1. Set desktop background with Intune, but allow modification
2. Push the desktop background from Intune

Set desktop background with Intune, but allow modification

It’s possible to set the desktop background with Intune, very easily. The problem however is let the user changing it afterwards which is not possible. When pushing the desktop background with Intune, changing the background image is greyed out:

The solution is to delete the regkey that is responsible for “locking” the background. Just remove this key, it doesn’t actually remove the background but only removes the lock. Relevant regkey:

1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP\DesktopImagePath

Just remove the property “DesktopImagePath” (create a back-up first of course). If you want to do this for multiple users, you can use this PowerShell script:

1
2
3
4
5
6
7
8
9
$path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP"

$PCSP = Get-ItemProperty $path -Name "DesktopImagePath" -ErrorAction SilentlyContinue

if (!$null -eq $PCSP) {

    Remove-ItemProperty -Path $path -Name "DesktopImagePath" -Force

}

}

if ($false -eq (Test-Path "$env:ProgramData\Microsoft\AllowBackgroundPersonalization")) {

    $scriptfile = New-Item -ItemType Directory -Path "$env:ProgramData\Microsoft\AllowBackgroundPersonalization"

}

If you use the Intune “Scripts” option, it’s possible that the script runs earlier than the desktop background is pushed. Since the scripts runs only once, this script doesn’t have any effect. You could create a scheduled task that runs at every logon to work around the problem:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
$script = {

    $path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP"

$PCSP = Get-ItemProperty $path -Name "DesktopImagePath" -ErrorAction SilentlyContinue

if (!$null -eq $PCSP) {

    Remove-ItemProperty -Path $path -Name "DesktopImagePath" -Force

}

}

if ($false -eq (Test-Path "$env:ProgramData\Microsoft\AllowBackgroundPersonalization")) {

    $scriptfile = New-Item -ItemType Directory -Path "$env:ProgramData\Microsoft\AllowBackgroundPersonalization"

}

$script | Out-File -FilePath "$scriptfile\AllowBackgroundPersonalization.ps1"



$schtaskName = "AllowBackgroundPersonalization"

$schtaskDescription = "Allow changing the background in Intune"

$trigger = New-ScheduledTaskTrigger -AtLogOn

$principal = New-ScheduledTaskPrincipal "NT AUTHORITY\SYSTEM" -RunLevel Highest

$action = New-ScheduledTaskAction -Execute powershell.exe -Argument "-File $scriptfile\AllowBackgroundPersonalization.ps1"

$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

$null=Register-ScheduledTask -TaskName $schtaskName -Trigger $trigger -Action $action -Principal $principal -Settings $settings -Description $schtaskDescription -Force

Start-ScheduledTask -TaskName $schtaskName

Next step is to push the script by Intune. Since the script is running in system context and getting the regkey from the local system, you can run it in system context:

Push the desktop background from Intune

This is how you push the desktop background by Intune. Go to: https://endpoint.microsoft.com/ Create a new profile:

Fill in an internet-accessible URL:

The post Set desktop background with Intune, but allow modification appeared first on Erjen Rijnders.

Currently, you can only manage WVD through PowerShell. Here you can see the most common commands to manage your enviroment.

You can only assign a user to a desktop pool or app pool, not both. Neither can a desktop pool contain apps (like it isn’t possible in RDS as well). By default, you create a desktop pool, let’s add an app pool now by running the commands below. Always start with this command, signing in, in the WVD-enviroment.

1
 Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com"

Add a new WVD App Group

Run these commands to add a new app group.

1
2
3
4
5
$myTenantName = "mytenantname" #If you don't know, try Get-RdsTenant

$hostpoolname = "myhostpoolname" #If you don't know, try Get-RdsHostPool

$rdsremoteappgroupname = "remoteappgroupname"

Get-RdsAppGroup $myTenantName $hostpoolname

New-RdsAppGroup -TenantName $myTenantName -HostPoolName $hostpoolname -Name $rdsremoteappgroupname -ResourceType RemoteApp

Find applications you can publish

If you want to find apps currently able to publish to your new app group, run this command. It will search on your session hosts for apps.

1
Get-RdsStartMenuApp -TenantName $myTenantName -HostPoolName $hostpoolname -AppGroupName $rdsremoteappgroupname

Publish applications

For example, this is how you publish Internet Explorer and Registry Editor.

1
2
New-RdsRemoteApp -TenantName $myTenantName -HostPoolName $hostpoolname -AppGroupName $rdsremoteappgroupname -Name "Internet Explorer" -FilePath "C:\Program Files\internet explorer\iexplore.exe" -IconPath "C:\Program Files\internet explorer\iexplore.exe"

New-RdsRemoteApp -TenantName $myTenantName -HostPoolName $hostpoolname -AppGroupName $rdsremoteappgroupname -Name "Registry Editor" -AppAlias "registryeditor"

Add users to your new app group

Adding users is also very simple, just run this command.

