Enhanced phishing protection in Windows 11 22H2

image

If you have Windows 11 22H2 and you take a look at your Windows Security settings under App & Browser control, you’ll find some new settings in Reputation-based protection as shown above.

You can read about these here:

Enhanced Phishing Protection in Microsoft Defender SmartScreen

If you want to enable these settings using an Intune Device policy you can do so using the Settings Catalog like so:

image

Remember, at the moment, you need Windows 11 22H2 to configure this.

Windows 11 Hyper V Guest configuration

If you need to create a Windows 11 Hyper V guest machine You’ll need to ensure:

1. You create it as a Generation 2 machine

image

2. Once you have completed the normal set up process of assigning disks and setting up the machine, make sure you don’t power up the machine, but instead go into the Settings for that machine.

image

Select Security and ensure Enable Secure Boot and Enable Trusted Platform Module are checked.

3. Navigate to Processor

image

and ensure the Number of processors is at least 2.

With those basic settings in place you should now be able to install and run a Windows 11 Hyper V guest

image

Edge enhanced security

image

A new security option in Microsoft Edge.You’ll find it in Settings | Privacy, search and services as shown above. Three levels are available once you enable it (it is disabled by default).

What is does according to the documentation is:

Enhanced security in Microsoft Edge helps safeguard against memory-related vulnerabilities by disabling just-in-time (JIT) JavaScript compilation and enabling additional operating system protections for the browser.

and more information is found here:

Enhance your security on the web with Microsoft Edge

There is also the option to white list certain URLs if required.

So, if you want a bit more security when using Edge, turn it on! I have.


Cloud file productivity using Windows Quick Access

Here’s a productivity tip I use to make navigating cloud file location easier on Windows 10 desktops.

image

After have set up any synced locations, like my OneDrive, SharePoint, Teams, etc,  I then locate a frequent folder I need in a cloud location. Here that folder is Customers on my OneDrive for Business. I then right mouse click on that folder and select the option Pin to Quick access as shown above.

image

You should then see that folder in the Quick access area in the top left of Windows Explorer as shown above.

image

Now, if I want to attach an email from that location I can simply browse to a location (web or local doesn’t really matter), because whenever you get Windows Explorer, you also get your Quick access.

image

from which you navigate to the file you need via Quick access in the top left of Windows Explorer. Quick and easy.

image

Because Windows wants to be ‘helpful’ and add recent locations to Quick access by default, I want to disable that so this area doesn’t become cluttered. I want Quick access just to contain the stuff I put in there, nothing else.

To achieve this, I go into the properties of Windows Explorer and in the General tab, under Privacy, I uncheck both options (Show recently used files in Quick access and Show frequently used folder in Quick access) as shown above.

I like to keep my Quick access as small as possible and therefore remove anything that isn’t relevant to my day to day work (i.e. the shortcuts to stuff like Media and Movies).

I haven’t seen many people use Quick access on Windows desktops but I find that once you set it up it is invaluable as it pops up anytime you need to work with files. You can also add, remove and edit over time to customise to your exact needs. For example, if I’m working on a project, I add that location for the duration of time I’m working on that project. This make access very fast and easy.

Hopefully, this productivity approach may also help you when working with files from the cloud.

Teams on the web failing to login

2022-04-04_12-27-42

(Be patient, the video might take a few moments to load)

I recently had an issue accessing Microsoft Teams using a web browser even after logging into Microsoft 365. I could get to just about everything else but Teams, which always threw up a login dialog as shown above.

The issue turned out to be the time of the local device which hadn’t updated for some reason after a change to daylight savings time. Thus, the local devices (Windows 11) for some reason was one hour ahead. After changing this so the workstation had the correct time, everything worked as expected.

Hopefully,this helps someone else who is searching for this strange one.

Implementing Windows Defender Application Control (WDAC)–Part 4

This post is part of a series focused on Windows Defender Application Control (WDAC). The previous article can be found here:

EKUs

Unfortunately, from this point forward, I can find no ‘official’ definition of the syntax of the WDAC XML file anywhere. Thus, I have done my best to try and decipher the file. However, please keep in mind, this is simply the determination that I can make looking at the file.

