Need to Know podcast–Episode 211

Where’s Brenton? Share your thoughts here – http://bit.ly/whereisbj

Microsoft has rolled back it’s recent planned partner changes. we have some new Intune security baseline policies to try (and troubleshoot) and Teams leads Slack in user numbers. I speak with Marc Kean to get the low down on what Azure storage is all about. All this and a lot more on this episode.

This episode was recorded using Microsoft Teams and produced with Camtasia 2019

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-211-azure-storage/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

@marckean

@directorcia

Updates to partner program (again)

Microsoft Intune announces security baselines

Exchange Online PowerShell WinRM issue

What is Azure Lighthouse?

Without-enrollment and Outlook for iOS and Android

Teams reaches 13 million active users

Planner and To-Do integration

New PowerApps and Flow licensing

Azure storage

Azure File Sync

Exchange Online PowerShell WinRM issue

image

I went into my PowerShell ISE today, as I always do, and tried to connect to Exchange Online. However, as you can see from the above error message:

Connecting to remote server outlook.office365.com failed with the following error message: The WinRM client cannot process the request.

I couldn’t connect! Why was this I wondered? It was working last time. I then proceeded to waste a good amount of time trying to troubleshoot WinRM errors to no avail. Only at the point of frustration did I actually read more of what the error message actually said:

Basic authentication is currently disabled in the client configuration. Change the client configuration and try the request again.

I then tried to connect to Exchange Online via PowerShell using another machine of mine and received the same error. I then tried a VM in Azure and that worked fine. It was at this point that I started to suspect it was something to do with my Intune policies as the Azure VM was stand alone.

I had just recently implemented the Security Baselines provided by Microsoft.

image

I was working my way through some of the reports of conflicts and misconfigurations by adjust my existing best practices policies to suit. I didn’t appreciate that these Security Baselines actually implement policies that get pushed out to devices! I thought they just compared your settings to what Microsoft recommended as best practice.

image

When I went to the affected workstations and ran the command:

winrm get winrm/config/client/auth

I got the above in which you can see that the Basic auth setting is indeed set to false but that it is set by a GPO. Ok, so where is this GPO I wondered? Given that all the affected machines were Azure AD joined without a local domain controller it meant that the GPO was going to be Intune, as that is where the policies are pushed from in my case.

image

When I repeated that winrm command on a machine that worked I saw the above, Basic = true and no Source=”GPO”.

I then tried in vain to change the GPO locally using PowerShell and the GP console to alter the setting but with no luck.

Suspecting Intune and my policy fiddling, I totally disabled all configuration policies for the device but the problem continued. I then deleted the Security Baseline policies I had created and BAM, everything worked!

Ok, so the problem was the Security Baseline policies, but how? Well, it turns out that these Security Baselines actually do apply an additional policy to your devices once you enable it. Now my question was, where exactly does it do this and can I alter the Security Baseline if desired?

image

Turns out, that the location for what affected me is in the Remote Management section of the MDM Security Baseline policy as shown above.

image

Unfortunately, I had breezed over these options when I first set up the policy using the wizard. You can expand each of the options there and make adjustments if you need! D’Oh!

The lessons here are, firstly that if your implement the MDM Security Baseline or the Microsoft Defender ATP baseline, these will create policies and apply these to your environment. Secondly, you can customise these baselines if you wish, both during the creation process and afterward if you wish. Thirdly, you need to be careful with these policies as they set a lot of settings that you may not seem to immediately come from Intune.

I’ll spend some more time looking at these in detail and reporting back. My own personal best practice policies are pretty close to the Microsoft ones, but it is great that I can do a comparison between them and improve my own.

A frustrating self inflicted issue to resolve but I have learned much in nutting it out and I hope if you have the same issues that this information saves you the time I had to invest to resolve it!

Key skills for an IT Professional

accuracy-action-active-433077

If you are an IT professional working in with Microsoft 365 then I would suggest the following are the top five skills that you need to have to be successful going forward. My pick, in order is:

1. PowerShell

2. Azure AD

3. Security

4. Intune

5. SharePoint

and here’s why:

PowerShell

PowerShell gives you the ability to script commands for both cloud and on premises Microsoft services. There are many things you can also only do using PowerShell, however more importantly, you can begin to automate what you do. This reduces the time it takes to complete processes as well as giving more consistent results. It also means that you can potentially offload these tasks to others who only need to know how to run the scripts you have created not understand what they entail.

