TagMicrosoft

What is Microsoft Endpoint Manager?

Many people wonder what Microsoft Endpoint Manager is and how to quickly gain value to their company by using it.

In this post i will give you some quick information on what it is and later on create a how to get started quckly with Microsoft Endpoint Manager!

So what is Microsoft Endpoint Manager?

Some people are saying “It`s the new name of Intune” and that`s not what it is at all! or Intune is in there, but it`s so much more.

MS Endpoint Manager is a tool set witch are combining several solutions and gives you “One place to manage” several infrastructure services. To name them:

  • Microsoft Intune (ofcourse :))
  • Microsoft Endpoint Configuration Manager (SCCM)
  • Windows Autopilot
  • Desktop Analytics
  • Microsoft Defender ATP
  • Azure Active Directory

By doing this Microsoft achieves a ground breaking new management solution for us that gives us ability to manage all major platforms like Windows devices, Apple devices, Linux distros and Android devices.

So to be clear, Microsoft Intune or Microsoft Endpoint Configuration Manager (SCCM) will not be discontinued! They both will live their life but be combined with Microsoft Endpoint Manager.

So what do you need to start using Microsoft Endpoint Manager?

You need to have either Intune licenses or SCCM licenses and you also need to have Azure Active Directory Premium P1 to utilize Azure AD Conditional Access.

I will in the next blogpost come up with a brief guide om how to get started using Microsoft Endpoint Manager and quickly gain usage of yours EMS package!

Stay tuned for more secure devices!

S for Security in EMS – Microsoft Intune

So this is the third post in my blog post series “S for Security in EMS” and I will try to cover some Microsoft Intune benefits and quick-wins meaning how to quickly get started with Intune and to gain some benefits right the way. 

First, what is Microsoft Intune?  

Microsoft Intune is an cloud based mobile device manager, this does not mean that MS Intune only can be used for 

Celular phones and tablets. All devices can be enrolled into Intune and by requireing this of your users we can start protecting business data with other tool-sets like Conditional Access, Information Protection and so on. 

When users enroll their devices into intune (that can be Windows, macOS, Android or iOS) the device goes through an “Compliance policy” that you have configured to “measure” the device and stamp it as compliant or non-compliant based on evaluations against the the compliance policy.  

Image result for microsoft intune compliance

So why is Intune so important for the Security part within the EMS Suite? Well! When your device is added to Intune and gone through the Compliance policy marking the device as an Compliant device we can use that status with for example Conditional access to deside on what services a user can access based on compliant device or not.  

Furter on we can with the MDM deploy software like Antivirus/Antimalware (if you don`t use Microsoft Defender ATP :)), deploy Windows 10 security baselines where you can controll several services within Window 10 (https://docs.microsoft.com/en-us/intune/protect/security-baseline-settings-mdm-all?pivots=mdm-may-2019).  

And the last but not least, you have an inventory of devices that can access your enterprise data and applications! Thats a big value to have in your pocket! 🙂 

S for Security in EMS – Overview
Part 1 – S for Security in EMS – Azure AD Premium
Part 2 – S for Security in EMS – Information Protection
Part 3 – S for Security in EMS – Microsoft Intune
Part 4 – S for Security in EMS – Advanced Threat Analytics
Part 5 – S for Security in EMS – Cloud App Security

S for Security in EMS – Azure Information Protection

Even tho Azure Information Protection is included within the EMS package i would recomend using the Office 365 Unified Labeling insted.

Those labels which can be eather Sensitivity or Retention labels and capabilities comes with in the Office 365 E3 or Office 365 E5 license.

Why should you use Unified labels you say?

Well, in my opinion you should keep it as simple as posible for your users therefore by embracing the Unified labels within Office 365 users don`t have to think about using a labeling client to manage their labels. Unified labels are built into Office applications both web and installed ones and also embeded into the mobile applications. That meaning users can label on any device with application.

When using Azure Information Protection internal IT department of your company need to roll out the AIP Client to all machines and drawbacks here is that web applications and mobile applications are not eligable for this client.

So!

Start with creating some labels from Security & Compliance center and play arround crating watermarks, encryption and deploy to test users at first to be able to test your policies.

