Tag Archives: Windows

Enhancing Apple Device Management With Microsoft Intune

Posted on by
1

The technology that we have available to us today intends to make the user experience as smooth as possible. With increasing cybercrime causing headaches for plenty of businesses, the need to constantly improve continues. Security protocols and device management are very high priorities for every organization.

One area that plays a significant role in improving any organization’s security posture is identity management. The best solutions on the market offer a seamless user experience that can improve how users interact with their devices.

It’s always interesting to look at how products and services from different organizations can combine. Ideally, separate brands fuse the best of what they each have for the benefit of their customers. It’s with this in mind that we want to look at how Microsoft Intune and Apple Identity Services do something similar. Both are bringing great solutions to their clients to improve security, as well as secure the user experience.

Microsoft Intune has a lot to offer

As we all know, Intune is a fantastic endpoint management solution. It simplifies app and device management across your various devices. This can include mobile devices, desktop computers, and virtual workstations.

So, it’s perfectly understandable why Intune is such a popular solution for many organizations. It’s a platform that is not only for Windows devices, but it also works brilliantly to improve Apple device management.

Your security will immediately improve because Intune ensures your macOS software is up to date. It then minimizes vulnerabilities by reducing manual tasks. Customers can expect a native macOS software update client experience, as well. This is because of how system update policies for macOS in Intune are built on Apple’s MDM commands. By implementing measures such as these, Intune helps you to reduce the overall attack surface of your business.

SIMPLIFIED APP MANAGEMENT

Another thing you can look forward to is doing away with the trouble of app conversion. This is because Intune is introducing a new application deployment service. Additionally, this new service leverages the Intune MDM agent to install, monitor, and report DMG-type applications. This ability will enable you to deploy in-place DMG app upgrades. It’s also capable of reducing some of the burden on IT staff while also making tasks easier.

In addition to this, Microsoft has been working on a solution that will simplify the deployment of apps. It will do so with custom scripts and apps that are unsigned. This new option, which leverages the Intune MDM agent to deploy PKG-type installers, is going to improve flexibility and customization. But, even with these changes being made, Microsoft has assured its customers that support for the native PKG-type app management experiences for macOS will continue.

ENHANCED USER EXPERIENCE

The provision of a consistent onboarding experience for all Apple devices is a top priority to enhance the experience for all users. Intune will be leaning on the Just-In-Time (JIT) macOS/iPadOS enrollment experience. This simplifies the Mac device onboarding process for users with corporate-owned devices.

Once enrollment finalizes, users can log in on the Enterprise Single Sign-On extension. From there, you can establish SSO across Azure AD-enabled apps and use their Azure AD password to log on to their Mac.

Coupled with the consistent onboarding experience, Intune is also determined to speed up the iOS enrollment process. Because of what the JIT functionality can offer, the iOS Company Portal app will no longer be necessary for AAD registration.

We’ll see a move towards web-based device enrollment, which is going to offer a swifter end-to-end enrollment process. This is a result of the reduced need to switch back and forth between the apps in addition to fewer authentication steps.

EFFICIENT DEVICE MANAGEMENT

Microsoft has also been working on a solution that supports local administrator account and local primary account creation during macOS ADE. This will allow customization of local administrator settings within new and existing macOS enrollment profiles for devices enrolling with user-device affinity.

A couple of years back, Microsoft Intune announced support for Declarative Device Management (DDM). Intune also extended DDM to the macOS settings catalog.

Arguably, one of the best things about DDM is how it can easily co-exist with the standard MDM protocol. It does so without negatively affecting the end-user experience. Customers can send the policies they have created in the settings catalog as well as DDM-based policies to DDM-enabled devices. They can also send the standard MDM-based policy to those devices using the older protocol.

Apple Identity Services

One of the things that have helped Apple distinguish itself over the years is excellent data and device security. In a world where nefarious actors are constantly attempting to exploit device vulnerabilities, businesses need solutions to safeguard their data. With Apple Identity services, your organization will get a product that can securely manage usernames and passwords.

The first measure we’ll talk about is authentication. This action refers to the process of verifying the identity of a user. Apple uses several authentication methods, such as single sign-on. Apple also provides for services, like personal Apple ID, Managed Apple ID, iCloud, iMessage, and FaceTime.

Once authentication measures verify the identity of a user, you then have authorization. This determines precisely what users are allowed to do. For this process, you need to provide a username and a password to an identity provider (IdP).

Essentially, what you have is an identity provider that functions as the authority. The username and password are also the assertion. Together with authentication and authorization, we can also talk about identity federation.

This process will establish trust between two parties and authenticate users. The result enables the linking of a user’s identity across multiple separate identity management systems. The identity federation process can only work effectively if admins set up domains that trust each other. And there also needs to be a single method to identify users.

Enhancing Authentication with Platform Single Sign-On

Users constantly need the services they use to improve so that they can better interact with technology and work more efficiently. In light of this, Apple saw it fit to introduce Platform Single Sign-On, which represents the evolution of authentication protocols.

This solution is replacing Active Directory, binding and simplifying life for users by requiring them to sign in only once. This is possible because, upon a successful user login, the local account credentials synchronize with the IdP. And it allows the user access to various other resources without needing to enter their password again. Platform SSO supports several authentication methods with an identity provider (IdP):

  • Password and encrypted password
  • Password with WS-Trust
  • User secure enclave key
  • SmartCard

New local user accounts are set up on demand by Platform SSO (PSSO) at the login window using IdP credentials. The service can also integrate IdP group membership with macOS. And in addition to this, network accounts can be used for authorization, and groups may also authorize network accounts.

Authentication

As new users go through the authentication process using credentials from their organization’s IdP, they can now have new local user accounts automatically created by macOS. The benefits of this to your organization are several, including:

  • Better user experience – time is of the essence. And with a setup like this, new users won’t require pre-configured accounts, therefore allowing them a much swifter start. As one can imagine, this makes it an excellent solution in environments where device sharing is required.
  • More robust security – the use of user-unique credentials helps to significantly strengthen your organization’s security when users access their devices. Not only that, but the uniqueness of these credentials makes it easier to keep track of all users’ access and activities.
  • Lighten the burden on IT – most of us are aware of how taxing the manual tasks that IT staff have to undertake can be. So, this solution brings automation to the user creation process will undoubtedly be gladly welcomed by IT staff. No longer will IT pros have to go through the tedious process of manually setting up accounts for each new user.

REQUIREMENTS FOR LOCAL ACCOUNT CREATION

But, before moving ahead, you should know that there are a few requirements. Your organization needs to meet the following for you to take advantage of local account creation.

