Mem on Ru Campbell MVP

Microsoft Improves and Simplifies Defender for Endpoint Management Capabilities

Mon, 10 Jul 2023 20:47:03 +0000

In one of the biggest changes to Microsoft Defender for Endpoint (MDE) in its product history, you no longer need a separate management engine to configure endpoint settings.

In this blog, we’ll look at what that change is, why it was necessary, initial impressions, and what you might want to do next.

Historic management architecture needed simplifying

MDE (and it’s Windows client, Microsoft Defender Antivirus (MDAV)) always stood out from the crowd of endpoint protection platforms as being, well, a bit weird in terms of management architecture. With most platforms, you get a central admin console which pushes out endpoint settings. Think scan schedules, quarantine rules, exclusions, CPU throttling, etc. MDE/MDAV, on the other hand, instead relied on an external management tool such as Intune (MDM), Configuration Manager, or Group Policy.

Update BitLocker Unique Identifiers with Intune

Mon, 22 Mar 2021 18:01:18 +0000

BitLocker unique identifiers are values used to identify the ownership of an encrypted volume. The device that performs the encryption holds the unique identifier and as encryption begins, it also records this against the metadata of that encrypted volume.

The identifiers are typically used in tandem with the BitLocker removable data-drive setting write access to devices configured in another organisation which, if set to block, will prevent write operations on devices where the unique identifier of the removable drive doesn’t match a list of unique identifiers managed on the device. The idea here is you want to enforce BitLocker on removable drives to improve data loss (encrypted drives, if found, are unreadable without the means to decrypt them), but you only want them to be encrypted within your organisation: someone can’t encrypt their device elsewhere and then copy data to it. You may want to do this because it means you, as an administrator, would not be able to decrypt it if required.

Microsoft Defender Network Protection - Not Enabling via Intune - Troubleshooting & Fix

Sun, 07 Mar 2021 13:27:29 +0000

When configuring Defender for Endpoint (MDE) customer recently, I ran into a problem when trying to enable network protection. Network protection is a feature of MDE and Microsoft Defender Antivirus (MDAV) that takes the filtering capabilities of SmartScreen and applies them to all network traffic. It is a prerequisite for things such as MDE’s web content filtering and URL/domain indicators of compromise.

This blog details the specific problem I had enabling it with Intune (Microsoft Endpoint Manager), and general troubleshooting steps to follow that will help for that problem and hopefully others you may experience.

Use Intune to Manage Microsoft Defender for Endpoint Tags and Device Groups

Thu, 11 Feb 2021 21:24:59 +0000

In Microsoft Defender for Endpoint (MDE), tags can be attached to a device for reporting, filtering, and as a dynamic attribute for membership of a device group. Device groups (previously machine groups), are used to assign devices different rules and administrative ownership. A device can only belong to one group and controls settings such as auto-remediation level and which Role-Based Access Control (RBAC) roles have administrative permissions over it.

While you can assign tags, and therefore determine group membership, manually from the Security Center, this doesn’t exactly scale well.

Turn Existing Azure AD Devices into Windows Autopilot Devices

Sat, 06 Feb 2021 09:19:13 +0000

To provision Windows 10 PCs using Autopilot and Intune, they must first be registered as Windows Autopilot devices in the Device Directory Service, which is really the cloud Autopilot service. When a device is registered to the Autopilot service, its hardware hash is used to generate a Zero Touch Device ID(ZTDID) - a globally unique identifier for that device based on hardware information such as (but not only) MAC address, disk serial number, and system serial number.

Store BitLocker Recovery Keys in Azure AD for Devices Already Encrypted

Fri, 15 Jan 2021 18:18:36 +0000

As you move from on-premises or third-party infrastructure to Microsoft 365 and Azure AD, you will want to keep those BitLocker recovery keys safe. You can store those keys either in on-premises Active Directory or in the cloud with Azure AD.

The behavior of the BitLocker / Azure AD relationship is that the recovery keys will only be stored against the device object in Azure AD if the encryption happens when the device is already Azure AD or Hybrid Azure AD Joined. You can then retrieve the recovery keys from the Azure AD portal or Microsoft Endpoint Manager (which really just takes you back to Azure AD’s properties for the device).

Hybrid Azure AD Join + Intune Enrollment - Prerequisites Checklist and Process Flow

Mon, 25 May 2020 17:22:04 +0000

I’m a simple person, and sometimes it just helps to have a checklist to refer to when you’re troubleshooting rather than navigating the sparse pages of docs.microsoft.com. In this blog, I explain the prerequisites for the Hybrid Azure AD Join (HAADJ) + automatic (GPO controlled) Intune MDM enrollment scenario and the process from start to end, as simply and concisely as I can (not easy!) There are no screenshots and it’s not a click-by-click: this is a quick reference for when you’re pulling your hair out wondering what could be stopping you.

Connect a Work or School Account - MDM vs. MAM in Self Enrolment

Sat, 16 May 2020 06:13:47 +0000

A Windows 10 user can self-enrol in MDM or MAM from Settings > Accounts > Access work or school > Connect.

What happens next depends on how Mobility (MDM and MAM) is configured in Azure Active Directory and device ownership. For a personal device, if user scope for both MDM and MAM overlaps for the enrolling user, MAM will win. The opposite is true of corporate devices. [wptb id=277]

Using Intune to Deploy the Azure Information Protection (AIP) Unified Labeling Client (Win32 MSI)

Sat, 18 Jan 2020 22:47:50 +0000

Unified labels refer to a movement whereby Azure Information Protection (AIP) labels are now being replaced by sensitivity labels. Sensitivity labels offer encryption, watermarks, etc as AIP labels did before them, but are now managed in the new Microsoft 365 Security Centre, with several other benefits beyond the scope of this post.

With this change comes a new AIP client, called the unified labeling client, that replaces the old one, now called the classic client. The AIP unified labeling client will refer to the M365 Security Centre to download labels, but note that (and ‘unified’ gives this away) labels created on either the old Azure AIP dashboard or new M365 Security Centre will sync to each other after you have enabled unified labeling. Current guidelines from Microsoft are that, unless you have a use case that isn’t a feature of the unified labeling client, this is what you should be installing. This post holds your hand through a deployment of the client using Intune.

Deploy Microsoft Store Apps using Intune with Configuration Manager (SCCM) Co-Management (Fix 'Not Applicable' Status)

Fri, 10 Jan 2020 21:00:30 +0000

Intune provides an interface to easily deploy apps from the Microsoft Store to your registered users and devices, but even if you have SCCM (Config Manager) Co-Mangement enabled with the default workloads shifted to Intune in Co-Management properties, there is more to be done. If you don’t follow these steps, you will receive the status of Not applicable in the Intune client apps user and device install status pages.

Prerequisite: This only works with SCCM 1806+.