Windows 10 mobile hot spotting

Annoyingly, I currently have an issues with my ADSL on my phone line. I am getting about a 25% packet loss, which effectively makes the connection unusable. I’ve done everything at my end to troubleshoot the issue and now it is up to the ISP to hopefully resolve the issue.

The problem is that I need internet to work! Luckily, I have a 4G mobile plan that includes unlimited (yes, I said unlimited data). I can easily turn my phone into a hot spot and connect my devices. Problem, is I then I can’t access my local resources and easily share between machines.

image

The solution I found is to turn my phone into a hot spot as normal and connect one of my devices that is on my internal network to it. I then share that device connection out using the hot spotting capabilities built into Windows as shown above.

image

On the other machines, I connect to the Windows 10 hotspot to gain Internet connectivity but I also go into these connections and change the option Set as metered connection to Off as shown above. This means the other Windows devices will see this Windows 10 hotspot like a LAN connection, thus giving it a higher priority for data than a ‘metered connection’.

Just to be 100% sure I have turned off the modem to my problem ADSL connection to ensure that traffic doesn’t try and head that way.

Now all my machines can work together as normal on the LAN but also be connected to the Internet via their own WiFi to the Windows hot spotted machine that is ‘sharing’ my 4G mobile connection.

In many ways, it is better that what I had with ADSL!

All the Defenders

knight

Microsoft unfortunately has quite a few products under the ‘Defender’ banner that I see causing confusion out there. Most believe that ‘Defender’ is only an anti-virus solution, but that could not be further from the case. Hopefully, I can show you here how broad the ‘Defender’ brand is here and hopefully give you a basic idea of what each ‘Defender’ product is.

To start off with there are products that are considered ‘Window Defender’ products, although I see the Windows and Microsoft brand intermingled regularly. Here is a list of specific ‘Windows Defender’ products:

Windows Defender Application Control – WDAC was introduced with Windows 10 and allows organizations to control what drivers and applications are allowed to run on their Windows 10 clients.

Windows Defender Firewall – By providing host-based, two-way network traffic filtering for a device, Windows Defender Firewall blocks unauthorized network traffic flowing into or out of the local device.

Windows Defender Exploit Guard – Exploit protection automatically applies a number of exploit mitigation techniques to operating system processes and apps.

Windows Defender Credential Guard –  Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.

In contrast, here are the ‘Microsoft Defender’ products :

Microsoft Defender Smart screen – Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files.

Microsoft Defender Antivirus – Brings together machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices in your organization.

Microsoft Defender Application Guard – helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet.

Microsoft Defender Security Center – is the portal where you can access Microsoft Defender Advanced Threat Protection capabilities. It gives enterprise security operations teams a single pane of glass experience to help secure networks.

Microsoft Defender Advanced Threat Protection – is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.

Microsoft Defender Browser Protection –  a non Microsoft browser extension helps protect you against online threats, such as links in phishing emails and websites designed to trick you into downloading and installing malicious software that can harm your computer.

So, as you can see, there are quite a lot of ‘Defender’ products out there from Microsoft. How and when you get each of these varies greatly as well as their capabilities, since most will integrate together. That however, is beyond the scope of this article but maybe something I explore in upcoming articles.

For now, just be careful to investigate what is actually meant when it says ‘Defender’ in the Microsoft space!

Resolving Windows Application Guard Issues

A while back I wrote about a issue I was having with Windows Defender Application Guard (WDAG). You’ll find it here:

Microsoft Defender App Guard issue

I have now managed to find a solution for this. In short, the issue, as it turns out, has to do with disk encryption. I found some information about the general issue here:

Why does my encryption driver break Windows Defender Application Guard?

which says:

Windows Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, WDAG will not work and result in an error message (“0x80070013 ERROR_WRITE_PROTECT”).

Chatting with good people at Microsoft, it seems that in my particular case was solved by this update:

https://support.microsoft.com/en-us/help/4550945/windows-10-update-kb4550945

and was due to a BitLocker issue (being drive encryption).

So, the good news is that my issue is resolved and I can run Windows Defender Application Guard without any errors.

If you can’t install the KB for some reason and you need a quick work around, the issue was linked the BitLocker “Deny write access to fixed drives not protected by Bitlocker” policy and you should clear any group policy and set the following in Intune to Not configured as well as a work around.

image

image

So in the end it was an issue with drive encryption that was rectified with an update. Yeah!

Thanks to the people at Microsoft for the assist on this one. Now onto the next challenge.

Ignite 2019 sessions on YouTube

Not everyone, including me, is able to get to Microsoft Ignite for various reasons. Microsoft, to their credit, live streams and records the sessions. Eventually, these sessions make their way onto YouTube which is my preferred viewing platform. However, what is missing is a catalogue of the links to each session.

image

As in previous years:

Ignite 2017 sessions on YouTube

Ignite 2018 sessions on YouTube

I have started building this index and making it available on my GitHub:

Ignite session 2019 on YouTube

Please note, all the session are not there as yet. I add them as I discover them along the way through the year.

