New Endpoint Security Windows Baseline

Microsoft have released an updated Endpoint Security Baseline for Windows 10 and later.

I have updated my Best Practices repository to include the new template JSON file here:

https://github.com/directorcia/bp/blob/main/Intune/Policies/Endpoint/Baselines/win.json

and the older JSON file here:

https://github.com/directorcia/bp/blob/main/Intune/Policies/Endpoint/Baselines/Archive/win.json

I have also found that the Graph endpoint to which these two policies are applied is also different.

The new Security Baseline for Windows 10 now has an enormous area under Administrative templates. It also has a LAPs setting.

You can’t upgrade the older policy to the newer one, you need to create a completely new Security Baseline using the new policy.

This is going to take some time to work through all the new options that have been added, and there are many!

Luckily, I can put Copilot for Security to work to help me!

Copilot for Security–The day after

Having set up Copilot for Security yesterday,

A day with Copilot for Security

and having an initial look around I decided to de-provision it after I was done for the day.

I returned the following day and set it all back up again using the same process as before. No issues.

I had a quick look at the billing in my Azure portal and noticed that some charges had appeared as shown above. They seem to however lag actual usage by at least 24 hours or more, so keep that in mind if you are trying to track costs closely

Because I also have Intune in the environment I took a look at where Copilot for Security is surfaced there. As you can see you get a big message in the homepage of the Intune portal when you navigate there reminding you that Copilot for Intune is available to you as part of Copilot for Security.

If you visit the Intune Tenant Admin area you’ll find a Copilot area as shown above. My check icon was green so I knew everything was working as expected.

I then opened a policy and found a Summarize with Copilot button which I used to generate the summary you see on the right hand side of the policy. Very handy.

I also found a Copilot button when I looked at individual devices. As you can see above, I can use Copilot to give me a comparison between the apps installed on devices. Nice.

I then generated some security ‘incidents’ on a device and checked the device in the Microsoft Security portal to see how Copilot would be surfaced. You’ll see it appears as a pane on the right, as shown above.

You’ll see in the above screen shot, I got Copilot to draft and email to send to the user of the problem machine. Very handy.

After playing around some more I went and looked at the Copilot for Security usage and you can see above, my unit usage was significantly higher than I initially provisioned. I assume I will be billed for those 3.7 units at US$4ph x the time I was actually playing around (about 1 hour). Let’s see when the costing make their way into the Azure portal.

I then went off and asked Copilot for Security about how to make my environment Essential 8 compliant, and you can see the response above.

I also found where you can upload you own company files to the environment to give it even more information you can use in your investigations.

I found an area where there was an option to allow Copilot for Security to access my Microsoft 365 data, shown above.

However, for whatever reason, it did not allow me enable this option as you can see from the error above. I’ll try that again during my next session.

So today’s session has shown me that you can de-commission and re-commission Copilot for Security on demand. At the moment that is a manual process via the GUI, but I expect that I’ll be able to script that with something PowerShell soon enough.

Without Copilot for Security being re-enabled I found that most Copilot menu items in places like Intune remained but failed to operate, not unexpectantly. However, when I re-provisioned Copilot for Security again on the second day, all those options worked again. Some took and little while to ‘refresh’, but they all started working again as on the first day.

I also noticed that all my previous chat sessions where all still available and accessible. This is thanks to retention that is part of Copilot for Security. I just need to find out how long that retention is.

So the main thing I learnt from day 2 with Copilot for Security is that you can utilise it on demand. It doesn’t seem that you actually need to have it running 24/7, which is great new for smaller businesses on a budget. I’m sure you get more out of it if you do indeed leave an SCU running 24/7 but seems to me, so far, that you don’t lose much just enabling it as you need.

I also learned that the cost reporting seems to take at least 24 hours to start appearing which can make budgeting a little butt clenching until the actual cost figure appear in the Azure portal. I also learned that after you enable Copilot for Security the menu option remain in the various portals, even after your de-provision the service. Now, these may indeed disappear after a period time if you don’t re-provision but I’d find any of the disable menu items presented any errors, they just didn’t do anything any more. Which is understandable.

In short, I think Copilot for Security will work in an SMB environment but currently, you’ll need to a bit of manual labour to enable and disable the service but I expect that can be improved with automation down the track.

I’ll be playing with Copilot for Security for another day and I’ll then share my overall thoughts and feedback on what I’ve seen and the ROI it provides. However, I will certainly be implementing this, in an on demand capacity, in my production environment.

More updates soon from day 3.

