Tuesday, 17 January 2017

PowerShell script - add and configure Intune Subscription

I've been deploying Microsoft Intune a lot recently. Adding and configuring the Intune subscription in the Configuration Manager console is very straightforward but can take be time-consuming. I've created a simple PowerShell script to automate this.

This script adds an Intune subscription to ConfigMgr Current Branch and configures the subscription to enable management of Android, iOS, Windows and Windows Phone devices.

The cmdlets in this script require a valid Intune subscription. They require Configuration Manager 1511 or later, although it is recommended to use 1606 or later. There are published workarounds for using the cmdlets in pre-1606 environments.

Instructions for use
  1. Download an APN certificate request from ConfigMgr and generate the APN certificate directly from Apple in advance of running this script. Save the Apple APN certificate to a local folder eg (E:\Sources\MDM\Apple\AppleCert.pem) https://identity.apple.com
  2. Save script to installation folder
  3. Install the System Center Configuration Manager Cmdlet Library (if you are already using PoSH with ConfigMgr you will have done this already) https://www.microsoft.com/en-us/download/details.aspx?id=46681
  4. Run PowerShell and browse to the installation folder (you may have to run PoSH as administrator as the first step is to set the execution policy to unrestricted)
  5. Run IntuneSubscriptionScript.ps1
  6. The script will prompt you to enter the following information:
  • Enter Site Server name
  • Enter Site Code
  • Enter Intune subscription username
  • Enter Intune subscription password
  • Enter Company Color Scheme (options: Blue, Magenta, Purple, Teal, Lime, Brown, Pink, Orange, Red or Green)
  • Enter your organization name
  • Enter valid contact email address
  • Enter contact name
  • Enter path to Apple APN certificate
  • Enter Apple APN certificate password - leave blank if no password

The script will create the hybrid Intune subscription with your required parameters.

It will then enable management for Android, iOS, Windows and Windows Phone platforms.

Android enabled.

iOS enabled.

Windows enrolled as MDM enabled.

Windows Phone enabled.
Note that the script does not have much error checking for now. I'll get to that when I have a chance.
Download from the TechNet gallery and try it.
Until next time....

Monday, 2 January 2017

Manage Windows Defender ATP with ConfigMgr or Intune

As a result of a customer request I was recently reading about Windows Defender Advanced Threat Protection (ATP). It is a really cool Microsoft cloud service that integrates with Windows 10 v1607 (Enterprise, Education and Professional versions) and allows organizations to detect, investigate and respond to advanced threats on their networks. The service uses telemetry data sent from the Windows 10 devices to a private and isolated cloud instance of Windows Defender ATP. This telemetry data is supplemented by advanced threat intelligence and is translated into detections and recommended responses.

This sounded great to me so I wanted to give it a go. I was very curious to find out how straightforward it would be to deploy the technology in an organization and how quickly and easily I could receive meaningful information and recommendations.

How do you get Windows Defender ATP?

A Windows 10 Enterprise E3 license includes advanced security features such as Device Guard, Credential Guard and Managed User Experience. A Windows 10 Enterprise E5 license includes all the features and functionality available in Windows 10 Enterprise E3 plus Windows Defender Advanced Threat Protection and advanced IT administration management.

OR you can do what I did for this blog post and apply for a trial. Sign up for a Windows Defender ATP trial here

Tip: There is no guarantee that you will be accepted for a trial. I was turned down once but was approved the second time. In my second application I was economical with the truth regarding the number of PCs in my company.

You will get an acknowledgment to tell you that your application will now be reviewed and that you will be contacted within 7 business days. In actual fact it will be more like 3 days.

You will then receive an email with log in details and endpoint onboarding instructions.

Welcome to the Windows Defender Security Center.

Endpoint onboarding

Select Endpoint Management > Endpoint Onboarding

There are five methods of onboarding available. Select the one you need and click "Download package".

Group Policy
Use this method if you have no device management tool.

The package contains an admx and adml file that are to be deployed to the endpoints. You will find full instructions here

SCCM 2012/2012R2/1511/1602
Use this method for SCCM versions earlier than 1606. Why are there two different deployment methods for SCCM? This is because Windows Defender ATP Policies are natively integrated with SCCM v1606 and later.

This download package contains a single script that you can deploy using the traditional package/program method - full instructions here

Microsoft Intune

This package contains a single .onboarding file. This is to be deployed using a Windows 10 custom configuration policy with the following OMA-URI settings:
  • Setting name: eg Windows Defender ATP Policy
  • Setting description: eg Windows Defender ATP Policy
  • Data type: Select String.
  • OMA-URI: ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding
  • Value: Copy and paste the contents of the WindowsDefenderATP.onboarding file you downloaded.
Local script
Use this option if want to onboard devices manually (for testing purpose perhaps).

The package contains a single script file that you can run manually (as administrator) on a Windows 10 device.

SCCM v1606
This is the option I am interested in for this blog post.

The package contains a single .onboarding file which we can deploy with SCCM.

First navigate to Administration > Cloud Services > Updates and Servicing > Features. Right click and Turn on Windows Defender Advanced Threat Protection. 

Restart the console and navigate to Assets and ComplianceEndpoint Protection. Windows Defender ATP Policies is new.

Right click to create a new policy.

Name the policy and choose onboarding.

Browse to the .onboarding file that you downloaded earlier. The Organization ID automatically populates.

Choose All files. The default is not to share any files.

Click Next to continue and create the policy.

The policy has been created and now can be deployed to a collection of Windows 10 1607 devices.

Troubleshooting endpoint onboarding

I manually ran Machine Policy retrieval on my test computer (I only had one) but nothing seemed to happen for about an hour. I wasn't sure how long it should take so I carried out some troubleshooting in the mean-time.

Deployment status:

All looked normal with the SCCM deployment.

Event log:

Applications and Services Logs > Microsoft > Windows > SENSE

No errors in event log. Actually there was evidence that the local Defender ATP service had successfully contacted the cloud service.

Telemetry and diagnostics service:

Service enabled and started.

Defender ATP Service:

Service started.

If your endpoints are running a third-party antimalware client, the Windows Defender ATP agent needs the Windows Defender Early Launch Antimalware (ELAM) driver to be enabled. You must ensure that it's not disabled in system policy. You can find full details of this here

So what now??

After about an hour of unnecessary troubleshooting and second-guessing I could see my endpoint onboarded and healthy.

Navigate to Monitoring > Security > Windows Defender ATP Status to see the health of your endpoints.

You can also see the status in the Windows Defender Security Center.

Now refer back to the welcome email. We are given instructions on how to run an attack simulation.

We are invited to open a safe looking MS Word document which could be delivered by email.

Once we enable macros an attacker's command shell opens on the computer.

The attacker can then run some innocent looking commands remotely.

Almost immediately the attack is detected in the Windows Defender Security Center (this was literally almost instantaneous).

Details of the attack and recommended actions are provided.

Note that we can configure email notifications for high severity alerts.

I have to say that I'm seriously impressed with how easy it was to get started with this service. It was very straightforward to onboard devices and the speed of threat detection was alarming.

Have a look at a recent Microsoft blog post describing a real life attack. It's quite impressive.

I hope this blog post was useful. Until next time.....