1
Add-RdsAppGroupUser -TenantName $myTenantName -HostPoolName $hostpoolname -AppGroupName $rdsremoteappgroupname -UserPrincipalName <upn>

If you want to publish more app groups, follow the steps above again. Remember, a user can only be a member of the App Group, or the Desktop Group. If you want to assign the user to the app group while being a member of the desktop group, remove it first with this command:

1
Remove-RdsAppGroupUser -TenantName $myTenantName -HostPoolName $hostpoolname -AppGroupName $rdsremoteappgroupname -UserPrincipalName <upn>

The post How to manage Windows Virtual Desktop appeared first on Erjen Rijnders.

Index

1. Add RDS Tenant
2. Add Service Principal
3. Assign permissions
4. Deploy WVD through marketplace
5. Open HTML5 webclient
6. Add users to your desktop

I see a lot of people struggle deploying Windows Virtual desktop. Most people face this error message:

VM has reported a failure when processing extension 'dscextension'. Error message: \\\"DSC Configuration 'FirstSessionHost' completed with error(s). Following are the first few: PowerShell DSC resource MSFT_ScriptResource failed to execute Set-TargetResource functionality with error message: User is not authorized to query the management service

This is because you need to create a service principal with the correct permissions. A normal user will work as well, but it’s failing too many times for people.
Following these steps should get you through the deployment.

Keep in mind that the user deploying your WVD VMs to your domain, also needs the Owner role on your Azure Subscription! Because it needs to be able to run some Powershell DSC commands.

NOTE: User ‘Cloudcrusader’ suggests in the comments that it should work with the ‘Virtual Machine Contributor’ role only as well.

Start fresh. Delete all WVD tenants created before. Check if a tenant still exists with Get-RdsTenant.

This post is not going to help you, configuring WVD with AAD DS. It should be possible though, someone was able to configure it succesfully using this post.

Remember, don’t use an MFA enabled account. It doesn’t work.

Also try: Get-RdsDiagnosticActivities. Others succeeded finding the root cause with that command

I have deployed WVD multiple times already, so that’s how I know this works. If it doesn’t work for you, let me know, maybe I can help you.

Run through step one of the Microsoft documentation:
https://docs.microsoft.com/en-us/azure/virtual-desktop/tenant-setup-azure-active-directory

Add RDS tenant

Run these commands to add the RDS tenant.

1
2
3
4
# Don't change the deploymenturl

Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com"

# Use any name for your tenant, get your ID from Azure portal > Azure Active Directory > Properties > Directory ID. To get your SubscriptionID, go to Azure Portal > All services > subscriptions > click the subscription where the VM's will reside and copy the subscription ID:

New-RdsTenant -Name YourTenantName -AadTenantId YourAzureADTenantID -AzureSubscriptionId YourSubscriptionID

Add Service Principal

Next, follow these steps. Never change the Default Tenant Group, as per the Microsoft docs.

1
2
3
4
5
6
7
8
9
10
11
12
13
$myTenantGroupName = "Default Tenant Group"

$myTenantName = "tenantname" #As you used in the previous step

$hostpoolname = "Hostpoolname"



# create the service principal:

$aadContext = Connect-AzureAD

$svcPrincipal = New-AzureADApplication -AvailableToOtherTenants $true -DisplayName "Windows Virtual Desktop Svc Principal"

$svcPrincipalCreds = New-AzureADApplicationPasswordCredential -ObjectId $svcPrincipal.ObjectId



# Don't change the URL below.

Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com" 

Set-RdsContext -TenantGroupName $myTenantGroupName

New-RdsHostPool -TenantName $myTenantName -name $hostpoolname

Assign permissions

Now below is the most important step, that’s where you assign the service principal permissions to the RDS environment. If you do this correctly, you can deploy the WVD template from the Azure Marketplace, without errors.

1
New-RdsRoleAssignment -RoleDefinitionName "RDS Owner" -ApplicationId $svcPrincipal.AppId -TenantGroupName $myTenantGroupName -TenantName $myTenantName -HostPoolName $hostpoolname

Go to the Azure Portal and open the app just created and create your own key:
Azure Portal > app registrations > Windows Virtual Desktop Svc Principal > Settings > Keys.
Create your own key and save the value During the next step, deploying Windows Virtual Desktop from the marketplace, in step 3 of that template you need this password.

Deploy WVD through marketplace

Next step is to follow this Microsoft doc:
https://docs.microsoft.com/en-us/azure/virtual-desktop/create-host-pools-azure-marketplace
You should be able to get passed the error as mentioned above, also with help from these screenshots below.

