Information about SharePoint, Microsoft 365, Azure, Mobility and Productivity from the Computer Information Agency
Slides from this month’s webinar are at:
April 2021 Microsoft 365 Need to Know Webinar
If you are not a CIAOPS patron you want to view or download a full copy of the video from the session you can do so here:
http://www.ciaopsacademy.com.au/p/need-to-know-webinars
Watch out for next month’s webinar.
A nice new option I just noticed in Defender for Endpoint web filtering. As shown above, you can now block users navigating to newly registered domains and parked domains that can be used for phishing attacks.
To set this, navigate to Settings, the under Rules select Web content filtering and create or adjust a policy to include all the Uncategorized options as shown above.
Microsoft has released a handy guide called
Windows 10 in cloud configuration
that walks you through a recommended best practice configuration of you Windows 10 devices using Endpoint Manager. what they are now doing, as highlighted by my video, is begin to roll this into a wizard inside the Endpoint Manager portal, allowing you to quickly and easily create and apply policies to protection your Windows 10 machines.
I believe this in only the beginning of what Microsoft plans to roll out and I expect to see lots more configuration coming very soon, not only for Windows 10 but also iOS and Android.
Watch this space.
If you visit Microsoft Endpoint Manager | Endpoint Security | Microsoft Defender for Endpoint and scroll down the page on the right you see the new section App Policy Protection Settings as shown above. Turning this ON will basically allow the state of Microsoft Defender on both Android and iOS to feed into your compliance policies.
Once you have enabled these settings visit Apps | App Protection policies and edit or create an policy. During this process you will find a Conditional launch section. If you then scroll down to the bottom of tat page you will the screen shown above where you can add the setting for Max allowed device threat option. This basically is the threat level you would allow on your device. If the threat level on a device goes above this then the selected action will take place. That action can either be Wipe or Block. Wipe is rather drastic, especially to start with, so Block is probably the best starting point.
You can read more about this new capability here:
Microsoft Defender for Endpoint risk signals available for your App protection policies (preview)
It is a nice integration we are beginning to see more of between device management and Defender for Endpoints.
I have spoken about things like Attack Surface Reduction (ASR) for Windows 10 and how easy they are to implement to improve the security of Windows 10:
Attack surface reduction for Windows 10
Another very important aspect of securing Windows 10 environments is to ensure that the audit policy settings are appropriate to capture the right information to help with any investigation. To that end, I have a free scripts available at:
https://github.com/directorcia/Office365/blob/master/win10-audit-get.ps1
which will show you the current audit policy settings in your environment like so:
As you can see from the above screen gab, many audit settings are not enabled out of the box. Please note, you’ll need to run the script as an administrator for it be able to report the audit policy settings.
You’ll find the best practice recommendations for audit policy settings from Microsoft:
and government departments like the Australian Cyber Security Center:
Hardening Microsoft Windows 10 version 1909 Workstations
Look for the section heading – Audit Event management in the above page.
As always, there are number of different ways to enable these best practice audit policy settings on your Windows 10 devices. To my mind using Microsoft Endpoint Manager that comes with offerings like Microsoft 365 Business Premium is the easiest.
And the quickest way to do this inside Microsoft Endpoint Manager is simply to apply the Windows 10 Security Baseline policies as shown above. To read more about this capability visit:
Use security baselines to configure Windows 10 devices in Intune
In fact, the results from my script are based on the settings found in the Windows 10 Security Baseline policy.
To read more about these security audit policies for Windows 10 I encourage you to take a look at:
Advanced security audit policy settings
and remember, you can configure these settings at the command line if you need to using the:
command, which is exactly what I used in my script to extract the current settings. However, deploying them using Microsoft Manager for Endpoint and baseline policies is going to be far easier across a fleet of devices.
I swear it was all working and now BOOM, it doesn’t! Using PowerShell I had been creating Endpoint Security policies but now those same policies were still being created but WITHOUT the configuration settings I had configured.
You can try this for yourself if you wish, without needing to code. Firstly visit the Microsoft Graph Explorer and authenticate.
Change the method to POST, set the API to beta and use the URL = https://graph.microsoft.com/beta/deviceManagement/templates/6cc38b89-6087-49c5-9fcf-a9b8c2eca81d/createInstance
Then in the Request body use the following:
https://gist.github.com/directorcia/6d8d2e5199c32b22b6fe782739447dc4
If you do you’ll find a new Endpoint Security Attack Surface Reduction – ASR rule has been created like so:
If you look at settings for this policy you’ll see:
all the settings are Not configured!
So, no errors during the POST but no settings! Strange.
If however you return to the Request body and change the word value to settingDelta as shown above and then run the same query.
Now, the Endpoint Security policy is created and the settings are configured.
So in summary, don’t use value any more it seems with the request body, use settingsDelta.
Recently, I did a video demonstrating how PowerShell can be used to automate Endpoint Management:
PowerShell with Endpoint Manager
I’ve now also created a video demonstrating how to automate Azure Conditional Access using PowerShell. As before, I am only making these scripts available via the CIAOPS Paton program.
In this video you’ll see me automatically backup up both Conditional Access locations and policies, then apply best practices locations and policies, finally restore the original policies, all using scripting.
Again, these scripts are not free and part of the CIAOPS Paton program. You’ll find my free stuff at https://www.github.com/directorcia.
Here is video demonstrating what I’ve been working of late. I am only making these scripts available via the CIAOPS Paton program.
The video will show you how I both create and erase policies via script, as well as generate a set of best practice policies and alternatively, importing them from previously saved policies. This saves a huge amount of time when compared creating and assigning policies manually.
Again, these scripts are not free and part of the CIAOPS Paton program. You’ll find my free stuff at https://www.github.com/directorcia.
CIAOPS 