Head into https://protection.office.com/ and navigate to “Classifications -> Sensitivity labels” and from her create a new label

CD 
Home 
Alerts 
Permissions 
— Classification 
Sensitivity labels 
Retention labels 
Sensitive info types 
https://protection.office.com/sensitivity?viewid=sensitivitylabels 
Office 365 Security & Compliance 
Home > sensitivity 
Labels Label policies 
Sensitivity labels are used to classify email messages, documents, sites, and more. 
encrypt files, add content marking, and control user access to specific sites. Learn 
+ Create a label Publish labels C) Refresh 
Name 
Classified - Web only from not compliant clients 
Highly classified - Block access from not compliant devices

Follow through with the wizard

New sensitivity label 
o 
o 
o 
o 
o 
Name & description 
Encryption 
Content marking 
Endpoint data loss prevention 
Site and group settings 
Auto-labeling for Office apps 
Review your settings 
Name your label 
The protection settings you choose for this label will be immediately enforced on the files, email messages or sites to which it's applied. Labeled files will be protected wherever 
they go, whether they're saved in the cloud or downloaded to a computer. 
Name 
Classified 
Tooltip 
Enter text that helps users understand this label's purpose 
Description 
Enter a description that's helpful for admins who will manage this label

And when going through the Wizard you need to take some descisions on what the policy should do.

  • Encryption
    • Yes or no and what permissions should be set automatically to your files.
    • Should the access to the file expire on a givven date or days after encryption
    • Allow offline access to files could be convenient for some.
  • Should the content be watermarked?
  • Add DLP policy from the Entpoint (Windows Information protection WIP).
  • Use this label to protect Office365 groups (Teams and SharePoint sites also)
    • Here you can choose if the created SharePoint site, Teams or Office 365 Group should be have restricted access from unmanaged devices and such.
  • Use Autolable based on conditions
    • This feature require E5
    • You can automatically lable documents with for example Norwegian passport number is written in a document.

Thats it! You have created your first label – quite easy.

But before going big-scale you need to evaluate how your company should label documents. General, Confidential, Higly confidential and so on.

My best tip there is to create a table on the labels you think you need and describe the “rules” of when to apply the labels. Like financial data should maybe be labels highly confidential while some company flyers should have “General”.

S for Security in EMS – Overview
Part 1 – S for Security in EMS – Azure AD Premium
Part 2 – S for Security in EMS – Information Protection
Part 3 – S for Security in EMS – Microsoft Intune
Part 4 – S for Security in EMS – Advanced Threat Analytics
Part 5 – S for Security in EMS – Cloud App Security

Change to Opt-In in MyAnalytics

Since MyAnalytics is an “Opt-Out” feature in Office 365, some companies wants to change this behavour for their users, meaning that each users should enable this feature them self instead of the service being automatically enabled when users are created.

Changing settings in Office 365 to change this behavour:

Remove the three ticks on the MyAnalytics service window to change the default behavour for new users. removing these ticks will ensure that users need to “opt-in” their self by accessing “Myanalytics.microsoft.com” and change settings there.

And in each user can ustomize their own MyAnalytics settings by opt-in or opt-out in the dashboard “myanalytics.microsoft.com”

Remove the service from each user forcing the users to enable the service themself

#Connect to Exchange Online with MFA
Import-Module $((Get-ChildItem -Path $($env:LOCALAPPDATA+"\Apps\2.0\") -Filter CreateExoPSSession.ps1 -Recurse ).FullName | Select-Object -Last 1) #download module from Exchange Online Admin Center under "hybrid" and using IE.
#Connect to Exchange Online
Connect-EXOPSSession -UserPrincipalName julian.rasmussen@xxxxxxxxxx.no
#This will make sure when you need to reauthenticate after 1 hour that it uses existing token and you don't have to write password and stuff
$global:UserPrincipalName="julian.rasmussen@xxxxxxxxxx.no"

#check what state the users is in today
Get-UserAnalyticsConfig –Identity julian.rasmussen@xxxxxxxxxx.no

#Opt-out from service - users can opt-in again at https://myanalytics.microsoft.com/ 
Set-UserAnalyticsConfig –Identity julian.rasmussen@xxxxxxxxxx.no -PrivacyMode Opt-out

#multiple opt-out
$privacyMode = "Opt-Out"

$users = Get-Mailbox *
ForEach ($user in $users)
{
$user.Userprincipalname
$upn=$user.UserPrincipalName

Set-UserAnalyticsConfig –Identity $upn -PrivacyMode $privacyMode
Get-UserAnalyticsConfig –Identity $upn
}

S for Security in EMS

Since Enterprise Mobility + Security (EMS) is a core component of Microsoft 365 services you need to understand what services is present within the EMS package. In the same way that Microsoft 365 services comes with a E3 or E5 service level does EMS also that. I will try to give a easy and understandable overview of all the core components of EMS within the next 5 blog posts.