If you keep No selected below Specifiy domain or OU, it’s going to try joining the domain behind the @, used below AD domain join UPN. So in the example below it will use yourdomain.com. If your domain is ad.yourdomain.com, set Yes below the Specifiy domain or OU.

Finally, your deployment is succesful as you can see in the screenshot below. It took about 9 minutes for the DSCextension completed, per VM:

Open HTML5 webclient

Now go to the HTML5 client to open your desktop: https://rdweb.wvd.microsoft.com/webclient/index.html

Add users to your desktop

As a final step, add users to your desktop:

1
Add-RdsAppGroupUser -TenantName $myTenantName -HostPoolName $hostpoolname -AppGroupName $appgroupname -UserPrincipalName upn

The post How-to deploy Windows Virtual Desktop in Azure appeared first on Erjen Rijnders.

Why Azure Sentinel

Azure Sentinel is the latest, security related, innovation from Microsoft. Microsoft calls it a “reinvented SIEM” solution. Well, it’s not really innovation, it’s more of a combination of all security products of Microsoft. We have Cloud App Security, Azure Advanced Threat Protection, Security Events, Windows Firewall, Windows Azure Firewall etc. etc.

Azure Sentinel has not only built-in AI (which we expect from nowadays products from Microsoft), but it transcends the AI, already available in the product itself (like the AI in Identity Protection), but it creates an extra AI layer, on top of the already existing AI infrastructure which makes it really cool. So the AI of Sentinel doesn’t have to know the underlaying AI technology, it just needs to combine the output of every separate AI and create valuable input. Microsoft already uses this technique for years and because of their experience, it’s now broadly available.

Azure Sentinel has not only built-in AI (which we expect from nowadays products from Microsoft), but it transcends the AI, already available in the product itself (like the AI in Identity Protection), but it creates an extra AI layer, on top of the already existing AI infrastructure which makes it really cool. So the AI of Sentinel doesn’t have to know the underlaying AI technology, it just needs to combine the output of every separate AI and create valuable input. Microsoft already uses this technique for years and because of their experience, it’s now broadly available.

Let’s have a look at Azure Sentinel. Go to the Azure Portal and search for “Azure Sentinel”. As you can see it’s still in preview.

You need to create a Log Analytics Workspace for Sentinel to work. As long as Sentinel is in preview, you won’t pay anything, except costs like storage which you will make creating a workspace.

Azure Sentinel – Data connectors

The first page you see is the “Getting started” page. Click on “Collect data” to start collecting data.

You will see an overview of all the data you connect. It’s already a nice list of services you can connect. If you are already full onboarded in Azure/Office 365, you will have many relevant products to connect!

Of course, we are going to connect “Azure Information Protection” first. You need to go to the “Azure Information Protection” tab Click “Azure Information Protection” and click “connect to your Azure Sentinel workspace”.

Click on the Azure Sentinel workspace, you need to reconfigure the AIP log so that it stores the AIP information in the Azure Sentinel workspace (if you don’t see any, you should go to Azure Information Protection” and enable logging there) and also check the deeper analytics checkbox to see sensitive information types as well.

Now connect everything you want to connect, like Azure AD. Cool thing is that if you connect Office 365, you can connect multiple tenants! So I expect that more data connectors are going to be multi-tenant which mean we really have the reinvented SIEM.

Azure Sentinel – Analytics

If you click in the Azure Sentinal tab on “Analytics”, you can create rules when you want to be alerted. For example you can create an alert when a virtual machine is created or updated. For more information, check the code example from Microsoft Docs as well.

1
2
3
4
5
AzureActivity

 | where OperationName == "Create or Update Virtual Machine" or OperationName == "Create Deployment"

 | where ActivityStatus == "Succeeded"

| extend AccountCustomEntity = ResourceGroup

| extend IPCustomEntity = TenantId

You can create a lot of rules, but in my opinion it’s not that simple to configure the alerts you need. Especially if you need many specific rules. But this is still a preview version, I expect more options and simplifications in the general available version.

Azure Sentinel Cases

A case in Sentinel is automatically created, once an event is triggered. Soon I will update this with more data.

Azure Sentinel Overview page

In the “Overview” section, you have a nice dashboard of everything that is going on. See an example here below. It’s not much data yet, but this is from just a few hours. I will update this dashboard once I have more detailed information.

The post Azure Sentinel – The reinvented SIEM appeared first on Erjen Rijnders.

Index:

1. Security and Compliance center
2. Service Encryption
3. Advanced E-Discovery
4. Windows Virtual Desktop, RDMI & Windows 10 Multi-User

Security and Compliance center

Microsoft covers a big part protecting us from malicious tools and attackers, but there is still a part that we must do. And I can tell you that it is the most important part, like activating MFA, encrypting sensitive data etc. This slides covers what Microsoft does and what you have to do.

