The Big Comparison of Defender for Endpoint Features by Operating System
Posted inMicrosoft 365 Microsoft Defender for Endpoint Microsoft Defender XDR Windows

The Big Comparison of Defender for Endpoint Features by Operating System

Microsoft Defender for Endpoint (MDE) is a massive platform.  It's not a single product, and it's more than just a service.  It's a platform of tons of security features, portals, services, and controls.  The more you dig in, the more elements of general Microsoft security have been included in the MDE "branding".  It's not only endpoint detection and response (EDR), but also Windows 10 security settings.  It's not just the security software on the…
Three Cool Things To Do With Azure Information Protection
Posted inMicrosoft 365 Sensitivity labels (Azure Information Protection)

Three Cool Things To Do With Azure Information Protection

In my last blog, I wrote about three considerations for your Azure Information Protection deployments and commented on often overlooked potential downsides, or at least areas with which to be cautious. In hindsight, it all feels a bit negative.  I am, for the record, an advocate of Microsoft 365 customers using AIP (sensitivity labels) in basically any circumstance it's appropriate to do so.  So in this blog, I'll counter the earlier post with three…
Conditional Access: Skip MFA for Company Devices on the Company Network
Posted inConditional Access Entra ID (Azure Active Directory) Microsoft 365

Conditional Access: Skip MFA for Company Devices on the Company Network

A common Conditional Access policy is to add trusted locations as an exception to multi-factor authorisation requirements.  The logic goes, if you accessing resources such as Office 365 from a location such as the corporate office, that's an element of verification in itself that your login should be trusted, so we should improve your user experience by removing MFA.  Personally, I support the use of MFA regardless of where you are authenticating (at the…
Microsoft Defender Antivirus – Schedule & Install Updates via Network Shares
Posted inMicrosoft 365 Microsoft Defender Microsoft Defender for Endpoint Microsoft Defender XDR PowerShell

Microsoft Defender Antivirus – Schedule & Install Updates via Network Shares

Although not common, there are scenarios out where you will have LAN-only devices onboarded in Microsoft Defender for Endpoint (MDE), or at least using Microsoft Defender Antivirus (MDAV).  With no line of sight to the internet, you can use options such as WSUS, but in this blog, I'll explore using a network share, as WSUS isn't always an option. Set up the network share for updates 1. Create a directory on your file server…
Microsoft Defender Network Protection – Not Enabling via Intune – Troubleshooting & Fix
Posted inIntune Microsoft 365 Microsoft Defender for Endpoint Microsoft Intune SmartScreen/Network Protection

Microsoft Defender Network Protection – Not Enabling via Intune – Troubleshooting & Fix

When configuring Defender for Endpoint (MDE) customer recently, I ran into a problem when trying to enable network protection.  Network protection is a feature of MDE and Microsoft Defender Antivirus (MDAV) that takes the filtering capabilities of SmartScreen and applies them to all network traffic.  It is a prerequisite for things such as MDE's web content filtering and URL/domain indicators of compromise. This blog details the specific problem I had enabling it with Intune…
Microsoft Defender for Endpoint – Offline Onboarding for Windows 10 via a Proxy
Posted inGroup Policy Microsoft 365 Microsoft Defender Microsoft Defender for Endpoint Windows Windows Server

Microsoft Defender for Endpoint – Offline Onboarding for Windows 10 via a Proxy

Getting your devices into Defender for Endpoint is referred to as onboarding and can be done in lots of different ways, depending on the scenario.  The tools you use for Windows Server 2008 R2, for example, are different from the tools you use for Windows Server 2019, which are different from the tools you use for Windows 10, and so on. The common denominator behind most onboarding methods is internet connectivity.  Your device connects…
Use Intune to Manage Microsoft Defender for Endpoint Tags and Device Groups
Posted inIntune Microsoft 365 Microsoft Defender for Endpoint

Use Intune to Manage Microsoft Defender for Endpoint Tags and Device Groups

In Microsoft Defender for Endpoint (MDE), tags can be attached to a device for reporting, filtering, and as a dynamic attribute for membership of a device group.  Device groups (previously machine groups), are used to assign devices different rules and administrative ownership.  A device can only belong to one group and controls settings such as auto-remediation level and which Role-Based Access Control (RBAC) roles have administrative permissions over it. While you can assign tags,…
Turn Existing Azure AD Devices into Windows Autopilot Devices
Posted inAutopilot Entra ID (Azure Active Directory) Intune Microsoft 365 Microsoft Intune Windows

Turn Existing Azure AD Devices into Windows Autopilot Devices

To provision Windows 10 PCs using Autopilot and Intune, they must first be registered as Windows Autopilot devices in the Device Directory Service, which is really the cloud Autopilot service.  When a device is registered to the Autopilot service, its hardware hash is used to generate a Zero Touch Device ID (ZTDID) - a globally unique identifier for that device based on hardware information such as (but not only) MAC address, disk serial number,…
Understanding Modern vs. Legacy Authentication in Microsoft 365
Posted inEntra ID (Azure Active Directory) Microsoft 365

Understanding Modern vs. Legacy Authentication in Microsoft 365

Since October 2019, Microsoft has enabled Security Defaults by default in new Microsoft 365 tenants.  Security Defaults are a group of best-practice security settings, and one of note is the disablement of all legacy authentication, which itself has been off in Exchange Online and SharePoint Online, by default, since August 2017. The term legacy authentication doesn't refer to one particular protocol, but rather any that do not support Multi-Factor Authentication (MFA).  Protocols that support…
Store BitLocker Recovery Keys in Azure AD for Devices Already Encrypted
Posted inBitLocker Entra ID (Azure Active Directory) Intune Microsoft 365 Microsoft Intune PowerShell Windows

Store BitLocker Recovery Keys in Azure AD for Devices Already Encrypted

As you move from on-premises or third-party infrastructure to Microsoft 365 and Azure AD, you will want to keep those BitLocker recovery keys safe.  You can store those keys either in on-premises Active Directory or in the cloud with Azure AD. The behavior of the BitLocker / Azure AD relationship is that the recovery keys will only be stored against the device object in Azure AD if the encryption happens when the device is…