Tech news for the week of April 8th, 2024

Topics in this week’s Tech Newsletter

What’s New Updates

Training

Copilot and AI

Microsoft 365

Windows 365 and Azure Virtual Desktop

Microsoft Defender and Sentinel

Azure

Server

Identity Protection and Management

Information Protection and Management

Intune

Device Management

Scripting and Automation

Security Tools and Guides

Microsoft News

Security News

Industry Specific News

What’s New Updates

What's New for SharePoint Server - March 2024 (1st party)

Today we're delighted to share the latest steps in our evergreen journey for SharePoint Server with the release of the Version 24H1 feature update for SharePoint Server Subscription Edition. This feature update brings greater customization capabilities to our modern UX, simplifies Open ID Connect configuration, and opens up a new channel for on-premises customers to share their feedback directly with the SharePoint Server product team.

In development for Microsoft Intune (1st party)

To help in your readiness and planning, this article lists Intune UI updates and features that are in development but not yet released. If we anticipate that you'll need to take action before a change, we'll publish a complementary post in the Office message center. When a feature enters production, whether it's in preview or generally available, the feature description will move from this article to What's new. Some of the large new features in development for Intune include “Auto update available with Win32 app supersedence”, “Company Portal automatically installed on Android Enterprise dedicated devices”, and “Account-driven Apple User Enrollment to be generally available for iOS/iPadOS 15+ devices”.

Power BI March 2024 Feature Summary (1st party)

Welcome to the March 2024 update! Here are a few select highlights of the many updates we have for Power BI. New this month: visual calculations, editing your data model in the Power BI service, and delivering report subscriptions to OneDrive and SharePoint.

What's new in Windows 365 Enterprise (1st party)

The end of March saw a large number of new security, management, and end-user experience features reach Windows 365.

What's new in Microsoft Defender for Office 365 (1st party)

New in April are clearer submission results. Admins and security operators now see improved results within submissions across email, Microsoft Teams messages, email attachments, URLs, and user-reported messages. These updates aim to remove the ambiguity of the current submission results; the results are refined for clarity, consistency, and conciseness, making them more actionable for you.

Training

How Power Platform Global AI #HackTogether inspired AI-powered solutions for real-world use cases (1st party) [FREE]

Seeking inspiration for the year in building AI-powered solutions? We’ve summarized a collection of solutions by use case from last September’s Power Platform Global AI #HackTogether. Over the course of two weeks, there were several live sessions (now available on-demand) for participants to learn about the Copilot and AI features of Power Platform. Participants followed a Learn Collection to get started, and over 100 project submissions were received, with winners chosen across the different categories. The winning AI-powered solutions are highlighted here, with demos of how they were built and how they work.

Mini Course - Intune Automation Using Microsoft Graph (3rd party) [FREE]

In this FREE 90-minute LIVE Online Training, you will learn how to use Microsoft Graph API with PowerShell effectively. Microsoft MVP Johan Arwidmark and fellow expert Andrew Johnson will teach you how to connect to Intune using Graph API with PowerShell. You will create Intune configuration profiles and applications. In the session, you will also learn to configure device management and use reporting and auditing via Microsoft Graph, along with many other tips and tricks.

Copilot and AI

Leverage the ChatGPT feature in your process automation: Automate Candidate screening using AI (1st party)

Microsoft has unveiled its latest innovation within the AI Builder ecosystem: the ChatGPT model. This cutting-edge addition opens up a world of possibilities for businesses seeking to enhance customer interactions, streamline internal communication, and revolutionize their service offerings. Many businesses are adopting ChatGPT to fulfill their business requirements. Just imagine the convenience of automating ChatGPT tasks so you don't have to manually open it to compose emails. With Power Automate, all this can be automated. Whether it's responding to customer emails, selecting candidates, or identifying errors in your work, you can automate everything and utilize ChatGPT to enhance the quality of your work processes. With the ChatGPT model, organizations now have the ability to create custom responses tailored to their unique business needs, leveraging the power of conversational AI to deliver personalized and engaging experiences like never before.

Get the most out of Microsoft Copilot for Security with good prompt engineering (1st party)

The process of writing, refining, and optimizing inputs—or “prompts”—to encourage generative AI systems to create specific, high-quality outputs is called prompt engineering. It helps generative AI models organize better responses to a wide range of queries—from the simple to the highly technical. The basic rule is that good prompts equal good results. Prompt engineering is a way to “program” generative AI models in natural language, without requiring coding experience or deep knowledge of datasets, statistics, and modeling techniques. Prompt engineers play a pivotal role in crafting queries that help generative AI models learn not just the language, but also the nuance and intent behind the query. A high-quality, thorough, and knowledgeable prompt in turn influences the quality of AI-generated content, whether it’s images, code, data summaries, or text. Prompt engineering is important because it allows AI models to produce more accurate and relevant outputs. By creating precise and comprehensive prompts, an AI model is better able to synthesize the task it is performing and generate responses that are more useful to humans.

Copilot for Security: Customize your Copilot (1st party) [VIDEO]

Explore some of the latest ways to customize Microsoft Copilot for Security for your team. Now generally available, Copilot is the generative AI-powered assistant for daily security operations, and it is more effective when integrated with your workflows. We'll start with a deep dive and walk you through creating custom promptbooks, adding your organization's knowledge bases, and using logic apps to write back updates to your tools.

Azure OpenAI On Your Data (1st party)

Use this article to learn about Azure OpenAI On Your Data, which makes it easier for developers to connect, ingest and ground their enterprise data to create personalized copilots (preview) rapidly. It enhances user comprehension, expedites task completion, improves operational efficiency, and aids decision-making. Azure OpenAI On Your Data enables you to run advanced AI models such as GPT-35-Turbo and GPT-4 on your own enterprise data without needing to train or fine-tune models. You can chat on top of and analyze your data with greater accuracy.

Microsoft 365

Enhance productivity using Teams' developer-oriented collaboration tools and Copilot (1st party)

As technology evolves, so does our way of working. We are committed to empowering developers, giving them the tools to work smarter with Copilot in Teams and collaborate easily and efficiently with peers. We’ve listened to developers’ feedback, and over the past months announced new features that help them achieve more. In this blog, we identify some common scenarios that are part of a developer’s daily routine and outline how Teams’ new features can enhance your workflow. Let’s dive in.

Windows 365 and Azure Virtual Desktop

MVP Summit special: Exploring Windows in the Cloud from Redmond (1st party) [VIDEO]

Dive into the world of cloud computing with ‘Windows in the Cloud’, a special episode live from the MVP Summit in Redmond. Join host Christiaan Brinkhoff as he interviews Microsoft MVPs about their experiences with Windows 365, exploring its impact on remote work and IT solutions. From the bustling campus of Microsoft, gain insights into the evolving workplace, the role of identity management, and the seamless integration of Windows 365 across various devices. Whether you’re an IT professional or a tech enthusiast, this episode offers a unique glimpse into the future of Windows in the cloud.

Microsoft Defender and Sentinel

Exposure Management: The Evolution of Vulnerability Management (1st party)

For many defenders, security is a game of Whac-a-Mole; as soon as one issue is fixed, three more are identified. Despite common attacks exploiting known vulnerabilities and often following well defined tactics, techniques, and procedures (TTPs), we still find it challenging to identify and prevent them within our organizations. Misconfigurations and vulnerabilities, even those that are well-known and have patches and fixes available, continue to be a common cause of successful breaches. Today, all these risks fall under the Vulnerability Management charter, and each introduces a new tool or set of tools designed to identify and remediate the risk. While it’s helpful to have specialized tools for each unique use case, the tools continue to operate in silos. The data itself is not integrated and the tools operate within separate portals. As a result, they continue to provide a fragmented view of our environment. This lack of integration means that despite having additional coverage, we do not have contextual security, making it hard to prioritize the most critical threats and our corresponding remediation efforts.

Transform your defense: Microsoft Security Exposure Management (1st party) [VIDEO]

Learn how Exposure Management consolidates risk-based views of the attack surface and provides advanced attack path modeling. Learn how to use these capabilities to reduce your organization’s attack surface and limit an adversary’s opportunity for attack. With an expanding attack surface and adversaries constantly evolving it is critical that defenders have a comprehensive view that supports them to effectively reduce risk across the digital estate.

Microsoft Sentinel delivered 234% ROI, according to new Forrester study (1st party)

To evaluate the benefits of Microsoft Sentinel, Microsoft commissioned Forrester Consulting to conduct a Total Economic Impact (TEI) study. Using the methodology of the TEI framework, Forrester consultants evaluated the cost, benefits, and flexibility of Microsoft Sentinel and developed a framework that organizations can use to evaluate the potential financial impact on their organizations. In this study, Forrester found that interviewees achieved some notable advantages from their investment in Microsoft Sentinel, including increasing the productivity of their security teams, simplifying operations, decreasing their total cost of ownership, and realizing a return on investment (ROI) of 234%. Here are some other major findings for a composite organization based on what interviewed organizations reported.

Secure AI applications using Microsoft Defender for Cloud Apps (1st party) [VIDEO]

In this video, David Malle, a PM for Defender for Cloud Apps, walks through securing AI applications with Microsoft Defender for Cloud Apps. It addresses top security concerns such as insufficient visibility and control, ethical challenges, data privacy, and content ownership, and outlines a three-phase approach (discover, protect, govern) to manage AI applications: identifying the AI applications in use, implementing protection measures such as blocking or allowing specific apps, and establishing governance for sanctioned applications like Copilot. The session also demonstrates how Defender for Cloud Apps can detect and categorize generative AI applications, protect against threats, and help keep data confidential across SaaS platforms.

Frost & Sullivan names Microsoft a Leader in the Frost Radar: Managed Detection and Response, 2024 (1st party)

We are excited to share that Microsoft has been named a Leader by Frost & Sullivan in the Frost Radar: Managed Detection and Response, 2024, leading in innovation and among the top two in growth. Frost & Sullivan highlighted Microsoft Defender Experts for XDR as a key component of Microsoft’s managed detection and response (MDR) offering, which delivers a managed extended detection and response service that triages, investigates, and responds to incidents to help organizations stop cyberattackers and prevent future compromise. Designated as one of the companies to be considered first for investment, partnerships, or benchmarking by Frost & Sullivan, Microsoft is a recent entrant in the MDR space, but with its focus on AI and machine learning, “especially the development of Microsoft Copilot for Security, coupled with its top-tier threat detection and response capabilities, allows it to maintain an innovation edge over other world-class competitors.”

Microsoft Defender for Cloud integration with Defender XDR and Copilot for Security (1st party) [VIDEO]

Dive into the future of cybersecurity with Microsoft Defender for Cloud’s latest YouTube feature, showcasing a new approach to thwarting sophisticated cyber threats. See how Microsoft Defender XDR, together with Copilot for Security, provides visibility and alert correlation across domains, empowering SOC teams to swiftly identify and neutralize attacks. This video walks through a real-world ransomware incident, detailing the attacker’s infiltration via phishing and subsequent malicious operations across Azure resources. Learn how Defender XDR and Copilot integrate to enhance your security posture, offering guided responses and actionable insights for effective incident management.

Security Exposure Management (3rd party)

Transform your security posture to stop attacks before they happen using Microsoft’s Security Exposure Management in Microsoft Defender. Identify and mitigate potential threats with a comprehensive view of your organization’s attack surface, critical assets, and security events. Prioritize security efforts effectively with curated initiatives, automated alerts, and actionable insights, so you can close down vulnerabilities before they’re exploited. Brjann Brekkan, Microsoft’s Exposure Management Director, shows how to gain control over your security landscape and stay ahead of emerging threats.

Identity Protection and Management

Convert external users to internal users (Preview) (1st party)

Enterprises going through reorganizations, mergers, and acquisitions may be forced to change the way they work with some or all of their existing users. In some cases, administrators need to change existing external users into internal ones. External user conversion handles the conversion of external users into internal members without the need to delete existing user objects and create new ones. The preservation of the user objects allows users to keep their original account and their access isn’t disrupted. A converted user's account maintains its history of activities intact as their relationship with the host organization changes. External user conversion can be performed using Microsoft Graph API or the Microsoft Entra ID Portal.

Insider Risk in Conditional Access | Microsoft Entra + Microsoft Purview Adaptive Protection (1st party) [VIDEO]

Protect your organization from insider threats with Microsoft Entra's Conditional Access and Adaptive Protection in Microsoft Purview. Automatically block access to critical assets when insider risk levels elevate, ensuring data security and compliance seamlessly. Set up custom policies based on risk levels and enforce strong authentication measures, safeguarding against data breaches. Gain control and visibility over insider activities without manual intervention, empowering proactive security measures. Erin Miyake, Microsoft Purview’s Principal Product Manager shares how to enhance your data protection strategy.

Getting started with Logic Apps: Part 5 - Secure MS Graph queries with a user-assigned managed identity (3rd party)

In this post we will see how to secure your Graph API calls by using a user-assigned managed identity. Welcome to part 5 of my blog series about Logic Apps. In the previous post we saw how to configure a system-assigned managed identity on a Logic App. Now let's do the same with a user-assigned managed identity. To automate things with Intune, Azure or on-prem AD you need to authenticate. As we don't want to store passwords in plain text in a script or solution, we need another way to authenticate. This is where a managed identity is essential.
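A managed identity removes the secret, but it starts with no Graph permissions at all: its service principal has to be assigned Microsoft Graph application roles, and those roles are what the token the Logic App receives will carry. The following is an added example (not code from the linked series) showing that grant done with least privilege and then audited. It assumes the Microsoft.Graph PowerShell SDK, a caller allowed to grant app roles, a user-assigned identity named mi-logicapp-intune (a hypothetical name), and a single read-only Intune role chosen for a device-query scenario (also an assumption).

```powershell
# Added example: assign a user-assigned managed identity only the Graph application
# roles it needs, refuse delegated scopes (an MI cannot use them), and list what it holds.
# Assumptions: Microsoft.Graph SDK installed; caller can grant app roles;
# the identity is named 'mi-logicapp-intune' (hypothetical).

Import-Module Microsoft.Graph.Applications

Connect-MgGraph -Scopes 'Application.Read.All', 'AppRoleAssignment.ReadWrite.All'

$miDisplayName = 'mi-logicapp-intune'                       # hypothetical MI name
$graphAppId    = '00000003-0000-0000-c000-000000000000'     # well-known Microsoft Graph appId

# Grant the narrowest role that covers the workflow. Read-only is enough to query
# devices; do not reach for *.ReadWrite.All unless the Logic App actually writes.
$neededRoles = @('DeviceManagementManagedDevices.Read.All')  # assumption for this scenario

$miSp = Get-MgServicePrincipal -Filter "displayName eq '$miDisplayName'"
if (@($miSp).Count -ne 1) {
    throw "Expected exactly one service principal named '$miDisplayName', found $(@($miSp).Count)"
}
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"
if (-not $graphSp) { throw 'Microsoft Graph service principal not found in this tenant' }

$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $miSp.Id

foreach ($roleName in $neededRoles) {
    # appRoles are application permissions; delegated scopes live under
    # oauth2PermissionScopes and are never usable by a managed identity.
    $role = $graphSp.AppRoles |
        Where-Object { $_.Value -eq $roleName -and $_.AllowedMemberTypes -contains 'Application' }
    if (-not $role) { throw "App role '$roleName' not found on Microsoft Graph" }

    $already = $existing | Where-Object { $_.AppRoleId -eq $role.Id -and $_.ResourceId -eq $graphSp.Id }
    if ($already) { Write-Host "Already assigned: $roleName"; continue }

    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $miSp.Id `
        -PrincipalId $miSp.Id -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
    Write-Host "Assigned: $roleName"
}

# Audit: every Graph app role the identity holds now. Anything beyond $neededRoles
# is scope creep and should be removed with Remove-MgServicePrincipalAppRoleAssignment.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $miSp.Id |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object {
        $roleId = $_.AppRoleId
        ($graphSp.AppRoles | Where-Object { $_.Id -eq $roleId }).Value
    }
```

In the Logic App HTTP action, set Authentication type to Managed identity, select the user-assigned identity, and set the Audience to https://graph.microsoft.com. The token the platform fetches carries exactly the roles assigned above, so when Graph answers 403 the audit listing at the end is the first thing to check, not the connection.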

How to simulate risk in Microsoft Entra ID Protection (3rd party)

Entra ID Protection is an excellent feature among the services in the Entra ID P2 license SKU. Microsoft Entra ID Protection detects identity-based risks so that admins can mitigate them; users can also self-remediate. To evaluate and assess this feature, you can simulate a set of risky events, as described here. Using the Tor Browser and its developer tools, you can quickly raise your sign-in risk to trigger the policies in Entra ID Protection. To test your user risk policies, you can also use the Graph API to confirm your test users as compromised.
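The Graph route for the user-risk side is the riskyUsers confirmCompromised action. Below is an added example (not code from the linked post) that confirms a throwaway test account as compromised and then verifies the risk state your user-risk policy keys on, rather than assuming the first read reflects it. It assumes Entra ID P2, the Microsoft.Graph PowerShell SDK, and riskytest@contoso.com as a hypothetical test account.

```powershell
# Added example: raise user risk on a TEST account via Graph, then verify the risk
# record before testing the policy. Assumptions: Entra ID P2, Microsoft.Graph SDK,
# 'riskytest@contoso.com' is a hypothetical throwaway account. Never run this
# against a real user: confirmCompromised sets risk to high, and a typical policy
# will block the account or force a password reset.

Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes 'User.Read.All', 'IdentityRiskyUser.ReadWrite.All'

$testUpn = 'riskytest@contoso.com'   # hypothetical
$user = Get-MgUser -UserId $testUpn -Property Id, UserPrincipalName

# Equivalent to POST /identityProtection/riskyUsers/confirmCompromised.
Confirm-MgRiskyUserCompromised -UserIds @($user.Id)

# The riskyUser record is updated asynchronously, so poll instead of trusting
# the first read. The riskyUser id is the user's object id.
$risky = $null
for ($attempt = 1; $attempt -le 6; $attempt++) {
    Start-Sleep -Seconds 10
    $risky = Get-MgRiskyUser -RiskyUserId $user.Id -ErrorAction SilentlyContinue
    if ($risky -and $risky.RiskState -eq 'confirmedCompromised') { break }
}

if ($risky -and $risky.RiskState -eq 'confirmedCompromised') {
    '{0}: riskLevel={1} riskState={2} riskDetail={3} updated={4}' -f `
        $risky.UserPrincipalName, $risky.RiskLevel, $risky.RiskState,
        $risky.RiskDetail, $risky.RiskLastUpdatedDateTime
} else {
    Write-Warning "Risk state for $testUpn is not yet 'confirmedCompromised'; re-check in a few minutes."
}

# After observing the policy, dismiss the risk so the account is usable again:
# Invoke-MgDismissRiskyUser -UserIds @($user.Id)
```

Confirming compromise only moves user risk; sign-in risk is evaluated per authentication, so the Tor Browser sign-in described above is still the way to exercise sign-in risk policies.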

How to Convert External user to Internal user in Microsoft Entra ID (3rd party)

A guest is an external user in an organization that can share data from Microsoft Teams, Groups, and SharePoint. Sometimes you want to migrate the external user to a member of your organization and keep all their permissions and licenses. In this article, you will learn how to convert an external user to an internal user in the Microsoft Entra admin center and with PowerShell.

Information Protection and Management

Discover, protect, and govern AI usage with Microsoft Security (1st party)

Generative AI (GenAI) is being adopted at an unprecedented rate as organizations actively engage with or experiment with GenAI in various capacities. Excitement and anxiety coexist as businesses embrace this transformative technology, as the technological advancements enabling innovations and business opportunities also introduce additional security and governance risks. Recent research indicates that 93 percent of businesses are either implementing or developing an AI strategy. Meanwhile, leaders are feeling the generative AI-nxiety with GenAI adoption. Moreover, a recent survey highlights the primary concerns among leaders over adopting AI, including potential leakage of sensitive data, generation of harmful or biased outputs, and lack of understanding regarding upcoming regulations and strategies to address them. Consequently, 48 percent of security leaders surveyed anticipate continuing to prohibit AI use in the workplace. However, such restrictions hamper innovation and employee productivity and could result in missed opportunities to leverage the benefits of AI.

Upgrade your tenant restrictions to v2 (1st party)

In a previous blog in the Data Exfiltration series, we discussed different types of tenant restrictions policy. In this blog, we’ll discuss migrating from tenant restrictions v1 to authentication plane tenant restrictions v2. In future blogs, we’ll discuss migrating to Universal tenant restrictions v2. Tenant restrictions are a vital tool to help prevent data exfiltration from unauthorized access to external Microsoft Entra ID tenants and consumer Microsoft accounts. Tenant restrictions v1 lets you create an allow list of tenant IDs and Microsoft sign-in endpoints to ensure that users access external tenants that your organization authorizes. While tenant restrictions v1 served well for many years, tenant restrictions v2 offers more granularity and easier policy management with no additional licensing requirements. Tenant restrictions v2 has several benefits over tenant restrictions v1.

Securing the Digital Frontier: Global Regulatory Readiness with Microsoft (1st party) [AUDIO]

Beau Faull, Technology Specialist at Microsoft, and Asia Security Strategy Leader Dmitry Butko join guest host Manny Sahota on this week's episode of Uncovering Hidden Risks. Today's episode sets the stage for a detailed exploration of regulatory challenges, cybersecurity trends, and Microsoft's approach to ensuring regulatory readiness in the digital landscape. Beau discusses Australian and global regulations, emphasizing the need to meet requirements like GDPR and the Essential Eight, while Dmitry expresses excitement about the increasing focus on regulatory compliance. The discussion highlights the complexities of balancing technology solutions with regulatory compliance, the importance of responsible data management practices, and the evolving culture of cybersecurity within organizations.

Extend your data security to Microsoft Fabric (1st party)

A unified solution for comprehensive data protection with Microsoft Fabric and Microsoft Purview. Extend the security measures of Microsoft 365 to your schematized data, ensuring consistent protection across your entire data estate. From detecting insider risks to mitigating data loss and unauthorized sharing, leverage advanced visibility and control to safeguard sensitive information effectively. Daniel Hidalgo, Microsoft Purview Product Manager, shares how to simplify your security strategy and gain deeper insights into data risks.

Migrating from Windows Information Protection to Microsoft Purview (1st party)

In July 2022 we announced the sunset of Windows Information Protection (WIP). The last version of Windows to ship with WIP will be Win11 24H2. Windows Information Protection, previously known as Enterprise Data Protection (EDP), was originally released to help organizations protect enterprise apps and data against accidental data leaks without interfering with the employee experience on Windows. Over time, many of you have expressed a need for a data protection solution that works across heterogeneous platforms, and that allows you to extend the same sensitive data protection controls to endpoints that you have for the various SaaS apps and services you rely upon every day. To address these needs, Microsoft has built Microsoft Purview Data Loss Prevention (DLP), which is deeply integrated with Microsoft Purview Information Protection to help your organization discover, classify, and protect sensitive information as it is used or shared.

Intro to MS Purview Information Protection – Part 2 (3rd party)

As we know from the previous post, Azure Information Protection (AIP) is a comprehensive solution offered by Microsoft for classifying, labeling, and protecting sensitive information. As organizations increasingly rely on AIP to safeguard their data, it becomes imperative to ensure a positive user experience. This post explores the user experience within AIP and DLP, identifying key areas for improvement and strategies to enhance usability and satisfaction. AIP should integrate seamlessly with popular productivity tools such as the Microsoft Office suite, SharePoint, and Outlook. Integration allows users to apply classification and protection policies directly within familiar applications, minimizing disruption to their workflow. Ensuring compatibility and consistency across platforms enhances usability and encourages widespread adoption.

Building Modern Enterprise Solutions: Microsoft Dataverse and Microsoft Copilot (1st party) [VIDEO]

Unlock the full potential of your enterprise solutions with Microsoft Dataverse and Power Platform, where artificial intelligence meets data security. Dive into a suite of security features that let you innovate knowing your data is protected at every layer. From Privileged Identity Management to Data Loss Prevention policies, and from Microsoft Purview integration to Sentinel’s security analytics, this video guides you through the tools and strategies to secure your AI-integrated solutions. Whether you’re an admin, a maker, or part of a security team, learn how to manage risks, ensure compliance, and maintain control over your data. Click to explore how to safeguard your Power Platform environment and use AI with confidence.

Azure

Tutorial: Extend Windows file servers with Azure File Sync (1st party)

The article demonstrates the basic steps for extending the storage capacity of a Windows server by using Azure File Sync. Although this tutorial features Windows Server as an Azure virtual machine (VM), you would typically do this process for your on-premises servers. You can find instructions for deploying Azure File Sync in your own environment in the Deploy Azure File Sync article.

Tutorial: Create an environment from a blueprint sample (1st party)

Sample blueprints provide examples of what can be done using Azure Blueprints. Each is a sample with a specific intent or purpose, but doesn't create a complete environment by themselves. Each is intended as a starting place to explore using Azure Blueprints with various combinations of included artifacts, designs, and parameters. The following tutorial uses the Resource Groups with RBAC blueprint sample to showcase different aspects of the Azure Blueprints service.

Fundamentals of Deploying Large Language Model Inference (1st party)

Hosting a large language model (LLM) can be a complex and challenging task. One of the main challenges is the large model size, which requires significant computational resources and storage capacity. Another challenge is model sharding, which involves splitting the model across multiple servers to distribute the computational load. Model serving and inference workflows also need to be carefully designed and optimized to handle the high volume of requests and data. Technical expertise is also required to set up and maintain the infrastructure, including knowledge of distributed computing, data management, and machine learning. Additionally, the infrastructure setup itself can be complex and requires significant investment in hardware and software.

Server

We need to discuss the Microsoft Certification Authority Web Enrollment (CAWE) Role (1st party)

Hello everyone, this is Rob Greene. I recently had a case where a customer was having trouble with the CAWE pages, and I realized that we do not have much useful information on how outdated these web pages are. Customers have been using different default browsers, and while security has been evolving in the Windows environment, the CAWE pages have not adapted to those changes. Certification Authority Web Enrollment is a Windows Server role that can be installed on a Certification Authority (although this is not recommended) or on a member server hosting IIS, separate from the Certification Authority role. The CAWE role installs IIS and all the subcomponents needed to run the CA Web Enrollment pages. From these web pages users can request user certificates (if you use Internet Explorer), submit certificate signing requests (CSRs), typically against certificate templates configured for “Supply in the request” on the template's Subject tab, and download the CA’s certificate chain and latest CRL. You cannot request computer certificates.

Demo bytes: Failover clustering | Installing packages with WinGet (1st party) [VIDEO]

It's demo time! First, we'll look at the newest capabilities for failover clustering in Windows Server 2025. Find out how your organization can achieve high availability for manufacturing, retail, and AI scenarios. Then we'll switch gears to WinGet, the command-line utility that enables you to install applications and other packages in Windows Server 2025 from the command line.

Recent Windows updates break Microsoft Connected Cache delivery (3rd party)

Microsoft says Windows 10 updates released since the start of the year are breaking Microsoft Connected Cache (MCC) node discovery on enterprise networks. MCC servers are software-only caching solutions that can be deployed on Windows servers, bare-metal servers, or VMs to cache and deliver content downloaded from Microsoft's content delivery network (CDN). For instance, once a client downloads a Windows update, the rest of the users on the enterprise network are pointed to one of the MCC nodes for faster delivery over the local network.

Abusing the DHCP Administrators Group to Escalate Privileges in Windows Domains (3rd party)

Shay Ber’s 2017 research demonstrated how members of the “DNS Admins” group could abuse one of the group’s privileges to execute code on DNS servers, which would almost always result in a privilege escalation to domain admins. Microsoft DHCP provides a similar security group called “DHCP administrators.” While working on our recent research into Microsoft DHCP, the question of finding a similar primitive using this group came to mind: Can a DHCP administrator become a domain administrator? Well, as it turns out, sometimes it sure can.

The New Way to Import Windows Updates into WSUS (3rd party)

In light of some recent OOB updates, I felt like this article may be important for some organizations. Do you use WSUS to update your devices? Then this is for you. Microsoft has announced that the process of importing updates into WSUS has changed. Synchronizing updates in WSUS is not changing. This new way is only for the manual import (if needed) of optional preview updates or “D” round updates that are not published to WSUS and only published in the Windows Update Catalog. The new way requires the use of PowerShell. It’s crucial to update your devices regularly and safely to ensure your organization’s devices are always protected. Find out more about these update changes, what it means for you, and get the best way to do it!

Intune

Microsoft Intune Cloud PKI (3rd party)

Recently, Microsoft introduced the general availability of its new PKI-as-a-service solution called Microsoft Intune Cloud PKI. Cloud PKI allows administrators to issue and manage user and device authentication certificates for Intune-managed endpoints without deploying Active Directory Certificate Services (AD CS) on-premises. Cloud PKI frees administrators from the burdens of deploying and managing AD CS, including the complicated Network Device Enrollment Service (NDES) server configuration required for Simple Certificate Enrollment Protocol (SCEP) certificate deployment with Intune.

My Dinner with KB5034441: Gracefully Expanding Recovery Partitions with Intune (3rd party)

A little over a month ago, Microsoft released KB5034441, a Windows update that requires ~250MB free on the Recovery partition in order to install successfully. If you don't have the free space available, the update will fail to install with exit code 0x80070643. After using an Intune Proactive Remediation Detection Script Reporting JSON Output Reporter (still working on the name and blog post for that one) script I wrote that reports on the partition statistics in my environment, it looked like nearly 1700 devices wouldn't be able to successfully install the update. Not great. Since my environment is Entra ID-joined-only devices that are managed only by Intune (no co-management/SCCM here), I didn't have group policy or Task Sequences to fall back on. Anything that I'd need to do, I'd need to do with Intune.
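The first half of that problem is knowing which devices are affected before the update fails on them. The script below is an added example (not the author's own script) of an Intune remediation detection script for exactly that check: it asks reagentc which partition actually hosts WinRE, measures its free space against the ~250MB figure the post quotes, emits a one-line JSON record for the remediation report, and exits non-zero only when an expansion is needed. It assumes 64-bit PowerShell running as SYSTEM (the Intune default); the threshold is the figure from the post and should track Microsoft's current guidance.

```powershell
# Added example: Intune remediation DETECTION script for the KB5034441 recovery
# partition requirement. Assumptions: runs as SYSTEM in 64-bit PowerShell on a
# Windows 10/11 device; threshold (250MB) is the figure quoted in the post.

$requiredFreeBytes = 250MB

function Get-WinRePartition {
    # A disk can carry stale recovery partitions left by earlier upgrades; only the
    # one reagentc reports as the WinRE location matters for this update.
    $info = & "$env:SystemRoot\System32\reagentc.exe" /info 2>&1 | Out-String
    if ($info -match 'harddisk(\d+)\\partition(\d+)') {
        $disk = [int]$Matches[1]
        $part = [int]$Matches[2]
        return Get-Partition -DiskNumber $disk -PartitionNumber $part -ErrorAction SilentlyContinue
    }
    # Fallback when reagentc gives no location: first Recovery-type partition (GPT or MBR).
    return Get-Partition | Where-Object { $_.Type -eq 'Recovery' } | Select-Object -First 1
}

$partition = Get-WinRePartition
if (-not $partition) {
    # Nothing to expand. Report it and stay compliant so remediation is not triggered;
    # an admin should review these devices separately.
    Write-Output (@{ status = 'NoRecoveryPartition'; freeMB = $null } | ConvertTo-Json -Compress)
    exit 0
}

# Recovery volumes usually have no drive letter, so go via the partition object.
$volume    = $partition | Get-Volume -ErrorAction SilentlyContinue
$freeBytes = if ($volume) { [int64]$volume.SizeRemaining } else { -1 }

$report = [ordered]@{
    status     = if ($freeBytes -ge $requiredFreeBytes) { 'Sufficient' } else { 'NeedsExpansion' }
    disk       = $partition.DiskNumber
    partition  = $partition.PartitionNumber
    sizeMB     = [math]::Round($partition.Size / 1MB, 1)
    freeMB     = if ($freeBytes -ge 0) { [math]::Round($freeBytes / 1MB, 1) } else { $null }
    requiredMB = [math]::Round($requiredFreeBytes / 1MB, 1)
}

# Intune stores the first line of stdout as the pre-remediation detection output,
# so keep the whole record on one line.
Write-Output ($report | ConvertTo-Json -Compress)

# Exit 1 = non-compliant: Intune runs the paired remediation script on this device.
if ($report.status -eq 'NeedsExpansion') { exit 1 } else { exit 0 }
```

Run it first as detection-only (no remediation script attached) to get the fleet-wide count the post describes; once the numbers look right, attach the remediation script that does the actual shrink-and-expand.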

Recommended Settings for Windows LAPS with Intune (3rd party)

Windows LAPS is an essential solution for any organization that uses Microsoft Intune to manage its local admin account password on their end-user devices. Over the last few months, I have written various posts on configuring Intune LAPS, automating the process with PowerShell, and detailing new features such as automatic account creation with LAPS. This article will show you the recommended settings for effectively and securely deploying Windows LAPS from Intune.

Automatically be notified by mail or Teams when local admin accounts have been created on Intune devices (3rd party)

In this post I will show you a way to be notified by Teams or mail as soon as local admin account(s) have been added on Intune devices. In order to accomplish this, you will need to create and run a remediation script and have access to send data to Log Analytics. If you are protecting your environment by not giving local users admin privileges, this is a great tool to detect and remediate devices that fall out of compliance.
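The detection half of that design is the part worth getting right, because a noisy detection produces alerts nobody reads. The script below is an added example, not the post's script: it enumerates the local Administrators group by its well-known SID (so it works on localized Windows), subtracts the principals you expect to be there, and emits the rest as a single JSON line for the report or the Log Analytics upload. The expected-SID patterns are assumptions for an Entra-joined fleet with a LAPS-managed built-in Administrator; adjust them to your environment.

```powershell
# Added example: Intune detection script that reports unexpected members of local Administrators.
# Exit 1 = non-compliant (triggers remediation / alerting), exit 0 = only expected members present.

# Assumption: what belongs in Administrators on this fleet.
$ExpectedSidPatterns = @(
    'S-1-5-21-*-500',   # built-in Administrator (RID 500), managed by LAPS
    'S-1-12-1-*',       # Entra ID principals added by Intune (role SIDs for Global/Device Administrators)
    'S-1-5-21-*-512'    # Domain Admins on hybrid-joined devices; remove on pure Entra-joined fleets
)

function Get-UnexpectedLocalAdmins {
    param([string[]]$Expected)
    # S-1-5-32-544 is the Administrators group in every Windows language.
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
    foreach ($m in $members) {
        $sid = $m.SID.Value
        $isExpected = $false
        foreach ($pattern in $Expected) {
            if ($sid -like $pattern) { $isExpected = $true; break }
        }
        if (-not $isExpected) {
            [pscustomobject]@{
                Name   = $m.Name
                SID    = $sid
                Class  = $m.ObjectClass        # User or Group
                Source = $m.PrincipalSource    # Local, ActiveDirectory, AzureAD
            }
        }
    }
}

try {
    $extra = @(Get-UnexpectedLocalAdmins -Expected $ExpectedSidPatterns)
}
catch {
    # Get-LocalGroupMember fails outright when an orphaned SID sits in the group; surface that
    # rather than silently reporting "compliant".
    Write-Output "Could not enumerate Administrators: $($_.Exception.Message)"
    exit 1
}

if ($extra.Count -eq 0) {
    Write-Output 'No unexpected local administrators'
    exit 0
}
# One compact JSON line: the whole finding survives Intune's first-line-of-output reporting.
Write-Output ($extra | ConvertTo-Json -Compress)
exit 1
```

A remediation script can remove the reported members with `Remove-LocalGroupMember -SID 'S-1-5-32-544' -Member <SID>`, but pause before automating that: a group added by a help-desk tool or a local service account that genuinely needs the right will show up here first, so run detection-only for a few cycles and tune the expected list before turning on removal.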

Microsoft Intune Cloud PKI and Certificate Templates (3rd party)

Microsoft recently announced the general availability of its new PKI-as-a-Service platform called Microsoft Intune Cloud PKI. With Intune Cloud PKI, administrators create certification authorities (CAs) to issue and manage user and device authentication certificates for Intune-managed endpoints. Cloud PKI also provides hosted Authority Information Access (AIA) and Certificate Revocation List (CRL) Distribution Point (CDP) services, in addition to Simple Certificate Enrollment Protocol (SCEP) service, so administrators do not have to deploy on-premises infrastructure to take advantage of certificate-based authentication.

Using a BYOCA with Microsoft Cloud PKI (3rd party)

This week is a follow-up on last week's post about getting started with Microsoft Cloud PKI (Cloud PKI). This time it's all about using a bring your own certificate authority (BYOCA) with Cloud PKI. BYOCA is focused on providing organizations with the ability to rely on an existing private CA. That can, for example, be an existing on-premises PKI infrastructure based on Active Directory Certificate Services (ADCS). BYOCA enables the IT administrator to create an issuing CA in Cloud PKI that is anchored to that existing private CA. By doing that, the issuing CA becomes an extension of the already existing (on-premises) PKI infrastructure. That might take some of the previously mentioned benefits away, as this won't take away the need to maintain on-premises servers or hardware. It does, however, make sure that organizations can still rely on the existing (on-premises) PKI infrastructure for distributing certificates to non-Intune-managed devices and keep ownership of the (offline) root CA. Besides that, the rest of the concept is the same. Cloud PKI handles the certificate issuance, renewal, and revocation for Intune-managed devices. This post will focus on the steps for configuring an issuing CA based on a BYOCA. The certificate profiles will be briefly mentioned.

macOS + Intune with Platform SSO (3rd party)

Last time I was asked to implement Platform SSO for macOS devices working together with Microsoft Intune. It currently shows up on the Intune In Development page, but it is already working properly, and in this post I will show you how to implement that feature! The first requirement is to deploy the proper version of Company Portal. You can do that via the package or via the… script. For me, the script option works perfectly, and it is always the latest version with auto update enabled.

Autopilot & The Perceived Tenant Security Risk (3rd party)

Recently there have been concerns raised around Autopilot methods being used to sidestep security measures, and even leave organizations vulnerable to rogue onboarding of devices with no security sanity check measures in place, once a threat actor had access to stolen credentials. In this post we will look at how personal devices are typically blocked, where Autopilot comes into place for corporate device tagging, and ultimately ask the question... Is Autopilot a security risk?


Device Management

Advancing the new era of work with Copilot – New from Copilot, Windows, and Surface (1st party) [VIDEO]

If you’d love to watch 45 minutes of press release news about Copilot, Windows, and Surface devices, then this video is for you. The big takeaways here are regarding the next versions of Windows and the new enterprise-ready features being built into every Surface device.

Unleashing Efficiency: Exploring the Benefits of Microsoft Endpoint Manager Co-Management and cloud attach (3rd party)

This innovative solution addresses the complex challenges faced by enterprises, bringing together real-time script execution, application installation, CMPivot (which offers real-time data collection), Autopilot integration with task sequences, custom inventory, flexible targeting of your deployments, Configuration Baselines, software metering, customizable reporting, and the simple deployment of files without having to worry about securing the credentials needed for authentication. For managers that read this, I'll briefly add what not having these means throughout the rest of the post, but in short, it means your people will have to spend time coding workarounds and/or introduce cost to work around these limitations. This in turn means knowledge transfer becomes harder, as you can't just hire someone that knows the coded/introduced workarounds like you can with a popular off-the-shelf tool.

Enabling Microsoft “Cloud Enabled LAPS” (Local Admin Password Solution) (3rd party)

LAPS – Local Admin Password Solution, has for a long time been one of those great tools to have in the toolbox when it comes to securing your devices from lateral movement from a potential attacker. And Microsoft LAPS has been around for quite some time already. This tool was originally available for deployment to server/desktop devices connected to a traditional domain (on-prem) setup. It gave you a simple way to rotate the password for the built-in local administrator account on the device. This ensured that all devices had a unique password, and that this password was changed at set intervals. This is an important thing to do to limit the attack surface via your devices – far too many are using the same local admin password across a multitude/all devices in an organization; this is a big no-no. With LAPS, as an admin, you had a UI where you could look up the password for a device if you needed it. But times changed, and devices are moving to the cloud. With this change, the need for a similar solution to LAPS came creeping, as the original LAPS is not cloud enabled.
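The two LAPS items above (the recommended Intune settings, and the background on why per-device rotation matters) both end at the same practical question: is rotation actually happening on every device? The script below is an added example and is not from either post. It uses the Windows LAPS PowerShell module's `Get-LapsAADPassword` together with the Microsoft Graph PowerShell SDK to audit Entra-joined devices without ever retrieving a password (no `-IncludePasswords`), flagging devices that have no backed-up password at all and devices whose password expiry has passed without a rotation. The device-name prefix is this example's assumption.

```powershell
# Added example: audit Windows LAPS rotation state for Entra-joined devices, metadata only.
# Assumes the LAPS module (Windows 11 / Server 2022 with the April 2023 update or later)
# and the Microsoft.Graph PowerShell SDK; the Graph app needs DeviceLocalCredential.Read.All.
param([string]$DeviceNamePrefix = 'LAPTOP-')   # assumption: naming convention of the fleet

Import-Module LAPS -ErrorAction Stop
Connect-MgGraph -Scopes 'Device.Read.All','DeviceLocalCredential.Read.All' -NoWelcome

$devices = Get-MgDevice -All -Filter "startsWith(displayName,'$DeviceNamePrefix')" |
    Where-Object { $_.OperatingSystem -like 'Windows*' }

$now = Get-Date
$report = foreach ($d in $devices) {
    # Without -IncludePasswords only metadata comes back, so nothing secret reaches the console or transcript.
    $laps = Get-LapsAADPassword -DeviceIds $d.DeviceId -ErrorAction SilentlyContinue

    $status = if (-not $laps) { 'NoLapsPassword' }              # never backed up: out of policy scope or failing
              elseif ($laps.PasswordExpirationTime -lt $now) { 'RotationOverdue' }  # expired without a new rotation
              else { 'OK' }

    [pscustomobject]@{
        Device  = $d.DisplayName
        Expires = if ($laps) { $laps.PasswordExpirationTime } else { $null }
        Status  = $status
    }
}

$report | Sort-Object Status, Device | Format-Table -AutoSize
```

`RotationOverdue` usually means the device has not been online since its expiry (LAPS rotates at the next policy processing after expiry), so correlate it with the last sign-in timestamp before treating it as a policy failure. `NoLapsPassword` on a device that is in the policy's scope is the case to chase first: until the first backup succeeds, that device still has whatever local admin password it was built with.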

The new features coming in Windows 11 24H2, expected this fall (3rd party)

Windows 11 24H2 is set to arrive on existing devices this fall with several new features, mostly Copilot-related improvements. Additionally, it brings a big change to Microsoft Teams, letting you use a single app for both your work and personal accounts. However, that is not all that is coming, and we have listed all of the major changes coming in the next Windows 11 version below.


Scripting and Automation

Removing automatically Proactive Remediation scripts after execution on devices (3rd party)

In this post I will show you a quick way to remove a Proactive Remediation script after its execution on devices. This can be an important security step to take because there may be information in the script that you don’t want to remain on the device after the script has run.
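One way to do what the post describes is to have the remediation script delete its own file once it has finished. The snippet below is an added example, not the post's script; it assumes the Intune Management Extension keeps health scripts under `C:\Windows\IMECache\HealthScripts\` (the path IME uses at the time of writing, and an assumption that may change) and only deletes itself when it is running from there, so a manual test run from a working folder does not remove your copy.

```powershell
# Added example: a remediation script that removes its own file from the IME cache after it runs.
$ErrorActionPreference = 'Stop'
$exitCode = 1

try {
    # --- the remediation work goes here. Anything sensitive it needs should be fetched at
    #     runtime (Key Vault, Graph, a protected config), not embedded in this file. ---
    Write-Output 'Remediation applied'
    $exitCode = 0
}
catch {
    Write-Output "Remediation failed: $($_.Exception.Message)"
}
finally {
    # PowerShell has already read this file into memory, so deleting it here does not affect execution.
    # Guarded to the IME cache path (assumption, see lead-in) so a manual test run keeps your working copy.
    if ($PSCommandPath -and $PSCommandPath -like '*\IMECache\HealthScripts\*') {
        Remove-Item -LiteralPath $PSCommandPath -Force -ErrorAction SilentlyContinue
    }
}

exit $exitCode
```

Two caveats. IME re-downloads the script for the next scheduled run, so this removes the file between runs rather than permanently. And whatever the script writes to output ends up in the Intune report and in the IME log on the device, so self-deletion only helps if the script never prints or logs the values you are trying to keep off the box.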

PSAppDeployToolkit 101 Webinar (3rd party) [VIDEO]

This webinar recording provides a comprehensive introduction to the PowerShell App Deployment Toolkit (PSADT), its functionalities, and the benefits it offers for software deployment on Windows. The speakers, including co-founders Dan Cunningham and Sean Lillis, along with other team members, discuss the toolkit’s ability to enhance software installer capabilities, perform pre-installation tasks, and ensure smooth application updates. They highlight the new features in the latest release, such as managing Edge browser extensions and caching installation sources. The webinar also covers the toolkit’s integration with various deployment systems, its extensive community support, and the upcoming transition to version 4, which promises to bring significant improvements while maintaining ease of migration for existing scripts.

Lenovo Device Management Module (3rd party)

The Lenovo Device Management Module is a PowerShell Module containing numerous cmdlets which provide useful information or simplified actions that can be leveraged in day-to-day management of Lenovo commercial PCs (ThinkPad, ThinkCentre, ThinkStation). The Lenovo Device Management Module requires 64-bit PowerShell v5.1 or higher and runs on Windows 10 and Windows 11.

A New Take on The Classic Exchange Mailbox Statistics PowerShell Script (3rd party)

A recent question about an article covering reporting folder statistics for Exchange mailboxes asked how to find the folder with an item with the oldest received date for mailboxes over 50 GB. The PowerShell code written by the questioner is a good example of how complex a set of piped commands can become. Piped one-line commands can be a great way to get things done, but they are also difficult to read and hard to maintain, a point made by Michel de Rooij in his Practical PowerShell column. In any case, I tried to help with a version of the code that worked for me. At least, it works for Exchange Online. This experience got me thinking about the many scripts written to report Exchange mailbox statistics. This is one of the classic Exchange PowerShell scripts and most Exchange administrators probably have their own version. My last run at the topic used Graph mailbox usage data instead of Exchange cmdlets to gain some speed. Could the world do with yet another version? Well, maybe so.
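For the specific question that started that article, here is an added example (not Tony Redmond's script and not the questioner's one-liner) that answers it with the Exchange Online V3 cmdlets: for every user mailbox over a size threshold, find the folder that holds the oldest received item. The 50 GB threshold comes from the question; excluding the Recoverable Items and audit folders, which almost always contain the oldest items and are not what a user can clean up, is this example's choice.

```powershell
# Added example: folder with the oldest received item, for Exchange Online mailboxes over a size threshold.
# Assumes the ExchangeOnlineManagement module and an account with Exchange recipient read rights.
param([int]$ThresholdGB = 50)

Connect-ExchangeOnline -ShowBanner:$false

function ConvertTo-Bytes {
    # EXO reports sizes as text such as "52.3 GB (56,157,312,000 bytes)"; the parenthesised figure is exact.
    param([string]$SizeText)
    if ($SizeText -match '\(([\d,]+) bytes\)') { return [int64]($Matches[1] -replace ',', '') }
    return 0
}

# Folders whose oldest item is not something a user can act on.
$SkipFolderTypes = 'RecoverableItemsDeletions', 'RecoverableItemsPurges', 'RecoverableItemsVersions',
                   'RecoverableItemsDiscoveryHolds', 'Audits'

$report = foreach ($mbx in Get-ExoMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox -Properties PrimarySmtpAddress) {
    $stats = Get-ExoMailboxStatistics -ExternalDirectoryObjectId $mbx.ExternalDirectoryObjectId
    $bytes = ConvertTo-Bytes $stats.TotalItemSize
    if ($bytes -lt $ThresholdGB * 1GB) { continue }

    # Per-folder oldest-item dates are only returned when asked for explicitly.
    $oldest = Get-ExoMailboxFolderStatistics -ExternalDirectoryObjectId $mbx.ExternalDirectoryObjectId -IncludeOldestAndNewestItems |
        Where-Object { $_.OldestItemReceivedDate -and $_.FolderType -notin $SkipFolderTypes } |
        Sort-Object OldestItemReceivedDate |
        Select-Object -First 1

    [pscustomobject]@{
        Mailbox       = $mbx.PrimarySmtpAddress
        SizeGB        = [math]::Round($bytes / 1GB, 2)
        OldestFolder  = $oldest.FolderPath
        OldestItem    = $oldest.OldestItemReceivedDate
        ItemsInFolder = $oldest.ItemsInFolder
    }
}

$report | Sort-Object SizeGB -Descending | Format-Table -AutoSize
```

Splitting the work into a named helper and a readable loop is the point the article makes about piped one-liners: `ConvertTo-Bytes` is where EXO's size formatting lives, so when Microsoft changes it (as they did between the remote PowerShell and REST cmdlets) there is one place to fix.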


Security Tools and Guides

Active Directory Advanced Threat Hunting - Compare GPOs with the Security Compliance Toolkit (1st party)

Even in the age of digital transformation, group policy settings (still) play a crucial role in maintaining network security and compliance. Advanced Hunting, an advanced technique for monitoring and analyzing these settings, is an indispensable tool for administrators. This method makes it possible to gain in-depth insights into the configuration and security situation of Windows networks. By using specific tools and scripts, professionals can detect security vulnerabilities, identify configuration errors and ensure that all group policies meet the highest security and compliance requirements. This article introduces the concept of Advanced Hunting for Group Policy settings and how it can transform management and security in IT infrastructures. Do we now need additional software and/or expensive tools? No, all we need is a little time, curiosity and the "Security Compliance Toolkit", which Microsoft is making available to us free of charge (thanks to Microsoft at this point). But first let's take a closer look at the MITRE techniques and the relevant Windows Event IDs before we start analyzing the group policy settings.
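The Security Compliance Toolkit ships the baselines as GPO backups plus `LGPO.exe`, and `LGPO.exe /parse /m registry.pol` turns a GPO's registry settings into a plain four-line-per-setting text format (scope, key path, value name, type and data). That format is easy to diff, which is what the added example below does; it is not from Microsoft's article. The parser and the comparison are this example's own, and the two inline samples are constructed to show the three outcomes a drift check produces: a setting that matches, one whose value differs, and one that is missing from the production GPO.

```powershell
# Added example: compare a GPO's registry settings (LGPO.exe /parse text) against a baseline slice.

function ConvertFrom-LgpoText {
    # LGPO text: records of four lines (scope, key, value name, type:data) separated by blank lines;
    # lines beginning with ';' are comments. Returns a hashtable keyed by "scope|key|value".
    param([string]$Text)
    $lines  = $Text -split "`r?`n" | Where-Object { $_ -notmatch '^\s*;' }
    $record = @()
    $result = @{}
    foreach ($line in ($lines + '')) {        # trailing '' flushes the final record
        if ($line.Trim() -eq '') {
            if ($record.Count -eq 4) { $result["$($record[0])|$($record[1])|$($record[2])"] = $record[3] }
            $record = @()
        } else {
            $record += $line.Trim()
        }
    }
    return $result
}

function Compare-PolicyToBaseline {
    # Every baseline setting is reported as Match, Different or Missing; extra settings in the
    # current GPO are not baseline violations and are left alone.
    param([hashtable]$Baseline, [hashtable]$Current)
    foreach ($key in ($Baseline.Keys | Sort-Object)) {
        $scope, $path, $name = $key -split '\|'
        $expected = $Baseline[$key]
        $actual   = if ($Current.ContainsKey($key)) { $Current[$key] } else { $null }
        $status   = if ($null -eq $actual) { 'Missing' } elseif ($actual -ne $expected) { 'Different' } else { 'Match' }
        [pscustomobject]@{ Status = $status; Scope = $scope; Key = $path; Value = $name; Expected = $expected; Actual = $actual }
    }
}

# Constructed sample: a slice of a baseline in LGPO text format.
$baselineText = @"
; baseline slice
Computer
Software\Policies\Microsoft\Windows\System
EnableSmartScreen
DWORD:1

Computer
Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
EnableScriptBlockLogging
DWORD:1

Computer
Software\Policies\Microsoft\Windows NT\Terminal Services
fDisableCdm
DWORD:1
"@

# Constructed sample: what LGPO.exe /parse /m produced for a production GPO.
$currentText = @"
; production GPO
Computer
Software\Policies\Microsoft\Windows\System
EnableSmartScreen
DWORD:1

Computer
Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
EnableScriptBlockLogging
DWORD:0
"@

$drift = Compare-PolicyToBaseline -Baseline (ConvertFrom-LgpoText $baselineText) -Current (ConvertFrom-LgpoText $currentText)
$drift | Format-Table Status, Value, Expected, Actual -AutoSize
```

On real input you replace the two here-strings with `Get-Content -Raw` of the parsed baseline and of `LGPO.exe /parse /m` run against the GPO backup's `registry.pol`. Note what this does not cover: security template settings (`GptTmpl.inf`, such as user rights and password policy) and audit policy (`audit.csv`) live in other files in the backup and need their own comparison, and a "Match" in the GPO says nothing about whether the GPO is linked, enforced and actually winning on the device.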

Same targets, new playbooks: East Asia threat actors employ unique methods (1st party) [PDF]

The latest Microsoft Threat Intelligence report has been released and focuses on East Asian threat actors. Microsoft has observed several notable cyber and influence trends from China and North Korea since June 2023 that demonstrate not only doubling down on familiar targets, but also attempts to use more sophisticated influence techniques to achieve their goals.

Top Ten Security Features to Enable Within Microsoft 365 (3rd party) [VIDEO]

Microsoft 365 offers a suite of robust software and services that you can configure to suit your needs. The area of security is near the top of everyone’s priority list, but with so many features, you may find yourself unclear over which options to choose. In this course, Microsoft MVP Liam Cleary shares his top 10 security controls that you should enable in your Microsoft 365 tenant. He starts with the core security categories and controls of Microsoft 365 that are available out of the box. He then shows how to enable the standard features to help protect user passwords, control access to the tenant, block data leakage, control device access, and manage external sharing capabilities.

Practical Protection: Reducing Your Attack Surface With Microsoft Security Exposure Management (3rd party)

“Attack surface” is a common phrase used by security folks to refer to how much of a system is exposed to attackers. Bigger surfaces are worse. You can think of the attack surface of a network as a representation of vulnerability. If you take a single Windows Server, disconnect it from any network, and lock it in an underground bunker, it will have a fairly small attack surface. If you take an image of that server and host it in Azure as a VM, its attack surface will be significantly larger. The more routes an attacker can use to target a system, the bigger its surface is. The moment someone plugs that server into a network, the attacker has new possibilities. The same is true when the server is reconfigured: every additional Windows service you run, and every application you install, may introduce new vulnerabilities, which means the attack surface grows. The same pattern holds as you add new capabilities or services to your network. By the same token, you can reduce the attack surface by removing potential vulnerabilities. For example, Microsoft went through a series of phases with Windows Server where much of the attack surface reduction they performed consisted of setting system services to start manually or on demand instead of leaving them running. The new Microsoft Security Exposure Management (MSEM) tool, which is in preview and for which no pricing has been announced, is meant to be an aggregator of security data that you already have… as long as you’re using Microsoft security tools, that is.

3 million doors open to uninvited guests in keycard exploit (3rd party)

Around 3 million doors protected by popular keycard locks are thought to be vulnerable to security flaws that allow miscreants to quickly slip into locked rooms. Security researchers developed an exploit that applies to various Saflok keycard locks made by Swiss security company dormakaba, ones that are prevalent in hotels around the world, as well as properties of multiple occupancy. The researchers who worked on the exploit, dubbed "Unsaflok," said more than 3 million hotel locks across 131 countries are affected.

60% of small businesses are concerned about cybersecurity threats (3rd party)

According to a recent poll by the US Chamber of Commerce, 60% of small businesses are concerned about cybersecurity threats, and 58% are concerned about a supply chain breakdown. Not surprisingly, small businesses in the professional services sector feel significantly more concerned about cybersecurity threats than those in manufacturing or services, but the poll explains that they also feel more prepared to handle them.

Operationalizing MITRE ATT&CK with Microsoft Security (Part 2) (3rd party)

It has been some time since Part 1 of this blog was posted. The first part focused mainly on the benefits of MITRE ATT&CK and how to operationalize it in Microsoft Defender XDR, while this part focuses on Microsoft Sentinel. The first, and probably most fundamental, place to begin with MITRE ATT&CK in Microsoft Sentinel is the Analytics blade: the tactics and techniques configured per rule there are what every incident's mapping is ultimately based on. Building your queries in the Analytics and Hunting blades, with tactics and techniques assigned, is what populates the MITRE ATT&CK blade and the coverage heatmap that Microsoft Sentinel provides.


Microsoft News

Advancing science: Microsoft and Quantinuum demonstrate the most reliable logical qubits on record with an error rate 800x better than physical qubits (1st party)

Today signifies a major achievement for the entire quantum ecosystem: Microsoft and Quantinuum demonstrated the most reliable logical qubits on record. By applying Microsoft’s breakthrough qubit-virtualization system, with error diagnostics and correction, to Quantinuum’s ion-trap hardware, we ran more than 14,000 individual experiments without a single error. Furthermore, we demonstrated more reliable quantum computation by performing error diagnostics and corrections on logical qubits without destroying them. This finally moves us out of the current noisy intermediate-scale quantum (NISQ) level to Level 2 Resilient quantum computing. This is a crucial milestone on our path to building a hybrid supercomputing system that can transform research and innovation across many industries. It is made possible by the collective advancement of quantum hardware, qubit virtualization and correction, and hybrid applications that take advantage of the best of AI, supercomputing, and quantum capabilities. With a hybrid supercomputer powered by 100 reliable logical qubits, organizations would start to see scientific advantage, while scaling closer to 1,000 reliable logical qubits would unlock commercial advantage.

Microsoft and NVIDIA announce major integrations to accelerate generative AI for enterprises everywhere (1st party)

Microsoft will be one of the first organizations to bring the power of NVIDIA Grace Blackwell GB200 and advanced NVIDIA Quantum-X800 InfiniBand networking to Azure, delivering cutting-edge trillion-parameter foundation models for natural language processing, computer vision, speech recognition and more. Microsoft is also announcing the general availability of its Azure NC H100 v5 virtual machine (VM) based on the NVIDIA H100 NVL platform. Designed for midrange training and inferencing, the NC series of virtual machines offers customers two classes of VMs with one or two NVIDIA H100 94GB PCIe Tensor Core GPUs and supports NVIDIA Multi-Instance GPU (MIG) technology, which allows customers to partition each GPU into up to seven instances, providing flexibility and scalability for diverse AI workloads.

Responsible AI at Microsoft (1st party) [VIDEO]

Sarah Bird, Global Lead for Responsible AI Engineering at Microsoft, discusses responsible AI principles and how Microsoft endeavors to embed these principles into our AI products to protect from potential new harms created by AI technology.


Security News

McDonald's: Global outage was caused by "configuration change” (3rd party)

McDonald's has blamed a third-party service provider's configuration change, not a cyberattack, for the global outage that forced many of its fast-food restaurants to close. According to a statement shared by the company's Chief Information Officer Brian Rice, the global technology system outage began around midnight CDT on Friday. However, the outage still impacts some McDonald's restaurants even though the root issues were "quickly identified and corrected."

Cyberattack knocks out Pensacola city government phone lines (3rd party)

The city government of Pensacola, Florida, is dealing with widespread phone outages due to a cyberattack announced over the weekend. City spokesperson Jason Wheeler told Recorded Future News that officials are experiencing phone issues across city departments that are causing delays in receiving service through the 311 Citizen Support system. Emergency phone numbers like 911 are still operating, and Wheeler said non-emergency numbers can be used to contact the Pensacola Police Department and Fire Department. The city has also created alternate phone numbers for the energy department, sanitation, public works, engineering, housing and other departments.

Over 92,000 exposed D-Link NAS devices have a backdoor account (3rd party)

A threat researcher has disclosed a new arbitrary command injection and hardcoded backdoor flaw in multiple end-of-life D-Link Network Attached Storage (NAS) device models. The researcher who discovered the flaw, 'Netsecfish,' explains that the issue resides within the '/cgi-bin/nas_sharing.cgi' script, impacting its HTTP GET request handler component. The two main issues contributing to the flaw, tracked as CVE-2024-3273, are a backdoor facilitated through a hardcoded account (username "messagebus" with an empty password) and a command injection problem via the "system" parameter. Because the affected models are end-of-life, no firmware fix is expected; the practical mitigation is to take these devices off the internet and retire them.

Unpatchable vulnerability in Apple chip leaks secret encryption keys (3rd party)

A newly discovered vulnerability baked into Apple’s M-series of chips allows attackers to extract secret keys from Macs when they perform widely used cryptographic operations, academic researchers have revealed in a paper published Thursday. The flaw—a side channel allowing end-to-end key extractions when Apple chips run implementations of widely used cryptographic protocols—can’t be patched directly because it stems from the microarchitectural design of the silicon itself. Instead, it can only be mitigated by building defenses into third-party cryptographic software that could drastically degrade M-series performance when executing cryptographic operations, particularly on the earlier M1 and M2 generations. The vulnerability can be exploited when the targeted cryptographic operation and the malicious application with normal user system privileges run on the same CPU cluster.

Over 100 US and EU orgs targeted in StrelaStealer malware attacks (3rd party)

A new large-scale StrelaStealer malware campaign has impacted over a hundred organizations across the United States and Europe, attempting to steal email account credentials. StrelaStealer was first documented in November 2022 as a new information-stealing malware that steals email account credentials from Outlook and Thunderbird. One notable characteristic of the malware was using a polyglot file infection method to evade detection from security software.

Microsoft to shut down 50 cloud services for Russian businesses (3rd party)

Microsoft plans to limit access to over fifty cloud products for Russian organizations by the end of March as part of the sanctions requirements against the country issued by EU regulators last December. The suspension was initially scheduled for March 20, 2024, but it was moved to the end of the month to give impacted entities more time to set up alternative solutions. The news of these impending suspensions was first reported by the Softline Group of Companies, one of Russia's largest remaining IT service providers.

New MFA-bypassing phishing kit targets Microsoft 365, Gmail accounts (3rd party)

Cybercriminals have been increasingly using a new phishing-as-a-service (PhaaS) platform named 'Tycoon 2FA' to target Microsoft 365 and Gmail accounts and bypass two-factor authentication (2FA) protection. Tycoon 2FA was discovered by Sekoia analysts in October 2023 during routine threat hunting, but it has been active since at least August 2023, when the Saad Tycoon group offered it through private Telegram channels. The PhaaS kit shares similarities with other adversary-in-the-middle (AitM) platforms, such as Dadsec OTT, suggesting possible code reuse or a collaboration between developers.


Industry Specific News

Government - China tests US voter fault lines and ramps AI content to boost its geopolitical interests (3rd party)

China is using fake social media accounts to poll voters on what divides them most, to sow division and possibly influence the outcome of the U.S. presidential election in its favor. China has also increased its use of AI-generated content to further its goals around the world. North Korea has increased its cryptocurrency heists and supply chain attacks to fund and further its military goals and intelligence collection. It has also begun to use AI to make its operations more effective and efficient.

Government - Illinois county government, local college affected by ransomware attacks (3rd party)

An Illinois county on the border with Iowa is the latest local government in the U.S. to fall victim to a ransomware attack. Henry County has been dealing with a wide-ranging cyberattack since March 18, Mat Schnepple, director of the Emergency Management (OEM) office in Henry County, confirmed to Recorded Future News. The county’s leadership was alerted to the attack on Monday and shut down access to multiple impacted systems. The county’s incident response team partnered with an outside company to begin an investigation into the attack.

Government - Attempted hack on NYC continues wave of cyberattacks against municipal governments (3rd party)

2024 has already seen dozens of local governments slammed by ransomware incidents and cyberattacks, limiting services for millions of people across the United States. The latest high-profile incident involves New York City, which was forced to take a city payroll website offline and remove it from public view after dealing with a phishing incident. The incident was first reported by Politico, which spoke to city workers who complained of the New York City Automated Personnel System, Employee Self Service (NYCAPS/ESS) being offline right as many tried to file their taxes.

Healthcare - Mr. Maeda's Cozy AI Kitchen - Personalized Patient Care With AI, with Dr. Kim Morita (1st party) [VIDEO]

In “Mr. Maeda’s Cozy AI Kitchen,” Dr. Kim Morita discusses the integration of AI in personalized patient care, emphasizing the importance of preventative oral health and the oral-systemic link. The episode showcases a creative cooking metaphor to explain AI concepts, such as embeddings and probabilistic models, and introduces the ‘Morita Huddle Manager,’ an AI agent designed to enhance patient care by providing personalized instructions to dental staff. The conversation also touches on the significance of saliva and oral health in overall well-being, highlighting the mouth as the gateway to the body’s health.

Healthcare - Get started with Azure Health Data Services (1st party)

This article outlines the basic steps to get started with Azure Health Data Services. Azure Health Data Services is a set of managed API services based on open standards and frameworks that enable workflows to improve healthcare and offer scalable and secure healthcare solutions. The workspace is a logical container for all your healthcare service instances such as Fast Healthcare Interoperability Resources (FHIR) service, Digital Imaging and Communications in Medicine (DICOM) service, and MedTech service. The workspace also creates a compliance boundary (HIPAA, HITRUST) within which protected health information can travel.

Shravan Kumar Chitimilla

Information Technology Manager | I help Clients Solve Their Problems & Save $$$$ by Providing Solutions Through Technology & Automation.

7 months ago

Sorry to hear you missed the eclipse, but thanks for sharing these exciting tech updates! Ryan Parsons

More articles by Ryan Parsons: Tech news for the weeks of November 18th, November 11th, November 4th, October 28th, October 21st, October 16th, September 30th, September 16th, September 9th and September 2nd, 2024.