Windows 10 in cloud configuration

Microsoft has released a handy guide called

Windows 10 in cloud configuration

that walks you through a recommended best practice configuration of you Windows 10 devices using Endpoint Manager. what they are now doing, as highlighted by my video, is begin to roll this into a wizard inside the Endpoint Manager portal, allowing you to quickly and easily create and apply policies to protection your Windows 10 machines.

I believe this in only the beginning of what Microsoft plans to roll out and I expect to see lots more configuration coming very soon, not only for Windows 10 but also iOS and Android.

Watch this space.

Attack surface reduction for Windows 10

You may not be aware, but Microsoft has a number of ways that you can implement Attack Surface Reduction (ASR) settings in your Windows 10 environment. You read about these here:

Reduce attack surfaces with attack surface reduction rules

In essence, these rules reduce the items that maybe exploited by attacks on Windows 10 desktops. In reality, they are a good thing to enable if you want to be more secure.

Microsoft has a number of ways you can implement these.


The preferred option is to use Microsoft EndPoint Manager as shown above. To do this navigate to:

Select Endpoint security on the left, then Attack surface reduction and create a new policy on the right.


You can then enable all the settings you wish such as:

Block executable content from email client and webmail

Once you save the policy, it can be deployed to the devices configured in Microsoft EndPoint Manager. This will typically mean those devices have a license for Intune and use that or Configuration manager to deploy such policies. However, it will also support others forms of basic MDM that you may have (like the basic Device management that comes with most Microsoft 365 plans)


You can also deploy these using the EndPoint protection configuration policies for Intune as shown above. You’ll find the ASR items under the Microsoft Defender Exploit Guard area in the policy.

Group policy setting showing a blank attack surface reduction rule ID and value of 1

You can also use Group policy as seen above.

And of course you can also do it via PowerShell. if you do elect to use PowerShell, which is great for a stand alone machine, there is a handy tool you can use here:

which, when run, looks like:


All you then need to do is select your options and save them to update the policies on the local machine.

The options above, plus more are detailed here:

Enable attack surface reduction rules

and I encourage you to visit the page and implement the option that works for you and your environment. For me, using Microsoft EndPoint Manager is the quickest and easiest method to deploy it across my devices. However, you can use PowerShell to quickly and easily implement it for a single device. Using ASR will make your Windows 10 devices more secure, and we all want that, so what are you waiting for?

Windows 10 mobile hot spotting

Annoyingly, I currently have an issues with my ADSL on my phone line. I am getting about a 25% packet loss, which effectively makes the connection unusable. I’ve done everything at my end to troubleshoot the issue and now it is up to the ISP to hopefully resolve the issue.

The problem is that I need internet to work! Luckily, I have a 4G mobile plan that includes unlimited (yes, I said unlimited data). I can easily turn my phone into a hot spot and connect my devices. Problem, is I then I can’t access my local resources and easily share between machines.


The solution I found is to turn my phone into a hot spot as normal and connect one of my devices that is on my internal network to it. I then share that device connection out using the hot spotting capabilities built into Windows as shown above.


On the other machines, I connect to the Windows 10 hotspot to gain Internet connectivity but I also go into these connections and change the option Set as metered connection to Off as shown above. This means the other Windows devices will see this Windows 10 hotspot like a LAN connection, thus giving it a higher priority for data than a ‘metered connection’.

Just to be 100% sure I have turned off the modem to my problem ADSL connection to ensure that traffic doesn’t try and head that way.

Now all my machines can work together as normal on the LAN but also be connected to the Internet via their own WiFi to the Windows hot spotted machine that is ‘sharing’ my 4G mobile connection.

In many ways, it is better that what I had with ADSL!

All the Defenders


Microsoft unfortunately has quite a few products under the ‘Defender’ banner that I see causing confusion out there. Most believe that ‘Defender’ is only an anti-virus solution, but that could not be further from the case. Hopefully, I can show you here how broad the ‘Defender’ brand is here and hopefully give you a basic idea of what each ‘Defender’ product is.

To start off with there are products that are considered ‘Window Defender’ products, although I see the Windows and Microsoft brand intermingled regularly. Here is a list of specific ‘Windows Defender’ products:

Windows Defender Application Control – WDAC was introduced with Windows 10 and allows organizations to control what drivers and applications are allowed to run on their Windows 10 clients.

Windows Defender Firewall – By providing host-based, two-way network traffic filtering for a device, Windows Defender Firewall blocks unauthorized network traffic flowing into or out of the local device.

Windows Defender Exploit Guard – Exploit protection automatically applies a number of exploit mitigation techniques to operating system processes and apps.

Windows Defender Credential Guard –  Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.

In contrast, here are the ‘Microsoft Defender’ products :

Microsoft Defender Smart screen – Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files.

Microsoft Defender Antivirus – Brings together machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices in your organization.

Microsoft Defender Application Guard – helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet.