So about the part that we are responsible of, Microsoft provides us multiple tools. How do AIP and OME help with compliance? Check this slide.

There are certain scenario’s that you don’t want that Microsoft manages your key. Some regulatory reasons might require you to manage your key so the security is end-to-end. BYOK might be sufficient since you can store your own key in Azure Key Vault. If that isn’t even good enough you have the HYOK where you store it on-premises. Keep in mind that this option is much less flexible. You only have access to your secured documents as long as you can reach the on-premises key for decryption. Here is an overview of licensing.

Here is a great overview of BYOK. It makes clear that it is as flexible as the Microsoft-managed keys, but it does give you more overhead since you need to manage the key now.

Some good insights when using BYOK.

Service Encryption

Some good news, if we use the Microsoft-managed keys or BYOK, we will have service encryption in Exchange Online, starting to rollout in January 2019 (already available in SharePoint). Once we create a Data Encryption Policy (DEP), It will encrypt our data at storage level. This is required if you want to meet compliance.

Advanced E-Discovery

With the advanced E-Discovery set in Office 365 by using the analytics, we can further minimize the data. It will deduplicate data for example and only present us with relevant data. We are also presented now with a much better E-Discovery dashboard. We see what kind of data the hold holds, but we are also able to communicate with the persons in a specific hold, make searches in it etc. Great improvement!

Now creating a Legal Hold is doable, but not that easy. But it will be! Here is a great overview of how it is now and how it will be very soon.

So these are some great new features! For sure you will see a more in-depth bog when it’s available.

Windows Virtual Desktop, RDMI & Windows 10 Multi-User

Now also a little bit of info about Windows Virtual Desktop, as I can imagine you want to see some updates about this as well. One of the bigger announcements is Windows 10 Multi-User within Windows Virtual Desktop, so you will connect to shared hardware. If you spin up a Windows Virtual Desktop, you can decide how many users you want to connect to that VM which makes it a lot cheaper. There will be a Windows Desktop Calculator soon which gives some recommendations of this, based on the chosen size.

Automatic scaling will be available as well. You can auto scale based on two methods: Breath Mode and Depth Mode. The Breath Mode needs reserved instances so turning off a Virtual Desktop doesn’t help you. However, this can still be cheaper, that’s something you need to calculate. The Depth Mode is based on activity. If no users are logged in anymore in a Virtual Desktop, it will automatically turn off the VM and it will save you money. On the other hand if it’s too busy, it will spin up some new VM’s.

Windows Virtual Desktop will be available through the Azure Marketplace.

The post Microsoft Ignite day 5 appeared first on Erjen Rijnders.

Index:

1. Azure Blueprints
2. Intune Data Warehouse
3. Intune and Android Enterprise Management
4. Android Management API
5. Integrated Information Protection in external sharing SharePoint and OneDrive
6. Experiences with going password-less

Azure Blueprints

With Azure Blueprints, announced very recently, you will get a blueprint that if you spin up a new subscription, you deploy the same policies, templates, security etc. In larger organizations, this is very helpful, you have your exact company policies spinned up in minutes! To activate this, go to the Azure Portal > Policy > Blueprints – Blueprint Definitions.

Intune Data Warehouse

At some point, if you are using Intune, you will face the problems generating reports in Intune. Fortunately, we have Intune Data Warehouse. I visited a session today at the Ignite Expo where I saw some great reports so let’s see how we actually start using Intune Data Warehouse. Go into the Azure Portal > Intune and on the right, Click “Set up Intune Data Warehouse” and click “Download Power BI file”.

If the data is processed, you can directly start creating custom reports in Power BI. It’s just that easy. I know this is not new, but really, we should start using this a lot more so that we can get in-depth reports about our devices in the organization.

Intune and Android Enterprise Management

In this session, some really great features are announced! Android Enterprise is evolving for sure. In Android Nougat (Android 7.0), we had the availability for Work Profiles in Android Enterprise, which we used a lot and worked great. Android Oreo (Android 8.0) took this even to a next level. Here you have a great overview of the new features each version.

Google discourages non-Work Profile as well because it requires Device Admin for the Intune App. that means that if we use the android App Managed mode, the user needs to give Device Admin rights to the Intune app and it needs to go through a lot of “Accept” screens as well. That scares of the user and we want the opposite. So you should use the “Work Profile” in Android Enterprise in my opinion if you use BYOD. You can separate apps from personal in this mode, you even create containerized apps which means that you could prohibit copying work information to personal owned apps.

Now if you have corporate owned devices, you have three options and later this year, you have four. The third is Dedicated mode (it’s basically a kiosk mode). With Kiosk Mode, the user has no flexibility at all. It can only open the apps provided by the company. This is, however, very functional in certain security related scenario’s. The last one, Fully Managed, will be available for preview this year. This gives you great user experience and manageability, integrated with the Androind Management API (see next chapter).