A day with Copilot for Security

Given that Copilot for Security has just been released, I thought I’d spin it up in my tenant and see what it looks like.

To get the most from Copilot for Security you’ll first need to have an Azure subscription. You’ll get more out of the service if you also have Intune and Sentinel as well as aggregation of your logs, but an Azure subscription is all you need to get started.

The easiest way to commence the set up process is to visit:

https://securitycopilot.microsoft.com

where you’ll be greeted with the set up wizard shown above.

Prior to setting up Copilot for Security, as I mentioned, you need an Azure subscription and I’d also recommend setting up a dedicated Azure Resource Group to help monitor and manage costs.

It is important to under what this will cost you in the default configuration. That is detailed on this page:

Yup, you read right $2,880 per month is the minimum! That is basically $4 per hour over 730 hours in a month. So, ensure you turn all this OFF once you have finished testing!

Once you complete all the listed fields you can continue.

You’ll need to wait a moment or two as the service is set up.

Since the Azure Resource Group into which I’m placing Copilot for Security is in Australia, my data will also be in Australia.

You’ll then be asked whether you wish to help Copilot improve as shown above. Make your choice and continue.

Next, you get the option to set up any permissions. As this is simply a test and I’ll be the only one using it I didn’t make any changes and just continued.

You should be all good to go as shown above.

If you now return to the initial starting point:

https://securitycopilot.microsoft.com

you should see the above, where you can input your query.

If you look in the Azure back end you will see a new item called Copilot inside your Azure portal, which looks like the above.

Selective the resource displayed the above.

You’ll also notice that you can’t adjust the Security Compute Units (SCU) below 1.

By clicking this button in the prompt

you’ll see all the plugins that can be configured in your environment

So, I went off and had a play to see what results it would give me.

I asked for some summaries.

and I had a look at some inbuilt playbooks.

I them dug around into the Usage monitoring which you’ll find the menu at the top left of the page.

In here I could change the Security compute units and delete them as well. Which I did eventually after play around a bit more.

Clearly, most smaller businesses are not going to justify running this full time. It is therefore VERY important to delete the SCU when you have finished playing around. After doing that and running Copilot for Security I was interested to see my bill, but as yet no amounts have appeared in my Azure portal. I’ll share these when they appear.

I still however believe this can be an effective security tool for SMB, PROVIDED, you enable and disable it as required, kind of on demand. I’m playing with doing that for myself to better understand any limitations on that approach and I’ll report back.

I have more to share on my findings so far so stay tuned.

Time to enable more logging

Having logs enabled is a good thing because it allows you to track down information after the fact. This is especially handy when you are performing a security investigation. Here is some additional logging that I recommend you enable.

Start by navigating to:

https://entra.microsoft.com

You’ll need to login with an administrative account that has rights. Expand the menu on the left of the screen until you see Monitoring & health and shown above.

Under this option you will find the menu item Diagnostic settings as shown above, which you select. This will display your diagnostic settings on the right. Here you can see that I am currently sending logs to a Log Analytics workspace, which is linked to Microsoft Sentinel for analysis. If you aren’t already sending your logs to a Log Analytics workspace you can set one up via the Add diagnostic setting hyperlink. I will assume here you already have something set up.

Select the Edit settings hyperlink and under Edit settings column on the right, as shown above.

Scroll down the categories of logs listed and ensure they are all select so the logging data will be sent to Microsoft Sentinel via the Log Analytics workspace.

If you have already enabled this logging I suggest you go back in and check that all categories are selected as Microsoft has now added some additional items:

– EnrichedOffice365Auditlogs

– MicrosoftGraphActivityLogs

– RemoteNetworkHealthLogs

which I had to enable.

When you have completed your category selections press the Save button in the menu bar at the top of the window to update your preferences.

This now means that you’ll have even more data in your Sentinel environment to help keep you secure.

Centralised Microsoft 365 Add in deployments with PowerShell

Almost 4 years ago I wrote this article:

Centralised Office 365 Add in deployments with PowerShell

Upon review, it seems that the Finedtime addin is no longer available. I have therefore updated the script:

https://github.com/directorcia/Office365/blob/master/o365-addin-deploy.ps1

to remove this and prevent errors.

If you have any Office addins that you believe should be deployed as a ‘standard’ to all users in a tenant, please let me know and I’ll look at adding them to the script.

blockMsolPowerShell blocks all users if set to true

One of the options in the EntraID Authorization policy in the Default user permissions section is a setting blockMsolPowerShell which means when you dig into it:

Specifies whether the user-based access to the legacy service endpoint used by MSOL PowerShell is blocked or not.

