Modern Device Management

Just a while ago, I blogged on  How to enable and configure Web Content Filtering within Microsoft Defender for Endpoint   and also on  Creating custom Network Indicator rules in Defender for Endpoint .  Now as part of a wider implementation for Defender features, I moved on to configuring Application Guard . While the configuration of Application Guard is straight forward, I found out that this feature cannot work along side Web Content Filtering . Why is that? Well to understand this, let's first see what Application Guard is and how does it work. Application Guard For Microsoft Edge, Application Guard helps to isolate untrusted sites that have not been defined in the trusted web sites, cloud resources, and internal networks. Everything else is considered untrusted and  sites open in an isolated Hyper-V-enabled container. Similarly, in case of Microsoft Office, Application Guard helps prevents untrusted Word, PowerPoint and Excel files from accessing trusted resources. Here too

One of my customers recently reported an issue where RDS was not reachable from an AAD joined Windows 10 device. They were trying to connect remotely and reported the following error. The devices are enrolled in Intune and users are setup as Standard accounts. So what does the error mean? Based on my research, the error indicates that the RDP connection failed to establish using HTTP with UDP. RD Gateway role is used for securing connectivity to Remote Desktop Services via the Internet.  RD Gateway uses the following 3 transport protocols - 1. RPC over HTTP – used with RDP 7.1 and previous clients, or when connecting to a Windows 2008 R2 RD Gateway. 2. HTTP – RDP 8.0 clients always use HTTP as the default transport, falling back to RPC over HTTP if the HTTP transport is not available. The HTTP transport uses the Secure Sockets Layer to establish secure connections between the remote desktop client and the remote desktop server through RD Gateway. This transport type became available

If you work on Defender 365 Portal, then there is a good chance you would have seen a security recommendation to  Enable EDR in block mode just like the one below. Nothing unusual about this, but what if you are already running Microsoft Defender Antivirus as the primary AV solution on your devices? Do you still need to Enable EDR in block mode ? To answer this, let's first understand what is EDR and how it works. Endpoint detection and response (EDR) in block mode is a capability in Microsoft Defender for Endpoint that turns EDR detections into blocking and containment of malicious behaviors. This provides an additional layer of post-breach blocking of malicious behavior, malware, and other artifacts that your primary antivirus solution might miss. When EDR in block mode detects malicious behaviors or artifacts, it stops related running processes, blocking the attack from progressing. These blocks are reported in Microsoft Defender Security Center, where security teams can see d

In my previous post on  How to enable and configure Web Content Filtering within Microsoft Defender for Endpoint , I touched upon some of the requirements that were needed for enabling Web Content filtering. One such requirement was enabling of Network Protection & Smart screen within Defender for endpoint. Let' start with Network Protection and understand what it is all about. Network protection is an attack surface reduction capability which helps in protecting devices from Internet-based events arising from accessing dangerous domains through applications, phishing scams, exploits, and other malicious content. With the help of Microsoft Defender SmartScreen, all outbound HTTP(s) traffic that attempt to connect to low-reputation sources (based on the domain or hostname) gets blocked. Network protection also extends the protection to the operating system as a whole. It provides web protection functionality in Edge, other supported browsers and non-browser applications. Additio

On September 3 2021, Microsoft published MC282986  in the Message center that Intune APP/MAM will be moving to support Android 9 and higher. According to Microsoft, This change is to align with Office mobile apps for Android support of the last four major versions of Android and it will be coming into effect on October 1, 2021. So what does it really mean? If you are using app protection policies on any device that are running Android version 8.x or lower then these devices will no longer be officially supported for APP.  APP policies will continue to be applied to devices running Android 6.x – Android 8.x however, if you do run into issues with an Office app and APP, Microsoft support will request you to update to a supported Office version for app troubleshooting. So it appears that while APP will continue to apply on devices running Android versions older than 9.x, Microsoft will not support should you run into issues. This may be an issue for lot of organizations as a lot of device

The not so new Office app was made 'generally available' in Feb 2020 . Since then, Microsoft have already addressed the requirement for supporting App protection policies using Intune. As a matter of fact, I have been applying the policies myself for some time now, but every time I have worked on this, I felt that the details on the application of the policies are not that properly documented in Microsoft's official documentation and which is why I decided to blog about this now. Unlike the traditional Microsoft office apps like Word, Excel, PowerPoint etc, Office app has been made available under the following categories - For Android - Office Hub – Meant to be installed on devices in China which is under the custom bundle id  com.microsoft.office.officehub. Office Hub [HL] – Meant to be installed on devices in the US which is under the custom bundle id  com.microsoft.office.officehubhl. Office Hub [ROW] – Meant to be installed on devices outside of the US and China w