Android Management API

another great feature is that the Android Enterprise devices now communicate with the Android Management API. this means that Android and Intune can now provide updates and new functionalities at a speed that was never possible before.

I am getting a little bored if I read my blog again for readability if I keep saying: another great feature! But how do I say this else, here is another great feature, Managed Google Play! This provides mobile app management in Android Enterprise, including silent installs for required apps. We can also now control over what apps ends users can install in work context. In addition to this, we have the possibility to fully configure, for example the Outlook app, before it gets installed on the client device. The Managed Google Play will be available through the Intune Portal. No separate login necessary.

Google developed zero-touch with Intune. This is available with any Android Enterprise corp-owned deployment. This already works today with the dedicated device scenario and Android 8. This has some great feature updates however. If you go to https://partner.android.com, you can automatically assign a device to corporate policy and assigning a device to your company is going very smoothly. Check the screenshots below.

Integrated Information Protection in external sharing SharePoint and OneDrive

Wow, I never saw so many new features on such a relatively small part of a product. The session was 75 minutes but it didn’t bore me a minute! They received a big applause as well, so let’s start.

Smart People Picker and sharing

The first new feature we have this year is the Smart People Picker. If you share a link, you will be presented with suggestions of people that SharePoint thinks you want to share the document with. Machine learning is behind this so it will take some time to present you with the right results, but it will get there (if it’s not there already). This sharing experience will be exactly the same on mobile and the same experience is built in Microsoft Teams. Sharing capabilities supports branding now which is integrated with the Azure AD branding functionality. So if you already configured that, it will work right away, as soon as this feature is rolled-out globally.

Link Reminders

Another feature that we were actually missing (but didn’t realize I did miss it till now) is that if someone opens a link, we can get a confirmation email that the link is clicked. If you share a link, it’s possible that the receiver didn’t open the link yet. There is a 95% change that if the link isn’t opened in 7 days, it will never be opened. So now we can configure automatic reminders that tells you if the link is not opened yet. Another new feature is that you can set a custom message on the “request access” page if you are trying to access a specific site or document.

One-time passwords on link sharing

Link sharing has further improved security. You can configure a one-time password for opening a document. It’s great for reviewing and for making sure that the recipient can only watch it once. Also, we can set per site specific sharing setting. Currently, if you disable the “Anyone” sharing setting, it’s effective for your whole tenant. So now it’s possible to configure this per site.

Block file downloads

The next feature is in my opinion the best feature. We can block downloads on a file and make it read only. With this new “Information Protection” possibility, we can fully control our documents and still collaborate in that same document. If you enable this setting, the file cannot be downloaded, printed, copied etc. Before, this was only possible if we classify documents and apply encryption. There was no other way of keeping control of your files. Now it’s possible without Azure Information Protection.

Collaboration improvements

Collaboration is an important part of our job every day and I am happy to tell you that collaboration in SharePoint and OneDrive is extended big time. For example if you are working in a PowerPoint presentation and you like having someone else checking your slide, you just mention someone at the side of the slide like you are used to be now. Use the @name format and the person will be notified by email immediately. This works for Office apps on Windows soon and will come later this year for MacOS as well.

In Microsoft Teams, we also have a new functionality. If we are uploading new files, we have the possibility to notify team members that you uploaded files.

Admin control settings enhancements

For the admin, we have more settings now we can control.

Expiring links for external access

And last but not least, we can set expiring links for external access! I think this is a really good feature because I get the question a lot: how can I keep control of shared files externally. Of course there are ways like Cloud App Security, make a person responsible for checking shared links etc. But why not just let the link expire? For example after 6 months? Sounds totally reasonable to me. If there is access needed after that time, you can just re-share the link.

Experiences with going password-less

Well, this one gave some new insights about the password-less world. Microsoft wants to get rid of passwords with good reasons, but it’s not that easy. Microsoft presents you with 4 simple steps:

1. Implement Windows Hello For Business
2. Reduce user-visible password surface area
3. Transition into password-less deployment
4. Eliminate password from identity directory

And this is all assuming that you can even make it to step 4. The biggest problem is with your on-premises apps. It can be very hard to transform these apps to password-less sign in so keep that into account. The non-marketing way of achieving this is a lot harder.

The post Microsoft Ignite day 4 appeared first on Erjen Rijnders.

We have some great new features in Azure AD Conditional Access, they are really taking it to a next level. Conditional Access has now tight integration with Cloud App Security. It’s now possible to fully control and secure our data and information when you collaborate with a partner (B2B) or within your own tenant.