  • UseSharedDeviceKeys – to enable this, you’ll need to use a shared device key that enables the device to have a trusted connection to the Entra ID, regardless of the user.
  • Connectivity with the Identity Provider – your device should be able to connect to your Entra ID. Without this connection being established, authentication of user credentials won’t be possible neither will the user be able to be authorized to access the device.
  • Device State – Login Window with FileVault Unlocked – the device in question should be at the login window, and you also need to ensure that the FileVault is unlocked. The importance of this state is that it establishes that the device is secure while simultaneously verifying its readiness to set up a new user account when authentication has been successfully completed.
  • MDM Support for Bootstrap Tokens – ensure that Bootstrap Tokens are supported by the MDM system. These tokens are integral to the delivery of a seamless user experience within a highly secure environment. This becomes even more evident in situations that require the creation of new user accounts on macOS devices.
  • User Authentication – as soon as you have met all the requirements, users can then begin the authentication process using their Entra ID username and password or a SmartCard.
  • Assignment of User Permissions – the Identity Provider groups will determine the assignment of post-authentication, user permissions.
  • Defining Access Levels through MDM Profiles – to ensure organizational security of the highest standard, all newly created accounts should have their access levels carefully defined. Intune profiles will play a central role during this process and are responsible for determining which users have standard user permissions, administrator privileges, or permissions based on their group membership in Entra ID.

Creating extensions that support platform SSO

Performing single sign-on with an identity provider requires the creation of an SSO extension to support PSSO and implement the required functionality. Additionally, you need to specify the grant types that the extension and IdP support. In macOS 14.0 and later, implement supportedGrantTypes() and return:

Password: password

Secure enclave key, SmartCard, and encrypted password: jwtBearer

WS-Trust: saml1_1 or saml2_0

For PSSO 2.0, there will be a new key service for SSO extensions and IdPs. This is going to allow for an alternative registration flow and additional login configuration. Before you can use it, however, there is a need to implement protocolVersion() in the extension and return ASAuthorizationProviderExtensionPlatformSSOProtocolVersion.version2_0 to indicate that the extension and the IdP server support PSSO 2.0. To complete this section, you need to enable a ticket-granting ticket with Kerberos SSO extension, as well as use diagnostics to iterate on the configuration during development.

REGISTRATION OF USERS AND DEVICES

After creating an SSO extension, there are a few steps to follow to register devices and users with an identity provider, and it’s the PSSO that calls the extension to perform these steps. The extension will first register a device before registering users on that same device. Your SSO extension needs to implement the ASAuthorizationProviderExtensionRegistrationHandler protocol to support registration.

  • Device registration

The SSO extension will use the following to register a device:

beginDeviceRegistration(loginManager:options:completion:)

Furthermore, the extension will need to:

  • Register the device with its associated IdP.
  • Provide the login configuration to Platform SSO.
  • Execute the completion handler.
  • User registration

Successful device registration completes with the following result:

ASAuthorizationProviderExtensionRegistrationResult.success

Once complete, the SSO extension should then proceed with user registration through:

beginUserRegistration(loginManager:userName:method:options:completion:)

The system is designed such that all users on a device will need to use the login configuration, and this also includes when the system creates new users during login. In situations where shared keys are being used, user registration will only begin for each subsequent user on the device. Therefore, when new users are created during login, they will be prompted to start registration when they reach the desktop.

After completion of the registration process, the SSO extension is required to call the completion handler. Following this, the users need to authenticate using the new configuration, which can use platform SSO immediately.

Finally, if the extension supports the PSSO 2.0 protocol methods and the system uses password authentication, a new key will be provisioned by the key service and linked to the user account.

Microsoft introduces Platform SSO for macOS

In 2023, Microsoft announced Platform SSO for macOS. This feature is meant to be an enhancement that will give users of macOS devices a more seamless experience with even better security. What users can expect from this is a solution that enables them to use Touch ID to unlock their device and thereby eliminate the need to enter a password.

Users will then be signed into Entra ID under the hood with a device-bound cryptographic key. Because of the use of phishing-resistant credentials, your business can save money by removing the need for security keys or other hardware.

Adding to user convenience will be the fact that after signing in, the existing Microsoft Enterprise SSO plug-in ensures that you remain signed into the apps you use for work.

However, there is an alternative for those who may not yet be ready to completely remove passwords from Entra ID sign-ins. In this scenario, Platform SSO for macOS allows you to synchronize local account passwords with Entra ID passwords so that users can use one credential across their macOS devices. Furthermore, Platform SSO for macOS will enable administrators to configure the end-user authentication method.

The admins can then set up a phishing-resistant credential or a traditional password as the authentication method. You can easily prepare your business for Platform SSO for macOS by taking the steps given below:

  • Deploy the Microsoft Enterprise SSO plug-in.
  • Ensure that users are registered for Microsoft Entra ID multifactor authentication, and for the best experience, Microsoft Authenticator is recommended for this process.
  • Update macOS devices to macOS 13 (Ventura) or later.

Microsoft Enterprise SSO plug-in for Apple devices

Using the Microsoft Enterprise SSO plug-in for Apple devices, clients will get single sign-on for Microsoft Entra accounts on macOS, iOS, and iPadOS. And they can do so across all applications that support Apple’s enterprise single sign-on feature. Probably the biggest advantage of this plug-in is that it enables SSO for older applications that are integral to your business operations but don’t have support for the latest identity protocols.

To ensure that users would get the best possible experience, the final product that we get resulted from the efforts of both Microsoft and Apple working together. At the moment, you can get the Enterprise SSO plug-in as a built-in feature of Microsoft Authenticator (iPadOS, iOS) and Microsoft Intune Company Portal (macOS).

WHAT FEATURES DO YOU GET?

The Microsoft Enterprise SSO plug-in for Apple devices comes with several attractive features, including:

  • Single sign-on for Microsoft Entra accounts for all apps that support the Apple Enterprise SSO feature
  • Supported in both device and user enrollment, and you can use any mobile device management service of your choice to enable it.
  • Available for applications that don’t yet use the Microsoft Authentication Library (MSAL).
  • Also offers SSO to apps that use OAuth 2, OpenID Connect, and SAML.
  • End-users can be assured of a smooth experience when the Microsoft Enterprise SSO plug-in is enabled because of how it is integrated with the MSAL.

REQUIREMENTS

Device RequirementsiOS RequirementsmacOS Requirements
The device must support and have an installed app that has the Microsoft Enterprise SSO plug-in for Apple devices:   iOS 13.0 and later: Microsoft Authenticator appiPadOS 13.0 and later: Microsoft Authenticator appmacOS 10.15 and later: Intune Company Portal app   Devices should be enrolled in MDM.   Because Apple requires this security measure, configuration needs to be pushed to the device to enable the Enterprise SSO plug-inDevices need to have iOS 13.0 or higher.   Devices will also require a  Microsoft application that provides the Microsoft Enterprise SSO plug-in for Apple. The app in question is the Microsoft Authenticator app.Devices need to have macOS 10.15 or higher.   Devices will also require a  Microsoft application that provides the Microsoft Enterprise SSO plug-in for Apple. The app in question is the Intune Company Portal app.

HOW DOES THE SSO PLUG-IN WORK?