I also find that understanding the PowerShell side of a process gives you a a much deeper understanding of that process and what is possible. I also think that having to do a bit of coding is a benefit to everyone. It helps you to think more logically, plan and structure what you want to achieve. You however don’t need to become a developer, it is easy to CTL-C and CTRL-V good scripts from various places and integrate them into your processes while making a few changes along the way. You can go as deep as you wish and create really amazing scripts that really make life in IT so much easier, while allowing you to do your job faster.

Remember, software will eat the world.

Azure AD

Identity is key to our modern world. You don’t get access to “stuff” until you prove who you are. Importantly, Azure AD is not the same a traditional on premises Active Directory. It is a subset, where the additional options can be added as needed. However, you need a good understanding of where a user’s primary identity is and how it is managed and secured in the cloud. Without this fundamental knowledge you are really going to struggle to understand things like modern device management and security.

All Microsoft services are underpinned by identity and Microsoft cloud services are underpinned by Azure AD. Thus, to administer, configure, troubleshoot these you need a good understanding of Azure AD.

Security

With so much of our assets now being digital, protecting them is paramount. We need to do this in a way that doesn’t inhibit productivity and that is a real challenge. Poor security to me indicates a fundamental lack of knowledge about the products in question. It also demonstrates a lack of discipline and consistency which are the hallmarks of your adversaries out there trying to gain access to systems you protect.

Security will never be an absolute and that makes it hard for many “IT types” to deal with who like to have a tangible end goal. There is not a finite end point with security, there is simply an ongoing challenge to stay one step ahead of the bad actors. Some see that as a burden while the true security professional sees it as a challenge. The protection of our future lies with good security and the challenges that brings. It therefore, will be a skill that will be in continuing high demand.

Intune

As mentioned, Azure AD doesn’t contain the same resources that on premises Active Directory did. The best example of this is probably Group Policy, which is something that Azure AD does not incorporate. To a large extent, that is now handled by Intune and this why it is such an important skill going forward for IT Professionals to become skilled with. It can also be implemented using things like PowerShell, which again goes to the point of how important this list of skills is across all Microsoft services today.

A key factor with Intune is its ability to configure mobile devices. This is something traditionally IT Professionals have not been able to do. However, with the growing numbers of mobile devices in use and their criticality to businesses of every size, it is now more important than ever to be able to easily configure and secure them directly from the Internet.

SharePoint

Most IT Professionals have some skill or familiarity with Exchange and emails which easily translates to services like Exchange Online. However, when it comes to files and folders in the cloud the service of choice is going to be SharePoint, for which there are a decided lack of skills even though SharePoint has been with us for many years now. As I have spoken about many, many time here, SharePoint is more than just simple storage, it is a collaboration system and needs to be approached in that manner to get the most from it. Not doing so results in lots of pain for both administrators and end users.


So there you have it. If I had to pick five skills in order that characterise a modern IT Professional, these would be they. You don’t need to be an elite ninja in each but likewise you can’t remain ignorant of them. if you work with Microsoft cloud technologies you should be familiar and comfortable with them all. If not, then you need to start investing some time and learning them because they will serve you well now and into the future.

Need to Know podcast–Episode 208

Jeffa is back! Jeff Alexander from Microsoft that is. Jeff is here to talk to about the modern desktop including things like Intune, Identity, Device Management and more. Modern desktops require a modern approach and thinking when it comes to everything from roll outs through to updating, so listen in for all the details on how to jump on board. Of course, Brenton and I give you an update on new things in the Microsoft Cloud so you’ll right up to date after this episode.

This episode was recorded using Microsoft Teams and produced with Camtasia 2019

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-208-jeff-alexander/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

@Jeffa36

About Jeff

@Contactbrenton

@directorcia

New to Microsoft 365 in May

Adding the SharePoint Starter Kit

Provisioning Microsoft 365 Learning pathways

Get started with Intune

Locking installed apps to Windows Store only

image

If you go into your settings in Windows 10 and select Apps you should see the above dialog.

image

You can see the options that are available to you as shown above. You’ll see that one of the options available is Allow apps from Store only. Although not a fool-proof security option but setting this would reduce the chances of malware executing on the desktop because the only method of installation is from the Microsoft curated Store. A random piece of malware, delivered via email say, could not execute since it doesn’t come from the Microsoft Store I would suggest.

image

Using Intune we can apply this setting across a range of Windows 10 desktops using a Windows 10 Device Restriction Policy as you see above. Simply locate the App Store option, then Apps from store only and set the value to Require as shown.

In a short period of time, once the policy has deployed, those devices will only be able to install software from the Microsoft Store, preventing installation from anywhere else and hopefully also preventing malware installations.

