PowerShell – Microsoft Security Vulnerabilities with CVE ID and details as a monthly report for Windows 10\11 or Windows Server OS

27 Mar

Microsoft Security Response Center (MSRC) publishes a monthly consolidated report for all the Critical, Important, Moderate and Low security vulnerabilities affecting Microsoft products. The information posted there helps organizations manage security risks and keep their systems protected.

https://msrc.microsoft.com/update-guide

The monthly release notes provide https://msrc.microsoft.com/update-guide/releaseNote/2023-Mar lot of additional information for all affected products.

Requirements (What are we trying to solve?)

Looking at the overall release notes for all the affected products (30+ products) and filtering the OS you are interested in can become overwhelming. E.g. You are only interested in products Operating Systems – Windows 11 22h2 or Windows Server 2016/2019/2022. Not saying other information is not essential, but imagine you are only responsible for the Operating Sytems. In such situations, you can use the below script to get a monthly report of CVE (Critical & Important) for a particular OS over to you in an email.

Prerequsites

You will need the MSRCSecurity PowerShell module. Run the command to install the module; further, you can import the module within the script.

#Install Module
Install-Module MSRCSecurityUpdates -Force

#Import Module
Import-Module MSRCSecurityUpdates

Following are the Operating System (OS) products you can fetch the information against. If you want details for any other operating systems, copy that value and, in my script, paste it under the variable $ClientOS_Type. In my demonstration, we used “Windows 11 Version 22H2 for x64-based Systems”

