Security: Exploring Windows LAPS for Azure Active Directory – Initial Impressions in a Cloud-Only Setting

Recently, Windows LAPS for Windows Server Active Directory was made available to the public, and I shared my initial test impressions:
Getting to Know Windows LAPS for Active Directory – First Look

As of April 21st, 2023, Windows LAPS for Azure Active Directory is now also accessible in a public preview. This presents an opportunity to test it in a cloud-only environment, and in this blog post, I will be sharing my initial testing impressions of Windows LAPS with Azure Active Directory in this scenario.

Continue reading

Security: Getting to Know Windows LAPS for Active Directory- First Look

In October 2022, I published a blog post titled The 10 most important details about the upcoming Windows LAPS solution, which revealed that Microsoft was developing a new LAPS solution called Windows LAPS. This solution would address the long-awaited support for cloud-only devices. As of April 11, 2023, Windows LAPS for Windows Server Active Directory is now publicly available. Previously, Windows LAPS was only accessible through private preview. Unfortunately, Windows LAPS for Azure Active Directory remains in private preview and is not open to new customers. However, the Azure Active Directory LAPS scenario is anticipated to enter public preview in Q2 2023. In this blog post, I will be sharing my initial testing impressions of Windows LAPS with the Windows Server Active Directory (on-premises) scenario.

  1. Supported platforms
  2. The advantages of Windows LAPS over Legacy Microsoft LAPS
    1. # Seamless integration
    2. # Password encryption
    3. # More New capabilities
  3. Windows LAPS for Windows Server Active Directory – Configuration
    1. Windows LAPS Requirements
    2. Prepare Windows LAPS ADMX templates
    3. Update the Windows Server Active Directory schema
    4. Grant the managed device permission to update its password
    5. Delegate Windows LAPS permission
    6. Configure policy settings for Windows LAPS
  4. Windows LAPS for Windows Server Active Directory – Admin Experience
    1. Read Windows LAPS Password
    2. Windows LAPS password rotation
    3. Get Windows LAPS Password History
    4. Password backup for DSRM accounts
  5. Conclusion
Continue reading

Microsoft Intune: First impressions of Endpoint Privilege Management (EPM)

Endpoint Privilege Management (EPM) is one of the most anticipated features of the Microsoft Intune premium add-on suite and was already announced at Microsoft Ignite 2022. With EPM, Microsoft has finally developed a solution for assigning temporary administrator rights. Users no longer need to be made local administrators. Instead, your users can be given standard account permissions and be designated administrators for specific tasks. Microsoft has now released a first public preview. This blog article covers first test impressions about the new Microsoft Intune Endpoint Privilege Management feature.

  1. Licensing
  2. Windows Client requirements
  3. What files can be elevated
  4. Documentation
  5. Activate Endpoint Privilege Management (EPM)
  6. First test run – First impressions
    1. Admin Configuration – Elevation settings policy
    2. User Experience with Elevation settings policy in place
    3. Admin Configuration – Elevation rules policy
    4. User Experience with elevation rules policy in place
  7. Troubleshooting and further testing
  8. Conclusion
Continue reading

Security: Application Whitelisting with Microsoft Intune and AppLocker

While AppLocker has been around since Windows 7 and Windows Server 2008 R2, I have rarely found the solution in enterprises. The main reason was always that the implementation is very time and resource consuming and that you must constantly maintain a whitelist. This is a bummer, because the security gain is enormous when a solution like AppLocker is used. If you deal with the AppLocker rules intensively and have developed a good concept at the beginning, you will realize that you do not have to adjust the rule regularly and that the operation is not as complex as you thought.

This blog article shows the important things to consider when implementing AppLocker, how to create a usable basic ruleset that requires minimal maintenance, and how to manage with Microsoft Intune.

  1. Application whitelisting technology overview
  2. AppLocker basic recommendations
  3. AppLocker deployment considerations
  4. AppLocker OS Requirements
  5. AppLocker AppIDSvc Service Requirements
  6. Configure AppLocker and start with Audit Only Mode
  7. Configure Basic Ruleset
  8. Exceptions
    1. Path Exeptions
    2. Publisher Exception
  9. AaronLocker
  10. AppLocker deployment with Microsoft Intune
  11. Event monitoring
    1. AppLocker Event IDs
    2. _PSScriptPolicyTest*. PowerShell Scripts
    3. Azure Log Analytics / KQL
      1. Check for Audit Mode Events with KQL
      2. Check for Enforce Mode Events with KQL
    4. AppLocker Microsoft Intune Rules Storage Location
  12. Configure Enforce Mode
Continue reading

Security: First impressions of the new Windows 11 22H2 security feature Enhanced Phishing Protection

This blog article covers the new Windows 11 22H2 security feature Enhanced Phishing Protection in Microsoft Defender SmartScreen and gives first impressions.