As mentioned before, this plug-in came about because of the efforts of both Microsoft and Apple. So, it’s not too surprising that the plug-in is reliant on the Apple Enterprise SSO framework. Once an identity provider has joined this framework, it can intercept network traffic for its domain as well as modify how those requests are managed. Native applications will also be able to implement custom operations and communicate directly with the SSO plug-in.

Wrap up

The integration of products and services from different tech companies can provide countless benefits for customers. End-user experiences will improve, businesses will get better value for their investment, and tech companies can ensure that their customers get the best possible solutions.

This is why Microsoft Intune has been working with Apple to improve the user experience for Apple device users. Intune wants to be able to offer organizations excellent device management solutions across all devices regardless of preferences.

So, whether you want to use Windows devices or Apple devices, you should be getting great device management options. We all know about Apple Identity Services and how those protocols have given Apple devices the high-level security they have.

Therefore, the fact that Intune measures can co-exist with Apple Identity Services can only be a good thing for customers because this will ultimately strengthen overall security even further, as well as provide a better user experience.

Microsoft Dev Box – Optimizing Developer Productivity

Posted on by
1

We have all witnessed the impressive speed at which software has been developing during the last few decades. Businesses and individuals alike now have multiple solutions available to them enabling them to enhance productivity in ways that were previously not possible.

As one would expect, this can only mean great things for the future. Developers, however, have dealt with tremendous hardware challenges and onboarding issues creating stumbling blocks for the work they are trying to do. These problems are precisely what Microsoft is trying to address with the introduction of the Microsoft Dev Box.

By providing high-powered workstations in the cloud, developers can up their game and produce better work. In this article, we’ll go over what this product is and why it’s a potential game-changer.

Introducing Microsoft Dev Box

The Microsoft Dev Box is a new Microsoft product that utilizes the existing Windows 365 infrastructure to stream secure and ready-to-code developer workstations on demand. By now, most will be familiar with the Windows 365 Cloud PC. Additionally, most appreciate how it enables businesses to optimize their operations using highly secure virtual PCs.

So, it makes perfect sense that Microsoft Dev Box would leverage the infrastructure that has already proven successful. The cloud workstations that developers will get are what are known as dev boxes.

You can easily use tools, source coding, and prebuilt binaries specific to a project to configure these dev boxes. And it is because of this type of functionality that users can begin work as quickly as possible.

As far as images go, you’ll have the option of creating a customized one or using a preconfigured one from Azure Marketplace, complete with Visual Studio already installed. Depending on the unique needs of developers, they can use multiple dev boxes for their day-to-day workflows. Accessing these dev boxes is easy and similar to other virtual desktops such as the Cloud PC. So, all you need is a remote desktop client or a web browser.

Requirements

As with any other product or service, those interested in using Microsoft Dev Box will need to meet a few requirements. Each user needs to have a license for Windows 11 Enterprise or Windows 10 Enterprise, Microsoft Endpoint Manager, and Azure Active Directory P1.

Although clients can obtain these independently, you will also find these licenses included in Microsoft 365 F3, Microsoft 365 E3, Microsoft 365 E5, Microsoft 365 A3, Microsoft 365 A5, Microsoft 365 Business Premium, and Microsoft 365 Education Student Use Benefit subscriptions.

Key Components of Dev Box

In this section, we’ll be going over the key components of Microsoft Dev Box that you should know. These will help you to set up Dev Box correctly, allowing you to get the best out of it.

DEV CENTER

When we talk of a dev center, we are referring to a set of projects that will all need the same settings. Dev centers enable platform engineers to use dev box definitions for the effective management of the images and the SKUs available to the projects.

Furthermore, these engineers will be able to use network connections to configure the networks that the development teams consume. Dev centers are also used by Azure Deployment Environments to organize resources. Your business can use the same dev center for both services.

PROJECT

When it comes to the Dev Box service, a project is a team function within the organization. And each project is a collection of pools. Moreover, each pool represents a region or workload.

Once a dev center and a project link, all the settings at the dev center level apply to the project automatically. It’s important to note, however, that a project can only be linked to a single dev center.

Dev managers can configure the dev boxes available for any project by specifying the dev box definitions that are appropriate for their workloads. For developers to create their own dev boxes, they need access to projects for developers.

And you can do this by assigning the Dev Box User role. The projects for Deployment Environments, as well as those for Dev Box resources, can be configurable in the same dev center.

DEV BOX DEFINITION

A dev box definition suggests a source image and size, including both compute size and storage size. It’s here you’ll have the freedom to select a source image from Azure Marketplace. Or choose a custom image from your own Azure Compute Gallery instance. Additionally, you’ll be able to use dev box definitions from across multiple projects in a dev center.

NETWORK CONNECTION

IT admins and platform engineers will need to configure the preferred network they use for dev box creation with their organization’s various policies as a guideline. Network connections store configuration information, such as Active Directory join type and virtual network. The dev boxes use the network to connect to network resources. You will also need to choose an Active Directory join type when creating a network connection and the options are as follows:

  • Use native Microsoft Entra ID for scenarios, where your dev boxes only need to connect to cloud-based resources.
  • Alternatively, use hybrid Microsoft Entra ID, when your dev boxes seek to connect to on-premises resources and cloud-based resources.

AZURE REGIONS FOR DEV BOX

Every business needs to start by selecting the most ideal region before proceeding with setting up Dev Box. In cases when your region of choice may not be available for Dev Box, it would be a good idea to select a region within 500 miles. You must specify a region for your dev center and projects. You’ll mostly realize that these resources are in the same region as your primary office or IT management center.

The region for a dev box will be determined by the region of the virtual network specified in a network connection. The service allows you to create multiple network connections, based on the areas where you support developers.

After doing that, you can leverage those connections when you’re creating dev box pools so that dev box users create dev boxes in a region close to them. According to Microsoft, opting for a region close to the dev box user is what will allow you to get the best experience.

DEV BOX POOL

A dev box pool simply refers to a group of dev boxes that are going to be managed together and to which similar settings will be applied. To enhance productivity, as well as working conditions, your business can create multiple dev box pools. These support the needs of hybrid teams that work in different regions or on different workloads.

DEV BOX

Dev boxes are preconfigured workstations that have been designed to be created through the self-service developer portal. Getting set up and starting work can happen immediately. This is because new dev boxes come with all the tools, binaries, and configurations that developers need.

And for those looking to work on multiple workstreams, you can easily create and manage multiple dev boxes. Users will have control over their own dev boxes. And if the need arises they can create more. But, once you’re done using them, you can then delete them.