Index:

1. Azure AD Conditional Access
2. Cloud App Security integration with Windows Defender ATP
3. Microsoft Secure Score
4. Identity Protection
5. Intune Updates

As you might probably now, Cloud App Security has tight integration with SharePoint already but now we can control on file level if a download for example is allowed or not. Check this screenshot below from the Ignite presentation:

Another great update is that we can now enable Conditional Access App Control for Office applications. Before this was only possible with SAML-based apps. Based on the risk level of a user’s session, information can be accessed or blocked. Also risky OAuth applications can now be blocked with Cloud App Security. These updates make Cloud App Security even more powerful. If you aren’t using it right now, you should! It makes your organization a lot more secure.

Well, enough updates around Conditional Access right? It goes even further. We can not only control Exchange, but specific mailboxes within an account. The command runs as follows to enable this feature:

This command does not work yet and to be honest, I am not sure what it will actually do as I cannot test it yet. But I expect we will have some sub-commands in the near future to further control this.

Cloud App Security integration with Windows Defender ATP

Cloud App Security is now integrated with Windows Defender ATP! At first, we needed to install a Cloud App Security client which was too much because we had already so many clients installed. So they came up with the Cloud App Security broker which was an improvement on the client side, but then we needed to proxy all our traffic through it. We now we have the best solution, integration with Windows Defender ATP! I personally love this because configuring a separate gateway is no longer necessary. All traffic can be routed through Defender ATP (and the Defender client is installed by default with Windows 10). This is a great way of securing your information and it makes controlling your devices very easy. Here you can see information is being fed from Windows Defender ATP.

In Windows Defender ATP, you only have to enable this.

After enabling this setting, it will Cloud App Security feed traffic and device information from Windows Defender ATP.

Microsoft Secure Score

We have heard in almost every session that we should enable Microsoft Secure Score. I do agree that we should enable it on all our tenants (so I am telling you again now :)) and it is also enabled now through Azure Active Directory (you can go to https://securescore.microsoft.com/ as well). It looks like this:

It looks good and it will only show the score that you have access too. Like if you don’t have EM+S E5, you won’t see identity protection related security scores.

Identity Protection

Identity Protection does now have integration with Azure ATP. Azure ATP is a security service based on DNS checks. Risky sign-ins from these two products can now be viewed from a single panel. And of course, we can apply conditional access on this. If Azure ATP feeds Identity Protection with a risky sign-on, it can be blocked, based on your Conditional Access settings. Combining these two sources, you have a very powerful solution. You see all high risk devices and users and all items that needs attention are presented through one combined interface.

Intune updates

As you might know by now is that my main focus is within the “Information Protection” field which includes parts of Cloud App Security and Intune as well. So I wanted to post some updates around Intune, Windows Information Protection (which is part of Intune) and device management. That’s why I visited the session “What’s new in Windows 10 mobile device management (MDM)” . But right from the start I thought: Are we really going to do this for 75 minutes? I barely heard anything new and I love to share new stuff to the world. For example the presenter said that we should focus on co-management, 1 of 3 points she gave as a call-to-action. Isn’t this already possible for years now?

Also, we were presented slides like this:

Really? I want to see what’s NEW. Anyway, a little good news however, Kiosk mode control is now generally available and we will get better security baselines for Microsoft Intune. Maybe you have another opinion about this session, I would love to hear from you through comments below.

So this is basically it. We saw a lot of sessions but a lot of sessions presented content already covered in day 1 and 2. I don’t expect much more announcements in day 4 and 5. Maybe I will wrap them together in one blogpost, depending on the content of tomorrow.

But still, Ignite brought me definitely the sessions above expectations!

The post Microsoft Ignite day 3 appeared first on Erjen Rijnders.

Because this is such a great feature (within Microsoft Information Protection), I will dedicate a seperate blogpost about this, instead of processing this in the Ignite Day 2 blogpost (which you should still read by the way for an overview of selected updates).

All the labeling and encryption technologies throughout the Microsoft stack (currently Windows Information Protection, Office Information Protection and Azure Information Protection), will be manageable from one interface: https://admin.microsoft.com and will be called Microsoft Information Protection. At the end of this year, we should have it all. But not only that, we will also have native labeling and encryption with all Microsoft Office apps! So also on Mac, Android and iOS. That’s very cool right? Notice that if you want this native encryption without installing the AIP client, you should use Microsoft Information Protection. Those labels are cross-application compatible. Microsoft will bring out some sort of migration possibility from AIP to WIP by the way.

Index:

1. Unified labeling
2. Sensitivity Labels
3. Retention Labels
4. Conclusion

Sensitivity Labels

Microsoft is now using one unified way for labeling: Sensitivity label. This label is customizable as you are used to with Azure Information Protection. So let’s try it out how this new unified way of labeling works.