Microsoft Defender Security Center – is the portal where you can access Microsoft Defender Advanced Threat Protection capabilities. It gives enterprise security operations teams a single pane of glass experience to help secure networks.

Microsoft Defender Advanced Threat Protection – is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.

Microsoft Defender Browser Protection –  a non Microsoft browser extension helps protect you against online threats, such as links in phishing emails and websites designed to trick you into downloading and installing malicious software that can harm your computer.

So, as you can see, there are quite a lot of ‘Defender’ products out there from Microsoft. How and when you get each of these varies greatly as well as their capabilities, since most will integrate together. That however, is beyond the scope of this article but maybe something I explore in upcoming articles.

For now, just be careful to investigate what is actually meant when it says ‘Defender’ in the Microsoft space!

Resolving Windows Application Guard Issues

A while back I wrote about a issue I was having with Windows Defender Application Guard (WDAG). You’ll find it here:

Microsoft Defender App Guard issue

I have now managed to find a solution for this. In short, the issue, as it turns out, has to do with disk encryption. I found some information about the general issue here:

Why does my encryption driver break Windows Defender Application Guard?

which says:

Windows Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, WDAG will not work and result in an error message (“0x80070013 ERROR_WRITE_PROTECT”).

Chatting with good people at Microsoft, it seems that in my particular case was solved by this update:

and was due to a BitLocker issue (being drive encryption).

So, the good news is that my issue is resolved and I can run Windows Defender Application Guard without any errors.

If you can’t install the KB for some reason and you need a quick work around, the issue was linked the BitLocker “Deny write access to fixed drives not protected by Bitlocker” policy and you should clear any group policy and set the following in Intune to Not configured as well as a work around.



So in the end it was an issue with drive encryption that was rectified with an update. Yeah!

Thanks to the people at Microsoft for the assist on this one. Now onto the next challenge.

Remote Desktop app for WVD doesn’t work with WIP

*** Solution – ensure the WVD feed URL (e.g. is part of the appropriate definitions in your WIP network isolation configuration


When I tried to update the feeds on my Remote Desktop client on Windows 10 for use with the Spring release of WVD I was greeted with the above issue with Windows Information Protection. (WIP). I tried setting the Remote Desktop app (msrdcw.exe) to be a protected app in WIP and still had the same issue. Also tried setting to be an exempt app, but that also didn’t help-. Only disabling WIP seemed to allow me to refresh the feeds. Once you do this you can turn WIP back on if you need to.

Hopefully Microsoft will address this issue in upcoming releases of he Remote Desktop app for Windows 10. Until then, there doesn’t seem to be much option but disabling WIP.

Microsoft Defender App Guard issue

**** Update **** – Solution is here – Resolving Windows Application Guard issues

This article is bit different from most others. In this post I’ll be sharing a current issues I have with Defender Application Guard. If you have some suggestions of any additional troubleshooting, I’d love to hear, because currently, I’m not having much luck finding a solution.


The issue is that if I go into the new Edge browser and select a New Application Guard Window, I end up with:


WDAG Report – Container: Error: 0x80070013, Ext error: 0x00000001; RDP: Error: 0x00000000, Ext error: 0x00000000 Location: 0x00000000

I have tried the wdagtool command line tool with the following result:


I have also run a:

sfc /scannow

across my machine with no integrity issues.

If I dig into Event viewer | Application and services log | Microsoft  | Windows | WDAG-Manager, I see:


A Failure has occurred: HResult = The media is write protected., File = windows\hvsi\hvsimgr\container\hvsicontainer.cpp, LineNumber = 769, Function = NULL, Message = NULL, CallingContext = NULL, Module = hvsimgr.exe, Code = NULL

and in Event viewer | Application and services log | Microsoft  | Windows | WDAG-Service, I see:


Container service failed to start the container: The media is write protected.

I have the App Guard Service enabled in my Windows Features  as well.


I have tried:

  • Re-installing Windows
  • Re-running Windows install again
  • Removing all App Guard components, rebooting, reinstalling all the components again and rebooting
  • Installing Hyper V service
  • Installing Sandboxing Service

I am still trying to resolve this issue, and have tried quite a few knowledgeable people who haven’t had much luck either. So, if you have any suggestion of what may help, please let me know.

Need to Know Podcast–Episode 228

No Brenton still but that doesn’t stop me bringing you the Microsoft Cloud news. For Brenton fans you’ll still hear him with the interview of Lorenzo Coppa about Gluh that is in the second part of this episode. Some aggressive moves by Microsoft in the default browser search space so make sure you are aware of what’s happening and listening along.

This episode was recorded using Microsoft Teams and produced with Camtasia 2019

Take a listen and let us know what you think –

You can listen directly to this episode at:

Subscribe via iTunes at:

The podcast is also available on Stitcher at:

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.





New Year new browser

Microsoft will be carbon neutral by 2030

Microsoft Search in Bing through Office Pro Plus

Windows 7 support end