Pricing table

  SKUPricing per Dev Box instance Max Monthly Price  Hourly Compute  Monthly storage
8 vCPU, 32 GB RAM, 256 GB Storage        $138.20$1.49$19
8 vCPU, 32 GB RAM, 512 GB Storage$157.20          $1.49$38
8 vCPU, 32 GB RAM, 1024 GB Storage$195.20$1.49$76
8 vCPU, 32 GB RAM, 2048 GB Storage$271.20$1.49$152
16 vCPU, 64 GB RAM, 256 GB Storage$257.40$2.98$19
16 vCPU, 64 GB RAM, 512 GB Storage        $276.40$2.98$38
16 vCPU, 64 GB RAM, 1024 GB Storage$314.40$2.98$76
16 vCPU, 64 GB RAM, 2048 GB Storage$390.40$2.98$152
32 vCPU, 128 GB RAM, 512 GB Storage$514.80$5.96$38
32 vCPU, 128 GB RAM, 1024 GB Storage$552.80$5.96$76
32 vCPU, 128 GB RAM, 2048 GB Storage$628.80$5.96$152

Why should you consider Dev Box?

SIMPLIFIED INTEGRATION

One concern that organizations may rightly have involves integration. Companies want to know how they will integrate Dev Box into their already existing infrastructure. However, there should be no cause for concern. Microsoft’s design allows the Dev Box to fit seamlessly with whatever development infrastructure your business may be using.

Your development teams can deploy dev boxes perfectly tailored to the precise and unique needs of your business. If you’re already familiar with the Microsoft ecosystem, and are using tools such as Microsoft Intune or Azure, then Dev Box will be an excellent addition. It will fit well into your workflow.

EASY TO SET UP

Again, on-boarding issues and hardware limitations often pose a problem for developers. This is why the convenience that Dev Box offers can make such a profound impact. Microsoft gives you pre-configured workstations that are available on-demand to meet your needs for various projects.

Dev boxes are configurable with all the key tools that developers need. This enables them to immediately begin work on assigned projects while foregoing the often time-consuming task of setting up a development environment.

ACCESSIBILITY

Cloud-based solutions enable businesses with staff all across the globe to maintain high levels of productivity. Dev Box can offer region-specific workstations that give developers a high-level experience wherever they may be.

Any new developers you want to bring on can onboard in minutes, rather than days because of project-based configurations. And this can be done on any device, running on just about any operating system. This level of accessibility can raise the ceiling for what your organization may have previously considered possible.

COMPATIBILITY

The ease of setting up dev boxes will also make it a cost-effective solution. Similar to using Windows 365 Cloud PCs, users don’t need to purchase new devices or worry about the operating systems they use. Therefore, whether you are on a PC or tablet, you’ll still get to use your favorite productivity software and custom line-of-business tools.

HIBERNATION

Every business wants to ensure that it can get the most from the available products and services while minimizing costs. Therefore, one of the most common things you’ll see businesses do to keep costs down is to shut down idle VMs to avoid paying for unused compute.

While this may help to reduce operating expenses, it has the disadvantage of shutting down developers’ workstation VMs overnight meaning that when they begin work in the morning they need to start by reopening all their tools. Fortunately, this is one of the issues that Dev Box is addressing

The availability of a hibernation feature will enable you to hibernate 8 and 16 core dev boxes so that when you resume a dev box, your apps, and work are exactly as you left them. This feature is designed to enable admins to schedule hibernations for the end of the work day in a specific region as well as be able to configure dev boxes to hibernate after a user disconnects. To provide greater control, a dev box can always skip an upcoming hibernation from the notifications that appear.

Using Microsoft Dev Boxes

There are various scenarios that Microsoft has provided for which businesses can use their dev boxes. These scenarios are as follows:

PLATFORM ENGINEERING SCENARIOS

With Dev Box, platform engineering teams can allocate the appropriate dev boxes according to the various users’ workloads. The platform engineers can:

  • Create dev box pools, add appropriate dev box definitions, and ensure that access is offered only to dev box users who are working on those specific projects.
  • Leverage auto-stop schedules to control costs.
  • Define the network configuration, which is responsible for determining the region where the dev box is created.
  • Assign the built-in Dev Box User role to grant access to development teams and enable them to self-serve dev boxes.

IT ADMIN SCENARIOS

Here IT admins will be able to manage dev boxes similar to other devices on your network:

  • There is automatic enrollment of Dev boxes in Intune. Management of dev boxes can be done through the Microsoft Intune admin center.
  • Keep all Windows devices up-to-date by using expedited quality updates within Intune to deploy zero-day patches across your organization.
  • Users can minimize downtime because they can be helped to get back up and running on new dev boxes if their dev boxes get compromised and need isolation.

With cloud solutions, security is always of great concern and so Dev Box offers access in a secure environment. Access controls in Microsoft Entra ID organize access by project or user type:

  • Join dev boxes natively to a Microsoft Entra ID or Active Directory domain.
  • Ensure that users are required to connect via compliant devices by setting conditional access policies.
  • Requires multifactor authentication at sign-in.
  • Configures risk-based sign-in policies for dev boxes that access sensitive source code and customer data.

DEVELOPER TEAM LEAM SCENARIOS

Developer lead teams can begin to help with the management of the project once they have been assigned the DevCenter Project admin role. Project admins can create dev box pools as well as add appropriate dev box definitions. Additionally, they can also leverage auto-stop schedules to control costs.

DEVELOPER SCENARIOS

If your business has development teams spread across the globe then Dev Box can enable them to create their own dev boxes within their closest region. Developers don’t need to wait for admin teams meaning that they can create dev boxes at their convenience.

And once that’s done, users can access their workstations on any device regardless of operating system. Dev Box offers support to any developers who may be working on several projects. To efficiently handle multiple workloads, projects, or tasks, developers can create and utilize separate dev boxes.

From a predefined pool, developers can take advantage and create multiple dev boxes if the need arises and they can later delete them when the work is complete. Not only that, but the service allows your business to define dev boxes for different roles on a team. So for instance, you can enable full-time developers to have greater control by setting up dev boxes with admin rights while simultaneously restricting permissions for contractors.

The developer experience

One of the best things about the Dev Box experience is how developers can take advantage of the available tools to better streamline their work processes. Because of the ease with which you can create secure, ready-to-code workstations, users can easily move between their primary, secondary, and tertiary machines.

When starting on a new project, developers will often want to quickly get up to speed without wasting time waiting on configuration processes. Dev boxes can be preloaded with settings, tools, source binaries, as well as caches that you need.

Moreover, running in Azure also comes with its own benefits. Not only can you access the resources and services that are needed in the cloud, but you’ll also have the option to connect on-premises resources such as file shares and databases.

Handling various tasks and workloads doesn’t have to be so difficult when you can switch between dev boxes allowing you to work more efficiently. Most of us have strong preferences when it comes to the devices we use so developers will certainly like the fact that they can use any device.

You’ll find that there are native clients for Windows and macOS and to mobile platforms like Android and iOS. And when it comes to which browsers you can use for access, most people with modern browsers should have no issues. Your IT admins will also be happy that Dev Box enables them to easily manage their environments while keeping them secure and up-to-date.

What about security?

The information we’ve gone over tells us that Microsoft Dev Box has a lot to offer businesses. But, if you’re an IT admin, you’ll probably be wondering about security measures to protect your organization. Not surprisingly, this is well covered by Microsoft.