Go to https://protection.microsoft.com > Classification > Labels > Sensitivity > Create a label.

Name your label.

Here you have basically the same options as with Azure Information Protection in the Azure Portal.

Here starts a great unified feature, enable Windows Information Protection!

Again, a great unified feature, enable Office Information Protection.

Last but not least, enable auto labeling as you are used to configure with AIP in the Azure Portal.

After this, you should publish your label.

To me, this is really a step up. Now we still have some highly requested items, like add dynamic permissions in WIP but that will come for sure (since it’s already available in Office Message Encryption).

One caveat for now, this label is not synced yet to Exchange Online so you cannot use it with Exchange rules. Hopefully they will solve this very soon since they only made these new functionalities available yesterday.

Retention labels

But that is not all, we also have retention labels now which have some very cool features. Let’s check it out. Click on retention labels and click Create a label. You will be presented with some groundbreaking features: Trigger a disposition review!

If you select this option, you give the choice to an admin, he or she can decide if that specific document must be deleted or kept. Like if job interviews are still open, you might want to hold the CV’s a little longer. Really great feature. But wait, there is even a more great feature! We can delete content based on an event. That is exactly what we need.

You can customize your events by going to “Data Governance > Events”. For extensive documentation, I recommend you to should the Microsoft Docs which is a really good document.

Conclusion

Microsoft’s products are getting better and better. The tight integration is getting phenomenal. In this document we have seen the possibilities of Sensitivity Labels and Retention Labels. Both serve different purposes which you should check out for sure, especially regarding sensitive content.

The post Microsoft Information Protection: Unified labeling! appeared first on Erjen Rijnders.

1. Azure Active Directory: New features and roadmap
2. New features security and compliance center
3. Windows Server 2019
4. Windows Information Protection

Azure Active Directory: New features and roadmap

During the session of Alex Simons “Azure Active Directory: New features and roadmap”, he showed the great functionality of iOS smartwatch authenticator, but the request didn’t came through. Really funny, but he actually forgot his phone on stage so it was obvious it didn’t came through.

However, we saw great new features in Azure AD. They are encouraging us to move from AD FS to Azure AD. Microsoft itself has already migrated 18.000 apps from AD FS to Azure AD (but still 3.000 to go Alex said).

Azure AD is really going to focus on passwordless sign on. Also, B2B and B2C will see great improvements. It’s going to be very simple to collaborate for example with a company that doesn’t even use Azure AD at all.

And we get hardware OAUTH tokens support in Azure AD! For those who really need this for security reasons, it’s going to be possible. Before, it was only possible with the on-premises MFA server but not anymore!

New features security and compliance center

As announced yesterday already, we no longer have Azure Information Protection, but Microsoft Information Protection. In this session we saw more in-depth new features of the security and compliance center which will be rolled out the coming months.  A great new look of the security and compliance portal.

I am really sorry about the picture below, I was too far away for getting a sharp picture, I will update them as soon as I have better material. But I think you can get an impression.

This compliance center will have tight integration with https://security.microsoft.com. It’s focusing more and more on “Assess, protect, respond, visibility and control”. With just a few simple clicks, you are able to remediate security after an attack. Sounds like a sales pitch, but I have seen it live and it just works.

Another great feature is that we will soon have “label analytics”! finally. We can see for example which labels are applied manually, which are pending, how many labels you have applied etc.

More info about “Assess, protect, respond, visibility and control” how Microsoft does it, here is an exact copy of text of the presentation:

Assess
Perform ongoing risk assessments with a compliance score across Microsoft cloud services.
Protect
Automatically classify and protect sensitive data across devices, apps and cloud services.
Respond
Efficiently respond to regulatory requests leveraging AI to find the right, most relevant data.
Visibility
Understand the security state and risks across resources.
Control
Define consistent security policies and enable controls.
Guidance
Elevate security through built-in intelligence and recommendations.

Windows Server 2019

Some great new features are announced! The best I heard so far is that we can now connect Windows Server 2019 to Azure Update Management. This way, we will have one unified, native updating way throughout our devices.

Also, Azure password protection is now hybrid available on Windows Server 2019. And of course, the Windows Admin Center (released before) is tightly integrated in Windows Server 2019. Within WAC, we can now manage Azure Network Adapter, Azure Site Recovery and Azure back-up.

Windows Information Protection

I have seen very great feature updates around Windows Information Protection! Instead of summing it up here, I dedicated a seperate blogpost about this. Read it here!

The post Microsoft Ignite day 2 appeared first on Erjen Rijnders.