  1. What is Enhanced Phishing Protection?
  2. How does Enhanced Phishing Protection work?
  3. How do I activate and configure Enhanced Phishing Protection?
  4. What are the first impressions?
    1. Warn me about malicious apps and sites
    2. Warn me about password reuse
    3. Warn me about unsafe password storage
    4. Phishing alerts in the Defender for Endpoint (MDE) portal
  5. Sources and additional links
Continue reading

Security: The 10 most essential details about the new Windows LAPS solution

The Local Administrator Password Solution (LAPS) from Microsoft has been around since 2015 and I have always liked using it because it was quite easy to implement and manage. Unfortunately, Azure AD (Cloud Only) support was missing and LAPS could only be used with an on-premises Active Directory. Therefore, in a cloud only environment, you had to use alternatives such as the community solution CloudLAPS. Fortunately, Microsoft is working on a new LAPS solution with the name Windows LAPS that finally offers the long-awaited support for cloud-only devices.

This blog article presents the 10 most essential details about the new Windows LAPS solution.

  1. #1 Operating System Integration
  2. #2 Supported scenarios
  3. #3 Supported platforms
  4. #4 Architecture
  5. #5 New Features
  6. #6 Management & Configuration
  7. #7 Legacy Support
  8. #9 Release Date
  9. #10 Documentation, session and demos
Continue reading

Security: How to configure Advanced Microsoft Authenticator security features in the Microsoft Entra Admin Center and why it is important to implement them now

It’s time to make Microsoft Authenticator more secure for your users. Since October 25, 2022, new Advanced Microsoft Authenticator security features are Generally Available. This blog article shows how to enable the new Advanced Microsoft Authenticator security features in Microsoft Entra admin center.

  1. Why is it important to implement these new Microsoft Authenticator security features and inform your users about them?
  2. Which security features are new available?
  3. How to configure Advanced Microsoft Authenticator security features
  4. With all the new security features enabled, how will the new user experience look like?
Continue reading

News: Microsoft Intune Driver Management and new Microsoft Store integration

Back in 2021, Microsoft announced that Microsoft Intune would get driver management and integration for the new Microsoft Store. For a long time, however, there was no significant news until new developments and first release dates were announced on October 25, 2022 at The Microsoft Technical Takeoff: Windows and Microsoft Intune online event, which is currently taking place from October 24 to 28.

  1. Microsoft Intune Driver Management
  2. Integration for the new Microsoft Store
Continue reading

News: My Top 10 Takeaways from Microsoft Ignite 2022

Microsoft Ignite 2022 took place from October 12-14, happily as a hybrid event, online and onsite in Seattle. Under the headline “Do more with less with the Microsoft Cloud“, Microsoft presented over 100 new solutions or updates to existing products. This blog article presents my top 10 takeaways from Microsoft Ignite 2022 with a focus on Modern Workplace, Microsoft 365 and Security. In conclusion, I will honor my favorite session and give my overall impression of Microsoft Ignite 2022.

  1. Modern Workplace
    1. #1 New Microsoft Intune name branding
    2. #2 New Microsoft Intune product family
    3. #3 New Microsoft Intune suite of advanced solutions
    4. #4 Deliver organizational messages with Windows 11 and Microsoft Intune
    5. #5 What’s new in Windows 365
  2. Microsoft 365
    1. #6 Office is becoming Microsoft 365 and New Microsoft 365 Announcements
    2. #7 New Microsoft Teams Premium Features
  3. Security
    1. #8 Conditional Access Authentication Strengths
    2. #9 Azure AD certificate-based authentication (CBA)
    3. #10 Workload Identities GA in November 2022
  4. Favourite session from Microsoft Ignite 2022
  5. My overall impression of Microsoft Ignite 2022
Continue reading

Security: How to achieve a Microsoft Secure Score for Devices above 95% in Microsoft Defender for Endpoint with Microsoft Intune

This blog article shows how to master the security recommendations of Microsoft Defender for Endpoint (MDE) with Microsoft Intune and achieve a device secure score above 95%.

  1. Security recommendations analysis and how to start
  2. Security recommendations covered by security baselines
  3. Security recommendations overview not covered by security baselines
Continue reading