The management of dev boxes will be similar to that of any other cloud-to-PC that uses Windows 365 or any other device that uses Microsoft Endpoint Manager. Admins can maintain the standards that their organization requires by ensuring that all standard apps and management tools are installed like any other enrolled device.

All your company’s policy settings will get deployed, meaning that they constantly receive Windows updates that keep them up-to-date.

As you develop your network connections, you can join dev boxes natively, right to your Azure Active Directory, or even to a hybrid Azure Active Directory domain. You can leverage the tools that you’re already familiar with and set up conditional access policies such as MFA.

Admins can also set it up such that all users can only access the service when using devices that comply with the standards that have been put in place by the organization. Additionally, all traffic when connecting to your dev boxes will be encrypted similarly to what you experience with Windows 365.

Wrap up

Developers have had to contend with frustrating challenges that hinder their productivity for years. These challenges also create unnecessary delays for businesses especially when working with deadlines.

In some cases, you hear of instances where it takes well over a week to onboard a new developer. As we can all imagine, this is far from ideal. When looking at the feedback from various organizations, it’s clear to see why Microsoft sees the need for Dev Box.

With the service offering secure, preconfigured, and ready-to-code workstations, the time to productivity is drastically reduced. Developers can be ready to go almost as soon as an assignment is given without having to be burdened with laborious onboarding processes.

You also have the advantage of using devices you’re comfortable with regardless of what operating system is running. Furthermore, as the service continues to improve, we can expect Dev Box to help optimize the work of developers even more.

User is required to permit SSO

Posted on by
2

Getting January sign in issues ?

Recently i’ve been getting SSO sign in issues in Microsoft Teams, Outlook and Remote Desktop App.

Error code: CAA2000C
Server message: User is required to permit SSO.

I’m running Windows 11 and it seems to be caused by: 2024-01 Cumulative Update Preview for Windows 11 Version 23H2 for x64-based Systems (KB5034204)

Uninstall the KB, restart and everthing is back to working again.

it may be related to: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/upcoming-changes-to-windows-single-sign-on/ba-p/4008151

Script to configure Azure AD Cloud Kerberos Trust

Posted on by
1

As businesses increasingly operate in hybrid environments spanning both on-premises and cloud infrastructure, the need for seamless authentication across multiple environments becomes paramount. To address this challenge, organizations are turning to automated processes for implementing and managing Cloud Kerberos Trust. This automated approach streamlines the integration of Kerberos-based authentication in diverse environments, ensuring efficient and secure access to cloud resources.

The PowerShell script Enable-CloudKerberosTrust.ps1 simplifies and automates the process of Configuring Azure AD Cloud Kerberos Trust.

To get a deeper understanding and a great story, You should also read to following article series by Ben Whitemore and Michael Mardahl who inspired the script.

Simplify Windows Hello for Business SSO with Cloud Kerberos Trust – Part 1
1. Install Azure AD Kerberos PowerShell module
2. Prompt the user for domain admin credentials (if it detects it is not running as domain admin)
3. Create a Kerberos Server object
4. Verify a Kerberos Server object has been created successfully
5. Create "CKT-Policy" Intune configuration profile 
6. Create OMA-URI for Cloud Kerberos Trust enablement
7. Assign the configuration profile

1. Azure Active Directory global administrator.

2. Active Directory domain administrator.

3. Approve admin consent for the following permissions in Microsoft Graph application in Azure AD apps:
CloudPC.ReadWrite.All, DeviceManagementConfiguration.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All, Directory.Read.All
.PARAMETER Domain
Specifies the on-premises Active Directory domain. A new Azure AD Kerberos Server object will be created in this Active Directory domain.
.PARAMETER UserName
Specifies the UPN of an Azure Active Directory global administrator.
.PARAMETER TenantID
Specifies the Azure AD tenant ID for the new Intune configuration policy.
.PARAMETER Group
Specifies the device group to assign the new Intune configuration policy.
.PARAMETER LogPath
Specifies path to save script output to.
.EXAMPLE
.\Enable-CloudKerberosTrust.ps1 -Domain xyz.com -UserName admin@tenant.onmicrosoft.com -TenantID 0570e92c-8fb4-4775-9eb8-61f20dd2ce72 -Group Group1 -LogPath .\

Download the script: Enable-CloudKerberosTrust.ps1

NOTE: THIS SCRIPT IS CONTINUALLY BEING IMPROVED – If you would like to suggest additional checks or improvements, feel free to reach out with your input.

How to Improve Network Efficiency with Delivery Optimization and Endpoint Configuration Manager

Posted on by
Reply

Can Microsoft’s Delivery Optimization and Configuration Manager help solve enterprise network efficiency problems supercharged by the coronavirus pandemic?

The COVID-19 pandemic has forced numerous companies to adopt hybrid working models. This has seen demand for bandwidth capacity increase considerably.

Couple bandwidth-busting traffic connecting from all over with spiraling data costs and network administrators have something to worry about. With no end in sight of this global pandemic, enterprises are now looking for solutions to counter these issues.

As a result, the question that’s now at the fore for many network administrators is how to improve network efficiency as cost-effectively as possible in the New Year. 

COVID-19 and Network Efficiency

Pre-COVID, 17% of the American workforce worked remotely at least 5 days per week. Since the onset of the pandemic, this number has increased to 44%.

With nearly 6% of the population (i.e. 21 million people) having no high-speed connection, enterprises have begun to ask questions such as how best can they keep all their employees connected to their networks?

A range of solutions has been proposed in order to modernize the existing mainframes including the adoption of key technologies such as Microsoft’s Delivery Optimization, Connected Cache, and Configuration Manager.

Let’s examine each of these in greater detail.

What is Delivery Optimization

Delivery Optimization is an inbuilt Windows component. It’s distributed cache technology which means that it is software designed to act as an intermediary between an enterprise’s primary storage solutions and remote employees’ computer.

The benefits that Delivery Optimization provides include optimizing cloud download efficiency, minimizing internet bandwidth, and lowering the latency in data access.

This is excellent because you want to keep your internet bandwidth high. It translates to a faster and better experience for employees, particularly those working remotely.

What is Microsoft Connected Cache?

Microsoft Connected Cache is an application installed on a Windows Server 2012 or later. It is also a high-speed data storage function that works hand-in-hand with Delivery Optimization to reduce latency and improve efficiency.

Connected Cache acts as a dedicated cache on your enterprise network. This server-based solution caches the managed downloads that Delivery Optimization extracts from the Cloud.

It’s ideal for companies because it serves as a local cache on your on-premise network.

What is Microsoft Endpoint Configuration Manager

Microsoft Endpoint Configuration Manager, formerly known as System Center Configuration Manager (SCCM) or Systems Management Server (SMS) is a full-feature systems management software. It sets out to manage computers on a larger and streamlined scale.

Configuration Manager works by providing patch management, remote control, operating system deployment, software inventory, software distribution, and network access protection capabilities.

Now that we’re up to speed about what each of these features are and what they do, let’s look at the advantages and disadvantages of Delivery Optimization.

