Ever thought about whether your end-users really think before clicking?
How often do your end users (who have local administrator rights in some way) just install stuff without thinking?
To start with, your end-users should not be local administrators on their machines, but many still are. If they are not administrators all the time, lots of companies have solutions where end-users can elevate themselves for a certain time frame.
But let`s make them think an extra time before actually installing stuff that requires administrator privileges on their machine, by forcing them to type their username and password instead of just clicking “Yes/No”.
One way to change this is to use the Registry and force UAC to prompt for username / password.
For several of my customers I deploy this registry setting to the end-users using Endpoint Manager (Intune), and this is really easy!
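The script the post deploys is not reproduced on this page, so here is an added example (my own code, not the author`s) that does what the text describes. It assumes the author`s script targets the same Windows-defined value, ConsentPromptBehaviorAdmin under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, sets it to “prompt for credentials on the secure desktop”, and reads it back so that a failed write shows up as a failed script in Intune instead of a silent success:

```powershell
# Added example (not the original post's script): make UAC ask for credentials
# instead of a Yes/No consent prompt by setting the registry value that controls
# the elevation prompt for administrators.
#
# Assumption: the post's script targets this same value, ConsentPromptBehaviorAdmin.
# Windows-defined meanings of the value:
#   0 = elevate without prompting
#   1 = prompt for credentials on the secure desktop   <- set here
#   2 = prompt for consent on the secure desktop
#   3 = prompt for credentials (normal desktop)
#   4 = prompt for consent
#   5 = prompt for consent for non-Windows binaries (Windows default)
# Intended to run as SYSTEM from an Intune "Scripts" deployment (Windows PowerShell 5.1).

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'ConsentPromptBehaviorAdmin'
$Desired   = 1   # credentials on the secure desktop

$PromptMeaning = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (default)'
}

function Get-AdminPromptBehavior {
    # Returns the current value, or $null when it has never been set
    # (Windows then behaves as if it were 5).
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

try {
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }

    $before = Get-AdminPromptBehavior
    $beforeText = if ($null -eq $before) { 'not set (default 5)' } else { "$before ($($PromptMeaning[$before]))" }
    Write-Output "Before: $beforeText"

    # Windows stores this value as a DWORD; Set-ItemProperty creates it if missing.
    Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value $Desired -Type DWord

    # If UAC itself is switched off (EnableLUA = 0) no prompt of any kind appears,
    # so flag that in the script output rather than assume the setting is effective.
    $lua = (Get-ItemProperty -Path $PolicyKey -Name 'EnableLUA' -ErrorAction SilentlyContinue).EnableLUA
    if ($lua -ne 1) { Write-Warning "EnableLUA is '$lua'; UAC prompts are disabled on this machine." }

    # Read back and exit non-zero if the value did not stick, so Intune reports a failure.
    $after = Get-AdminPromptBehavior
    if ($after -ne $Desired) {
        Write-Error "Expected $ValueName=$Desired but found '$after'."
        exit 1
    }
    Write-Output "After:  $after ($($PromptMeaning[$after]))"
    exit 0
}
catch {
    Write-Error $_.Exception.Message
    exit 1
}
```

Value 1 rather than 3 is chosen on purpose: both ask for a username and password, but 1 shows the prompt on the secure desktop, where other user-mode processes cannot draw over or read the credential dialog. The value is a machine policy, so users without administrator rights cannot change it back, and it takes effect at the next logon or reboot, as the post notes.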
1. Head into Endpoint Manager (Intune): https://endpoint.microsoft.com
2. Dive into “Devices”, choose “Scripts” and hit “+ Add”.
3. Give it a name and a description, then hit Next.
4. Upload the script (see the code block above; save it as a .ps1 file).
5. Leave all settings at “No”.
6. Assign it to “All devices”, hit Next and Add!
Now all your devices will get this deployed, and after the next reboot your users will need to provide both username and password to be able to install something that requires administrative rights.
After upgrading my machine from Windows 10 to Windows 11 (Insider) I stumbled onto an issue with BitLocker, which was no longer enabled on my machine.
I have compliance policies in Microsoft Endpoint Manager (Intune) which need BitLocker enabled to give the machines the “Compliant” stamp.
When trying to enable BitLocker we got the error message:
So a workaround to fix this is to delete some registry entries from this location:
In this post I want to go through the steps that I think are the quickest way to get started with Microsoft Endpoint Manager. This will not cover ALL the features, but it will give you a quick start to the service.
For instance, what should you start with?
To be honest, start with something easy that creates quick ROI (return on investment), and that could be more than just getting your money back; rather it could mean that your infrastructure is getting more secure.
So to start with something “easy”, let`s kick it off with mobile devices. Many companies do not have any mobile device management in place, and their cloud services are available for EVERYONE to attach to. So let`s start by demanding compliant devices and closing the door for others!
Requirements: Microsoft 365 E3 / E5, EMS E3 / E5 or Intune licenses
Devices: Android devices will work straight “out of the box” with Intune, but to be able to join iOS/iPadOS devices to Intune we need to generate and apply an “Apple MDM Push certificate”.
Let`s start with the certificate for Apple devices (this certificate is also needed for macOS devices). The only thing you need here is an Apple ID; then follow the guide from “Devices -> iOS enrollment -> Apple MDM Push Certificate”. When this is in place we can proceed.
When it`s created you have a valid certificate for the next 365 days. That means you need to remind yourself to renew the certificate every year! When the certificate expires your Intune services will stop working against Apple devices.
So what is a compliant device?
A compliant device is a device registered in Intune that has passed the compliance policy you have created.
The policy can contain several “settings” that must be enabled or set on your device for it to be marked as a “Compliant Device”. For iOS/iPadOS we have at the moment (04.04.2020) 17 settings we can check to validate the device, and for Android 19 settings (04.04.2020).
Here is a simple set of compliance policies for Android and iOS.
iOS/iPadOS Compliance
Navigate to “Devices -> iOS -> Compliance policies” and create a new policy. Give it a name, set some settings and click Create. In this policy I have just put on two settings, “Block jailbroken devices” and “Require password to unlock device”.
Hit Create and go to “Assignments”. In this menu we will assign the policy to all users, so that everyone who tries to enroll their device will get the policy (this is the same step for both iOS and Android).
Android Compliance
Navigate to “Devices -> Android -> Compliance policies” and create a new policy. Give it a name, set some settings and click Create. In this policy I have just put on two settings, “Block rooted devices” and “Require password to unlock device”.
And like the iOS policy we need to assign it to all users, so head into Assignments after creating the policy and assign it to all users.
Block devices that are not compliant
To block users from connecting with other devices we will use Conditional Access to block devices that are not enrolled in your organization. The policy is created from the Microsoft Endpoint Manager portal under “Endpoint security -> Conditional Access”. Create a new policy and name it “Require compliant devices”.
The policy looks like this and will of course not block the Intune enrollment portal 😊
Users and groups
Include all users and create exclusions for the users you want to exclude from the policy
Cloud Apps or actions
Include “All cloud apps”, then click on “Exclude” and search for “Microsoft Intune Enrollment”
Conditions
Device platforms, configure it and choose Android and iOS from the list.
Access controls
Grant access and choose “Require device to be marked as compliant”
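The four portal sections above map one-to-one onto the Conditional Access policy object in Microsoft Graph. As an added example (not from the original post), here is the same “Require compliant devices” policy created with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph modules are installed, looks up the enrollment app`s service principal by its display name instead of hard-coding an application ID (the page gives none), and creates the policy in report-only mode so you can review sign-in logs before it actually blocks anyone:

```powershell
# Added example (not the original post's code): build the "Require compliant devices"
# Conditional Access policy through Microsoft Graph instead of the portal.
# Assumptions: Microsoft.Graph modules are installed (Install-Module Microsoft.Graph),
# and the enrollment app is found by its service principal display name.

Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Applications

# Creating CA policies needs Policy.ReadWrite.ConditionalAccess (plus Policy.Read.All);
# Application.Read.All is needed to look up the enrollment service principal.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# "Cloud apps or actions": exclude Microsoft Intune Enrollment so devices can still enroll.
$enrollApp = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Intune Enrollment'"
if (-not $enrollApp) { throw "Service principal 'Microsoft Intune Enrollment' not found in this tenant." }

# "Users and groups": all users, minus the accounts you want excluded
# (constructed here as an empty list; fill in object IDs of e.g. emergency-access accounts).
$excludedUserIds = @()

$policy = @{
    displayName   = 'Require compliant devices'
    # Report-only first: the policy is evaluated and logged but nothing is blocked yet.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{
            includeUsers = @('All')
            excludeUsers = $excludedUserIds
        }
        applications = @{
            includeApplications = @('All')
            excludeApplications = @($enrollApp.AppId)
        }
        # "Conditions -> Device platforms": only Android and iOS are in scope.
        platforms    = @{
            includePlatforms = @('android', 'iOS')
        }
    }
    # "Access controls -> Grant": require a device marked compliant by Intune.
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created CA policy '$($created.DisplayName)' (id $($created.Id)) in state '$($created.State)'"
```

Once the report-only sign-in logs show only the expected users being affected, switch the policy on with Update-MgIdentityConditionalAccessPolicy and a state of 'enabled'. Keeping the enrollment app excluded is what lets a brand-new, not-yet-compliant device reach the Company Portal and enroll at all, which is the point the post makes with the 😊 above.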
Now you can enroll your first device. I`ll show it with an iPad here, but first you need to download the Company Portal to your iPad.
Then you start the application and sign in, and the enrollment of the device starts.
Sign-in
Set up device
Apply profile
Enrolled!
When that`s completed the device is registered in the Devices pane in Microsoft Endpoint Manager Admin Center and you`ll see the compliance status on it.
That`s it! Now you have a new requirement for all users: they need to enroll their (mobile) devices in Microsoft Endpoint Manager to gain access to cloud resources!
Many people wonder what Microsoft Endpoint Manager is and how to quickly gain value for their company by using it.
In this post I will give you some quick information on what it is, and later on create a how-to for getting started quickly with Microsoft Endpoint Manager!
So what is Microsoft Endpoint Manager?
Some people are saying “It`s the new name of Intune”, and that`s not what it is at all! Or rather, Intune is in there, but it`s so much more.
MS Endpoint Manager is a tool set which combines several solutions and gives you “one place to manage” several infrastructure services. To name them:
Microsoft Intune (of course :))
Microsoft Endpoint Configuration Manager (SCCM)
Windows Autopilot
Desktop Analytics
Microsoft Defender ATP
Azure Active Directory
By doing this Microsoft achieves a groundbreaking new management solution that gives us the ability to manage all major platforms, like Windows devices, Apple devices, Linux distros and Android devices.
So to be clear, Microsoft Intune or Microsoft Endpoint Configuration Manager (SCCM) will not be discontinued! They will both live their lives, but combined within Microsoft Endpoint Manager.
So what do you need to start using Microsoft Endpoint Manager?
You need to have either Intune licenses or SCCM licenses, and you also need to have Azure Active Directory Premium P1 to utilize Azure AD Conditional Access.
In the next blog post I will come up with a brief guide on how to get started using Microsoft Endpoint Manager and quickly gain usage of your EMS package!
So this is the third post in my blog post series “S for Security in EMS”, and I will try to cover some Microsoft Intune benefits and quick wins, meaning how to quickly get started with Intune and gain some benefits right away.
First, what is Microsoft Intune?
Microsoft Intune is a cloud-based mobile device manager, but this does not mean that MS Intune can only be used for cellular phones and tablets. All devices can be enrolled into Intune, and by requiring this of your users we can start protecting business data with other tool sets like Conditional Access, Information Protection and so on.
When users enroll their devices into Intune (that can be Windows, macOS, Android or iOS) the device goes through a “compliance policy” that you have configured to “measure” the device and stamp it as compliant or non-compliant based on evaluation against the compliance policy.
So why is Intune so important for the security part of the EMS suite? Well! When your device is added to Intune and has gone through the compliance policy marking it as a compliant device, we can use that status with, for example, Conditional Access to decide which services a user can access based on whether the device is compliant or not.
And last but not least, you have an inventory of devices that can access your enterprise data and applications! That`s a big value to have in your pocket! 🙂