Windows-10 on Ru Campbell MVP

Updated March 2022: Ultimate Comparison of Defender for Endpoint Features by Operating System

Tue, 29 Mar 2022 07:27:18 +0000

It’s been about 5 months since I last updated my comparison of Defender for Endpoint features by OS. This is a “matrix” of the tons of features, services, and important components that make up Microsoft Defender for Endpoint.

Three months later, it’s overdue an update. So here it is :) I’ve also decided to rename it to The Ultimate Comparison of MDE Features by OS… because renaming’s what we do, right?

Updated October 2021: Availability of Defender for Endpoint Features by Operating System

Tue, 19 Oct 2021 20:36:54 +0000

In July, I released v1 of The Big Comparison of Defender for Endpoint Features by Operating System (or, what I think is much catchier, TBCMDEFOS). This was a “matrix” of the tons of features, services, and important components that make up Microsoft Defender for Endpoint.

Three months later, it’s overdue an update. So here it is :)

The headline news is that, in preview anyway, there’s a bunch of additions to Windows Server 2012 R2 and 2016 thanks to a new agent-based deployment (“unified solution”) that replaces the need for the Microsoft Monitoring Agent and System Centre Endpoint Protection. You now get almost feature parity with Windows Server 2019’s security features: ASR rules, next-generation protection, block at first sight, etc. For a guide on how to get up and running with it, check out my writeup on Petri.

The Big Comparison of Defender for Endpoint Features by Operating System

Sun, 11 Jul 2021 09:59:10 +0000

Microsoft Defender for Endpoint (MDE) is a massive platform. It’s not a single product, and it’s more than just a service. It’s a platform of tons of security features, portals, services, and controls. The more you dig in, the more elements of general Microsoft security have been included in the MDE “branding”. It’s not only endpoint detection and response (EDR), but also Windows 10 security settings. It’s not just the security software on the device, it’s also ongoing threat and vulnerability management.

Troubleshooting Hybrid Azure AD Intune Automatic Enrollment

Mon, 19 Apr 2021 20:02:44 +0000

As I have blogged about a lot, there are a bunch of hoops to be jumped through and prerequisites to be met for a successful hybrid Azure AD join and automatic, GPO-invoked Intune enrollment. But sometimes, you have to go back to the basics when you’re banging your head off the table, and laugh off the embarrassment of not checking the fundamentals.

I was recently setting up hybrid Azure AD join and Intune enrollment, as I’ve done hundreds of times before, but this time I was hitting a strange problem. Hybrid Azure AD join went fine, but for the Intune MDM enrollment, I was getting nowhere. Devices showed in the Azure AD admin centre, but never showed an MDM, and therefore never showed in Endpoint Manager.

Update BitLocker Unique Identifiers with Intune

Mon, 22 Mar 2021 18:01:18 +0000

BitLocker unique identifiers are values used to identify the ownership of an encrypted volume. The device that performs the encryption holds the unique identifier and as encryption begins, it also records this against the metadata of that encrypted volume.

The identifiers are typically used in tandem with the BitLocker removable data-drive setting write access to devices configured in another organisation which, if set to block, will prevent write operations on devices where the unique identifier of the removable drive doesn’t match a list of unique identifiers managed on the device. The idea here is you want to enforce BitLocker on removable drives to improve data loss (encrypted drives, if found, are unreadable without the means to decrypt them), but you only want them to be encrypted within your organisation: someone can’t encrypt their device elsewhere and then copy data to it. You may want to do this because it means you, as an administrator, would not be able to decrypt it if required.

Microsoft Defender Network Protection - Not Enabling via Intune - Troubleshooting & Fix

Sun, 07 Mar 2021 13:27:29 +0000

When configuring Defender for Endpoint (MDE) customer recently, I ran into a problem when trying to enable network protection. Network protection is a feature of MDE and Microsoft Defender Antivirus (MDAV) that takes the filtering capabilities of SmartScreen and applies them to all network traffic. It is a prerequisite for things such as MDE’s web content filtering and URL/domain indicators of compromise.

This blog details the specific problem I had enabling it with Intune (Microsoft Endpoint Manager), and general troubleshooting steps to follow that will help for that problem and hopefully others you may experience.

Microsoft Defender for Endpoint - Offline Onboarding for Windows 10 via a Proxy

Thu, 18 Feb 2021 07:30:40 +0000

Getting your devices into Defender for Endpoint is referred to as onboarding and can be done in lots of different ways, depending on the scenario. The tools you use for Windows Server 2008 R2, for example, are different from the tools you use for Windows Server 2019, which are different from the tools you use for Windows 10, and so on.

The common denominator behind most onboarding methods is internet connectivity. Your device connects directly to the cloud service and provides all that telemetry goodness via a direct line of sight.

Turn Existing Azure AD Devices into Windows Autopilot Devices

Sat, 06 Feb 2021 09:19:13 +0000

To provision Windows 10 PCs using Autopilot and Intune, they must first be registered as Windows Autopilot devices in the Device Directory Service, which is really the cloud Autopilot service. When a device is registered to the Autopilot service, its hardware hash is used to generate a Zero Touch Device ID(ZTDID) - a globally unique identifier for that device based on hardware information such as (but not only) MAC address, disk serial number, and system serial number.

Protecting Sensitive Information in Windows 10 with Microsoft Endpoint Data Loss Prevention (DLP)

Sun, 23 Aug 2020 17:30:21 +0000

After being released to Public Preview last month (July 2020), I have finally had a chance to test out Microsoft Endpoint DLP. The management of endpoint DLP - that is, preventing sensitive information from leaving the host computer - comes up frequently in my discussions with companies I help with security and compliance. Often, they have third-party tools doing it and are looking to centralise under Microsoft’s stack.

In this blog, I’ll give an overview of: