Unleash your Azure CSP subscription for Cloud Management Gateway deployments

The cloud management gateway (CMG) provides a simple way to manage Configuration Manager clients on the internet. By deploying the CMG as a cloud service in Microsoft Azure, you can manage traditional clients that roam on the internet ‘without’ additional (on-premise) infrastructure.

Merged_Azure_CSP_and_Visual_Studio_subscription

Create & deploy cloud services with an associate Azure subscription.

However, there is a limitation when deploying CMG using Azure CSP subscription.

This capability does not enable support for Azure Cloud Service Providers (CSP). The CMG deployment with Azure Resource Manager continues to use the classic cloud service, which the CSP does not support. For more information, see available Azure services in Azure CSP.

As CSP model is becoming more and more popular as Azure subscription, this scenario is a potential blocker for many customers having a CSP subscription which wants to deploy a CMG. The Microsoft product teams are aware of this situation and I’m sure they will solve this the sooner or later.

Converting your CSP subscription to an eligible Azure subscription is no option here (managed by CSP Partner). Therefore I would like to take you how to deploy a CMG while you’re on a CSP subscription. Yes it’s possible! In this blog I’ll describe what it takes to achieve this. Continue reading “Unleash your Azure CSP subscription for Cloud Management Gateway deployments”

Advertisements

Part 2:  Improve your endpoint security /w Windows Defender ATP & Microsoft Intune: Exploit Guard & SmartScreen

In my previous blog I highlighted the Security Analytics Dashboard of the Windows Defender Advanced Threat Protection and how to improve your organizations security excellence covering two improvement area’s: Windows Defender Antivirus and Windows Defender Application Guard.

In this blog I’ll cover two other improvement areas: Windows Defender Exploit Guard and SmartScreen Continue reading “Part 2:  Improve your endpoint security /w Windows Defender ATP & Microsoft Intune: Exploit Guard & SmartScreen”

Part 1: Improve your endpoint security /w Windows Defender ATP & Microsoft Intune: Windows Defender Antivirus & Application Guard

Remark: Some information relates to pre-released product (Windows 10 Insiders Preview build) which may be substantially modified before it’s commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

In my previous blog I highlighted some of the new (preview) features – Security Analytics Dashboard – of Windows Defender Advanced Threat Protection (WDATP). In this blog I’ll go into more details how you can improve your organizations endpoint security posture by translating the actionable recommendations into Microsoft Intune device restrictions profiles (aka policies).

Windows Defender Advance Threat Protection

Windows Defender ATP sheds light on configuration issues and provide insights to machines where security features are not configured or out of date. It does provide actionable recommendations to improve your endpoint security. The actual actionable improvement must be performed by your administrator. In this blog I’ll explain how to improve the security baseline of your endpoints by using Microsoft Intune. Continue reading “Part 1: Improve your endpoint security /w Windows Defender ATP & Microsoft Intune: Windows Defender Antivirus & Application Guard”

Improve your endpoint security /w Windows Defender Advanced Threat Protection

Last week Microsoft announced the public preview of Windows Defender ATP Windows 10 Fall Creator update. I’m quite excited – we’ll should – of the new capabilities which allows you to better protect your endpoints from threats.

I had the opportunity to work with this for a while and like to highlight my personal favorite feature – Security Analytics Dashboard. Why? It’s because this feature gives me insights of my current endpoint (Windows 10, Windows Server, Linux* & Mac OS*) security posture and what it takes to utilize the full potential.

For a complete overview of all Windows Defender ATP preview features please read the official announcement here. Continue reading “Improve your endpoint security /w Windows Defender Advanced Threat Protection”

Improved MDM diagnostics from Windows 10 Insider Preview #16232

Note: the content in this blog post may subject to change as it’s based on Windows 10 Insider Preview build 16232/16237.

In the early days of Windows 8.x modern management made it’s appearance but due it’s limitations at that time not widely adopted.

Traditional vs Modern

The introduction of Windows 10 as the cloud OS with tight integration of Azure AD changed this rapidly. Combined with configuration service provider (CSP) modern management provides increased capabilities and therefore closing the gap with traditional management.