We will dig into all the main topics that you se in the table below.

In the table below you will see the difference between the EMS E3 and EMS E5

Service EMS E3 EMS E5
Azure AD Premium P1 P2
Azure Information Protection P1 P2
Microsoft Advanced Threat Analytics Incl. Incl.
Microsoft Intune Incl. Incl.
Cload App Security   Incl.

By now you probably trying to figure out on some questions;

Do I need EMS in my organisation?

Witch EMS subsctiption do I need?

Should we move to Microsoft 365 subscriptions?

The short answered for this is; Yes, depends and maybe. Not much of an answer but if you stay put on the next few blog posts, I will walk through the services on what it does and what it can be used for to make it a little easier to choose the right licenses for your organisation.

Part 1 – S for Security in EMS – Azure AD Premium
Part 2 – S for Security in EMS – Information Protection
Part 3 – S for Security in EMS – Microsoft Intune
Part 4 – S for Security in EMS – Advanced Threat Analytics
Part 5 – S for Security in EMS – Cloud App Security

Azure AD Connect sync issues

Now and then we get errors in our Azure AD Connect syncronization, or that said – my customers get errors.

And every now and then there is a error wich are not easy to spot what can be wrong.

In this case the sollution was not that easy – but when you think of it, it makes kind of sense sort of.

So this is the Error i got.

Other Error 
onmicrosoft.com 
Description 
Error Details 
pro perty 
Error Type 
Last Attem pted At 
Related Articles: 
Attribute 
o 
x 
The object failed synchronization. For more information, please see the error details. If the problem continues and 
cannot be fixed, please contact Microsoft Support. 
Value 
WorkflowException 
12/17/2019, PM 
1. Azure AD Connect: Troubleshooting Synchronization Errors 
user Principal Name 
Object GUID 
Synchronization Status 
Details 
Attribute Value 
0625<71 
On premises AD only 
52fde7d7eab1

Looking into Azure AD Connect it throwed a error on syncronization.

After some investigation back and forth i with the GUID who did not match the Azure AD Sync error – i found out that a deleted group was configured as a licensing group within Azure AD. Therefor when it was deleted from On-prem AD it could not be deleted in Azure AD since it still was in use.

By removing it from the license sku it removed it self on next sync.

How do I know all my users are enabled for and using MFA?

More and more organizations is taking advantage of using MFA for their users and there is no reason for them not to since it`s free for all Office 365 users and also for all Azure AD users if you are not using the Office 365 services. But after you enable it for your users, are you sure everyone is enabled?

You may have seen at the Secure Score that not all users are registred for MFA, and if you do so you have users with no MFA! So these users may be victims for bruteforce attacks so it`s super important to remediate all users to see how everything is configured! Some of the users with no MFA maybe legit and should not have it.

So let`s dig into the materials for a second or two.

First thing is that there is a “Secure Score” check for MFA registered users that will show you how many of your users which are not registered (if any)

If you have any users in that list it would not show who the users are so we need to go deeper in the material to retreive this status.

So to get the list of users who don`t have setup MFA you need to run this PowerShell command with the AzureAD PowerShell module loaded.

Connect-MsolService

Get-MSOLUser -all | where {$_.StrongAuthenticationMethods.methodtype -eq $null} | Select Displayname,UserPrincipalName,BlockCredential,LastPasswordChangeTimestamp,UserType |Out-GridView

And now that we have found all users we can check them out why they don`t use MFA and make sure that they use it 🙂

Further on we can check what method users are using when authenticating with MFA. For this I use this script located in Technet PowerShell archives HERE

If you have deployed MFA the Conditional Access way (recommended) you will see that the MFA status on all user are set to “Disabled” but the method is set to what the user are using.