Of course, if you have a link to a session that I don’t have up there yet, please send it along so I can add it and we can all benefit.

Thanks again to Microsoft for doing this and uploading the sessions to YouTube. They are a great source of learning and allows people like me would couldn’t get to Ignite the ability to work through the content.

Swapped “ and @ on keyboard

One day you are merrily typing away as you always have, and all of a sudden you find that what you typed is wrong. You retype it again and find that the key you press is not actually the key that appears! What the??

In my case the @ (SHIFT+2) was being replaced by “ (SHIFT+’).  Luckily, I remembered that this had happened before and involved the English pound (£) symbol.

SNAGHTML6446008

The reason is because I have 2 keyboards types installed on my desktop PC as you can see above. You can view your keyboards by selecting the language icon in the system tray which is next to the clock.

Once I re-selected the English (Australia) keyboard I was back in business with the correct keys.

image

Always wanting to know how this could happen, I received my answer when I moused over that same icon as shown above. The keyboard is swapped when you press the Windows key + space. I use the Windows key + another key on my keyboard all the time so I had obviously fat fingered the secret sequence to change the default keyboard! The things my subconscious does to try and distract me.

Hopefully, this helps someone else out because it can be very frustrating to solve the first time it happens.

Allowing extensions with Edge Baseline

image

One of the handy things that Microsoft has now enabled is the ability to control the modern Edge browser (i.e. the one based on Chromium) via policy and services like Intune. In fact, if you visit Intune and look for Security Baseline you’ll find a new Microsoft Edge Baseline policy as shown above.

image

There are lots of great settings you can enforce by using this baseline to create a policy as you can see above.

I enabled the policy without making any changes initially so I could determine the impact, if any. It turns out that the default baseline actually disables any and all existing browser extensions you may have and also prevents you from adding new extensions.

I understand that this approach makes your environment more secure but I really can’t live with both the Lastpass and GetPocket extensions.

image

Unfortunately, by default with the baseline policy, these got blocked as you see above. This meant that I needed to adjust the policy.

image

As it turned out, you need to set the option:

Control which extensions can be installed = Not Configured

Just disabling and removing other options didn’t seem to do the trick.

image

After making that change and forcing the updated policy to sync to the workstation, I was back in business as you see above. I didn’t need to do anything in the browser, the previously disabled extensions were re-enabled automatically.

Enabling extensions is the only change I have made to the default baseline policy so far and now everything is working as expected and is more secure which I like.

I’d like the option to select ‘approved’ extensions so the baseline policy could be applied in total. Hopefully, that feature will make an appearance in the policy soon as I thing many will want it. However, this is quick and easy way to lock down the new Edge browser and another reason that, like me, it is my primary browser.

Edge Enterprise Preview

image

Just in case you weren’t aware, the Edge Insider Preview has an Enterprise option that allows you to sign in with your Office 365 credentials.

image

and is also available for MacOS.

I will also say that having now used Edge Insider Preview for a while, I can thoroughly recommend it and have never had any troubles. I really like all this integration when you look at Windows 10, Azure AD, Microsoft 365, Office and now Edge.

CIAOPS Techwerks 4–Perth April 12

bw-car-vehicle

The next instructor lead, all day, technical whiteboarding workshop session I’ll be doing on Microsoft Cloud Technologies (Office 365, Microsoft 365, Azure, Intune, Windows 10, etc) will be held in Perth on Friday April 12th, 2019. The course is limited to 15 people and you can sign up and reserve your place now!

The content of these events is driven by the attendees. That means we cover exactly what people want to see and focus on doing hands on, real world scenarios. Attendees can vote on topics they’d like to see covered prior to the day and we continue to target exactly what the small group of attendees wants to see. Thus, this is an excellent way to get really deep into the technology and have all the questions you’ve been dying to know answered. Typically, the event produces a number of best practice take aways for each attendee. So far, the greatest votes are for deeper dives into Intune, security and PowerShell configuration and scripts, however that isn’t finalised until the day.

Recent testimonial – “I just wanted to say a big thank you to Robert for the Brisbane Techworks day. It is such a good format with each attendee asking what matters them and the whole interactive nature of the day. So much better than death by PowerPoint.” – Mike H.

The cost to attend is:

Patron Level

Price inc GST

Gold Enterprise Free
Gold $ 33
Silver $ 99
Bronze $ 176
Non Patron $ 399

To learn more about the benefits of the CIAOPS Patron program visit www.ciaopspatron.com.

To register, simply email me – director@ciaops.com and I’ll take care of everything from there.

The CIAOPS Techwerks events are run regularly in major Australian capital cities, so if you can’t make this one or you aren’t in Perth on that date, stay tuned for more details and announcements soon. If you are interested in signing up please contact me via emails (director@ciaops.com) and I can let you know all the details as well as answer any questions you may have about the event.

I hope to see you there.