Tech news for the week of November 18th, 2024
Topics in this week’s Tech Newsletter
Training
Copilot and AI
Microsoft 365
Windows 365 and Azure Virtual Desktop
Microsoft Defender
Azure
Server
Identity Protection and Management
Information Protection and Management
Intune
Device Management
Scripting and Automation
Security Tools and Guides
Security News
Training
Building PowerShell 5 Security Tools in a Windows Environment (3rd party) [PAID]
IT security is everyone's responsibility. System administrators and IT professionals aren't information security gurus, but they still need the tools to be an organization's first line of defense. In this course, Building PowerShell 5 Security Tools in a Windows Environment, you will gain the ability to build PowerShell scripts and modules to discover potential and real security threats in your organization through reporting and change management. First, you will learn how to parse the Windows event log and how to query for and apply Windows patches. Next, you will discover how to detect various changes in your environment. Finally, you will explore how to encrypt and decrypt sensitive information with PowerShell. When you are finished with this course, you will have the skills and knowledge to build PowerShell tools that query for and remediate the common security threats you need to address to secure your IT organization.
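The event-log parsing the course describes, as an added example (not course material): the function reads failed-logon events (ID 4625) from the Security log, pulls the named fields out of the event XML instead of the localized message text, and reports source addresses that exceed a failure threshold. The threshold, the time window and the `-Events` parameter for feeding a saved `.evtx` are this example's own choices.

```powershell
# Added example: summarize failed logons (event ID 4625) and flag noisy sources.
# Run elevated on Windows PowerShell 5.1; the Security log needs admin rights to read.
function Get-FailedLogonSummary {
    [CmdletBinding()]
    param(
        [int]$Hours = 24,
        [int]$Threshold = 10,
        # Optional: pre-fetched events (e.g. from an exported .evtx) instead of the live log
        [System.Diagnostics.Eventing.Reader.EventRecord[]]$Events
    )

    if (-not $Events) {
        $Events = Get-WinEvent -FilterHashtable @{
            LogName   = 'Security'
            Id        = 4625
            StartTime = (Get-Date).AddHours(-$Hours)
        } -ErrorAction SilentlyContinue
    }

    $rows = foreach ($e in $Events) {
        # Read named fields from the event XML; the message text is localized and changes between builds.
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            TargetUser  = $d['TargetUserName']
            Workstation = $d['WorkstationName']
            SourceIp    = $d['IpAddress']
            LogonType   = $d['LogonType']
            # Status 0xC0000234 = account locked out; SubStatus 0xC000006A = bad password,
            # 0xC0000064 = user name does not exist (useful for spotting user enumeration)
            Status      = $d['Status']
            SubStatus   = $d['SubStatus']
        }
    }

    $rows | Group-Object SourceIp | Where-Object Count -ge $Threshold | ForEach-Object {
        $times = $_.Group.Time | Sort-Object
        [pscustomobject]@{
            SourceIp  = $_.Name
            Failures  = $_.Count
            Users     = ($_.Group.TargetUser | Sort-Object -Unique) -join ','
            FirstSeen = $times[0]
            LastSeen  = $times[-1]
        }
    } | Sort-Object Failures -Descending
}

# Live log, last 24 hours, flag any source with 10 or more failures
Get-FailedLogonSummary -Hours 24 -Threshold 10 | Format-Table -AutoSize

# Offline: same logic over an exported log (path is hypothetical)
# Get-FailedLogonSummary -Events (Get-WinEvent -Path .\Security.evtx -FilterXPath '*[System[EventID=4625]]')
```

A source that fails against many distinct user names with SubStatus 0xC0000064 is a spray or enumeration pattern rather than a forgotten password; the `Users` column makes that visible without a second query.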
Copilot and AI
It’s no secret that AI technology is transforming organizations around the world. We’re seeing industries like retail, healthcare, financial services, and manufacturing increasingly use AI to drive innovation and efficiency. Yet many businesses are still in the process of developing their AI strategy. If you’ve read The AI Strategy Roadmap: Navigating the stages of value creation, you’re already familiar with the five drivers of AI value. This research paper and blog series explore what organizations need to succeed with AI, including establishing a clear strategy and securing senior leadership support. Our research found that AI success isn’t solely about technology—strategic, organizational, and cultural factors are equally critical.
Are you ready to supercharge Microsoft 365 Copilot? Following the recent Wave 2 announcements and the general availability of Copilot agents, we are excited to introduce a curated set of new Copilot agents developed by Microsoft. These agents are designed to help you and your team optimize and reinvent your business processes. Copilot agents can help you transform complex and dynamic processes. By integrating Copilot agents into your workflow, you can harness their power, right within the flow of your work. Powered by Microsoft 365 Copilot, these agents utilize the same scalable, secure infrastructure and platform, tailored to your business needs, providing an intuitive and advanced experience without the need for coding.
I’m Raiyan Bin Sarwar, Microsoft Student Ambassador (Beta) and third-year Computer Science and Engineering student at Bangladesh University of Professionals. As someone passionate about exploring the tech world, today I’ll be guiding you through how to build your very own customized Copilot using Microsoft’s Copilot Studio. Whether you're an AI enthusiast or just curious about how to create an intelligent assistant, this step-by-step guide will help you get started. Artificial Intelligence (AI) has been making waves across industries, and one of the exciting areas is the creation of personal AI copilots to automate tasks, source data, and improve workflows. With the powerful tools in Copilot Studio, building your own customized AI assistant has never been easier.
Finastra’s Copilot revolution: How AI is reshaping B2B software marketing for the financial services sector (1st party)
Finastra has revolutionized its marketing with Microsoft 365 Copilot, slashing campaign creation time. Copilot automates tasks, enhances content creation, improves analytics, and personalizes customer interactions, streamlining workflows and increasing productivity. This transformation has saved time and money, facilitated rapid campaign launches, and boosted brand awareness. By embedding AI across operations, Finastra fosters innovation and positions itself as a leader in the financial services industry.
Control Safety, Privacy & Security in AI apps (1st party) [VIDEO]
What are prompt injection attacks and how do you stop them? How do you avoid deceptive responses? Can AI traffic be end-to-end encrypted? We'll answer these questions and more with technical demonstrations to make it real. Mark Russinovich will show you how to develop and deploy AI applications that prioritize safety, privacy, and integrity. Leverage real-time safety guardrails to filter harmful content and proactively prevent misuse, ensuring AI outputs are trustworthy. The integration of confidential inferencing enables users to maintain data privacy by encrypting information during processing, safeguarding sensitive data from exposure. Enhance AI solutions with advanced features like Groundedness detection, which provides real-time corrections to inaccurate outputs, and the Confidential Computing initiative that extends verifiable privacy across all services. Mark Russinovich, Azure CTO, joins Jeremy Chapman to share how to build secure AI applications, monitor and manage potential risks, and ensure compliance with privacy regulations.
Copilot Pages in Microsoft 365: A First Look (3rd party) [VIDEO]
Introducing Copilot Pages – where your work transforms from solo word processing to an AI-powered team environment. No more fussing about where to store documents or how to keep your team aligned – just pure focus on creating, editing, and managing all your proposals, plans, specs, and docs seamlessly with your team. In this video you'll first learn how to access Copilot Pages through Copilot for Microsoft 365. You'll get the basic familiarity with the edit canvas, based on Microsoft Loop. You'll then see how to share your new Copilot Page with others and make real-time edits. Then you'll learn how to add more Copilot responses to your page. Next, you'll see how to share your page in a read-only view. Finally, you'll learn how this overlaps with Microsoft Loop - and how you can get back to the pages you create.
Save and share Copilot prompts. Streamlined Teams chat and channels (3rd party) [VIDEO]
Save your favorite prompts, whether they are suggested, or you created them, into Copilot Labs library. Share them with your teammates using M365 Copilot at work. Daniel and Darrell also mention the new Teams chats and channels combined experience and decide the topic needs its own special episode.
Microsoft 365
By default, the first time a user browses to their OneDrive it is automatically created (provisioned) for them. In some cases you might want your users' OneDrive locations to be ready beforehand, or pre-provisioned, for example when:
Your organization has a custom process for adding new employees, and you want to create a OneDrive when you add a new employee.
Your organization plans to migrate from SharePoint Server on-premises to Microsoft 365.
Your organization plans to migrate from another online storage service.
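Pre-provisioning in practice, as an added example (not the Microsoft article's own script): Request-SPOPersonalSite queues OneDrive creation for up to 200 users per call, so the function below batches a list of UPNs and the final command checks which personal sites exist afterwards. The tenant name `contoso` and the input file `users.txt` are assumptions.

```powershell
# Added example: pre-provision OneDrive for a list of users in batches.
# Requires the Microsoft.Online.SharePoint.PowerShell module and SharePoint Administrator rights.
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
Connect-SPOService -Url https://contoso-admin.sharepoint.com   # hypothetical tenant

function Request-OneDriveBatch {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$UserPrincipalName,
        [int]$BatchSize = 200   # Request-SPOPersonalSite accepts at most 200 users per call
    )
    for ($i = 0; $i -lt $UserPrincipalName.Count; $i += $BatchSize) {
        $end   = [Math]::Min($i + $BatchSize, $UserPrincipalName.Count) - 1
        $batch = $UserPrincipalName[$i..$end]
        # -NoWait queues the request; provisioning itself runs asynchronously in the service
        Request-SPOPersonalSite -UserEmails $batch -NoWait
        Write-Verbose ("Queued {0} users ({1}-{2})" -f $batch.Count, $i, $end)
    }
}

# One UPN per line; skip blank or malformed lines
$users = Get-Content .\users.txt | Where-Object { $_ -match '^[^@\s]+@[^@\s]+$' }
Request-OneDriveBatch -UserPrincipalName $users -Verbose

# Provisioning takes a while for large batches. Verify later which personal sites now exist:
Get-SPOSite -IncludePersonalSite $true -Limit All -Filter "Url -like '-my.sharepoint.com/personal/'" |
    Select-Object Url, Owner, Status
```

Users who already have a OneDrive are unaffected, so the script is safe to re-run; users without an assigned license will not get a site regardless of the request.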
MC922620 - Microsoft Places app ON by default (3rd party)
The Microsoft Places app will be ON by default, facilitating in-office coordination via OWA or Outlook Calendar. Teams Premium users get extra features. Rollout begins early December 2024. Admins should set up policies to pin the app for users and configure access as needed. The Microsoft Places app helps users coordinate their in-office days with colleagues. When work location is shared from OWA or the new Outlook Calendar, users will see others' work locations and can decide the best days to be in the office for in-person collaboration. With this change, the Places app will be accessible by default for all users by navigating to this URL, but you need to take action to make it easier to discover inside Teams, Outlook and the Microsoft 365 app. To improve the user experience, admins can set up policies to pin the Places app for your users.
On October 28, 2024, Microsoft announced the biggest change to the Teams user interface with a major makeover for chats and channels. Microsoft says that the “new experience is designed to help you collaborate more efficiently and effectively. It’s simple by default, enabling everyone to stay on top of what matters, and it’s powerful on demand, allowing you to organize information and communicate your way.” Microsoft’s waffle about the new experience is pure marketing spin. My view is that the reason why the change is so big is that it acknowledges that chats are the dominant method of communication within Teams. I’ve heard some folks within Microsoft whom I respect say that the change underlines the importance of channels. I disagree because all I see is chat, chat, and more chat.
Windows 365 and Azure Virtual Desktop
Regeneron elevates global user experience of lab employees, lowers patch management costs with Windows 365 (1st party)
Biotechnology firm Regeneron uses the power of science to bring new medicines to patients in need. It faced the industry-wide challenge of securely managing increasing volumes of scientific data, while keeping compliant with FDA data handling and storage requirements. The company needed to meet this challenge, while maintaining good data governance practices, improving the user experience of lab technicians—and elevating the overall usability of the company systems they use every day. Regeneron moved to Windows 365, running Cloud PCs to provide an enhanced Windows 11 desktop experience on laptops in kiosk mode. Laboratory employees enjoy improved usability, while the company benefits from simplified IT administration, security, and increased data compliance with Windows 365.
Microsoft Defender
In my role working with Defender for Identity (MDI) customers, I'm often asked if MDI can help them answer questions about activities taking place within the environment. MDI does have a lot of information around the activities taking place in Active Directory, and now, combined with the power of Advanced Hunting in Microsoft 365 Defender, we can help customers answer some of these questions with ease and efficiency. MDI tracks the changes made to Active Directory group memberships. These changes are recorded by MDI as an activity and are available in the Microsoft 365 Defender Advanced Hunting table IdentityDirectoryEvents.
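Querying those membership changes from a script, as an added example (not the blog's own query): the function wraps a KQL query over IdentityDirectoryEvents in Start-MgSecurityHuntingQuery from the Microsoft Graph PowerShell SDK, so the check can run on a schedule rather than in the portal. The AdditionalFields keys "TO.GROUP" and "FROM.GROUP" are assumed from the MDI schema for the "Group Membership changed" action type; confirm them against one raw row in your tenant before relying on the filter.

```powershell
# Added example: list AD group membership changes recorded by MDI via Advanced Hunting.
# Requires Microsoft.Graph.Security and the delegated permission ThreatHunting.Read.All.
Connect-MgGraph -Scopes 'ThreatHunting.Read.All' -NoWelcome

function Get-MdiGroupMembershipChange {
    [CmdletBinding()]
    param(
        [string]$Group = 'Domain Admins',   # group to watch, or '*' for every group
        [int]$Days = 30
    )
    $groupFilter = if ($Group -eq '*') { 'true' } else { "ToGroup == '$Group' or FromGroup == '$Group'" }
    $kql = @"
IdentityDirectoryEvents
| where Timestamp > ago(${Days}d)
| where ActionType == "Group Membership changed"
| extend ToGroup   = tostring(parse_json(AdditionalFields).["TO.GROUP"]),
         FromGroup = tostring(parse_json(AdditionalFields).["FROM.GROUP"])
| where $groupFilter
| project Timestamp, DeviceName, AccountUpn, TargetAccountUpn, TargetAccountDisplayName, FromGroup, ToGroup, ReportId
| order by Timestamp desc
"@
    $result = Start-MgSecurityHuntingQuery -Query $kql
    # Each row comes back as a dictionary of column name -> value; turn it into an object
    foreach ($row in $result.Results) {
        $o = [ordered]@{}
        foreach ($k in $row.AdditionalProperties.Keys) { $o[$k] = $row.AdditionalProperties[$k] }
        [pscustomobject]$o
    }
}

# Who was added to or removed from Domain Admins in the last 30 days?
Get-MdiGroupMembershipChange -Group 'Domain Admins' -Days 30 | Format-Table -AutoSize
```

A non-empty ToGroup with an empty FromGroup is an addition, the reverse is a removal; a row where the actor (AccountUpn) is not one of your known admin identities is the one to chase first.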
Cloud Detection and Response with Microsoft Defender for Cloud and Microsoft Defender XDR (1st party) [VIDEO]
In this demo-focused video, explore the Cloud Detection and Response (CDR) capabilities with Microsoft Defender for Cloud and Microsoft Defender XDR. As a Security Operations Center Analyst, your primary responsibility is to safeguard your organization’s applications and data by investigating and responding to threats. However, increasingly complex cloud native applications have expanded attack surfaces, especially when cloud workloads span across multicloud and hybrid environments. You need a Cloud Native Application Protection Platform that integrates with a unified security operations platform to help you detect and respond to threats, and this is where Microsoft Defender for Cloud and Microsoft Defender XDR come in.
Microsoft Defender XDR Monthly news (1st party)
This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from October 2024. This post contains dozens of great new features and links to learn more about each of them.
Defender XDR Automated Configuration (3rd party)
This is a collection of commands that will help automate the configuration of the Defender XDR portal settings. To use this, you must obtain the sccauth value and xsrf-token value from the browser and use them to create cookies and headers for the API calls. This is because the scripts use an internal API to configure settings, and there isn't a public way to get the right tokens. These scripts are from Nathan McNulty, a Senior Security Solutions Architect with Patriot Consulting.
Azure
Trusted Signing addresses the signing issues faced by individual developers by providing a comprehensive and affordable solution. It ensures the authenticity and integrity of code through a modern identity validation process, which is crucial for securing code signing certificates. One of the key advantages of Trusted Signing is its cost-effectiveness. Trusted Signing offers two pricing tiers, starting at $9.99/month: Basic and Premium. Both tiers are designed to provide optimal cost efficiency and cater to various signing needs. The costs for identity validation, certificate lifecycle management, and signing are all included in a single offering, ensuring accessibility and predictable expenses. This eliminates the need for individual developers to invest in additional infrastructure and operations required to manage and store private keys securely.
The Azure Bot resource (bot resource) allows you to register your bot with Azure AI Bot Service and to connect your bot to channels. You can build, connect, and manage bots to interact with your users wherever they are, from your app or website to Teams, Messenger and many other channels. This article describes how to create a bot resource through the Azure portal.
The wait is over, we are thrilled to introduce the Public Preview of the Azure Arc gateway for Arc-enabled Servers and Arc-enabled Kubernetes! It reduces the number of endpoints customers must allow on their enterprise proxy when setting up Azure Arc services. For the Arc gateway public preview, we have focused primarily on covering service endpoints for Azure control plane traffic. Most of the data plane endpoints are not yet covered by Arc gateway. I’d like to use the Azure monitoring on Arc-enabled Servers scenario to illustrate the endpoints covered by the Public Preview release.
AI has reset our expectations of what technology can achieve. From transforming how we explore the cosmos to enabling doctors to provide personalized care and making business functions operate more intelligently, it all comes down to you—the developer—to turn this potential into reality. As developers, you’re experiencing a dramatic shift in what you build and how you build it. And the tools you use should seamlessly fit into your workflow, solve real problems quickly, and keep you in the flow of development. As a company of developers who builds for other developers, we’re excited to be part of this change and many of us will be at GitHub Universe to share our experience and learn from others about how AI is reshaping how we work. We’re not coming empty handed. I’m excited to announce new capabilities and tools that further integrate Microsoft Azure AI services directly in your favorite dev tools.
In this video, we dive into Azure Private Link Service, exploring how it enables secure, private connectivity for IaaS-based services in Azure. You’ll learn how Private Link Service differs from private endpoints and private links, providing a way to host and securely access applications over the Microsoft backbone network—without the need for VPNs or VNet peering. Join me as we walk through a full deployment of Private Link Service. From setting up a load balancer to creating private endpoints across tenants, this video demonstrates how this powerful service allows for secure connections and limits exposure to the public internet. This video is a must-watch for anyone looking to enhance their Azure network security and connectivity strategies.
Server
OPS104: Securing SMB from within and without (1st party) [VIDEO]
In this session, Ned Pyle discusses how widely the SMB protocol is used on Windows, Windows Server and in Microsoft Azure. Learn specific strategies to secure SMB from lateral movement and external interception attacks! Watch interesting demos of the steps you can take to protect your organization! See the often unpredictable Ned Pyle struggle to be professional on camera!
Configure SMB Signing with Confidence (1st party)
Heya folks, Ned here again. Many years ago, we made configuring SMB signing in Windows pretty complicated. Then, years later, we made it even more complicated in an attempt to be less complicated. Today I'm here to explain the SMB signing rules once and for all. Probably. SMB signing means that every SMB 3.1.1 message contains a signature generated using the session key and AES. The client puts a hash of the entire message into the signature field of the SMB2 header. If anyone changes the message itself later on the wire, the hash won't match and SMB knows that someone tampered with the data. It also confirms to sender and receiver that they are who they say they are, breaking relay attacks. Ideally, you are using Kerberos instead of NTLMv2 so that your session key starts strong; don't connect to shares with IP addresses and don't use CNAME records - Kerberos is here to help!
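Putting the rules into practice, as an added example (not from Ned's post): the first function reports the four signing switches on a host, the second requires signing for both the server (inbound) and client (outbound) side, and the third lists live outbound connections that are still unsigned, which is where an IP-address or CNAME target that fell back to NTLM will show up. The host name in the final klist line is hypothetical.

```powershell
# Added example: audit and enforce SMB signing, then confirm sessions are actually signed.
# Run elevated; uses the SmbShare module (Windows 8 / Server 2012 and later).
function Get-SmbSigningState {
    # 'Require' on either peer forces signing for the session; 'Enable' alone only signs when the other side requires it.
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration
    [pscustomobject]@{
        ServerEnabled  = $srv.EnableSecuritySignature
        ServerRequired = $srv.RequireSecuritySignature
        ClientEnabled  = $cli.EnableSecuritySignature
        ClientRequired = $cli.RequireSecuritySignature
    }
}

function Set-SmbSigningRequired {
    # Require signing inbound (server) and outbound (client). Existing sessions renegotiate on reconnect.
    Set-SmbServerConfiguration -EnableSecuritySignature $true -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -EnableSecuritySignature $true -RequireSecuritySignature $true -Force
}

function Get-UnsignedSmbConnection {
    # Outbound connections from this host with dialect and signing/encryption state.
    Get-SmbConnection |
        Select-Object ServerName, ShareName, Dialect, Signed, Encrypted, UserName |
        Where-Object { -not $_.Signed }
}

Get-SmbSigningState
Set-SmbSigningRequired
Get-SmbSigningState
Get-UnsignedSmbConnection | Format-Table -AutoSize

# Kerberos check: a share reached by its real DNS name gets a cifs/ service ticket; an IP or CNAME target will not,
# and the session silently falls back to NTLM with a weaker session key.
klist get cifs/fileserver.contoso.local   # hypothetical host name
```

Roll out the server-side requirement first and watch for clients that stop connecting (very old devices, some appliances); the client-side requirement protects the host from rogue servers and is the half people forget.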
Find information on known issues and the servicing status for Windows Server 2025. Windows Server 2025 is now generally available. It delivers security advancements and new hybrid cloud capabilities in a high performing, AI-capable platform. Windows Server 2025 is Microsoft’s latest Long-Term Servicing Channel (LTSC) release for Windows Server. To download a free 180-day evaluation, visit the Microsoft Evaluation Center. Windows Server 2025 is offered as an Optional update for Windows Server 2022 and Windows Server 2019 devices, if organizations want to do an in-place upgrade. See open issues, content updated in the last 30 days, and information on safeguard holds.
Microsoft has announced the general availability (GA) of Windows Server 2025 today, starting with build 26100.1742. It is the latest version of the Server OS and is also a long-term servicing channel (LTSC) release. As such, extended support for Windows Server 2025 will run for nearly 10 years, until 10th October 2034. Mainstream support, meanwhile, will last until 9th October 2029. In terms of features and improvements, Microsoft claims enormous improvements to I/O throughput performance on Windows Server 2025. The company added more details about such storage improvements later in a separate post. Other improvements include those related to GPU virtualization in the form of GPU Partitioning or Multi-Instance GPU, VBS enclaves, and more.
Windows Server 2025 Changes (3rd party)
Microsoft Windows Server 2025 has just reached general availability. I decided to install it and see what’s changed compared to Windows Server 2022. With Windows Server 2025, there are two setup experiences: the new setup UI, which is the default, and the previous setup UI, which I will call the old setup UI, as it is very much like the Windows setup UI we are all used to. In this post, I will compare the install screens from Windows Server 2022 with the Windows Server 2025 new setup UI and the Windows Server 2025 old setup UI to see what’s different, along with the initial changes I noticed once Windows Server 2025 was installed.
A Truly Horrible Name for What’s a Pretty Good Way to Stop User Mailboxes Being Removed in Error (3rd party)
On November 5, the Exchange development group announced the new delicensing resiliency feature. Unfortunately, the blog post for the announcement went out at the same time that the Microsoft Technical Community was in the middle of a major upgrade (it was offline for most of the day), so you might not have seen the news. Delicensing resiliency is a horrible name for a feature. What it means is that large Exchange Online tenants (with more than 10,000 paid seats) can enable an extra layer of protection for unlicensed mailboxes. Most users are licensed for Exchange Online through a service plan included in a product SKU like Office 365 E3 or Microsoft 365 Business Premium. An Exchange Online license can be bought separately, but that’s usually only done to enable features like an archive for shared mailboxes.
Active Directory Based Activation (3rd party)
There are many ways to activate Windows, and a really cool way to activate Windows is with Active Directory-Based Activation. Active Directory-Based Activation (ADBA) was first introduced in Windows Server 2012 and is only usable if your Microsoft Volume Licensing agreement includes a KMS host key. If you don’t have a KMS key, you may need to request one from Microsoft. ADBA works very similarly to KMS (Key Management Service), except it doesn’t have the dependency of 25 activations before it becomes active and doesn’t need DNS SRV records to work. The systems just need to talk to your domain, and because your domain is highly available, so is ADBA.
Windows Server 2025 Removed and Deprecated Features (3rd party) [VIDEO]
Learn about features removed, deprecated, and no longer under development with the release of Windows Server 2025. As is the case with every new version of Windows Server, there are more changes than can easily be encapsulated in a single post. In this video, Orin walks through a broad range of topics to make sure you are up to speed.
Windows Server Protected Users Group (3rd party) [VIDEO]
Learn about the Protected Users security group in Windows Server and how you can use it to protect sensitive privileged accounts. Protected Users is a global security group for Active Directory (AD) designed to protect against credential theft attacks. The group triggers non-configurable protection on devices and host computers to prevent credentials from being cached when group members sign-in.
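Deciding which accounts to put in the group, as an added example (not from the video): the script lists users who hold membership in the usual privileged groups but are not yet in Protected Users, then flags the ones that the group's non-configurable protections would break. Members of Protected Users cannot authenticate with NTLM, DES or RC4 Kerberos, cannot be delegated and receive a four-hour TGT, so service accounts (anything with an SPN) must stay out, and an account whose password has not changed in a long time should be reset first so that it has current AES keys. The list of privileged groups is an assumption; adjust it to your forest.

```powershell
# Added example: find privileged users outside Protected Users and vet them before adding.
# Requires the ActiveDirectory module (RSAT) and rights to modify Protected Users.
Import-Module ActiveDirectory

$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'   # assumption
$protected = (Get-ADGroupMember 'Protected Users' -Recursive).DistinguishedName

$candidates = $privilegedGroups |
    ForEach-Object { Get-ADGroupMember $_ -Recursive } |
    Where-Object { $_.objectClass -eq 'user' } |
    Sort-Object DistinguishedName -Unique |
    Where-Object { $protected -notcontains $_.DistinguishedName } |
    ForEach-Object { Get-ADUser $_ -Properties ServicePrincipalName, PasswordLastSet, Enabled }

foreach ($u in $candidates) {
    $reason = @()
    # Service accounts break immediately: no NTLM, no RC4, no delegation, 4-hour TGT
    if ($u.ServicePrincipalName) { $reason += 'has SPN (service account)' }
    # Stale passwords may predate AES keys; reset before adding so Kerberos AES works
    if ($u.PasswordLastSet -lt (Get-Date).AddYears(-1)) { $reason += 'password older than 1 year, reset first' }
    if (-not $u.Enabled) { $reason += 'disabled account, review instead' }

    if ($reason) {
        Write-Warning ("Skipping {0}: {1}" -f $u.SamAccountName, ($reason -join '; '))
    }
    else {
        # -WhatIf: pilot with one or two accounts and confirm they can still sign in before removing it
        Add-ADGroupMember -Identity 'Protected Users' -Members $u -WhatIf
    }
}
```

Keep a break-glass account outside the group and test each addition during business hours: a member that still relies on an NTLM-only application will simply stop authenticating to it, with nothing in the group itself to tune.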
Identity Protection and Management
Microsoft is on the front lines helping secure customers worldwide—analyzing and responding to cybersecurity threats, building security technologies, and partnering with organizations to effectively deploy these technologies for increased security. Many of you have been following as we’ve described our Secure Future Initiative, which is pushing the Zero Trust principles verify explicitly, least privilege and assume breach into the programmatic approach of Secure by Design, Secure by Default, and Secure Operations across Microsoft consistently, durably and at scale. In the Microsoft Security division, we are also focused on helping our customers deploy our suite of security products to protect themselves from cyber threats. We know that most of our customers are embarking on a Zero Trust journey, but many struggle with the enormity of the opportunity: where to start, what to do next, and how to measure progress.
Today, we’re thrilled to announce that customers using Rippling HCM can now automatically provision users to on-premises Active Directory and then synchronize them to Microsoft Entra ID as hybrid identities. Microsoft Entra ID and on-premises Active Directory are core components of every customer’s hybrid IT environment. To ensure the right people have access to the right resources at the right time, it’s crucial that consistent and accurate HR user profile, job profile and employment status is always available in Microsoft Entra ID. Earlier this year, we delivered API-driven user provisioning that enables HR ISVs, system integrators, and IT teams to connect any system of record with Entra ID. Rippling collaborated with Microsoft to build a native integration that enables secure and automated flow of HR user data to on-premises Active Directory. Customers can use Microsoft Entra Connect Sync or Cloud Sync to synchronize these users from on-premises Active Directory to Microsoft Entra ID.
As we’ve crossed the threshold of more than 40% of users employing multifactor authentication (MFA), we see two trends emerging. The first is that adversaries are successfully compromising a higher percentage of accounts not protected by MFA. With more lions pursuing fewer available gazelles, the gazelles face a lot more risk. In the past year, we blocked 7,000 password attacks per second, an increase of 75% YoY. The second trend is that more widespread use of MFA is forcing adversaries to find other ways to compromise MFA-protected accounts. Thus, advanced attacks like token theft (the subject of our previous blog) and Adversary-in-the-Middle (AiTM) phishing attacks (the subject of this blog) are on the rise—and are the focus of this blog series.
Rotate the Microsoft Entra Kerberos server key (1st party)
The Microsoft Entra Kerberos server encryption krbtgt keys should be rotated on a regular basis. We recommend that you follow the same schedule you use to rotate all other Active Directory DC krbtgt keys. There are other tools that could rotate the krbtgt keys. However, you must use the tools mentioned in this document to rotate the krbtgt keys of your Microsoft Entra Kerberos server. This ensures that the keys are updated in both on-premises Active Directory and Microsoft Entra ID.
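The rotation itself, as an added example (not the article's own script): the AzureADHybridAuthenticationManagement module is the supported tool, because it updates the key on the on-premises object and in Microsoft Entra ID together. The helper reads the server object before and after the rotation and fails loudly if the on-premises KeyVersion and CloudKeyVersion do not match afterwards. Run it on a domain-joined host as a Domain Admin; the cloud credential needs the role the current docs require (Global Administrator or Hybrid Identity Administrator), and for an MFA-protected account the cmdlets accept -UserPrincipalName in place of -CloudCredential.

```powershell
# Added example: rotate the Entra Kerberos server key and verify both sides agree on the new version.
Import-Module AzureADHybridAuthenticationManagement

$domain     = $env:USERDNSDOMAIN
$cloudCred  = Get-Credential -Message 'Microsoft Entra account (use -UserPrincipalName instead if MFA applies)'
$domainCred = Get-Credential -Message 'On-premises Domain Admin'

function Get-EntraKerberosKeyState {
    # KeyVersion is the on-premises copy, CloudKeyVersion the Entra ID copy; they must match after a rotation.
    $s = Get-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred
    [pscustomobject]@{
        Domain          = $s.DomainDnsName
        KeyVersion      = $s.KeyVersion
        CloudKeyVersion = $s.CloudKeyVersion
        KeyUpdatedOn    = $s.KeyUpdatedOn
        InSync          = ($s.KeyVersion -eq $s.CloudKeyVersion)
    }
}

$before = Get-EntraKerberosKeyState
if (-not $before.InSync) { throw "Object already out of sync (on-prem v$($before.KeyVersion), cloud v$($before.CloudKeyVersion)); fix that before rotating" }

Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred -RotateServerKey

$after = Get-EntraKerberosKeyState
if (-not $after.InSync -or $after.KeyVersion -le $before.KeyVersion) {
    throw "Rotation did not complete on both sides: on-prem v$($after.KeyVersion), cloud v$($after.CloudKeyVersion)"
}
$after
```

Put this on the same calendar entry as your regular DC krbtgt rotation, and do not rotate the Entra Kerberos key with any other tool: a key changed on one side only leaves cloud Kerberos trust and Entra-joined access to on-premises resources broken until the two copies agree again.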
In the past couple of weeks, I worked on a project where I needed to provide access to a securely private integrated Azure Storage Account via the Entra ID Private access profile. During this project I encountered a very interesting bug, that made me better understand the insights of how Global Secure Access works. The requirement for this setup is that access to the Storage Account was provided by using the Azure Storage Explorer application. Via this applications we needed to tunnel the data through Entra ID Private Access, and allowed it to access the private integrated Storage Account.
One of the best parts about writing, speaking, and teaching about security is when I get emails or messages from readers. I am thankful to the many people over the years who have made suggestions on how to get better at what I do, especially the ones who have pointed out mistakes or errors in thinking. In that vein, I recently got a reader email that inspired this particular column. The reader, who is the chief information officer for a large multinational insurance company, had a simple question: “… we’re starting to think more about our change and release management for conditional access policies. Do you know of any guidance on the subject? We need to flesh out an enterprise-grade approach for versioning, piloting, naming conventions, etc.” That’s a good question, but a broad one.
Information Protection and Management
The Microsoft Purview Message Encryption portal will undergo minor design updates to align with Purview branding. Microsoft will be updating fonts, colors, controls, and more. These changes are designed to enhance the user experience without causing any disruptions. Microsoft will begin rolling out the changes in mid-October 2024 and expects to complete by mid-December 2024; users will only see minor changes within the user interface (UI).
Use sensitivity labels with Microsoft Loop (1st party)
Use your sensitivity labels with Microsoft Loop to add an extra layer of protection to the Loop-related data that users create with this app. This protection extends to Microsoft 365 Copilot. Loop supports sensitivity labels at the file level, to help protect components and pages. Users can manually apply sensitivity labels that are published to them with the Files & other data assets label scope, including sensitivity labels that apply encryption configured to apply permissions now. Watermarks as a label setting are supported but not variables in the text string. Mandatory labeling and a default document label are supported as settings from a label publishing policy.
In a previous article, I explored how to use the Microsoft Graph PowerShell SDK to find mailbox items sent from specific addresses. The idea was to clean up mailboxes by removing notification emails sent by different Microsoft 365 services. This time, I explore finding messages addressed to specific recipients to discover insights about Copilot interactions. The context is very different because we’re looking through items stored in a non-IPM folder. The non-IPM folders are system folders that are not exposed to regular email clients like Outlook. However, the folders store a lot of interesting information, including compliance records generated for use by eDiscovery and other Purview compliance solutions.
Intune
Microsoft Connected Cache for Enterprise and Education (preview) is a software-only caching solution that delivers Microsoft content within enterprise and education networks. Connected Cache can be managed from the Azure portal or through Azure CLI. It can be deployed to as many Windows devices, Linux devices, or VMs as needed. Managed Windows devices can be configured to download cloud content from a Connected Cache server by applying the client policy using management tools such as Microsoft Intune.
Windows Hello for Business with Cloud Kerberos Trust: Access on-prem resources with Entra-Joined devices (3rd party)
If you’re here, you’ve probably tested the Entra-joined model of Autopilot deployment and realized that you get asked for credentials every time you try to access on-prem resources. In this post, we will walk you through the steps to configure Windows Hello for Business (WHfB) with Cloud Kerberos Trust. This setup allows Microsoft Entra-joined devices to access on-premises resources without the need to enter their credentials repeatedly.
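Checking that the trust actually works on a device, as an added example (not from the post): after the Entra Kerberos server object exists and the "Use Cloud Trust For On Prem Auth" policy has reached the device, `dsregcmd /status` should report CloudTgt and OnPremTgt as YES under SSO State, and `klist` should hold a krbtgt ticket for the on-premises realm. The first function parses the dsregcmd output so the check can be scripted; a constructed, abridged sample of that output is included so the parser can be tried without a device. The second function applies the parser on a real device and explains the most likely cause for each missing piece.

```powershell
# Added example: verify cloud Kerberos trust on a Microsoft Entra joined device.
function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $h = @{}
    foreach ($line in $Lines) {
        # dsregcmd lines look like "             OnPremTgt : YES"; keep the first colon as the separator
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.*?)\s*$') { $h[$Matches[1]] = $Matches[2] }
    }
    [pscustomobject]@{
        AzureAdJoined     = $h['AzureAdJoined'] -eq 'YES'
        AzureAdPrt        = $h['AzureAdPrt']    -eq 'YES'
        CloudTgt          = $h['CloudTgt']      -eq 'YES'
        OnPremTgt         = $h['OnPremTgt']     -eq 'YES'
        KerbTopLevelNames = $h['KerbTopLevelNames']
    }
}

function Test-CloudKerberosTrust {
    # Assumes the user signed in with Windows Hello for Business on an Entra-joined device
    $s = ConvertFrom-DsregStatus -Lines (dsregcmd /status)
    if (-not $s.AzureAdJoined) { return 'Device is not Microsoft Entra joined' }
    if (-not $s.AzureAdPrt)    { return 'No PRT: sign out and back in, check network/proxy to Entra ID' }
    if (-not $s.CloudTgt)      { return 'No cloud TGT: sign in with WHfB, and confirm the cloud trust policy applied' }
    if (-not $s.OnPremTgt)     { return 'No on-prem TGT: check the Entra Kerberos server object and line of sight to a DC' }
    # The full TGT from a DC shows up in klist as Server: krbtgt/<REALM>
    $tgt = (klist) | Where-Object { $_ -match 'krbtgt/' }
    if ($tgt) { 'OK: ' + (($tgt | ForEach-Object { $_.Trim() }) -join '; ') }
    else      { 'OnPremTgt is YES but klist shows no krbtgt ticket; run klist purge and open a share by DNS name' }
}

# Constructed sample (abridged dsregcmd /status output) to exercise the parser offline
$sample = @(
    '| Device State |',
    '             AzureAdJoined : YES',
    '| SSO State |',
    '                AzureAdPrt : YES',
    '                  CloudTgt : YES',
    '                 OnPremTgt : YES',
    '         KerbTopLevelNames : .windows.net,.windows.net:1433,.windows.net:3342'
)
ConvertFrom-DsregStatus -Lines $sample

# On a real device:
Test-CloudKerberosTrust
```

A common false negative: the user signed in with a password rather than Windows Hello for Business, which leaves CloudTgt at NO even though every server-side piece is correct.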
Strong Certificate Mapping Error with PKCS (3rd party)
Microsoft recently announced support for strong certificate mapping for Intune PKCS and SCEP certificates. Administrators are encouraged to update their Intune Certificate Connector servers and SCEP device configuration policies to support this capability as soon as possible. Organizations that use PKCS device configuration policies to deploy certificates to Intune-managed endpoints may now encounter an error message in the event log on the Intune Certificate Connector server.
If you are using Windows 10 or 11 (i.e. everyone), you are using Delivery Optimization (DO) to download all sorts of things — see Phil Wilcock’s post for a good overview of where DO is used. In an ideal world, everything would be downloaded once from the internet and then pulled from peers in the same location, but we’re not in an ideal world. There are plenty of things that can be done to improve peering. But in those cases where there are no peers, you might want another tool to help. That’s where the Microsoft Connected Cache (abbreviated to MCC) comes in. This has been included with SCCM for some time, so you could check a box to add it to a ConfigMgr distribution point, but if you weren’t using SCCM you were out of luck. Now, with the release of the preview version of a standalone version of MCC, you don’t need SCCM anymore. That said, it’s also no longer as simple as just a checkbox. The full details are in the preview documentation. Let’s start with the high-level requirements.
In this post, I’ll show you how to streamline the Out-of-Box Experience (OOBE) setup process even if you’re using Autopilot Device Preparation ( AVP2). While AVP2 is a fantastic tool for device provisioning, it doesn’t include all the customization options that Autopilot offers: Hide Privacy Settings, Software License Terms, or changing account options during OOBE. But don’t worry; I’ll walk you through how to work around this with a PowerShell script!
This week is sort of a follow-up on last week. Last week the focus was on configuring Mozilla Firefox for usage with device-based Conditional Access, while this week the focus is on configuring Google Chrome for usage with device-based Conditional Access. That is already a supported scenario for many years, but in the early days that would require the Windows Accounts extension. That, however, has changed, making it easier to configure without installing a specific extension in the browser. Nowadays, there is a setting available that can be configured to automatically sign-in user accounts backed by a Microsoft Cloud identity provider. So, that’s even easier to configure. Especially when knowing that Microsoft Intune has Google Chrome configuration options directly available via the Settings Catalog. Minor detail, however, that doesn’t contain all the available settings at this moment. That means that to facilitate the required configuration, it’s still required to work with the available Group Policy templates. This blog post will provide a brief overview of importing those settings, followed with the steps to configure the required configuration. This post will end with the user experience. For completeness this post has some overlap with last week.
How to Setup Windows Autopatch for Intune (3rd party) [VIDEO]
Have you been wondering if you should use Windows Autopatch in your organization? Today I'll show you how to set it up and what the differences are vs Windows Update for Business. Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization.
Autopilot Device Preparation: Reflection with Dean and Steve (3rd party) [VIDEO]
Autopilot Device Preparation (sometimes known as Autopilot V2, even though it's not) has been out for a few months now. For those using it, how has it been going? I was lucky enough to sit down again with Microsoft MVP (and all-around great guy) Dean Ellerby to chat about what our experience with Autopilot Device Preparation has been, share our thoughts, and have a straight-up good time.
With the October 2024 Intune update, Microsoft introduced support for strong certificate mapping for certificates issued by Intune via the Intune Certificate Connector. Enabling strong certificate mapping support in Intune is an important change for those organizations using Microsoft Intune to issue and manage certificates for their users and devices, as it resolves a critical implementation blocker. Today, DCs with KB5014754 installed will still allow authentication without strong certificate mapping. However, Microsoft has stated they will begin enforcing strong certificate mapping in February 2025, with an option to disable it via the registry. Starting in September 2025, full enforcement will be mandatory.
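To see where a domain controller stands against that timeline, here is an added PowerShell check; it is not code from the Intune release notes or from the post summarized above. It reads the StrongCertificateBindingEnforcement value under the Kdc service key that KB5014754 documents and counts the KDC events 39, 40 and 41 that flag certificates which cannot be strongly mapped. The function name and the seven-day window are my choices.

```powershell
# Added example (not from the Intune post): audit a DC's strong certificate
# mapping posture as documented in KB5014754. Run elevated on each domain controller.
function Get-StrongCertMappingState {
    [CmdletBinding()]
    param()

    # Registry value documented in KB5014754 (absent by default).
    $kdcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
    $value  = (Get-ItemProperty -Path $kdcKey -Name 'StrongCertificateBindingEnforcement' `
                -ErrorAction SilentlyContinue).StrongCertificateBindingEnforcement

    # 0 = Disabled, 1 = Compatibility (default after the update), 2 = Full Enforcement.
    $mode = switch ($value) {
        0       { 'Disabled' }
        1       { 'Compatibility' }
        2       { 'FullEnforcement' }
        default { 'NotSet (behaves as Compatibility)' }
    }

    # KDC events 39/40/41 are written in Compatibility mode for certificates that
    # could not be strongly mapped, i.e. logons that will fail once enforcement is on.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 39, 40, 41
        StartTime    = (Get-Date).AddDays(-7)   # assumed review window
    }
    $weak = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        EnforcementMode     = $mode
        WeakMappingEvents7d = @($weak).Count
        SampleEvent         = ($weak | Select-Object -First 1).Message
    }
}

Get-StrongCertMappingState | Format-List
```

A non-zero event count means those certificates, Intune-issued ones included until the October 2024 change is rolled out, will stop authenticating when Full Enforcement is switched on.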
Device Management
Windows 11, version 24H2: What’s new for IT pros (1st party)
Windows 11, version 24H2, also known as the Windows 11 2024 Update, is now available through Windows Server Update Services (WSUS) and Windows Update for Business. You can also download it from the Microsoft 365 admin center, Software Download Service (via Installation Assistant, the media creation tool, or ISO), and Visual Studio Subscriptions. Today marks the start of 36 months of support for Enterprise and Education editions of Windows 11, version 24H2. We recommend that you begin a targeted deployment in your organization now to validate that your apps, devices, and infrastructure work as expected with the new release. To help you plan, this post outlines some of the features and enhancements that help you power exceptional experiences while helping secure your corporate data, apps, and people on any device.
This article describes issues that are fixed in the update rollup for Microsoft Configuration Manager current branch, version 2403. This update applies both to customers who opted in through a PowerShell script to the early update ring deployment, and customers who installed the globally available release.
Workstations are often targeted by malicious actors using malicious websites, emails or removable media in an attempt to extract sensitive information. Hardening workstations is an important part of reducing this risk. This publication provides recommendations on hardening workstations using Enterprise and Education editions of Microsoft Windows 10 and Windows 11. Before implementing recommendations in this publication, thorough testing should be undertaken to ensure the potential for unintended negative impacts on business processes is reduced as much as possible. While this publication refers to workstations, most recommendations are equally applicable to servers (with the exception of Domain Controllers) using Microsoft Windows Server. Security features discussed in this publication, along with the names and locations of Group Policy settings, are taken from Microsoft Windows 10 version 22H2 and Windows 11 version 23H2 – some differences will exist for earlier versions.
Scripting and Automation
Some groups in Microsoft 365 have no members assigned, meaning they are empty. You can check which groups have no members, contacts, users, devices, or other objects assigned in the Microsoft admin center. However, this is time-consuming because you have to open every group and look at the members section. In this article, you will learn how to find empty groups in Microsoft 365 with PowerShell.
Email communication is vital for seamless connections with clients, customers, stakeholders, and others. However, with the constant flow of emails, many Microsoft 365 organizations risk missing critical messages due to typos or misdirected addresses. This is where a Catch-All email address comes in. Let’s see in detail what a Catch-All mailbox is and how to set it up in Microsoft 365.
As a Windows system administrator, managing Active Directory (AD) groups is probably something you do every day. While you could use the Active Directory Users and Computers (ADUC) MMC snap-in, what happens when you need to manage groups across multiple domains or automate group management tasks? That’s where PowerShell comes in handy. In this hands-on tutorial, you’re going to learn how to use PowerShell to manage AD groups like a pro. You’ll learn how to query groups, create new ones, and modify existing groups using practical real-world examples.
Recently, I was challenged to create a version of the script to monitor the assignment of sensitivity labels to Microsoft 365 groups (teams, groups, or sites, otherwise called “containers”) to use the Microsoft Graph instead of the Exchange Online management module. Groups that are assigned labels inherit a range of settings that control how the groups work, which is why this form of sensitivity labels are called container management labels. They are an excellent way of enforcing standard behavior for groups that store different kinds of information within an organization. Figure 1 shows details of a container management label as viewed through the Purview portal.
I may be late to the party, but I just found the cmdlets I need to update the properties of modern Windows event logs. The Limit-EventLog cmdlet only works with classic event logs. I want to be able to manage the size of a modern event log, the kind that lives under Applications and Services logs. To read these logs, we need to use the Get-WinEvent cmdlet, but that doesn’t let us change the properties of a log. The other cmdlet with the WinEvent noun is New-WinEvent, also not helpful. It turns out that the cmdlets we need are in the PSDiagnostics module, Get-LogProperties and Set-LogProperties. Nice.
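As an added example, not the author's code, this is how those two cmdlets fit together to manage the size of a modern log. Get-LogProperties returns a LogDetails object, you edit its MaxLogSize, and Set-LogProperties writes it back. The function name and the 256 MB target are my choices; the PowerShell operational log is used because it is one of the first logs an investigator reaches for and is often left at its small default.

```powershell
# Added example (not from the original post): raise the maximum size of a modern
# (Applications and Services) event log with the PSDiagnostics cmdlets.
# Requires an elevated session.
Import-Module PSDiagnostics

function Set-ModernLogSize {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$LogName,
        [Parameter(Mandatory)][long]$MaxBytes
    )

    # Get-LogProperties returns a LogDetails object (Name, Enabled, Type,
    # Retention, AutoBackup, MaxLogSize); Set-LogProperties accepts it back.
    $log = Get-LogProperties -Name $LogName

    if ($log.MaxLogSize -ge $MaxBytes) {
        Write-Verbose "$LogName already allows $($log.MaxLogSize) bytes; nothing to do."
        return $log
    }

    if ($PSCmdlet.ShouldProcess($LogName, "Raise MaxLogSize from $($log.MaxLogSize) to $MaxBytes")) {
        $log.MaxLogSize = $MaxBytes
        $log.Enabled    = $true   # a disabled log would otherwise stay silent
        Set-LogProperties -LogDetails $log
    }

    # Re-read so the caller sees what the system actually applied
    Get-LogProperties -Name $LogName
}

# Assumed target: the PowerShell operational log, a common forensic source.
Set-ModernLogSize -LogName 'Microsoft-Windows-PowerShell/Operational' -MaxBytes 256MB -Verbose
```

Because the function supports ShouldProcess, `-WhatIf` shows the intended change without touching the log, which is handy when running it across a fleet.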
Security Tools and Guides
MSIdentityTools (1st party)
The Microsoft Identity Tools PowerShell module provides various tools for performing enhanced Identity administration activities. It is intended to address more complex business scenarios that can't be met solely with the use of the MS Graph PowerShell SDK module. It is a collection of cmdlets that use the MS Graph SDK PowerShell module to simplify common tasks for administrators of Azure AD tenants.
Microsoft 365 Certification control spotlight: Business continuity and disaster recovery planning (1st party)
Business continuity and disaster recovery planning are two essential aspects of ensuring the resilience and reliability of any software application. Business continuity planning refers to the process of identifying and mitigating the potential threats and risks that could disrupt the normal operation of an app, such as power outages, cyberattacks, natural disasters, or human errors. Disaster recovery refers to the process of restoring the app’s functionality and data after a disruption, using predefined procedures and backup resources. App developers need to have a comprehensive business continuity and disaster recovery strategy in place to ensure that their apps can withstand and recover from any unforeseen event and minimize the impact on their customers and stakeholders.
Some time ago, I stumbled upon an excellent post by Red Canary that introduced a clever method to prevent users from accidentally executing malicious scripts. They suggested changing file associations so that when users double-click on scripts, they open in Notepad instead of running. While their approach is insightful, I noticed that applying their method domain-wide through Group Policy wasn’t as straightforward as it could be. After searching around and not finding a straightforward guide on implementing this across an entire Active Directory domain, I decided to put together this post. Changing default file associations to block script execution is one of the safest policies you can apply, and it can significantly reduce the risk of users unintentionally running malicious scripts.
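As an added example rather than the post's or Red Canary's own code, here is the machine-wide variant of that change in PowerShell, with a check to confirm it took. It rewrites the shell\open\command value of the script ProgIds under HKLM\SOFTWARE\Classes so a double-click launches Notepad with the file as its argument. The ProgId list, the function names and the Notepad path are my assumptions; the same values can be pushed domain-wide as Group Policy Preferences registry items.

```powershell
# Added example (not the post's or Red Canary's code): make double-clicked
# script files open in Notepad instead of executing. Run elevated.

$notepad     = Join-Path $env:SystemRoot 'System32\notepad.exe'
$safeCommand = "`"$notepad`" `"%1`""

# ProgIds that Explorer resolves script extensions to (.js -> JSFile, .vbs -> VBSFile, ...).
# Assumed list; extend it to match the extensions in scope for your domain.
$scriptProgIds = 'JSFile', 'JSEFile', 'VBSFile', 'VBEFile', 'WSFFile', 'WSHFile'

function Get-ScriptOpenCommand {
    param([Parameter(Mandatory)][string]$ProgId)
    $key = "HKLM:\SOFTWARE\Classes\$ProgId\shell\open\command"
    (Get-ItemProperty -Path $key -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
}

function Set-ScriptOpensInNotepad {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$ProgIds = $scriptProgIds)

    foreach ($id in $ProgIds) {
        $key = "HKLM:\SOFTWARE\Classes\$id\shell\open\command"
        if ((Get-ScriptOpenCommand -ProgId $id) -eq $safeCommand) { continue }   # already done
        if ($PSCmdlet.ShouldProcess($id, "Set open command to Notepad")) {
            New-Item -Path $key -Force | Out-Null          # creates the key if absent
            Set-ItemProperty -Path $key -Name '(default)' -Value $safeCommand
        }
    }
}

function Test-ScriptOpensInNotepad {
    # One row per ProgId so the output doubles as a compliance report
    foreach ($id in $scriptProgIds) {
        $cmd = Get-ScriptOpenCommand -ProgId $id
        [pscustomobject]@{
            ProgId  = $id
            Command = $cmd
            Safe    = ($cmd -like '*notepad.exe*')
        }
    }
}

Set-ScriptOpensInNotepad
Test-ScriptOpensInNotepad | Format-Table -AutoSize
```

Two caveats when validating: a per-user UserChoice entry under HKCU\...\Explorer\FileExts can override the machine ProgId, so test with a standard user account as well as an administrator; and this only changes what a double-click does, so wscript.exe or cscript.exe invoked with the file as an argument still runs it, which is why the post presents it as a guard against accidental execution rather than as an execution policy.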
Windows Baseline Logging (3rd party)
When people ask what their baseline configuration should be, in terms of logging, I feel like it often gets answered with general advice regarding knowing your environment, having different configurations for file servers vs domain controllers, etc. This is true advice, but not particularly helpful. You might not know your environment. Maybe you're in the first IT or security role the company has ever had. Everyone needs to start somewhere; this is my attempt at putting together something that can be deployed to any server and/or workstation and -then- tweaked as needed. Because this is so broad, it's not going to be perfect. I've tried to turn on things that would be important for intrusion monitoring or investigation without flooding event logs. If I've missed something important, please comment or send me a message. I can't promise to include it, but it would be good for people to know. I may do a future article with what events and logs you should centrally collect.
Security News
Apple wants to shorten SSL/TLS security certificates' lifespans, down from 398 days now to just 45 days by 2027, and sysadmins have some very strong feelings about this "nightmarish" plan. As one of the hundreds that took to Reddit to lament the proposal said: "This will suck. My least favorite vendor manages something like 10 websites for us, and we have to provide the certs manually every time. Between live and test this is gonna suck." The Apple proposal, a draft ballot measure that will likely go up for a vote among Certification Authority Browser Forum (CA/B Forum) members in the upcoming months, was unveiled by the iThings maker during the Forum's fall meeting.
Researchers have observed a new campaign delivering malware through a fake CAPTCHA — a test used on websites to distinguish between humans and bots. The attackers essentially are exploiting web users’ instincts to quickly click through verification tools. This latest example, according to researchers at the Russian cyber firm Kaspersky, primarily victimizes people through online ads, as well as adult sites, file-sharing services, betting platforms, anime websites and web apps that monetize traffic. Previous reports identified an earlier version of the operation, though these efforts primarily targeted gamers by distributing information-stealing malware on websites hosting cracked games.
The cybersecurity giant published an advisory on November 8, urging customers to ensure that access to the PAN-OS management interface is secured, in light of claims about a remote code execution vulnerability. Palo Alto Networks initially said it had not seen any indication of a zero-day being exploited, but on Friday it updated its advisory to say that it “has observed threat activity exploiting an unauthenticated remote command execution vulnerability against a limited number of firewall management interfaces which are exposed to the Internet”. It’s still unclear how the vulnerability came to light, who has exploited it, and who has been targeted in the attacks.
Pacific Rim: Inside the Counter-Offensive—The TTPs Used to Neutralize China-Based Threats (3rd party)
For more than five years, Sophos has been investigating multiple China-based groups targeting Sophos firewalls, with botnets, novel exploits, and bespoke malware. With assistance from other cybersecurity vendors, governments, and law enforcement agencies we have been able to, with varying levels of confidence, attribute specific clusters of observed activity to Volt Typhoon, APT31 and APT41/Winnti. Sophos X-Ops has identified, with high confidence, exploit research and development activity being conducted in the Sichuan region. Consistent with China’s vulnerability disclosure legislation, X-Ops assesses with high confidence that the developed exploits were then shared with multiple distinct state-sponsored frontline groups with differing objectives, capabilities, and post-exploitation tooling.
A new phishing campaign dubbed 'CRON#TRAP' infects Windows with a Linux virtual machine that contains a built-in backdoor to give stealthy access to corporate networks. Using virtual machines to conduct attacks is nothing new, with ransomware gangs and cryptominers using them to stealthily perform malicious activity. However, threat actors commonly install these manually after they breach a network. A new campaign spotted by Securonix researchers is instead using phishing emails to perform unattended installs of Linux virtual machines to breach and gain persistence on corporate networks.
In November 2023, a security vendor discovered that North Korean threat actors were using the Contagious Interview and WageMole campaigns to procure remote employment opportunities in Western countries, thus evading financial sanctions against North Korea (DPRK). The Contagious Interview campaign focuses on stealing data, while WageMole uses that stolen data, along with other social engineering techniques, to help these threat actors land remote jobs. Zscaler ThreatLabz recently discovered how the threat actors have continued to update their Contagious Interview campaign tactics by improving the obfuscation of their scripts with advanced techniques and dynamic loading. The threat actors also expanded their arsenal by supporting both Windows and macOS application formats in their infection chains, while keeping their core capabilities intact. By monitoring the installed BeaverTail (JavaScript) and InvisibleFerret (Python) scripts, we confirmed that the attackers stole source code, cryptocurrency data, and personal information from victims. The threat actors managed to infect over 100 devices across multiple operating systems within a short time. In this blog, we’ll dive into the improvements made to Contagious Interview scripts, the new formats that are now supported, and share exclusive insights into the campaign’s victims.
The company recently came across claims regarding a previously unknown remote code execution vulnerability in its PAN-OS operating system. A security advisory published by the company on November 8 urged customers to ensure that access to the PAN-OS management interface is secured, but said there had been no indication of a zero-day being exploited in attacks. However, the advisory was updated on November 15 to inform customers that the cybersecurity giant had started seeing exploitation of a critical unauthenticated remote code execution vulnerability against a limited number of firewalls that had the PAN-OS interface exposed to the internet.
The U.S. Federal Bureau of Investigation (FBI) has sought assistance from the public in connection with an investigation involving the breach of edge devices and computer networks belonging to companies and government entities. "An Advanced Persistent Threat group allegedly created and deployed malware (CVE-2020-12271) as part of a widespread series of indiscriminate computer intrusions designed to exfiltrate sensitive data from firewalls worldwide," the agency said. "The FBI is seeking information regarding the identities of the individuals responsible for these cyber intrusions." The development comes in the aftermath of a series of reports published by cybersecurity vendor Sophos chronicling a set of campaigns between 2018 and 2023 that exploited its edge infrastructure appliances to deploy custom malware or repurpose them as proxies to fly under the radar.
Chinese threat actors use a custom post-exploitation toolkit named 'DeepData' to exploit a zero-day vulnerability in Fortinet's FortiClient Windows VPN client and steal credentials. The zero-day allows the threat actors to dump the credentials from memory after the user has authenticated with the VPN device. Volexity researchers report that they discovered this flaw earlier this summer and reported it to Fortinet, but the issue remains unfixed, and no CVE has been assigned to it.
(1 week ago) Thanks for your time and dedication to this, Ryan Parsons! 52 weeks strong!