Have checking status on your users! 🙂

Ignite – some of the news I got first day

So! Day one at Ignite is over and what a day! A lot of new features, services and everything.

But Imust say, arriving from Norway – EVERYTHING IS SO BIG here in USA!

Anyhow – Here is a short summary from me of some (few) new features and services that where unvailed at the keynotes and some sessions

There are much more also that I did not cover in this post!

Azure Arc

Azure Synapse Analytics

Power Automate (Flow)

  • MS Flow is getting new name
  • Gives you ability to create autmations against applications which are missing API`s

Power Virtual Agents

  • Bot or “Chat” agent on websites
  • Together with Power Automate you can fill contacts schemes from a chat on a website directly into your on-prem crm system (which are missing API)

Microsoft 365

  • Project Cortex
    • Based on AI
    • Creates a Enterprise wiki automatically with the use of AI
    • Creates a “Knowledege” card on word shortnings and links you to the “Knowledge Center”
    • Greate for new employees or just as a company wiki
  • MS Stream uses AI to remove background noice on videos
  • MS Teams uses AI to remove backgrouds or bluring them
  • Fluid Framework
    • Collaboration between Outlook, MS Teams chat, PowerPoint ++
  • Office.com is more important for end-users than ever – a onestop for all services
  • Office.com gets ability to be customized with themes, company branding etc.
  • OneDrive gets filesize increased to 100GB pr. file
  • All files in OneDrive now has Delta-sync

SharePoint

  • In Search you now can edit resultspage and configure how the result is presented
  • SharePoint Homesites is in GA
  • Content Auditing
    • Highligt of changes in versions
    • Scheduled publishing of pages
    • Multi-lingual support
  • SharePoint Spaces goes Public preview arround q1 2020 (somehow togheter with Edge Chromium)
  • Modern term-store

Security & Compliance

  • Unified labes is even more unified
    • Labeled Teamsites, MS Teams and files are now the same
    • Auto labeling si based on content on a complete site
  • Information barrier
    • Based on classifications (labels) you can block out a whole department or group of people from certain areas
    • That said, Finance investors can get blocked out from the auditors filespaces for exapmle.

Edge Chromium

  • Browser in GA Q1 2020
  • Will get a Fast Track “track” to help companies embrace it

Managed Meeting Rooms

  • Monitoring of equipment in the rooms like monitors, cameras, microphones etc.
  • In Private preview right now!

On my way to Ignite!

Enroute! I`m on my way to Orlando as we speak (write). I`m so exited to meet the HUGE community which are present at Microsoft Ignite and can`t wait to meet friends and new people in the community. That said there are mucho to-do this week!

I`m arriving my hotel late Sunday and preparing to head into OCCC EARLY to try to get a space for Sataya`s keynote in The Hub at OCCC.

Game plan!

  • Get my luggage
  • Check in at MS Ignite at Orlando airport (rumors says there is almost no queue there)
  • Grab an Uber straight to the hotel
  • Go to sleep fast
  • Get up early and head directly over to OCCC
  • Enjoy Ignite! 🙂

That said – i have thought about how to store, use and structure all the information and knowledge i get this week.

My plan is to use One Note for taking notes on stuff from sessions and all over – Use Microsoft To-Do to add task that i need to follow up on and LinkedIn for connecting with all the great community people and ofcourse use Twitter to follow the great speakers and people i meet at the conference.

Ignite is 7 days away – it’s a problem!!

Well.. it’s not that big of a problem, or yes it is! There is to many sessions I want to be at at the same time. As a first timer at Ignite this will be alot of fun and i’m looking forward to meet alot of people and learn much new stuff!

So over to the problem, I have added all the sessions i want to experience and i now have up to 8 sessions at the same time at almost all hours theough out the week. So now the work of fixing my schedule for the week. Good thing is that we can watch almost all content on video on demand after the conference 🙂

Even tho its my frist time to ignite, i have some tips!

  1. Arrive early to your sessions
  2. Have some break time between your sessions.
  3. Wear good and comfy shoes
  4. Keep hydrated
  5. Meet people and have fun!

Hope to you at ignite this year!

© 2020 IdefixWiki

Theme by Anders NorénUp ↑