Posts

Showing posts from November, 2020

Intune - Microsoft Edge browser settings & extensions

In this blog I will cover some of the settings of the Microsoft Edge browser configured using the built-in administrative templates in Intune. Using Intune to manage and enforce policies is equivalent to using Active Directory Group Policy or configuring local Group Policy Object (GPO) settings on user devices. For a complete list of Microsoft Edge policies, you can check the link here. Let’s begin.

1. Sign in to https://endpoint.microsoft.com
2. Browse to Devices – Windows – Configuration profiles
3. Click Create Profile
4. Choose Windows 10 and later as Platform
5. Choose Administrative Templates as Profile type
6. Click Create
7. Give a name
8. Use the search field ("Search to filter items ...") to find a specific setting you want to configure, as shown below.

Configure the home page URL
Enable the default search provider
Hide the First-run experience and splash screen
Default search provider URL fo

Intune - BitLocker silent and automatic Encryption Settings for Lenovo Thinkpads

A while ago, I was working on an endpoint management project and one of the key requirements was to roll out BitLocker policies to the Windows 10 MDM-enrolled devices. As much as this may seem routine, what made things interesting was that the customer only had Lenovo devices, and apparently it required some additional bits and pieces to be put in place alongside the Intune BitLocker encryption settings. I will cover the details and my experience through this blog. Before going into the details, please make a note of the requirements for automatic BitLocker device encryption:

1. Device should be running 1903 with the latest CU, or a newer build.
2. TPM 1.2 or 2.0.
3. UEFI Secure Boot should be enabled.
4. DMA protection should be enabled.

As far as my project requirements for enabling BitLocker encryption are concerned, they are as follows:

1. Enable BitLocker on the OS drive.
2. Configure BitLocker automatically and silently without any kind of user interaction.
3. Disable Startup PIN.
4. Escrow

Conditional Access: Restricting Office 365 access to Managed Devices only

A lot has been said about enforcing CA for Exchange Online, and there are several scenarios that can play out. One such scenario is restricting access to not just Exchange Online, but the complete Office 365 suite, to managed devices only. In this blog, I am going to cover my experience of creating the CA policy.

Configuration

The policy requirements that I have taken into consideration are:

- Office 365
- Device Platform (iOS & Android)
- Enforced across Browser & Mobile apps
- Require MFA
- Require Devices to be marked as compliant
- Require approved client app

Let’s begin.

1. Open endpoint.microsoft.com and navigate to Devices -> Conditional Access | Policies -> New policy.
2. Give a name and select the Users & groups. (Since the policy will result in a restrictive experience by limiting the access to corporate data, it is advisable to test it against a selected group of users. For testing, I have just added myself, but it is recommended to use a test account inste

Attack Surface Reduction Rules within Microsoft Defender for Endpoint

This week it has been all about helping a customer improve on their Microsoft Security Score. A lot of the recommendations were related to Attack Surface Reduction (ASR), and I wanted to cover some tips and tricks in setting things up through this blog. There are various ways of rolling out ASR through Intune, namely:

1. Endpoint protection configuration profile.
2. MDM Security baseline profile.
3. Microsoft Defender ATP Baseline.
4. Custom configuration policy.

I chose to deploy all the rules as part of the Microsoft Defender ATP Baseline, as I wanted to cover all aspects of Defender as part of the rules. But for now I am only covering ASR. Before you begin, there are some prerequisites that one needs to be mindful of. They are as follows:

- Licensed tenant for Enterprise Mobility + Security E3 and Windows E5 (or Microsoft 365 Business Premium)
- Microsoft Intune environment, with Intune managed devices that are Azure AD joined.
- Microsoft Defender ATP environment whic