Showing posts with label Microsoft Endpoint Manager.

Saturday, 15 October 2022

Disabling screen rotation on Windows tablets with Intune

I had a recent requirement to disable screen rotation for Windows tablets. 

This is easy to do within Windows. There is a Display setting to turn on the Rotation lock. However, I had to automate this using Intune. There doesn't seem to be a Windows CSP for this so it's not possible to use a custom OMA-URI policy. 


However, this is something you can do by configuring the registry. If you navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation you'll see that the Enable value is set to 1. This needs to be changed to 0 to disable screen rotation. This is easy to configure with a PowerShell script:

New-ItemProperty -Path Registry::HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation -Name Enable -Value 0 -Force -PropertyType DWord

Once you have the script, upload it to Intune. Select Devices > Scripts > Add (Windows 10 and later). Choose the script location and configure the following:

  • Run this script using the logged on credentials - NO
  • Enforce script signature check - NO
  • Run script in 64 bit PowerShell Host - YES

Assign the script to a group of Windows tablets and screen rotation will be disabled.
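An idempotent version of that script, as an added example that is not the original post's code: it only writes when the value differs, reads the value back to confirm the change landed, and returns a non-zero exit code on failure so Intune reports the script run as failed. It assumes only the registry path and value name given above; the 64-bit host check reflects the "Run script in 64 bit PowerShell Host - YES" setting, since a 32-bit process writing to HKLM\SOFTWARE is redirected to WOW6432Node.

```powershell
# Added example (not the original post's script): idempotent AutoRotation change
# for an Intune PowerShell script running as SYSTEM. Assumes the registry path and
# value name shown in the post. Exit code 1 on any failure.

$Path   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation'
$Name   = 'Enable'
$Wanted = 0   # 0 = auto-rotation disabled (rotation lock on), 1 = auto-rotation enabled

try {
    # Intune should run this in the 64-bit host ("Run script in 64 bit PowerShell Host" = YES).
    # A 32-bit host would write to HKLM\SOFTWARE\WOW6432Node instead, which Windows ignores here.
    if (-not [Environment]::Is64BitProcess) {
        Write-Warning 'Running in a 32-bit PowerShell host; HKLM\SOFTWARE writes will be redirected.'
    }

    if (-not (Test-Path -Path $Path)) {
        # The key normally exists on tablets; create it if missing.
        New-Item -Path $Path -Force | Out-Null
    }

    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($current -eq $Wanted) {
        Write-Output "AutoRotation\$Name already $Wanted; nothing to do."
        exit 0
    }

    New-ItemProperty -Path $Path -Name $Name -Value $Wanted -PropertyType DWord -Force | Out-Null

    # Read back to confirm the write landed where we expect.
    $after = (Get-ItemProperty -Path $Path -Name $Name).$Name
    if ($after -ne $Wanted) { throw "Read-back returned '$after', expected $Wanted" }

    Write-Output "AutoRotation\$Name set from '$current' to $Wanted."
    exit 0
}
catch {
    Write-Error $_
    exit 1
}
```

Because the script is safe to run repeatedly, it can also be deployed as a remediation in a detect/remediate pair without any change to its logic.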

I hope this helps. Until next time......


Tuesday, 27 September 2022

Suppressing key mapping on Zebra tablet using Intune

I've been doing a lot of work with Zebra devices recently. In this blog post, I showed how to use Zebra StageNow to create an XML file which could be deployed by Intune. I used the same technique to solve this latest problem.

I've developed an Android Enterprise dedicated device solution to turn Zebra ET40 rugged tablets into kiosk devices running Chrome only. Everything was working correctly except for one minor detail. I could press the top left button on the device which displayed the settings menu for the device. That's not what you want on a kiosk.


The button is labelled number 3 in the graphic above. The Zebra documentation tells me that this is a programmable button (or a key that supports key mapping) called P1. I carried out a lot of testing and I discovered that pressing P1 on the ET40 defaults to the settings app. I needed to suppress this key mapping on P1.

I was able to do that by creating a StageNow Xpertmode profile.


I added the KeyMappingMgr CSP.


I selected the following settings and saved the profile:

  • Select the "Remap Key" button
  • "The key to modify": select "P1 button" from the drop down
  • "Key behaviour": Suppress Key

Then I exported the settings to XML.

<wap-provisioningdoc>
  <characteristic version="9.2" type="KeyMappingMgr">
    <parm name="Action" value="1" />
    <characteristic type="KeyMapping">
      <parm name="KeyIdentifier" value="P1" />
      <characteristic type="BaseTable">
        <parm name="BaseBehavior" value="5" />
      </characteristic>
    </characteristic>
  </characteristic>
</wap-provisioningdoc>


This XML file was then used to create an Intune configuration profile based on the Zebra OEMConfig app.


Select Configure > select the three dots next to Transaction Steps > and then select Add setting.
 

From the list of settings select Device Administration Configuration.


Under Device Administration Configuration only two settings are required.
  • Action = Submit XML
  • Submit XML = the .xml data we copied above. Paste it into this field.
Complete the wizard to create the device configuration profile and assign it to a group of your devices. Pressing the P1 button now has no effect and the kiosk is secure.

Until next time......

Sunday, 20 February 2022

Microsoft Defender Application Control and the unwanted reboot

I came across this issue again this week on a customer site. Windows 10 computers were being rebooted without warning. 

You’re about to be signed out 

Windows will shut down in 10 minutes

I narrowed this down to Microsoft Defender Application Control in Microsoft Endpoint Manager, "Application control code integrity policies" being set, even to Audit Only. 



This is created as a Windows 10 configuration profile, choosing the Endpoint Protection template, then selecting the Microsoft Defender Application Control.


If you use the tooltip and follow the "Learn more" link, you are directed to the AppLocker CSP page, so clearly that's what is in use here. 

According to the Microsoft docs, prior to Windows 10 version 1709, Windows Defender Application Control was known as configurable code integrity (CCI). Interestingly, this is the only AppLocker setting that causes a reboot. It's well documented on the AppLocker CSP page. 

"The AppLocker CSP will schedule a reboot when a policy is applied or a deletion occurs using the AppLocker/ApplicationLaunchRestrictions/Grouping/CodeIntegrity/Policy URI".

I can verify that the reboot occurs when you apply the policy but also when you remove it.

Some of my colleagues have suggested ways to avoid the reboot. 
  • Peter van der Woude talks about creating a custom code integrity policy using OMA-URI and the Application Control CSP.
  • Rudy Ooms talks about the WDAC wizard.
  • You can read about creating a new base policy in the official docs using the WDAC wizard. 
This reboot is not a problem when you configure the same setting with ConfigMgr.


In ConfigMgr, the WDAC wizard allows us to de-select the check box to enforce the required reboot.

I hope this helps.

Until next time.......

Thursday, 17 June 2021

Migrating to a Microsoft Defender solution

This is becoming very popular and many of my customers have recently made the switch. It seems like a no-brainer, especially if you have purchased Microsoft 365 E5 licenses. 

This information should help you to plan and implement a migration from another endpoint protection solution.

Is Microsoft Defender Antivirus free?

It is, kind of. Microsoft Defender Antivirus is a core component of Windows 10. It's built into the operating system and is included in the cost of Windows. This is often good enough for a home user but certainly not for an enterprise organization. Defender AV needs to be managed and you must license the management tools. Microsoft Endpoint Manager (SCCM or Intune) is the favourite here.

What is Defender for Endpoint?

I've found that this is the most confusing part for customers. Defender for Endpoint (DfE), formerly Defender Advanced Threat Protection (ATP), is not Defender Antivirus. It's an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. Data from Defender Antivirus can be consumed and used by DfE by onboarding devices independently to the service. You can currently access DfE (until 6th July 2021) using the Microsoft Defender Security Center at https://securitycenter.windows.com/ (see next question).

What is Microsoft 365 Defender?

This is an integrated solution including the following:

  • Microsoft Defender for Endpoint
  • Microsoft Defender for Office 365
  • Microsoft Defender for Identity
  • Microsoft Cloud App Security

You can access the M365 Defender portal at https://security.microsoft.com/

The Microsoft Defender Security Center standalone portal will no longer be available from 6th July 2021. 

What license do I need for Defender for Endpoint for my workstations/laptops?

Microsoft Defender for Endpoint requires one of the following Microsoft volume licensing offers:

  • Windows 10 Enterprise E5
  • Windows 10 Education A5
  • Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5
  • Microsoft 365 A5 (M365 A5)
  • Microsoft 365 E5 Security
  • Microsoft 365 A5 Security
  • Microsoft Defender for Endpoint (this is a standalone offering where you don't have any of the above subscriptions)
These are user based. Eligible licensed users may use Microsoft Defender for Endpoint on up to five concurrent devices. 

I have Microsoft 365 E5 licenses for all my users. Does this cover servers?

No, in this case you will need Microsoft Defender for Endpoint for Server (one per covered server). This is also covered with "Azure Security Center with Azure Defender enabled".

Can I just purchase Microsoft Defender for Endpoint for Server only?

No. Customers may acquire server licenses (one per covered server Operating System Environment (OSE)) for Microsoft Defender for Endpoint for Servers if they have a combined minimum of 50 licenses for one or more of the following user licenses:

  • Microsoft Defender for Endpoint
  • Windows E5/A5
  • Microsoft 365 E5/A5
  • Microsoft 365 E5/A5 Security
What else should I consider when migrating to a Microsoft Defender solution?

It's possible that this migration is not as simple as just switching to a new antivirus solution. There are a number of considerations.
  • Will you also be using Defender for Endpoint? This is recommended.
  • How will you manage Defender antivirus settings? It is recommended to use SCCM or Intune antimalware policies.
  • Note that Intune does not manage servers so you need to consider that.
  • Is your current solution providing more than antivirus functionality, which you must replace before decommissioning? Windows Firewall configuration is common, for example.
Can Microsoft Defender Antivirus and non-Microsoft antivirus/antimalware solutions co-exist?

Microsoft Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. But what happens when another (non-Microsoft) antivirus/antimalware solution is used? It depends on whether you're using Microsoft Defender for Endpoint together with your antivirus protection. 
  • In active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. Management products will apply. Files are scanned and threats remediated, and detection information is reported in your configuration tool.
  • In passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are not remediated by Microsoft Defender Antivirus. Files are scanned and reports are provided for threat detections that are shared with the Microsoft Defender for Endpoint service. 
  • When EDR in block mode is turned on (in Microsoft Defender for Endpoint) and Microsoft Defender Antivirus is not the primary antivirus solution, it will detect and remediate malicious items. EDR in block mode requires Microsoft Defender Antivirus to be enabled in either active mode or passive mode.
  • When disabled, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated. Disabling/uninstalling Microsoft Defender Antivirus is not recommended in general; if possible, keep Microsoft Defender Antivirus in passive mode if you are using a non-Microsoft antimalware/antivirus solution.
  • If you are enrolled in Microsoft Defender for Endpoint and you are using a third-party antimalware product, then passive mode is enabled. The service requires common information sharing from Microsoft Defender Antivirus service in order to properly monitor your devices and network for intrusion attempts and attacks. 
  • When Microsoft Defender Antivirus is in passive mode, you can still manage updates for Microsoft Defender Antivirus; however, you can't move Microsoft Defender Antivirus into active mode if your devices have an up-to-date, non-Microsoft antivirus product that is providing real-time protection from malware. 
  • When Microsoft Defender Antivirus is disabled automatically, it can be re-enabled automatically if the protection offered by a non-Microsoft antivirus product expires or otherwise stops providing real-time protection from viruses, malware, or other threats. 
The following table summarizes what happens with Microsoft Defender Antivirus when non-Microsoft antivirus/antimalware solutions are used together, with or without Microsoft Defender for Endpoint.


Notes:

1. On Windows Server, version 1803 or newer, or Windows Server 2019, Microsoft Defender Antivirus does not enter passive mode automatically when you install a non-Microsoft antivirus product. You can set Microsoft Defender Antivirus to passive mode by setting the following registry value:

Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
Name: ForceDefenderPassiveMode
Type: REG_DWORD
Value: 1

2. Passive mode is not supported on Windows Server 2016. If you are using a non-Microsoft antivirus product, you cannot run Microsoft Defender Antivirus in either passive mode or active mode. In such cases, disable/uninstall Microsoft Defender Antivirus manually.
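The two notes above, as an added example that is not from the original post: a function that sets the ForceDefenderPassiveMode value from note 1 and refuses to do so on a Windows Server 2016 build (note 2), followed by a read-out of the mode Defender Antivirus actually reports. The registry path and value come from the post; the server build numbers used for the version check (14393 for Server 2016, 17134 for Server version 1803) are assumptions and the AMRunningMode property is read from the Defender PowerShell module's Get-MpComputerStatus.

```powershell
# Added example (not from the original post): put Microsoft Defender Antivirus on a
# Windows Server into passive mode using the registry value from note 1, refusing on
# Windows Server 2016 (note 2), then confirm the running mode with Get-MpComputerStatus.

function Set-DefenderPassiveMode {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber

    # Assumed build numbers: Server 2016 = 14393, Server version 1803 = 17134.
    # ProductType 1 = workstation, 2 = domain controller, 3 = member server.
    if ($os.ProductType -ne 1 -and $build -lt 17134) {
        throw "Passive mode is not supported on this server build ($build); disable or uninstall Defender AV instead."
    }

    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
    if (-not (Test-Path -Path $path)) { New-Item -Path $path -Force | Out-Null }

    if ($PSCmdlet.ShouldProcess($path, 'Set ForceDefenderPassiveMode = 1')) {
        New-ItemProperty -Path $path -Name 'ForceDefenderPassiveMode' -Value 1 `
            -PropertyType DWord -Force | Out-Null
    }
}

function Get-DefenderRunningMode {
    # AMRunningMode reports e.g. 'Normal', 'Passive Mode', 'EDR Block Mode' or
    # 'Not running'. The reported mode can lag the registry change until the
    # Defender service re-evaluates it.
    $status = Get-MpComputerStatus -ErrorAction Stop
    [pscustomobject]@{
        RunningMode     = $status.AMRunningMode
        RealTimeEnabled = $status.RealTimeProtectionEnabled
        SignatureAgeDays = $status.AntivirusSignatureAge
    }
}

Set-DefenderPassiveMode -Verbose
Get-DefenderRunningMode
```

Run it with -WhatIf first on a server that hosts a third-party product to see the registry write it would make, then without it; the second function is the check that tells you the migration step "Confirm that Microsoft Defender Antivirus is in passive mode" has actually completed.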

How can Defender antivirus be configured and managed?

Microsoft Endpoint Manager (SCCM or Intune) is my tool of choice for managing these settings. Let's have a look at SCCM first.
  • The Endpoint Protection Point is a site system role that must be added.
  • Afterwards, we can see Endpoint Protection status under Monitoring > Security.
  • Create antimalware policies and deploy to device collections. This includes items like scheduled scans, scan settings, real-time protection and antivirus exclusions.
  • Use Automatic Deployment Rules (ADR) to download and install updated Defender antivirus definition files, now called "security intelligence updates".
You can also use Intune to manage the Defender antivirus settings on workstations.
  • You can find the antivirus policies under Manage in the Endpoint security node of the Microsoft Endpoint Manager admin center.
  • Antivirus policies include the same settings as endpoint protection or device restriction profiles for device configuration policy and are similar to settings from device compliance policy. However, those policy types include additional categories of settings that are unrelated to Antivirus. The additional settings can complicate the task of configuring antivirus.
  • Policies contain the same type of settings that we can configure using SCCM.
  • Policies are assigned to device groups.
How do I onboard devices to Defender for Endpoint?

Onboarding a client to Microsoft Defender for Endpoint will enable Endpoint Detection and Response, Threat and Vulnerability Management and many other SecOps related functionalities. Once onboarded, the endpoint will appear in the Microsoft 365 Defender portal and advanced security events and insights will become available.

There is a straightforward Microsoft Defender for Endpoint onboarding experience, for any client supported by Microsoft Endpoint Manager, whether it is SCCM, Intune, or co-managed.

For SCCM, we will need an onboarding XML file. This is generated in the M365 Defender portal.
  • Navigate to Settings > Endpoints > Device management > Onboarding.
  • Choose your operating system and deployment method and generate a download package.
  • In SCCM, navigate to Asset and Compliance > Endpoint Protection > Microsoft Defender ATP Policies and create a new policy. 
  • Choose an Onboarding policy and navigate to the configuration file.
  • Deploy to a collection of devices.
The configuration is more integrated for Intune. The first step you take is to set up the service-to-service connection between Intune and Microsoft Defender for Endpoint. 
  • Set up requires administrative access to both the Microsoft Defender Security Center, and to Intune.
  • In the MEM portal, select Endpoint security > Microsoft Defender for Endpoint, and then select Open the Microsoft Defender Security Center.
  • In Microsoft Defender Security Center, select Settings > Advanced features.
  • For Microsoft Intune connection, choose On.
  • Return to Microsoft Defender for Endpoint in the Microsoft Endpoint Manager admin center.
  • Under MDM Compliance Policy Settings, set Connect Windows devices to Microsoft Defender for Endpoint to On.
  • When these configurations are On, applicable devices that you currently manage with Intune, and devices you enroll in the future, are connected to Microsoft Defender for Endpoint for compliance.
  • Finally create an Endpoint Detection and response profile. In the MEM portal, select Endpoint security > Endpoint detection and response.
  • Create a policy as shown.
  • Assign to a group.
What is Microsoft Defender Security Center app?

This is the UI on the client and can be accessed by clicking on the Defender shield icon on the system tray. 


The layout can be customized by using an Endpoint Protection configuration profile in Intune. See where I've blocked the Family Options section.


This is the Microsoft Defender Security Center app without Family Options.

Where does OneDrive fit into all this?

It's a good idea to configure OneDrive in advance for your users by using a GPO. 


If you don't, you will end up with this warning when Defender is enabled and active. OneDrive is required for file recovery in case of a ransomware attack. The user can continue to set up OneDrive or dismiss the warning, but that's not the best approach.

What advanced features should be configured?

Microsoft Defender has a wide range of options available for configuration using MEM (SCCM or Intune). You should consider configuring all of the following:
Can I customize the Defender Security Center app for my organization?

Yes, you can. You can add details of your organization and support to the Defender Security Center app to assist your end users. Using an Intune Endpoint Protection configuration profile, navigate to the Microsoft Defender Security Center section. 


You can enter the organization name and support telephone number, email address and website URL. I've just entered the organization name and website URL here.


This is what it looks like in the Defender Security Center app. You can see a new button on the bottom right.


Click on the button and you'll see the details you have configured.


This configures the registry as shown:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Enterprise Customization

What are the high-level steps for a migration?

Microsoft provides good guidance to switch from non-Microsoft endpoint protection to Microsoft Defender for Endpoint.


The high-level steps are as follows (this example uses McAfee): 
  • Prepare phase
    • Get and deploy updates across your organization's devices
    • Get Defender for Endpoint.
    • Grant access to the Microsoft Defender Security Center.
    • Configure device proxy and internet connectivity settings.
  • Setup phase 
    • Reinstall or enable Microsoft Defender Antivirus on your endpoints.
    • Configure Defender for Endpoint.
    • Add Microsoft Defender for Endpoint to the exclusion list for McAfee.
    • Add McAfee to the exclusion list for Microsoft Defender Antivirus.
    • Set up your device groups, device collections, and organizational units.
    • Configure antimalware policies and real-time protection.
  • Phase 3 
    • Onboard devices to Microsoft Defender for Endpoint.
    • Run a detection test.
    • Confirm that Microsoft Defender Antivirus is in passive mode.
    • Get updates for Microsoft Defender Antivirus.
    • Uninstall McAfee.
    • Make sure Defender for Endpoint is working correctly.
How do I test Defender functionality?

In the Defender Security Center app we can see at a glance that our policies have been applied.


Also, Microsoft provide assistance to allow us to test demo scenarios. They provide sample files which are harmless and for demonstration purposes only.



The demo scenarios (each shown in a screenshot in the original post) cover:

  • Cloud-delivered protection
  • Network protection
  • Controlled folder access
  • URL reputation
I hope this helps. Until next time.......








Sunday, 2 May 2021

Locating a Windows 10 device with Microsoft Endpoint Manager

This is my favourite new feature in the 2104 service release of Microsoft Endpoint Manager (formerly Microsoft Intune). We have been able to do this with iOS devices for quite some time. I remember Peter Daalmans and I demonstrating the feature at MMS in 2019. Now we can locate Windows 10 devices in the console.

There are two prerequisites before you can use this feature with Windows 10 devices.

Location Services

First you must turn on Location Services on your devices.

You can create a custom configuration policy to do this using the following OMA-URI:

./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessLocation


Configure an integer with value of 1 to forcibly turn on location services.


You could also create a configuration profile using the Settings catalog. In the Privacy category, choose Let Apps Access Location.


Location services are turned on. This is what it looks like on a test client.

Minimum operating system version

This feature is only supported on the following Windows 10 versions:
  • Windows 10 version 20H2 (10.0.19042.789) or later
  • Windows 10 version 2004 (10.0.19041.789) or later
  • Windows 10 version 1909 (10.0.18363.1350) or later
  • Windows 10 version 1809 (10.0.17763.1728) or later
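A check for both prerequisites on a client, as an added example that is not from the original post: it compares the installed build against the minimum versions listed above and confirms the location policy is forced on. The minimum builds are taken from the list; the registry location of the LetAppsAccessLocation policy (the AppPrivacy policy key) and the treatment of builds newer than 20H2 as "or later" are assumptions.

```powershell
# Added example (not from the original post): verify the two "Locate device"
# prerequisites on a Windows 10 client. Minimum builds come from the post; the
# AppPrivacy policy path for LetAppsAccessLocation is an assumption.

# Minimum version per supported build, keyed on the build number (third part).
$script:MinimumBuilds = @{
    19042 = [version]'10.0.19042.789'    # 20H2
    19041 = [version]'10.0.19041.789'    # 2004
    18363 = [version]'10.0.18363.1350'   # 1909
    17763 = [version]'10.0.17763.1728'   # 1809
}

function Test-LocateDeviceOsVersion {
    param([Parameter(Mandatory)][version]$OsVersion)

    $build = $OsVersion.Build
    if ($script:MinimumBuilds.ContainsKey($build)) {
        # Same feature update: the UBR (fourth part) must meet the listed minimum.
        return ($OsVersion -ge $script:MinimumBuilds[$build])
    }
    # Builds newer than 20H2 are treated as "or later" (assumption);
    # anything older than 1809 is unsupported.
    return ($build -gt 19042)
}

function Get-CurrentOsVersion {
    # The UBR lives in the registry; [Environment]::OSVersion does not include it.
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [version]"$($cv.CurrentMajorVersionNumber).$($cv.CurrentMinorVersionNumber).$($cv.CurrentBuildNumber).$($cv.UBR)"
}

function Test-LocationPolicy {
    # Assumed policy path for Privacy/LetAppsAccessLocation; value 1 = force allow.
    $p = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy'
    $v = (Get-ItemProperty -Path $p -Name LetAppsAccessLocation -ErrorAction SilentlyContinue).LetAppsAccessLocation
    return ($v -eq 1)
}

# The post's own test client, 10.0.18363.418, fails the 1909 minimum of 10.0.18363.1350.
Test-LocateDeviceOsVersion -OsVersion '10.0.18363.418'

# Full check for the machine this runs on.
$current = Get-CurrentOsVersion
[pscustomobject]@{
    OsVersion          = $current
    OsVersionSupported = Test-LocateDeviceOsVersion -OsVersion $current
    LocationForcedOn   = Test-LocationPolicy
}
```

If OsVersionSupported is false the Locate device action will stay greyed out in the console, which is exactly the symptom described below; if LocationForcedOn is false, check that the custom policy or Settings catalog profile has actually applied to the device.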
How to locate a Windows 10 device

In the MEM console, select Devices > Windows devices. Click on the device you want to locate. Click on the three dots on the Overview page.


This is my test client. Locate device seems to be greyed out. What could be wrong?


Ah, I see why. It's an unsupported Windows 10 version. This device is 10.0.18363.418 but must be a minimum of 10.0.18363.1350.


I updated the device.


Now the Locate device feature is available. Click Locate device.


You are presented with a warning about local laws and regulations around location data. Essentially there are privacy concerns. You're told that Intune will only retain the location data for 24 hours. 


A Bing map opens with the status "Locate device pending".


Within a minute my test device was located and its location was displayed. This is the Road view.


Click on the drop down arrow in the top right corner to choose the Aerial view. There is also a Bird's eye view but that wasn't available to me.


You can use the + and - buttons to zoom in and out.


This is a great view of the device location. I can see that the street names appear in the Irish language as well as English. I'm not sure where that setting comes from. Also, the location of the device is in the right area but it isn't 100% accurate. You can read more about location services here.


Back in the console you will see the status change to Locate device: Completed.

On the device the user is notified that the location of the device has been accessed by the organization. That is crucial for transparency.

I hope this blog post has been useful. Until next time.......