The good thing about this restriction is the user can still be a local administrator of their machine if you desire and installations will be restricted. The other good things is that it is policy based, which means it is easy to turn on and off as required or exclude users if need be.

As I said earlier, it is not a fool proof method of preventing malware being installed on a Windows 10 desktop, but would certainly make it much more difficult. In this day and age, we need all the help we can get to counter the threats. Hopefully, this will help.

Unable to enable Javascript on iOS device

While setting up a new iPhone that was enrolled in MDM and using Intune, I came across an issue when setting up the Qantas app on iOS.

When you attempt to login to the Qantas app to set it up for the first time you are shelled out to Safari and here it needs to use Javascript to complete its login process. Unfortunately, if you have Javascript disabled then you get a nasty error message that you need to enable it and you can go no further.

file

No problem, you think. I’ll just go into the device Settings, Safari then Advanced where you expect to see the above Javascript option. Only problem is, that for some reason, you can’t change this option because it is disabled for some reason.

image

In my case, the reason why it was disabled is because I had an Intune Device Restrictions policy in place that was blocking Javacript. You change this option by going into the iOS restriction policy, selecting Settings, Built-in Apps, Safari, Javascript as shown above. Change the setting from Block to Not configured, then Save the policy change and allow a few minutes for the policy to be applied to the device.

After that, I was able to re-run the Qantas app configuration and set up everything as expected. You could then, if course change the policy back if you wished to block Javascript going forward.

The lesson here is, that if something is blocked on your device that is managed by Intune, then most likely that setting is being controlled by an Intune policy and you’ll need to make the change there.

Windows Information Protection (WIP) in action

Windows Information Protection:

“helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps”

It is a technology that is limited to Windows 10 desktops and is typically deployed via Intune using App Protection Policies.

image

To get there you’ll need to navigate to the Microsoft Intune service in the Azure portal and then select Client apps from the menu on the left.

image

You’ll then need to select App protection policies.

image

You’ll need to create a policy if one does not already exist.

For Windows 10 there are two policy options, with and without enrolment. The difference is that “with” enrolment the machine is effective using MDM (device management) and is typically directly connected to Azure AD. “Without” enrolment is typically just MAM (only application management) and is typically not directly joined to Azure AD. I’ll focus on a “with enrolment” option here but “without” is pretty much identical in the options provided.

image

Once the policy is in place don’t forget that you’ll also have to assign it to a group of users for it to take action. However, before you actually assign it to live set of users in your environment, you may want to take a moment to understand the ramifications of what the policy will do.

If you examine the Required settings of the policy, as seen above, you will see that you can set an option for the Windows Information Protection mode. If you are just testing things and don’t want to impact or change your environment then I recommend the Silent option. If however, you want to have the policy protections enabled but want a choice when it is applied, select Allow Overrides (recommended). If you want to be totally strict about applying the policy to your Windows 10 devices, select Block.

The domain for your tenant should appear in the Corporate identity field below. If you have any addition domains you use, ensure they are entered in this field.

image

If you then examine Advanced options, as shown above, you should see that an existing entry for Cloud resources already exists. When you drill into this, it should contain your Office 365 environment. I spoke about this location more in a previous post:

Intune App Protection blocking browser

and noted that you may need to make some adjustments to it to allow non Microsoft browsers on Windows 10 machines.

The interesting part is now if you also have on premises infrastructure you wish protected. So, imagine the Windows 10 devices are accessing data from Office 365 and from a local file server. By default, this local infrastructure will be considered ‘personal’ and won’t allow saving of corporate data there. In essence, Windows Information Protection (WIP) prevents corporate data being saved to personal locations. By default, your Microsoft 365 environment will be configured as a corporate data location but local fileservers will not be. Thus, if you wish to have your local infrastructure also classified as corporate data, then you need to specify your local DNS domain and IP range as I have done above as a Network Boundary. However, be warned, this has other implications that you need to consider which I’ll speak about later.

image

There are additional options if you scroll down further. When data that is protected by WIP is stored on a device covered by this policy, it will be protected by WIP encryption at rest. An option here in the policy allows you to revoke these encryption keys if the device is ‘unenrolled’ from Azure AD. That means, the moment the device is removed from Azure AD, any corporate data will be unable to be read since the encryption keys will be revoked for the device. You can generate and upload a recovery agent as you see above if required, however modern Windows 10 releases will actually recover the key from Azure AD if that same machine is re-joined again to Azure AD.

I have also select the option to Show the enterprise data protection icon which will appear on documents WIP considers corporate data. This is always a good way to distinguish corporate data, so my best practices is to have it there as a reminder.

