Cloud App Discovery/Security

What many people want to know more information about is failed logins to their tenant, so Cloud App Security to the rescue!


Start by navigating to the Cloud App Security Activity log as shown above. Then select the Advanced option in the top right as shown.


Doing so should reveal the ability to define filters as show above.

I’d also recommend that you go and define a “safe” range of IP addresses like I have detailed here:

Define an IP range in Cloud App Security

In my case I have defined some known safe IP’s as “Corporate”.


So the first line of my query basically excludes any of these known IP addresses in the results. That is, I’m looking for failed logins outside my corporate environment. This will generally exclude average users failing to login to their accounts inside my environment, which happens a lot. The idea with this is simply to reduce the noise of lots of alerts, but if you want to know about all failed logins to your tenant, just exclude this condition.


The second part of the filter is to show activities that equal ‘Failed log on’ as shown. You can customise this further if you want to make it more granular, but for now let’s track any failed login to the tenant.


So the final query should look like the above.


You should be not surprised to see the number of results you get as shown above. In my case, there are failed logins from the US, China, Russia, Italy, etc.

Now of course, I can drill into each item for more details but what I really want is a way for me to be alerted about these when they happen. Cloud App Security to the rescue again.


At the top of the results you should find a button as shown that says New policy from search, which you should select.


You should now see a page like shown above where you can define your policy. You’ll need to give it a name and description. You may want to increase the severity or change the category to suit. You can also select between single or repeated activity.


Now if you want an email alert then you’ll need to select the option Send alert as email and put in your email address as shown above. You may also want to change the Daily alert limit to suit your needs.

When you have completed the configuration, scroll to the bottom of the page and select the Create button.


You should now see that policy in the list in your tenant as shown above.

Cloud App Security is a really powerful tool that I believe is a must have for every Microsoft 365 tenant, because not only can you create your own custom queries but you can also convert those into alerts as I have shown.

MVP for 2019-20


I’m proud to say that Microsoft has graciously awarded me as a Most Valued Professional (MVP) for 2019 in the Office Servers and Services category. This makes it now eight awards in a row for me, which is very special and honouring. I thank Microsoft for this special award and acknowledge the responsibilities it entails.

However, this award is not possible without members of the community out there who take the time to do things like read my blog, watch my YouTube channel, attend events where I speak and more. Thanks everyone.

I’m committed to continuing to provide more information and insight into the fantastic products and services Microsoft creates. I can’t wait each day to see what new stuff Microsoft has brought us and how it can be implemented for users. With the rapid development rate in the cloud I am always amazed at all the new stuff that becomes available but it is really great to have that challenge of staying current.

Having attended my first MVP Summit this  year I’m looking forward to next year’s one so I can again visit Redmond and learn from Microsoft and fellow MVPs. Being an MVP is being part of a unique community of very dedicated and smart people who truly love to share their knowledge. I aim to live up to the example they set and continue to improve and grow. I congratulate all those who were also awarded for this year and look forward to seeing you at the MVP Summit in 2020.

But again, I thank Microsoft for this honour and will work hard to live up top the expectations it sets again for 2019-20 so I can make it nine years ins 2020!