Another often-heard challenge of modern management is the troubleshooting part. This can sometimes be challenging as it is experienced as a black box. Common tools  (e.g. Event Viewer, PowerShell, WMI) are sometimes cryptic and thus challenging to interpret, until today!

Troubleshooting

To illustrate the ease of troubleshooting (low entry), we configured a custom policy by Microsoft Intune which configures Windows Defender Application Guard (currently in preview) and check the process of the policy being applied on our endpoint .

Microsoft Intune Custom Policy

Once assigned the policy in Microsoft Intune we triggered a policy refresh cycle.

Updated interface

Update Management Profile GUI

In the updated GUI we can now determine which policy categories are configured, including our Windows Defender Application Guard (AppHVSI) policy. Besides the outline of the policy categories we can also determine the installed applications. 

 Improved Management Profile GUI PolicyManager MDM Category

Management Diagnostic log files

The updated GUI goes beyond just displaying what is configured/applied and provides the ability drill down to our MDM configuration. The MDM configuration can be exported in a management log file which is exported in HTML format to C:\Users\Public\Documents\MDMDiagnostics\MDMDiagReport.html

MDM Diagnostics GUI

The MDM diagnostic log file provides general information of your system. However the most interesting part is yet to come.

Base MDM Diagnostic Information

First of all it provides insights of the configuration sources and resource (CSPs) and  whether it’s a device- or user based policy. The Resource section correlates to the various policies and installed apps. I highlighted a guid which correlates to an installed application.

MDM Configuration Sources

Further it provides a detailed list of which policy categories are deployed by your MDM solution. These categories are listed in the updated interface I mentioned before. Further this section provides the detailed configuration of your policies.

In our scenario we deployed Windows Defender Application Guard policy. It shows you the policy area, default value, current value and whether it’s a device- or user based policy.  It confirms the custom Windows Defender Application Guard Policy has been landed and successfully applied.

MDM Managed Policies

When looking under the hood we’ve the confirmation here too, Windows Defender Application Guard is configured properly. And mentioned earlier you’ll find the policy categories once again.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\AppHVSI

PolicyManager MDM Registry

Complementary to the Windows Defender Application Guard CSP configuration you can keep track of the group policy (backed ADMX) equivalent.

PolicyManager MDM Group Policy

Installed Applications

As mentioned before the MDM diagnostic log file also includes the list of installed applications through MDM channel.

Managed Applications by MDM

Finally, we also have access to settings which are not set via CSP.

Unmanaged MDM Policies

Summary

The updated interface in this Windows 10 preview build is a simple as ingenious extension and help us to get useful insights to troubleshoot your modern management end-points.

Sources

Introduction to configuration service providers (CSPs) for IT pros

https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers

WindowsDefenderApplicationGuard CSP

https://docs.microsoft.com/en-us/windows/client-management/mdm/windowsdefenderapplicationguard-csp

Continue reading “Improved MDM diagnostics from Windows 10 Insider Preview #16232”

Customize Windows 10 Start menu with Configuration Manager (MDM) or Microsoft Intune #OMA-URI

Undoubtedly you ever been asked the question to customize the Windows 10 start menu? Your response might be like “Sure, I’ll fix this by group policy, imaging (task sequence) or last resort by manually importing a .xml file.” All – almost all – valid options in a fully managed environment where your clients are domain joined (Active Directory) and/or fully managed by Configuration Manager or MDT. But hey what about your non-domain joined Windows 10 devices which are outside the company and managed by Microsoft Intune (MDM)? Well OMA-URI is your best friend! Smile

Configuration Service Provider (CSP)

In Windows 10 Enterprise and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start layout to users. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead. With Microsoft Intune (MDM), you define the Start layout using an OMA-URI setting, which is based on the Policy configuration service provider (CSP).

Continue reading “Customize Windows 10 Start menu with Configuration Manager (MDM) or Microsoft Intune #OMA-URI”