Delivery Optimization Pros

No Upfront Costs

For enterprises already encumbered by high remote operating costs, this is a welcome reprieve. There are no upfront costs because Delivery Optimization exists as part of Windows 10. Therefore, it’s a feature that’s paid for through your regular Windows 10 license.

Leverages Peer-to-Peer Efficiency

Delivery Optimization enables PCs connected to your network and to download updates in a more streamlined manner from other peers within the network that have already downloaded the content. In this way, there’s an overall reduction in bandwidth. This also mitigates update-related traffic.

Same Time Send/Reception of Update Files

Gone are the old days of having to wait long periods of time while update files sent and received in succession. Today, Delivery Optimization facilitates simultaneous sending and receiving of update files. This allows updates to easily and seamlessly take place.

Can Resume Interrupted Downloads

Do you remember the times when downloads would interrupt because of a network glitch and had to restart? This meant updating PCs across company networks took longer and sometimes pushed up data costs for enterprises. Thankfully, one of the perks of Delivery Optimization is the ability to resume downloads should they experience an interruption.

Load Balancing Capabilities

Network administrators can use all the help they can get to distribute workloads in a uniform manner across enterprise servers and employee PCs.

Load balancing is an incredibly important process as it promotes more efficient processing. It provides balance, so there are no uneven overloads on individual computer nodes. Delivery Optimization presents itself as a tool that expedites this distribution of network traffic.

Windows Native and Cumulative Updates Enabled

As a Windows 10 native feature, Delivery Optimization is Cumulative Updates enabled. This means that on all the PCs equipped with the DO feature, updates – both old and new – these can be bundled together into a single update package.

But it’s not all fun and games with Delivery Optimization. Here are a couple of disadvantages network administrators have to also contend with.

Delivery Optimization Cons

No Analytics and or Reporting

In Deloitte’s The Analytics Advantage report, analytics are highlighted as important as they enable companies to drive business strategy and facilitate data-driven decisions. Thus, it comes as a big disappointment that Delivery Optimization provides no such insights neither in the form of analytics nor reports.

No Content Control

Being able to control both the content that’s being downloaded and transmitted across networks is imperative for network safety. The fact that Delivery Optimization doesn’t give network administrators such control is frustrating.

No Support for Windows 7/10 Migration

Are you thinking of migrating from Windows 7 to Windows 10? Well, unfortunately, you’ll have no help from Delivery Optimization. It’s not clear as to why the developers over at Microsoft thought it was a good idea to complicate migration in this way.

No Support Packages and App Deployment

That’s not all, but Delivery Optimization also offers no support for Packages and Application with Configuration Manager stand-alone deployments. This greatly hampers the standardization and streamlining process of installing software on employees’ work devices.

No Smart Agent

Delivery Optimization is a tool full of potential. However, it is baffling trying to understand why this supposed network optimizing resource has no smart agent to facilitate Optimal Source Selection.

No SCCM Support

Microsoft’s System Center Configuration Manager (SCCM) is integral in the management, deployment, and security of connected enterprise devices as well as apps within the network. However, this Windows product doesn’t receive any support which is a major disadvantage.

Needs Manual Boundary Definition

Boundaries, according to Microsoft, are network-specific locations on enterprise intranets that can contain your PCs or other devices making them easier to manage. When using Delivery Optimization, boundaries aren’t automatic, you have to take time to manually define each boundary you want to be created.

Needs Substantial Boundary Configuration

It’s not enough to manually define the boundaries required either, you also need to make sure that each boundary is properly configured. This additional work can be automated so it’s a wonder why Delivery Optimization doesn’t come with boundary configuration pre-set.

5 Steps to Improving Network Efficiency with Delivery Optimization

Faced with hybrid work models and more employees working remotely, enterprises must be smart about network management. Here are the top 5 ways to improve network efficiency using Delivery Optimization, Configuration Manager, and Microsoft Connected Cache in 2022.

Improve Network Efficiency Step# 1. Remove Performance Bottlenecks

When it comes to network efficiency, congestion in the network is one of the major network problems that most enterprises face. There are many causes of bottlenecks in your network which you will need to remove in order to improve network efficiency. These range from:

a)     Network Overload

Network overload happens when you have numerous hosts within your broadcast domain. Delivery Optimization can aid in this particular case by allowing optimized cloud-managed downloads which reduce network pressure.

b)    Broadcast Storms

Broadcast storms occur when you receive more requests on the network than it can handle.

c)     Low Bandwidth

This occurs when there are too many people connected to the network at once. Delivery Optimization and Connected Cache are peer-to-peer cache technology and significantly help to lower the latency and minimize internet bandwidth.

d)    Not Enough Retransmitting Hubs

Failure to have sufficient retransmitting hubs slows down your network. Retransmitting hubs are necessary in order to make data transmission across the network easier.

e)     Multicasting

While created to help ease congestion, multicasting can in fact cause bottlenecks when two packets transferred simultaneously collide leading to congestion

f)      Old Hardware

Technology is changing so fast and hardware components need to be routinely upgraded otherwise servers, routers, and switches can inadvertently lead to network congestion

g)     Poor Configuration Management

When scripts are one-off or repetitive, they can introduce bugs that cause congestion. Thankfully Delivery Optimization and Configuration Manager can help to get rid of this issue.

h)    Foreign Adapter Broadcasts

When rogue adapters connect to your network, this can increase the network load leading to bottlenecks. A rogue adapter is any device that connects oftentimes illegally onto your network and exists like a parasite until it’s removed. These foreign devices also pose a security threat.

Fortunately, network monitoring tools like Configuration Manager make it possible to handle the life cycle of all the devices and configurations within your network. Such visibility can assist in identifying slow traffic and congestion so you can eliminate it.

And speaking of configurations…

Improve Network Efficiency Step# 2. Reconfigure Network Hardware

It doesn’t matter if it’s an installation of cumulative updates or new hardware, every element joining the company network must be properly configured. Failure to do so can lead to poor network efficiency.

When devices are incorrectly configured, they can’t communicate with their peers effectively. This will lead to routing problems and or increase latency.

Network administrators must ensure that each time a device is configured or reconfigured the network is tested to check network performance. Configuration Manager can be used to see whether the new configuration/reconfiguration is affecting the network negatively.

Improve Network Efficiency Step# 3. Educate Employees on Correct Network Usage

Now with more employees working remotely, it can be difficult to control what people do on the company network. However, it is pivotal to educate them on avoiding applications that are bandwidth-heavy and engaging in activities that consume a lot of data such as downloading movies, music videos, and other large files.

The more bandwidth employees are using in non-work-related activities, the less will be available for work slowing down the entire network. Configuration Manager can be used to curb non-work-related activities if necessary by blocking certain devices. 

Improve Network Efficiency Step# 4. Consider Creating a Guest Network

Have you ever thought of creating a separate guest network for people visiting your company?

