Windows 10

Getting started with Windows Defender Credential Guard

by

This week is again back to Windows. This week is all about Windows Defender Credential Guard (Credential Guard). Credential Guard is definitely not something new, it’s actually available since the beginning of Windows 10, but it’s still a little unknown and still not always used. A little awareness is on its place. Credential Guard uses virtualization-based security to isolate secrets and to make sure that only privileged access is allowed. That helps with preventing unauthorized access that can lead to known credential theft attacks, like Pass-the-Hash and Pass-the-Ticket. Besides awareness, there is also another new configuration location within Microsoft Intune that might be interesting. This post will start with a quick introduction about Credential Guard, followed with the steps to configure Credential Guard by using …

Read more

Getting started with Microsoft Defender Application Guard

by

This week is back to Windows. This week is all about Microsoft Defender Application Guard (Application Guard). Recently Application Guard functionality was added to Microsoft 365 apps for enterprise and those configuration options recently became available in Microsoft Intune. A good trigger for a new post. Application Guard uses hardware isolation to isolate untrusted sites and untrusted Office files, by running the application in an isolated Hyper-V container. That isolation makes sure that anything that happens within the isolated Hyper-V container is isolated from the host operating system. That provides an additional security layer. This post will start with a quick introduction about Application Guard, followed with the steps to configure Application Guard by using Microsoft Intune. Introduction to Microsoft Defender Application Guard Application Guard …

Read more

Easily enforcing specific Windows Sandbox configurations

by

This week is all about Windows Sandbox. About two years ago I wrote a post about simply enabling Windows Sandbox, by using a simple PowerShell script and distributing that script by using Microsoft Intune. Windows Sandbox is a really nice feature for running applications in an isolated environment. That isolated environment supports simple configuration files, which provide a minimal set of customization parameters. With the latest version of Windows 10, the administrator receives some controls for enforcing specific customization parameters. That won’t prevent the user from creating a configuration file, but that does prevent specific customization parameters from applying to the Windows Sandbox. In this post I’ll briefly go through the currently available policies, followed with the steps of configuring those policies. I’ll end this …

Read more

Easier managing local administrators via Windows 10 MDM on Windows 10 20H2 and later

by

This week back to the Windows platform. This week is again about managing local administrators on Windows 10 devices. Even in a modern world, there can still be a need for managing the local administrators on a Windows 10 devices and often that still requires more flexibility than provided with the default Azure AD functionality. I’ve also discussed managing local administrators already multiple times – either by using a Windows 10 MDM policy setting or by using proactive remediations – and this time it’s about a new method that became available in Windows 10, version 20H2 and later. That method is a new Windows 10 MDM policy setting. In this post, I’ll provide an introduction to that new policy setting and I’ll show how to …

Read more

Opting out of safeguard holds

by

This week is all about safeguard holds. More specifically, the ability of opting out of safeguard holds. Safeguard holds prevents devices with a known compatibility issue from being offered a new Windows 10 feature update by using Windows Update. That protects the device and user from a failed or poor experience with the Windows 10 feature update. Starting with the October 2020 security update, devices running Windows 10, version 1809 and above, receive a new setting that can be used for opting out of safeguard holds. In this post I’ll start with an introduction to safeguard holds, followed with the steps of creating a device configuration profile for opting out of safeguard holds. Important: Opting out of a safeguard hold can put devices at risk …

Read more

Remediating local administrators with proactive remediations

by

Like last week, this week is all about proactive remediations, a feature of Endpoint Analytics. As mentioned last week, proactive remediations are script packages that can detect common issues and remediate those issues if needed. All of that before the user even realizes that there is an issue. Those remediations can help with reducing support calls. The strength is that the remediations can be anything to address potential issues, as long as it can be addressed by using PowerShell. Each script package contains a detection script and a remediation script and that script package is deployed through Microsoft Intune. For deploying script packages, Microsoft Intune relies on the Intune Management Extension (IME). To show the real power of proactive remediations, I’ll further develop the local …

Read more

Detecting local administrators with proactive remediations

by

This week is all about proactive remediations, which is a feature of Endpoint Analytics. Proactive remediations are script packages that can detect common issues and remediate those issues if needed. All of that before the user even realizes that there is an issue. Those remediations can help with reducing support calls. The strength is that the remediations can be anything to address potential issues, as long as it can be addressed by using PowerShell. Each script package contains a detection script and a remediation script and that script package is deployed through Microsoft Intune. For deploying script packages, Microsoft Intune relies on the Intune Management Extension (IME). To show the power of proactive remediations, I’ll use local administrators as an example. I’ve did something similar …

Read more

Deploy Microsoft Defender Application Control policies without forcing a reboot

by

This week is all about Microsoft Defender Application Control (MDAC). More specifically, about configuring MDAC policies on Windows 10 devices by using Microsoft Intune without forcing a reboot. MDAC, often still referred to as Windows Defender Application Control (WDAC), restricts application usage by using a feature that was previously already known as configurable Code Integrity (CI) policies. To make the history lesson complete, configurable CI policies was one of the two main components of Windows Defender Device Guard (WDDG). History aside, CI policies help with protecting Windows 10 devices by checking apps based on the attributes of the code signing certificates and the app binaries, the reputation of the app, the identity of the process that initiated the installation (managed installer) and the path from …

Read more

Windows 10 MDM Bridge WMI Provider: Settings template

by

This week my post is a few days later, as my post is an extension of my session at the Workplace Ninja Virtual Summit 2020. At the virtual summit I did a session about Getting to know the Windows 10 MDM WMI Bridge provider and during my session I shared how to easily work with the Windows 10 MDM Bridge WMI provider. Similar to using Microsoft Intune to address the different CSPs, we can also use PowerShell via the WMI bridge. The main thing that I’ve showed at the end of that session was a setting template, basically a PowerShell-function, that can be used to set, adjust and remove nearly all settings via the MDM WMI Bridge provider. That PowerShell-script is available below and I’ve …

Read more

Getting started with Endpoint Data Loss Prevention

by

Completely fresh after my vacation I thought it would be awesome to have a look at Endpoint Data Loss Prevention (DLP), which was announced during Microsoft Inspire. Endpoint DLP extends the activity monitoring and protection capabilities of DLP to sensitive content on Windows 10 devices. The best part of it is that the actual functionality is built-in to Windows 10 (and the Edge Chromium browser). No additional agent is required, just the onboarding of the device. In this post I want to start with a short introduction about Endpoint DLP, followed by the actions to onboard devices and to configure DLP policies and settings. I want to end this post by having a quick look at the end-user experience. Introduction to Endpoint DLP Let’s start …

Read more