1. Keynote
2. Transform your workplace with Microsoft 365
3. Microsoft 365 admin center
4. Windows 10 Virtual Desktop
5. What happened with RDMI?
6. Advanced Threat Protection for MySQL
7. Whats new in OME and AIP
8. Integrate Teams with a SharePoint library
9. Microsoft Threat Protection announced
10. Microsoft Information Protection
11. Microsoft Secure Score

Keynote

With about 30.000 people in one very big room, Satya kicked off with a welcome and received a big applause. Satya started sharing current customer success stories, mainly focused on AI. His question after the success stories: How are we evolving this and how do we keep innovating? The answer is, the Microsoft open data initiative! Together with Adobe and SAP, these three companies exchange data. Data becomes more and more important and in this way, Microsoft can create a great experience for us as customers. There will be one data model for all Azure applications so that our data will no longer be in silos. Well, I must say, that’s exciting news! Hopefully we will see this in action soon.

That said, Microsoft is also focusing more and more on selling an experience instead of a product (what we do as consultants for years already to our customers to be honest), but Microsoft will have more focus on this as well. Satya said that we need to transform our businesses industries, adopting the latest and greatest technologies, or
we will not survive. Also trust and collaboration is key aspect of success, Satya said.

It was an inspiring keynote, although not as inspiring as before and less announcements were given but still, great start of Microsoft Ignite!

Transform your workplace with Microsoft 365

The second session (more like a subkeynote) I attended was “Transform your workplace with Microsoft 365”. Ron Markezich came on stage thanking us for our partnership.

They key announcement in this session is a new Microsoft product: Microsoft Ideas. It brings a lot of AI into your daily work. Like in PowerPoint, it suggests the design of a slide. Like if you type Seattle, it gives you images of Seattle. But also, it checks for consistency throughout PowerPoint. In Excel, this same product gives you suggestions on a whole other level. Like you fill in some countries, it suggests you to add columns with the inhabitants etc.

In Word, it’s even cooler in my opinion. When you are working together in the same document, you can add tasks for another and even create tasks for yourself. For example, you type “@To Do”, you add a task for yourself. Giving a description, like “Keynote”, Microsoft Ideas gives you relevant documents which you can add in the document.

This is all possible, connecting with the Microsoft Graph API. Many applications are connected to this API which makes this possible. This product is going to be rolled out at PowerPoint first, later across more Office applications.

Microsoft 365 admin center

During this session, we saw Brad Anderson show the Microsoft 365 Admin Center! https://admin.microsoft.com gives you all the management within Microsoft 365, no longer go to protection.office.com, security.microsoft.com, compliance.microsoft.com etc. It looks promising.

Windows 10 Virtual Desktop

So many have waited for this (and we still have to wait a bit longer because the public preview will come end of this year), but it’s officially announced, the Windows 10 Virtual Desktop! No more planning, deploying, updating etc. It’s all managed by Microsoft. And the Virtual Desktops has built-in security and compliance.

As I mentioned, the public preview is available later this year, but it’s possible to join the public preview now by registering.

What happened with RDMI?

Well, not sure to be honest. No one mentioned it @Ignite, it looks like RDMI is now called Windows Virtual Desktops.

UPDATE: It is confirmed at Ignite 2018 that RDMI is now Windows Virtual Desktop.

Advanced Threat Protection for MySQL

Advanced Threat Protection for MySQL is out! Configure it using the Azure Portal, check here for detailed information:

https://azure.microsoft.com/en-us/blog/advanced-threat-protection-for-azure-database-for-mysql-in-preview/

Whats new in OME and AIP

100 million users are using OME since they announced it a year ago. We (@Sigmax) have used it a lot for our customers and a lack of functionality is the integration with Data Loss Prevention. But not anymore! It’s fully integrated. Also, we have OME reporting now. We can check the encrypted emails sent and also revoke an encrypted email finally! Another great feature is that we can now further customize the encrypted e-mail.

Integrate Teams with a SharePoint library

If you have implemented the SharePoint philosophy and you start using Teams, well, that philosophy is turned up-side-down inevitably because you have no control where Teams stores your data. Not anymore! You can now integrate a SharePoint library with Microsoft Teams.

Microsoft Threat Protection announced

Before, we had Windows ATP, Azure ATP and Office ATP. Now we have it all together in one product: Microsoft Threat Protection (looks like we need to go to https://security.microsoft.com, in contrast what was announced in the Microsoft 365 admin center but we will see).

Microsoft Information Protection

We no longer have Azure Information Protection, but Microsoft Information Protection. The great thing is that we now have a unified way of labeling. We can use the same labels for Office Message Encryption and Data Loss Prevention which is great.

Labeling is now also available in Office for mac!

Microsoft Secure Score

Now integrated with Office 365 and EMS! If you were using it before, you will now see a lot more scores. Go to https://securescore.microsoft.com/ to check your security score!

The post Microsoft Ignite day 1: keynote and sessions appeared first on Erjen Rijnders.