You don’t want strangers and outsiders to be able to connect to your enterprise network. This is a major security threat. By creating a disparate guest network they will have their own distinct network to connect to.

In this way, guests’ activities don’t interfere with enterprise bandwidth and security threats are reduced.

Improve Network Efficiency Step# 5. Compress Network Traffic and Data

Every day, colossal amounts of data are transmitted across enterprise networks. More so now, in a world where virtual meetings are the order of the day. These data-heavy online activities necessitate data compression and compression of network traffic.

By compressing enterprise data, companies get more out of their internet packages. And with Windows components like Delivery Optimization, you get to stretch your data out more.

You see, Delivery Optimization extracts content from the cloud, stores it in a temporary cache, where peer PCs/devices can easily access said files in smaller, minute data-friendly sizes without having to download all the large files for each connected device.

Wrap up

2020 and 2021 have disrupted the way business is done. With more companies eager to try out hybrid work models that allow employees to work remotely with some days in the office, network administrators have their work cut out for them in terms of making sure networks are efficient and running at optimal round the clock.

And with so much uncertainty about when things will return to normal, enterprises need to get comfortable with the idea of remote work. Resources such as Delivery Optimization and Configuration Manager will prove to be more and more important in 2022 and beyond.

Relying on such Windows features, organizations can rest easy knowing that there are tools to help with improving network efficiency in a cost-effective manner.

Should You Allow Self-Service With Windows Autopilot?

Posted on by
Reply

With Windows Autopilot, Microsoft gives clients a collection of technologies designed to eliminate the challenges that come with building, maintaining, and applying custom images.

It’s a platform that IT professionals can utilize to set new desktops to join pre-existing configuration groups and apply profiles to the desktops. All of this is so that new users can access fully functional desktops from their first logon.

By using Windows Autopilot, you can simplify the entire lifecycle of Windows devices. Meaning that it covers devices from the initial deployment through to the eventual end of the life cycle. The question, however, is should you allow self-service?

Changing landscape with Windows Autopilot

Over the last few years, we have certainly witnessed a rapid evolution in the remote work landscape. And this evolution has become even more pronounced with the prevailing global pandemic. This has made the need for technology like Windows Autopilot even greater.

Self-service technology has plenty to offer any business. Benefits can include improved end-user experience, effortless coordination for a remote or blended workforce, less complicated management, and significant increases in productivity.

So as the way businesses operate continues to evolve, Windows Autopilot can be the perfect tool to deal with the headaches that we have faced in the past with automated deployment and self-service setups.

Using the self-service setup

The way that Windows Autopilot’s self-service setup works is that it makes workplace devices configured and ready out of the box with its self-deploying mode.

This means that when the employee receives the device they only need to turn it on to start working. Self-deploying mode automatically joins a new device into your company’s Azure Active Directory (Azure AD).

The device is then enrolled into Intune for mobile device management (MDM). Also, you don’t need to worry about apps, certificates, policies, and networking profiles provisioned on the device as they will be dealt with as well.

What this means is that everyone has a lot to gain from using Windows Autopilot, whether you’re IT or the end-user. IT people have their processes simplified and no longer have to deal with the time-consuming, outdated, and overly complex IT processes they had before.

And as for the end-user, all one needs to do is unbox the device, turn it on, connect to the internet, and then verify their credentials.

Self-deploying mode of Windows Autopilot

This feature plays a key role in making Windows Autopilot the platform that it is. Using it will allow you to deploy a device with little to no user interaction. If you have an Ethernet connection then no user interaction will be needed. But, end-users whose devices are connected via Wi-Fi will need to choose the language, locale, and keyboard. And then, they need to make a network connection.

By using self-deploying mode, you can deploy a Windows 10 device as a kiosk, digital signage device, or a shared device. Moreover, it’s also possible to completely automate device configuration by combining self-deploying mode with MDM policies. To deploy in self-deploying mode, you need to follow the steps below:

  • The first step involves creating an Autopilot profile for self-deploying mode that has the settings you want.
  • Next, you need to create a device group in Azure AD and assign the Autopilot profile to that group. Before you try to deploy the device, you should check that the profile has been assigned to the device.
  • Finally, you need to boot the device and connect it to Wi-Fi (if necessary). And then wait for the provisioning process to complete.

Gaining value from technology

As already mentioned earlier, the technological landscape is evolving and so businesses can take advantage of these changes to add value to their operations. The ability to seamlessly deploy devices without IT involvement has huge implications in an increasingly remote-working world.

With countless employees not being on-premises, companies cannot afford to have delays between delivery and deployment. Leveraging Windows Autopilot means that you can eliminate OS image re-engineering and customize the out-of-the-box-experience (OOBE).

By doing this, your processes become easier and faster. And this is going to enhance productivity and potentially increase profitability.

Possible scenarios

Windows Autopilot provides support for a growing list of different scenarios, designed to support the varying needs that most businesses will have. These needs often differ depending on the type of business as well as where you are with moving to Window 10 and transitioning to modern management. Below are some of the common scenarios:

  • Deployment of devices that will be set up by an employee of the company and configured for that person.
  • Deployment of devices that will be automatically configured for shared use, as a kiosk, or as a digital signage.
  • Re-deploying a device in a business-ready state.
  • Pre-provisioning a device with up-to-date apps, policies, and settings.       
  • Provisioning of WIndows 365 devices

User-empowered modern workplace

Windows Autopilot is one of the key components in the Microsoft ecosystem that are helping to create a more user-centric workplace. An environment where users are empowered by IT rather than restricted as they were with legacy IT.

Users will immediately see this from the very beginning as they unbox new devices and have no time-wasting setup involved. Combined with the streamlined benefits of other solutions in the Microsoft ecosystem, this creates a modern, all-digital workplace.

Leveraging digital transformation with Windows Autopilot

So much technological innovation has come to the fore in the last few decades. However, many outdated facets of legacy IT persist including device setup and configuration. But it certainly doesn’t have to be the case for your organization.

Making use of tools like Windows Autopilot has massive potential benefits for your business. Self-service deployments not only make life simpler, but they can help you to operate faster and with fewer complications.

Not to mention how you can create more productive time. The extensive range of capabilities that you get here gives you more automated and user-friendly processes that can enhance your organization’s performance.

Controlling User App Access With AppLocker

Posted on by
Reply

Most organizations could probably gain some benefits from deploying application control policies. This is something that your IT guys could use to make their work easier and improve the overall management of employee devices. AppLocker is a platform that will give admins control over which apps and files users can run including packaged app installers, scripts, executable files, Windows Installer files, DLLs, and packaged apps. Because of its features, AppLocker will help organizations to reduce their admin overhead and the cost of managing computer resources. With that said, let’s go over how AppLocker helps you to control user app access.

Installation

Users that are running the enterprise-level editions of Windows will find that AppLocker is already included. Microsoft allows you to author rules for a single computer or a group of computers. For single computers, you’ll need to use the Local Security Policy Editor (secpol.msc). And for a group of computers, you can use the Group Policy Management Console to author the rules within a Group Policy Object (GPO). However, it’s important to note that you can only configure AppLocker policies on computers running the supported versions and editions of the Windows operating system.