Using my script:

https://github.com/directorcia/Office365/blob/master/graph-idauthpolicy-get.ps1

you can see whether this is enabled, which it is as shown above.

With this setting blockMsolPowerShell set to True, then all user access to the msolservice PowerShell commands are blocked as shown above. This applies to users, ordinary and administrators (even Global Administrators, which is the result I tested in the above screenshot). The user can connect to the service BUT they can’t run an msol commands as shown above.

Now given that the msolservice module will be deprecated on March 30, 2024 there shouldn’t be any issue disabling this for ALL users. However, you may want to make sure you test any Outlook add-ins or other third party apps you have in place that might have a dependency on the old msolservice module. The easiest way to achieve this is probably to simply disable the settings and see if problems arise. If they do, just make sure you know how to revert the setting back. I think is going to be the fastest way to determine if and what any dependencies you may have.

I would suggest that unless you have a dependency it should be disabled to improve the security of your environment.

Microsoft 365 Backup restore process

In a previous article:

Setting Microsoft 365 Backup policies

I determined that I liked the simplicity of setting up backups with Microsoft 365 Backup but the negative was a lack of reporting or alerting on the execution of these jobs.

I’m sorry to say that I also find the restoration process for Microsoft 365 lacking for a number of reasons.

1. The main reason is, at the moment, there is not really a granular restore option.

2. The restore option is typically all over the top of what is there already, effectively replacing it or restoring everything to a different location and then you have to manually copy the data across.

3. Selecting which actual backup to restore from I also found cumbersome.

4. I found the restoration of Exchange online mailboxes the most tricky to restore a select amount of data. You have to filter what you looking for via a few options. You kind of have to know what you want prior, you can’t just browse.

5. When the restore process actually runs you get no real indication of what it is actually doing, you simply have to wait for it to finish. My 1.28TB test SharePoint site took around 45 minutes to copy to a new location.

This may be me but when I did a restore of a OneDrive for Business to another location, the destination into which it copied the data is blank!

I did this more than once and got the same result. I couldn’t find any new SharePoint sites in my environment or sub folders. As such I am still trying to find out where the data actually restored to, as it does say it is completed!

The good thing is the restore process is pretty straight forward. A wizard takes you through the process as shown above.

For example, if you want to restore a OneDrive for Business you select the item from a list.

You then need to select a time and date to restore from. This is somewhat cumbersome and would be much better if you could simply browse through the available backups. For now you need to select the date and time you want.

I’m not sure what “standard restore” means when you confirm the restore point as shown above.

When you select the destination you’ll see that it typically everything over the top or everything to another location and then you need to manually copy what you need and delete the rest.

You confirm the restore.

and you select Done.

Then at the bottom of the page are the restore tasks as shown above.

Even with the restore in progress, you’ll see you don’t any information of progress or completion time. You’ll also note that the Destination will be available on restore,

but it wasn’t again unfortunately.

I found the mailbox restore process quite cumbersome.

If you want to do selected content as shown above you need to select a time frame

and that time frame is 14 days maximum.

Then you need to add filters from the four options shown above.

Then you have to find any matches and more me, most of the time I didn’t find any in my test environment, which was frustrating.

Remember, Microsoft 365 Backup is still in preview and will continue to improve and develop. However, as it stands now I don’t feel this is a viable alternative for people who do wish to restore their Microsoft 365 environment in a granular manner. I think as a disaster recovery tool, that is, back up everything and restore everything, over the top if needed, it would be fine.

Thus, in summary, for now, I think Microsoft 365 Backup could work as a disaster recovery service but for granular, item level restore – no so much. However, it is still very early days for this product, so keep your eye on what develops. I know I will.

Secure more with Secure Score in M365 online course

The live course Secure more with Secure Score in Microsoft 365 over the past four weeks has now completed. All materials, including recordings of each session are now available on demand.

I think this course does provide a good overview of suitable best practices across the Microsoft 365 environment. You’ll get the most from this course if you are a CIAOPS Patron, thanks to all the Patron script that are part of the subscription. As CIAOPS Patron you’ll also get a sizable discount via a coupon code discount.

The aim of this training is to help configure security best practices inside your Microsoft 365 environment. You’ll learn what settings you should enable and why you should have these enabled. The sessions will also take you through common examples of configuring these settings and the impact they will have on your users. The course covers identities using EntraID, securing emails, devices as well as data using information protection services all included in Microsoft 365.

Watch out for more online courses from CIAOPS coming soon.