What I’ll focus on in this post is the FileRules block. This block is defined in the XML with the following boundaries:

<FileRules>

</FileRules>

The documentation I found about FileRules specifically is here:

Windows Defender Application Control file rule levels

which says:

File rule levels allow administrators to specify the level at which they want to trust their applications. This level of trust could be as granular as the hash of each binary or as general as a CA certificate. You specify file rule levels when using WDAC PowerShell cmdlets to create and modify policies.

Between these headers can be the following definitions:

1. Generic Files

This would typically appear as:

<FileAttrib ID=”ID_FILEATTRIB_F_1_0_1″ FriendlyName=”Microsoft Teams” ProductName=”MICROSOFT TEAMS” />

2. Allow Files

This would typically appears as:

<Allow ID=”ID_ALLOW_A_1B_ONEDRIVE_1_1″ FriendlyName=”C:\Users\user\AppData\Local\Microsoft\OneDrive\21.119.0613.0001\ErrorPage.js Hash Sha1″ Hash=”25D362DEE9A4B04ACDFD0ABBAB7A415AA494DC98″ />

3. Deny files

<Deny ID=”ID_DENY_BASH” FriendlyName=”bash.exe” FileName=”bash.exe” MinimumFileVersion=”65535.65535.65535.65535″/>

Each of these definitions starts off with a ‘ID’ field either: FileAttrib ID, Allow ID or Deny ID. Next, comes a variable that will be used later to refer to the specifics of that file definition. Here those are: ID_FILEATTRIB_F_1_0_1, ID_ALLOW_A_1B_ONEDRIVE_1_1 and ID_DENY_BASH. From what I can determine, these IDs can be any text.

Next, is the FriendlyName field, which again can be any text but typically will be the file name, with or without the path. From what I can determine, this is simply a ‘tagging’ field. If the FileName or is not specified this Friendlyname field will be used as the actual file name.

The next field options are used to actually define the individual file on the system. This can be achieved in a number of different ways specified, including by path and file name, hash, file path, publisher and more as detailed here:

Windows Defender Application Control policy – file rule levels

The most common types of definitions I have found are:

FileName field, which actually refers to the executable file i.e. bash.exe as shown above.

FilePath field. which refers to the location of the executables i.e. C:\Program Files\*

ProductName can be used to identify the file in question. I assume this refers to a product that is registered with the operating system.

Hash which specifies a unique file hash

It appears that you can also use the field MinimumFileversion when specifying the Fieldname and Productname definitions

These file rule definitions will be utilised by later items in the XML configuration, so they must be present if they are going to referred to.

You can use the

New-CIPolicy

and

New-CIPolicyRule

for drivers

PowerShell command to generate these file rules.

The precedence order of these file rules is defined here:

File rule precedence order

but is basically, deny, then allow, then the rest.

That’s the best I can work out from the documentation and experimenting. I’m sure there is more information somewhere, and if you do find any, please let me know.

Part 5 – Specifying Signers

CIAOPS Need to Know Microsoft 365 Webinar – October

laptop-eyes-technology-computer

Join me for the free monthly CIAOPS Need to Know webinar. Along with all the Microsoft Cloud news we’ll be taking a look at using eDiscovery and Content search in your environment.

Shortly after registering you should receive an automated email from Microsoft Teams confirming your registration, including all the event details as well as a calendar invite! Yeah Teams webinars.

You can register for the regular monthly webinar here:

October Webinar Registrations

The details are:

CIAOPS Need to Know Webinar – October 2021
Friday 29th of October 2021
11.00am – 12.00am Sydney Time

All sessions are recorded and posted to the CIAOPS Academy.

The CIAOPS Need to Know Webinars are free to attend but if you want to receive the recording of the session you need to sign up as a CIAOPS patron which you can do here:

http://www.ciaopspatron.com

or purchase them individually at:

http://www.ciaopsacademy.com/

Also feel free at any stage to email me directly via director@ciaops.com with your webinar topic suggestions.

I’d also appreciate you sharing information about this webinar with anyone you feel may benefit from the session and I look forward to seeing you there.