You’ll also see that you can use Azure RMS (rights management) with WIP if you want. I’ll leave this disable for simplicity now, but if you want that extra protection that Azure RMS gives, then it is available if you have a license for RMS.

image

If those options are now saved to the policy and the policy is actually assigned to a set of users, once the policy has been fully assigned to a device you will see something like the above.

Here you will notice that all the OneDrive for Business files have been classified as corporate data as noted by the briefcase graphic in the file type icon. You will also note a new column as well – File ownership, which contains the domain you configured.

image

If I look at the data on a local file server I see the additional File ownership column again, with all data being owned by my domain.

Thus, all data from Office 365 and my local infrastructure is now considered corporate, not personal, data. This means that it can only be accessed using the apps I have authorised to access corporate data in the policy.

image

So how does this all work in practice? As an example, I created a new data file on the local Windows 10 device subject to the App Protection policy. This file is currently considered a personal file because it doesn’t have the briefcase graphic in the file icon.

image

I can change the file from personal to corporate by right mouse clicking, selecting File ownership and then picking the option that I want. Here’s I’d choose Work (ciaops.com) to swap that file to being considered corporate data.

image

Once I make the option to categorise it as corporate data, you’ll see the logo changes immediately to indicate the file is now managed. The file has also now been encrypted by WIP on the local device for protection. The user doesn’t see this as the WIP encryption/decryption is handled seamlessly behind the scenes on the device.

image

Now that this data is a corporate file, only apps that I have defined as corporate apps can open that file. You’ll see above that Notepad will work on both types of files, corporate and personal, but what happens if you try and open this corporate file with a non corporate app like Wordpad, which, as you can see, says it will only open personal files?

image

What happens, is that the corporate file cannot be opened by the non corporate app as shown above and I get an denied message.

image

You’ll see that I get a similar result if I try and copy data from a corporate app and attempt to paste to a personal app. Because I set the option earlier in my policy to Allow Overrides, I see the options shown above indicating that I can proceed pasting corporate data into a non corporate app but the actions may be tracked.

image

The way that I can tell whether the data in the file is being protected and considered corporate is with a small briefcase icon in the upper right as shown above.

image

If I select this icon I get further information that the app is being managed by my domain as shown.

This means in summary, that you can use WIP applied via Intune App Protection policies to ensure that defined corporate data does not end up in non corporate locations. WIP corporate data while stored on a Windows 10 device is protected at rest by encryption.

Also, remember that not all Windows 10 devices will be enrolled into your Azure AD. Some may just be associated (typically BYOD). By implementing a Windows 10 App Protection policy Without Enrolment you can protect the corporate data that is on these device as well. A good scenario here is to imagine a user’s personal Windows 10 Home machine that they use to access corporate data after hours to work on while not on their corporate joined devices. This means you can protect data even on Windows 10 Home editions machines (via a  non enrolled App Protection policy).

There are some issues to be aware of here, especially when you start mixing WIP with on premises locations. The best way to explain this is via an example I’d suggest. I set up WIP to include my local server and when the policy applied, all the data on that server was considered corporate. The apps that I used are mainly those that were set up in the Intune policy such as Word, Excel, etc as well as some custom apps like Adobe Acrobat Reader which I have detailed how to do here:

Adding Acrobat Reader as an Allowed app

Where things came unstuck a tad was when I wanted to use a not so common app like Keypass. The Keypass app lived on my Windows 10 machine but that data lived in the on premises server. Thus, the Keypass app could only open ‘personal’ data but all the data on the local file server, including the Keypass data file, was now ‘considered’ corporate data thanks to the Network Boundary settings in the policy. In short, I couldn’t open the data when I needed to. Moving the data file to other locations didn’t help either as it was still considered corporate data and the Keypass app could only open personal data. Annoying to say the least.

In the above scenario, with a small number of custom apps required to open data, you could add these custom apps to allowed list of apps in the policy so they are permitted to work with corporate data. If that becomes to hard then you probably need to evaluate whether you want your on premises infrastructure classified as ‘corporate’ data. However, failing to do that means you can’t copy from locations defined as corporate, such as Office 365, to these.

image

As you can see from the above, when I attempt to copy from my OneDrive for Business (corporate location) to a location that is considered non-corporate (local server) I get the above. Because I specified the ability to override I do get a bypass option but you’ll see when I do that, the data I copy will have it’s corporate protection removed and reverted to a personal data.

The key message is therefore that implementing WIP is something you need to think about carefully and plan prior to implementing. If you get it wrong then it will be a huge source of frustration for users, However, implemented correctly it is yet another way to protect your corporate data on both managed and unmanaged Windows 10 devices.