Features of AppLocker

AppLocker offers its clients several great features to help you to manage access control. It allows you to define rules based on file attributes and persisting across app updates. These include publisher name, file name, file version, and product name. You can also assign rules to individual users or security groups as well as create exceptions to rules.

In order to understand the impact of a policy before enforcing it, AppLocker allows you to use audit-only mode to first deploy the policy. Another feature enables the creation of rules on a staging server that you can test before exporting them to your production environment and importing them into a Group Policy Object (GPO). And then by using Windows Powershell cmdlets for AppLocker, you’ll have an easier time creating and managing rules.

Enhancing security

AppLocker works well at addressing the following security scenarios:

  • Application inventory: AppLocker policies can be enforced in an audit-only mode where all application access activity is registered in event logs.
  • Protection against unwanted software: you can exclude from the list of allowed apps any app that you don’t want to run and AppLocker will prevent it from running.
  • Licensing conformance: AppLocker enables you to create rules blocking the running of unlicensed software while limiting licensed software to authorized users.
  • Software standardization: to have a more uniform application deployment, you can set up policies that will only allow supported or approved apps to run on PCs within a business group.
  • Manageability improvement: AppLocker has improved a lot of things from its predecessor Software Restrictions Policies. Among those improvements are audit-only mode deployment, automatic generation of rules from multiple files, and importing and exporting policies.

Apps to control

Each organization determines which apps they want to control based on their specific needs. If you want to control all apps, you’ll note that AppLocker has policies for controlling apps by creating allowed lists of apps by file type. When you want to control specific apps, a list of allowed apps will be created when you create AppLocker rules. Apart from the apps on the exception list, all the apps on that list will be able to run. For controlling apps by business group and user, AppLocker policies can be applied through a GPO to computer objects within an organizational unit.

Allow and deny actions

Because each AppLocker rule collection operates as an allowed list of files, the only files that are allowed to run are the ones that are listed in this collection. This is something that differs from Software Restriction Policies. Also, since AppLocker operates by default as an allowed list, if there is no explicit rule allowing or denying a file from running, AppLocker’s default deny action will block that file. Deny actions are typically less secure because a malicious user can modify a file thereby invalidating the rule. One important thing to remember is that when using the deny action on rules, you need to first create rules allowing the Windows system files to run. Otherwise, a single rule in a rule collection meant to block a malicious file from running will also deny all other files on the computer from running.

Administrator control 

The last thing most organizations would want is any standard user or worse a malicious one modifying their policies. Therefore, AppLocker only allows administrators to modify AppLocker rules to access or add an application. For PCs that are joined to a domain, the administrator can create AppLocker rules that can potentially be merged with domain-level rules as stated in the domain GPO.

Is AppLocker for you?

If you see the need to improve app or data access for your organization then AppLocker is something you should be considering. Also, if your organization has a known and manageable number of applications then you have an additional reason. Ask the question, does your organization have the resources to test policies against the organization’s requirements? Or the resources to involve Help Desk or to build a self-help process for end-user application access issues? If yes to the above, then AppLocker would be a great addition to your organization’s application control policies.

Wrap up

Software that enhances the way an organization controls access to its applications and data can play a significant role in boosting efficiency. AppLocker is one such platform. With all the great features available, it can easily become a fantastic tool for your IT team. Not only does it simplify access control management, but its various actions will also result in greater security. Without a doubt, AppLocker can be a valuable addition to your application control policies.

Windows 10 Registry tweak to disable Microsoft Edge Icon for MDT or ConfigMgr

Posted on by
Reply

The icon for Microsoft Edge is now placed by default in every user profile.
It is not placed in Public Desktop, but created for each user at logon (DOH!)

Thank god there is way to stop this behavior.

You can simple add the following registry key:
Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer
Value: DisableEdgeDesktopShortcutCreation
Data: 1
Type: REG_DWORD

If your using MDT (Microsoft Deployment Toolkit) or ConfigMgr (System Center Configuration Manager)
You can add the following oneliner task sequence step, to stop the creation of the Microsoft Edge icon.
Commandline: reg.exe add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer /v DisableEdgeDesktopShortcutCreation /t REG_DWORD /d 1

In case your wondering what i have in the steps to disable Cortana, let me share them:

Registry tweaks for Build and Capture or Windows 10 Deployment task sequences

Disable Cortana Voice:
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE /v DisableVoice /t REG_DWORD /d 1

Disable Cortana Search:
reg add “HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search” /v “AllowCortana” /t REG_DWORD /d 0 /f

Disable Cortana Search Box:
reg add “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search” /v “SearchboxTaskbarMode” /t REG_DWORD /d 0 /f

Protect Yourself Against Petya Ransomware

Posted on by
Reply

The malware requires administrator rights to the local computer. Standard users should not have this in permission. Consider restricting who has local admin rights to prevent execution of exploit code within organisations. Home users should also consider using a Standard User Account for day-to-day operations.

Access Director can help you by removing permanent local admins.

Recommendations for Enterprises

  • Deploy the latest Microsoft patches, including MS17-010 which patches the SMB vulnerability.
  • Consider disabling SMBv1 to prevent spreading of malware.
  • Educate end-users to remain vigilant when opening attachments or clicking on links from senders they do not know.
  • Ensure you have the latest updates installed for your anti-virus software.
  • Ensure you have backup copies of your files stored on local disks. Generally, user files on local drives are replicated from a network share
  • Prevent users from writing data outside of designated areas on the local hard disk to prevent data loss if attack occurs.
  • Operate a least privileged access model with employees. Restrict who has local administration access.

Petya does not encrypt files. it encrypts the Master File Table, which is the index of where all the files are stored on a hard disk drive.

“Petya uses the NSA Eternalblue exploit but also spreads in internal networks with WMIC and PSEXEC. That’s why patched systems can get hit.”
Mikko Hypponen confirms, Chief Research Officer at F-Secure.

PT Security, a UK-based cyber security company and Amit Serper from Cybereason, have discovered a Kill-Switch for Petya ransomware. According to a tweet, company has advised users to create a file i.e. “C:\Windows\perfc” to prevent ransomware infection.

 

Windows 10 hangs after patches May/17 (Windows Defender & Trend Micro)

Posted on by
Reply

There seems to be an issue with Trend Micro and Windows Defender after Windows/ Defender patches has been applied.

The quick workaround is to deploy are registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
The dword value should be 1: DisableAntiSpyware


In case it does not exist, go ahead and create it.
Restart and you should see things start working again.

If you have the issue, you should be able to deploy it using Group Policy Preferences.

NOTE: You can also enter safe mode and create the needed key.

Reference links:

https://technet.microsoft.com/en-us/library/cc749126(v=ws.10).aspx

https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus

https://support.microsoft.com/en-us/help/12376/windows-10-start-your-pc-in-safe-mode