Tag: Microsoft

Microsoft Defender ATP for Mac now available in Public Preview

Yesterday Microsoft released Microsoft Defender ATP for Mac in public preview; it is now available for download and installation through the Microsoft Defender Security Center.

In the onboarding section in Microsoft Defender Security Center, if you have preview features selected, you will see how to onboard macOS machines.

You will have the option to download a standalone package or a package for Mobile Device Management (MDM) / Microsoft Intune.

System Requirements

Before you try to install Microsoft Defender ATP on macOS you need to make sure you meet the following system requirements [1]:

  • macOS version: 10.14 (Mojave), 10.13 (High Sierra), 10.12 (Sierra)
  • Disk space: 1GB
  • No other third-party endpoint protection software installed

Manual deployment

If you want to manually deploy Microsoft Defender ATP to your macOS devices, Microsoft has created the following guide:
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually

Microsoft Intune

If you use Microsoft Intune as a Mobile Device Management solution for your macOS devices, you could configure it to automatically onboard and deploy Microsoft Defender ATP. A guide from Microsoft on how this could be done is found here:
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune

JAMF

If you use JAMF as a Mobile Device Management solution for your macOS devices, you could configure it to automatically onboard and deploy Microsoft Defender ATP. A guide from Microsoft on how this could be done is found here:
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf

Other MDM

If you are not using Microsoft Intune or JAMF but another third-party Mobile Device Management solution for your macOS devices, Microsoft has created a guide on how to use it to automatically onboard and deploy Microsoft Defender ATP for Mac, which can be found here:
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-other-mdm


Keep in mind that Microsoft Defender ATP for Mac is in Public Preview, so make sure you verify and test it before rolling it out to full-scale production!

[1] https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac#system-requirements



New baseline policies available in Conditional Access

Last week Microsoft started rolling out three new baseline policies in Conditional Access.

  • Baseline policy: Block legacy authentication (Preview)
  • Baseline policy: Require MFA for Service Management (Preview)
  • Baseline policy: End user protection (Preview)

Baseline policies in Conditional Access are part of Baseline Protection in Azure Active Directory (Azure AD); their goal is to ensure that you have at least a baseline level of security enabled in Azure AD.

Conditional Access normally requires an Azure AD Premium SKU (P1 or P2), but Baseline Protection is available for all editions of Azure AD, including Free.

Here is a walk-through of all the available baseline policies that Microsoft offers and how they protect your organization.

Require MFA for admins

This policy requires Multi-Factor Authentication (MFA) for accounts that are members of directory roles that grant more privileges than a normal account has. This policy also blocks legacy authentication, such as POP, IMAP and older Office desktop clients.

The directory roles that are covered by this policy are:

  • Global administrator
  • SharePoint administrator
  • Exchange administrator
  • Conditional access administrator
  • Security administrator
  • Helpdesk administrator / Password administrator
  • Billing administrator
  • User administrator

Block legacy authentication

This policy blocks all sign-ins using legacy authentication protocols that do not support Multi-Factor Authentication, such as:

  • IMAP, POP, SMTP
  • Office 2013 (without registry keys for Modern Authentication)
  • Office 2010
  • Thunderbird client
  • Legacy Skype for Business
  • Native Android mail client

However, this policy does not block Exchange ActiveSync.

Require MFA for Service Management

This policy requires users logging into services that rely on the Azure Resource Manager API to perform multi-factor authentication (MFA). Services requiring MFA include:

  • Azure Portal
  • Azure Command Line Interface (CLI)
  • Azure PowerShell Module

End user protection

This policy protects users by requiring multi-factor authentication (MFA) during risky sign-in attempts to all applications. Users with leaked credentials are blocked from signing in until a password reset.

Once the policy is enabled, users are required to register for MFA within 14 days of their first login attempt. The default method of MFA registration is the Microsoft Authenticator App.

Recommendations

Here are a few recommendations before you enable these policies:

  • If you have privileged accounts that are used in scripts or Azure Automation, you should replace them with Managed Identities for Azure resources or service principals with certificates. You could also exclude specific user accounts from the baseline policy, but that should only be a temporary workaround.
  • Make sure you exclude the emergency-access / break glass account(s) from these policies
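Before enabling the "Require MFA for admins" policy it helps to have an inventory of who actually sits in the covered roles, so that script accounts and the break-glass account(s) can be dealt with first. The following is an added example (not code from the post) that builds that inventory with the AzureAD PowerShell module (Install-Module AzureAD, followed by Connect-AzureAD). The role-name patterns are an assumption: the module reports some roles under older display names (Global administrator shows up as "Company Administrator", for instance), so matching is done loosely and you should adjust the patterns to what your tenant returns.

```powershell
# Added example, not part of the original post. Lists the members of the directory roles the
# "Require MFA for admins" baseline policy covers. Assumes the AzureAD module and an existing
# Connect-AzureAD session.

# Patterns for the roles listed in the post (naming is an assumption; legacy names included)
$CoveredRolePatterns = @(
    'Global Administrator|Company Administrator',
    'SharePoint',
    'Exchange',
    'Conditional Access Administrator',
    'Security Administrator',
    'Helpdesk Administrator|Password Administrator',
    'Billing Administrator',
    'User Administrator|User Account Administrator'
)

function Get-BaselineCoveredRoleMember {
    param(
        # UPNs of emergency-access accounts; they are flagged, not hidden, so you can verify the exclusion
        [string[]]$BreakGlassUpn = @()
    )
    # Get-AzureADDirectoryRole only returns roles that have been activated in the tenant
    $roles = Get-AzureADDirectoryRole | Where-Object {
        $name = $_.DisplayName
        $CoveredRolePatterns | Where-Object { $name -match $_ }
    }
    foreach ($role in $roles) {
        foreach ($member in Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId) {
            $upn = $member.UserPrincipalName   # $null for service principals
            [pscustomobject]@{
                Role         = $role.DisplayName
                DisplayName  = $member.DisplayName
                Upn          = $upn
                ObjectType   = $member.ObjectType   # the policy applies to 'User' objects
                IsBreakGlass = [bool]($upn -and ($BreakGlassUpn -contains $upn))
            }
        }
    }
}

# Usage:
# Connect-AzureAD
# $members = Get-BaselineCoveredRoleMember -BreakGlassUpn 'breakglass@contoso.example'
# $members | Sort-Object Role, Upn | Format-Table
# Accounts that must be MFA-capable (or temporarily excluded) before the policy goes live:
# $members | Where-Object { $_.ObjectType -eq 'User' -and -not $_.IsBreakGlass }
```

The list is the starting point for the two recommendations above: user accounts that run scripts show up here and can be migrated to managed identities or certificate-based service principals, and the break-glass account is visible so you can confirm it is excluded before turning the policy on.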

Read more about baseline protection and baseline policies on docs.microsoft.com



5 Things I check after I’ve installed Microsoft Edge Dev (Chromium)

Many of you probably already know that Microsoft has released its new Microsoft Edge, built on Chromium, as a Dev build for the public so we can try it out.

As usual when it comes to new things we want to personalize it, so I would like to share my first 5 things that I customize in this new version of Edge.
Before we begin, remember that this is a Dev-build (Version 76.0.152.0) so the things that I mention below might change when it is fully released.

Also worth mentioning is that this release is not built into Windows 10, which means that you have to install the browser like any other application.
You can find the download link at the bottom of this page.




FSLogix and Microsoft – When and How!

Since Microsoft acquired FSLogix in November there has been some uncertainty regarding licenses and most importantly when it will be available through Microsoft.

Ever since Microsoft acquired FSLogix there has not been much information about what's happening. We know Microsoft had its eyes on the Office 365 Container solution and potentially Profile Containers as well, but what will happen with the rest of the suite, such as App Masking and Java Redirection? Will they disappear, or will Microsoft continue the support and development of the entire suite?

When Microsoft released Windows Virtual Desktop to Public Preview, it also announced its intentions for the FSLogix suite!

As you are probably aware by now, FSLogix will be part of Windows Virtual Desktop, but it does not stop there; see below for when you are entitled to use the FSLogix suite.

Licensing

FSLogix will be available with no additional cost if you have one of the following Microsoft licenses:

  • F1, E3 or E5 Microsoft 365 licensing
  • A3 and above for educational and non-profit
  • Windows 10 Enterprise E3 or E5
  • RDS CALs


Where and when can I use it?

The really good news here is that it is not only available in Azure; you can use it wherever you want, even on-premises! You cannot acquire the license just yet (it will be available in June), but you can request a trial, which will give you all the functionality and features in the meantime. Don’t hesitate to contact me if you would like a trial and start benefiting from this amazing product today!

Which FSLogix apps are included?

  • Office 365 Containers
  • Profile Containers
  • Java Redirection
  • App Masking


This is really good news, since this is a solid product that solves headache-inducing problems; I’m looking forward to this, and so should you! If you are looking to implement this solution in your environment, don’t hesitate to contact me at Jonas.Agblad@Xenit.se or leave a comment.


Don’t miss my earlier posts about FSLogix for more information:

What is FSLogix Cloud Cache?

Keep your FSLogix VHD-files Optimized!

Convert Citrix UPM to FSLogix Profile Containers

Teams in your multi-user environment done right!

Outlook Search index with FSLogix – Swedish

FSLogix Profile Container – Easy and fast Profile management – Swedish

Office 365 with FSLogix in a Multi-user environment – Swedish





What is FSLogix Cloud Cache?

Background

Last year FSLogix released its award-winning (at Citrix Synergy) technology Cloud Cache, and I for one was very curious about what it meant and what I could use it for. The fact that it was included in the license for Office 365 Container and Profile Container was a really nice surprise, but I was somewhat confused about what it actually does. I mean, has FSLogix developed its own cloud service? It sure sounds like it; that was however not the case. First off, this is a technology that makes your profiles or Outlook cache easily available cross-platform, with a kind of built-in high availability so you don’t have to create a fail-over file cluster. There are some things you should take into consideration before implementing it in your environment, but first let me explain what Cloud Cache really is and what the target benefits are!

What is Cloud Cache, really?

As I mentioned, you might think that it has something to do with the cloud or cloud services. That’s wrong, or at least as far as the technology is concerned. Cloud Cache primarily consists of three features:

  1. Automatic Replication
  2. Cache of “hot” data from your container
  3. Use of Azure blob storage as VHD location

Automatic Replication

Before Cloud Cache you could set multiple paths for the VHD files in FSLogix, and it would automatically check the second path if the first was unavailable. The problem was that you had to set up the replication between the two file locations yourself, which was complicated: the VHD files are locked while in use, and an incremental copy is hard because the changed data lives inside the VHD file, so replication could take a lot of time and load the network considerably.

With Cloud Cache that issue is solved; replication is now built into the product and it automatically copies the data between the two locations. The neat part of the solution is that replication begins when the user logs on to the environment and copies only the incremental changes to the container (since it is now open), all automatically. As you can figure out, this is also a great way of migrating your containers to a new location: just add the new location, wait a couple of days and then remove the old path. Really smooth, no hassle, no downtime, no late-night service windows.

Cache of hot data from your container

It’s known that FSLogix solves the high CPU load (on the file server) you would normally see when redirecting the OST file to a file share, but it still demands quite fast disks and some network load. With FSLogix Cloud Cache you can now place your containers in Microsoft Azure, which is cool, but there are two fundamental issues with this approach: (1) Azure bills on consumption and (2) latency to the data is high. FSLogix has solved this by caching the hottest data from the containers on the actual server/client you are on. This minimizes the cost in Azure and the load on the network, and it is ideal if you use your FSLogix container on different platforms (on your client and in a VDI solution) or in a VDI environment where the cache is kept and not downloaded again.

Client profile management

Before Cloud Cache, managing client profiles with FSLogix had some issues, since it required the client to be online all the time. Fortunately, with Cloud Cache you are no longer affected by offline sessions: it continues with the cached data and, as soon as the client is online again, updates the original VHD with the changes made offline.


What to consider before using Cloud Cache

Now that you know what Cloud Cache is and what makes it good, you should also know what to consider in some scenarios. The first thing to consider is the cached data: how much will it cache? That is a good question, and one I have not yet received an answer to. From what I have gathered this cannot be specified, meaning you cannot control the amount of data it caches and therefore cannot control the size of the cached data on, for example, a Citrix server. In some environments this can be a really risky approach. Below are some examples where you really need to weigh the value against the risk of Cloud Cache:

Citrix Provisioning Services with Citrix Virtual Apps and Desktop

When using Cloud Cache in this setup you will have issues: the cache is supposed to be persistent on the machine you are on, which it will not be when using PVS with Citrix Virtual Apps and Desktop. In this setup your cache will be downloaded every time you log on to Citrix, and if you are also using “Cache on RAM with overflow on disk” you may also fill up your page-file disk.

Citrix Virtual Apps and Desktop

You need to be sure how to set it up. The C: drive must be large enough to hold the cached data every user will download, and you must set “Delete Cache on logoff”; otherwise one user can potentially download his/her cache to multiple Citrix servers across logoffs and logons, which also means your users download the cached data every time they log on. That might not be the best experience you had in mind when implementing the solution. There is however a solution to this: you can redirect the cached data to another server, but if you do, it is highly recommended to place it on fast disks in a high-availability setup.


Summary

All in all this is a really nice feature and will add a lot to the product. But you need to assess it before activating Cloud Cache to see if it’s suitable for you and your environment. In the right scenario this could really improve the experience for your users and your IT department. If you are curious about the product, please don’t hesitate to contact me at jonas.agblad@xenit.se or leave a comment below!


You can also find more information about FSLogix with my previous posts here:

Convert Citrix UPM to FSLogix Profile Containers

Teams in your multi-user environment done right!

Outlook Search index with FSLogix – Swedish

FSLogix Profile Container – Easy and fast Profile management – Swedish

Office 365 with FSLogix in a Multi-user environment – Swedish





Easily analyse your memory dumps

Recently I stumbled upon a great application for debugging your system while trying to examine a memory dump. The application is named WinDbg Preview; it is distributed by Microsoft themselves and serves several purposes for debugging Windows operating systems.

WinDbg Preview is a modernized version of WinDbg and extremely easy to use! With WinDbg Preview you can for example do the following:

  • Debug executables
  • Debug dump and trace files
  • Debug app packages
  • Debug scripts

WinDbg Preview

In my use case I wanted to quickly analyse a memory dump file that had been generated. A minute and about five clicks later I had an analysis that gave me all the information I needed. I was also told which commands to use as I went, without having to think about it.

Attaching memory dump file

Analysis result

WinDbg Preview is available from the Windows Store, and you can read more about it here.

If you have any questions, feel free to email me at robert.skyllberg@xenit.se or comment down below.



Querying Microsoft Graph with Powershell, the easy way

Microsoft Graph is a very powerful tool for querying organization data, and it’s also really easy to do using Graph Explorer, but that isn’t built for automation.
While the concept I’m presenting in this blogpost isn’t something entirely new, I believe my take on it is more elegant and efficient than what I’ve seen other people use.

So, what am I bringing to the table?

  • Zero dependencies on Azure modules; .NET Core and Linux compatible!
  • Recursive/paging processing of Graph data (without the need for FollowRelLink, currently only available in PowerShell 6.0)
  • Authenticates using an Azure AD application/service principal
  • REST compatible (GET/PUT/POST/PATCH/DELETE)
  • Supports json-batch jobs
  • Supports automatic token refresh, used for extremely long paging jobs
  • Accepts Application ID & Secret as a PSCredential object, which allows the use of credential stores in Azure Automation or Get-Credential instead of writing credentials in plaintext

Sounds great, but what do I need to do in order to query the Graph API?

First things first, create an Azure AD application, register a service principal and delegate Microsoft Graph / Graph API permissions.
Plenty of people have done this, so I won’t provide an in-depth guide. Instead we’re going to walk through how to use the functions line by line.

When we have an Azure AD application we need to build a credential object using the service principal’s app ID and secret.

Then we acquire a token; here we need a tenant ID so Azure knows the context of the token request.

Once a token is acquired, we are ready to call the Graph API. So let’s list all users in the organization.

In the response, we see a value property which contains the first 100 users in the organization.
At this point some of you might ask, why only 100? Well, that’s the default page size for Graph queries, but it can be expanded by using a $top filter on the URI, which allows you to query up to 999 users at the same time.

The cool thing about my function is that it detects when your query doesn’t return all the data (has a follow link) and gives a warning in the console.

So, we just add $top=999 and use the recursive parameter to get them all!

What if I want to get $top=1 (wat?) users, but recursive? Surely my token will expire after 15 minutes of querying?

Well, yes. That’s why we can pass a token refresh and credentials right into the function and never worry about tokens expiring!

What if I want to delete a user?

That works as well. Simply change the method (default = GET) to DELETE and go!

Deleting users is fun and all, but how do we create a user?

Define the user details in the body and use the POST method.

What about json-batching, and why is that important?

Json-batching is basically up to 20 unique queries in a single call. Many organizations have thousands, if not hundreds of thousands, of users, and that adds up since many of the queries need to be run against individual users. And that takes time. Jobs executed with json-batching that used to take 1 hour now take about 3 minutes. Eight-hour jobs now take about 24 minutes. If you’re not already sold on json-batching then I have no idea why you’re still reading this post.

This can be used statically by creating a body with embedded queries, or dynamically, as in the example below. We have all users flat in a $users variable. Then we determine how many times we need to run the loop and build a $body JSON object with 20 requests in a single query; we run the query using the $batch operation and the POST method, put the results into a $responses array, and tada! We’ve made the querying of Graph 20x more efficient.
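The walkthrough above describes the pieces (credential object, token, paged GET with a follow-link warning, token refresh, batching) without showing them, and the author's own functions are linked further down. What follows is an added example written for this page, not the author's functions or Microsoft's code. It assumes the OAuth 2.0 client-credentials flow against the v2.0 token endpoint with an application that already has the needed Graph application permissions; the tenant ID, app ID and secret in the usage lines are placeholders.

```powershell
# Added example, not the post's own functions. Client-credentials token with expiry tracking,
# a paged request helper that follows @odata.nextLink only when asked, and a $batch helper
# that splits work into chunks of 20 (the Graph batch limit). Tenant/app values are placeholders.

function Get-GraphToken {
    param(
        [Parameter(Mandatory)][string]$TenantId,
        # UserName = application (client) ID, Password = client secret, as in the post
        [Parameter(Mandatory)][System.Management.Automation.PSCredential]$Credential
    )
    $body = @{
        client_id     = $Credential.UserName
        client_secret = $Credential.GetNetworkCredential().Password
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
    $resp = Invoke-RestMethod -Method Post -Body $body `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    # Keep what is needed to refresh: expires_in is seconds, renew five minutes early
    [pscustomobject]@{
        AccessToken = $resp.access_token
        ExpiresAt   = (Get-Date).AddSeconds($resp.expires_in - 300)
        TenantId    = $TenantId
        Credential  = $Credential
    }
}

function Invoke-GraphRequest {
    param(
        [Parameter(Mandatory)][psobject]$Token,
        [Parameter(Mandatory)][string]$Uri,     # absolute URI, e.g. https://graph.microsoft.com/v1.0/users
        [ValidateSet('GET','POST','PUT','PATCH','DELETE')][string]$Method = 'GET',
        [string]$Body,                          # JSON string for POST/PUT/PATCH
        [switch]$Recursive                      # follow @odata.nextLink until exhausted
    )
    $results = @()
    $next = $Uri
    do {
        # Automatic token refresh for long paging jobs
        if ((Get-Date) -ge $Token.ExpiresAt) {
            $new = Get-GraphToken -TenantId $Token.TenantId -Credential $Token.Credential
            $Token.AccessToken = $new.AccessToken
            $Token.ExpiresAt   = $new.ExpiresAt
        }
        $params = @{
            Method      = $Method
            Uri         = $next
            Headers     = @{ Authorization = "Bearer $($Token.AccessToken)" }
            ContentType = 'application/json'
        }
        if ($Body) { $params.Body = $Body }
        $resp = Invoke-RestMethod @params
        if ($null -ne $resp.value) { $results += $resp.value } elseif ($resp) { $results += $resp }
        $next = $resp.'@odata.nextLink'
        if ($next -and -not $Recursive) {
            Write-Warning 'Query returned a follow link; re-run with -Recursive to fetch all pages.'
            $next = $null
        }
    } while ($next)
    $results
}

function Invoke-GraphBatch {
    param(
        [Parameter(Mandatory)][psobject]$Token,
        [Parameter(Mandatory)][string[]]$RelativeUrls   # e.g. '/users/<id>/memberOf'
    )
    $all = @()
    for ($i = 0; $i -lt $RelativeUrls.Count; $i += 20) {
        $chunk = $RelativeUrls[$i..([Math]::Min($i + 19, $RelativeUrls.Count - 1))]
        $requests = @(); $n = 1
        foreach ($url in $chunk) { $requests += @{ id = "$n"; method = 'GET'; url = $url }; $n++ }
        $body = @{ requests = $requests } | ConvertTo-Json -Depth 5
        $resp = Invoke-GraphRequest -Token $Token -Method POST -Body $body `
            -Uri 'https://graph.microsoft.com/v1.0/$batch'
        # Each sub-response carries its own status; surface failures instead of silently dropping them
        foreach ($r in $resp.responses) {
            if ($r.status -ge 300) { Write-Warning "Batch request $($r.id) ($($chunk[$r.id - 1])) returned $($r.status)" }
        }
        $all += $resp.responses
    }
    $all
}

# Usage (placeholders, not real values):
# $cred   = Get-Credential -Message 'UserName = app ID, Password = client secret'
# $token  = Get-GraphToken -TenantId '<tenant-id>' -Credential $cred
# $users  = Invoke-GraphRequest -Token $token -Uri 'https://graph.microsoft.com/v1.0/users?$top=999' -Recursive
# $groups = Invoke-GraphBatch -Token $token -RelativeUrls ($users | ForEach-Object { "/users/$($_.id)/memberOf" })
```

Two details worth noting: the `$top=999` URI is in single quotes so PowerShell does not expand `$top`, and the batch helper checks each sub-response's `status`, because a `$batch` call returns HTTP 200 even when individual requests inside it failed (throttled or forbidden), which is easy to miss when you only look at the outer call.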

Sounds cool, what more can I do?

Almost anything related to the Office 365 suite. Check out the technical resources and documentation below for more information; Microsoft is constantly updating and expanding the API. Scroll down for the functions, which should work on PowerShell 4 and up!

Technical resources:

Creating an Azure AD application
https://www.google.com/search?q=create+azure+ad+application

Graph API
https://docs.microsoft.com/en-gb/graph/use-the-api

About batch requests
https://docs.microsoft.com/en-gb/graph/json-batching

Known issues with Graph API
https://docs.microsoft.com/en-gb/graph/known-issues

Thanks to:
https://blogs.technet.microsoft.com/cloudlojik/2018/06/29/connecting-to-microsoft-graph-with-a-native-app-using-powershell/
https://medium.com/@mauridb/calling-azure-rest-api-via-curl-eb10a06127

Functions



“Outlook cannot perform your search” on Windows Server 2016 running Remote Desktop Services

INTRODUCTION

Speaking on behalf of all IT technicians, there is no doubt that we have all had our hand in cases related to Outlook. Oftentimes I find them straightforward enough to resolve. That was until I encountered a particularly obscure issue with Outlook’s search engine, with an equally obscure resolution.



Mapped network printers unavailable due to SMB1 being obsolete

INTRODUCTION

As we all might be familiar with, printers are one of those peculiar matters within IT. Implementing them in an IT environment is often self-explanatory, but when they do not cooperate, the issue can stem from one single obscure root cause, if not a string of them that each has to be checked.

Recently, I encountered a particular printer issue which I found interesting enough to share. The root cause here, in summary, was due to the network protocol SMB1 (Server Message Block) being obsolete in recent Windows releases.



Run Windows Defender inside a sandbox

Last week Microsoft released the news that they have added a new feature to Windows Defender Antivirus. The new feature allows Windows Defender Antivirus to run within a sandbox.

Other antivirus providers have offered the possibility to open files in a sandbox environment before, but what Windows Defender now offers is that all virus scans are done inside a sandbox. The biggest benefit of running the virus scans in a sandbox shows when the antivirus engine is scanning a malicious file: malicious code that would normally be executed to exploit a vulnerability in the engine now only affects the sandbox and not the actual computer resources.

This new feature proves that Microsoft is really making an effort to increase the reputation of Defender. There is a debate whether this is the best way to go, but it is a good sign that Microsoft is making an effort to develop Defender Antivirus with features like this.

Microsoft describes the feature in the following way on their blog:

Running Windows Defender Antivirus in a sandbox ensures that in the unlikely event of a compromise, malicious actions are limited to the isolated environment, protecting the rest of the system from harm. This is part of Microsoft’s continued investment to stay ahead of attackers through security innovations. Windows Defender Antivirus and the rest of the Windows Defender ATP stack now integrate with other security components of Microsoft 365 to form Microsoft Threat Protection. It’s more important than ever to elevate security across the board, so this new enhancement in Windows Defender Antivirus couldn’t come at a better time.

It sure sounds interesting, so why don’t we try it out?

Requirements:

  • Windows 10, version 1703 and above.

How to activate the sandbox feature:

  • Open an elevated ‘Command Prompt’
  • Type: ‘setx /M MP_FORCE_USE_SANDBOX 1’ and then press enter
  • Then restart your computer and that should be it. Just make sure that you actually restart it since it won’t be activated if you just do a regular shutdown/start.

How to inactivate the sandbox feature:

  • Open the ‘Control Panel’
  • Navigate to ‘System’ and click on ‘Advanced System Settings’
  • Click on ‘Environment Variables’, navigate to ‘System Variables’ and remove the ‘MP_FORCE_USE_SANDBOX’ variable.
  • Restart the computer.
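Because the switch is a machine environment variable that is only read after a full restart, it is useful to have a way to confirm that the sandbox actually came up rather than trusting the setting. The snippet below is an added example, not part of the post: it sets and clears the variable from PowerShell (equivalent to the setx and Control Panel steps above) and checks afterwards. The content-process name MsMpEngCP.exe is taken from Microsoft's announcement of the feature and is an assumption here; if a future build renames it, the Effective flag will be false even when the sandbox runs.

```powershell
# Added example, not from the original post. Same effect as "setx /M MP_FORCE_USE_SANDBOX 1"
# and its removal, plus a post-reboot check. Run from an elevated PowerShell.

function Enable-DefenderSandbox {
    # Machine scope, like setx /M; takes effect only after a full restart
    [Environment]::SetEnvironmentVariable('MP_FORCE_USE_SANDBOX', '1', 'Machine')
}

function Disable-DefenderSandbox {
    # Passing $null deletes the variable, which is what the Control Panel steps do
    [Environment]::SetEnvironmentVariable('MP_FORCE_USE_SANDBOX', $null, 'Machine')
}

function Test-DefenderSandbox {
    # Compares what is configured with what is actually running, so a "shutdown/start" that
    # did not really restart (Fast Startup) is caught: configured = true, running = false
    $configured = [Environment]::GetEnvironmentVariable('MP_FORCE_USE_SANDBOX', 'Machine') -eq '1'
    $engine  = Get-Process -Name MsMpEng   -ErrorAction SilentlyContinue
    # Assumed name of the sandboxed content process (from Microsoft's announcement)
    $content = Get-Process -Name MsMpEngCP -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SandboxConfigured = $configured
        EngineRunning     = [bool]$engine
        SandboxRunning    = [bool]$content
        Effective         = $configured -and [bool]$content
    }
}

# Usage from an elevated PowerShell:
# Enable-DefenderSandbox; Restart-Computer
# ...after the reboot:
# Test-DefenderSandbox
```

Restart-Computer performs a real restart, which avoids the Fast Startup pitfall the post warns about; if Test-DefenderSandbox reports SandboxConfigured true but SandboxRunning false after a reboot, the machine most likely did a hybrid shutdown rather than a restart.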

The feature is not enabled by default yet so it might not be a good idea to use it in a production environment, but it might be a good time to give Windows Defender a new chance? Have you had time to try it out yet? What do you think about it?