$ID = Get-MsrcCvrfDocument -ID $Month

$ID.ProductTree.FullProductName

ProductID Value                                                                                 
--------- -----                                                                                 
10049     Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
10051     Windows Server 2008 R2 for x64-based Systems Service Pack 1                           
10287     Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)      
10378     Windows Server 2012                                                                   
10379     Windows Server 2012 (Server Core installation)                                        
10407     Microsoft Outlook 2013 RT Service Pack 1                                              
10483     Windows Server 2012 R2                                                                
10543     Windows Server 2012 R2 (Server Core installation)                                     
10601     Microsoft Office 2013 Service Pack 1 (32-bit editions)                                
10602     Microsoft Office 2013 Service Pack 1 (64-bit editions)                                
10603     Microsoft Office 2013 RT Service Pack 1                                               
10611     Microsoft Office Web Apps Server 2013 Service Pack 1                                  
10612     Microsoft SharePoint Foundation 2013 Service Pack 1                                   
10654     Microsoft Excel 2013 Service Pack 1 (32-bit editions)                                 
10655     Microsoft Excel 2013 Service Pack 1 (64-bit editions)                                 
10656     Microsoft Excel 2013 RT Service Pack 1                                                
10729     Windows 10 for 32-bit Systems                                                         
10735     Windows 10 for x64-based Systems                                                      
10739     Microsoft Excel 2016 (32-bit edition)                                                 
10740     Microsoft Excel 2016 (64-bit edition)                                                 
10753     Microsoft Office 2016 (32-bit edition)                                                
10754     Microsoft Office 2016 (64-bit edition)                                                
10765     Microsoft Outlook 2016 (32-bit edition)                                               
10766     Microsoft Outlook 2016 (64-bit edition)                                               
10810     Microsoft Outlook 2013 Service Pack 1 (32-bit editions)                               
10811     Microsoft Outlook 2013 Service Pack 1 (64-bit editions)                               
10816     Windows Server 2016                                                                   
10852     Windows 10 Version 1607 for 32-bit Systems                                            
10853     Windows 10 Version 1607 for x64-based Systems                                         
10855     Windows Server 2016 (Server Core installation)                                        
10950     Microsoft SharePoint Enterprise Server 2016                                           
11099     Microsoft SharePoint Enterprise Server 2013 Service Pack 1                            
11568     Windows 10 Version 1809 for 32-bit Systems                                            
11569     Windows 10 Version 1809 for x64-based Systems                                         
11570     Windows 10 Version 1809 for ARM64-based Systems                                       
11571     Windows Server 2019                                                                   
11572     Windows Server 2019 (Server Core installation)                                        
11573     Microsoft Office 2019 for 32-bit editions                                             
11574     Microsoft Office 2019 for 64-bit editions                                             
11575     Microsoft Office 2019 for Mac                                                         
11585     Microsoft SharePoint Server 2019                                                      
11600     Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)                      
11605     Microsoft Office Online Server                                                        
11655     Microsoft Edge (Chromium-based)                                                       
11664     Microsoft Dynamics 365 (on-premises) version 9.0                                      
11726     OneDrive for Android                                                                  
11762     Microsoft 365 Apps for Enterprise for 32-bit Systems                                  
11763     Microsoft 365 Apps for Enterprise for 64-bit Systems                                  
11800     Windows 10 Version 20H2 for x64-based Systems                                         
11801     Windows 10 Version 20H2 for 32-bit Systems                                            
11802     Windows 10 Version 20H2 for ARM64-based Systems                                       
11902     Microsoft Malware Protection Engine                                                   
11921     Microsoft Dynamics 365 (on-premises) version 9.1                                      
11923     Windows Server 2022                                                                   
11924     Windows Server 2022 (Server Core installation)                                        
11926     Windows 11 version 21H2 for x64-based Systems                                         
11927     Windows 11 version 21H2 for ARM64-based Systems                                       
11929     Windows 10 Version 21H2 for 32-bit Systems                                            
11930     Windows 10 Version 21H2 for ARM64-based Systems                                       
11931     Windows 10 Version 21H2 for x64-based Systems                                         
11935     Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10)                    
11951     Microsoft Office LTSC for Mac 2021                                                    
11952     Microsoft Office LTSC 2021 for 64-bit editions                                        
11953     Microsoft Office LTSC 2021 for 32-bit editions                                        
11961     Microsoft SharePoint Server Subscription Edition                                      
11969     Microsoft Visual Studio 2022 version 17.0                                             
11987     Azure HDInsights                                                                      
12051     Microsoft Visual Studio 2022 version 17.2                                             
12085     Windows 11 Version 22H2 for ARM64-based Systems                                       
12086     Windows 11 Version 22H2 for x64-based Systems                                         
12097     Windows 10 Version 22H2 for x64-based Systems                                         
12098     Windows 10 Version 22H2 for ARM64-based Systems                                       
12099     Windows 10 Version 22H2 for 32-bit Systems                                            
12129     Microsoft Visual Studio 2022 version 17.4                                             
12137     CBL Mariner 1.0 x64                                                                   
12138     CBL Mariner 1.0 ARM                                                                   
12139     CBL Mariner 2.0 x64                                                                   
12140     CBL Mariner 2.0 ARM                                                                   
12142     Microsoft Edge (Chromium-based) Extended Stable                                       
12155     Microsoft Office for Android                                                          
12156     Microsoft Office for Universal                                                        
12167     Microsoft Visual Studio 2022 version 17.5                                             
12169     OneDrive for MacOS Installer                                                          
12170     OneDrive for iOS                                                                      
12171     Azure Service Fabric 9.1 for Windows                                                  
12172     Azure Service Fabric 9.1 for Ubuntu                                                   
12173     Snipping Tool                                                                         
12174     Snip & Sketch for Windows 10                                                          
9312      Windows Server 2008 for 32-bit Systems Service Pack 2                                 
9318      Windows Server 2008 for x64-based Systems Service Pack 2                              
9344      Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)

Variable Region

Delcare all the variable within this section. Lets take a look at what we are declaring within the script:

  • The MSRC website releases the montly report in the following yyyy-MM format
#Month Format for MSRC
$Month = Get-Date -Format 'yyyy-MMM'
  • The operating system we want to focus on and leave the rest. If you are interested in any other OS, change the value from the above prerequisites, and it will give you Critical/Import vulnerabilities for that OS or product.
# Enter the Operating System you specifically want to focus on
$ClientOS_Type = "Windows 11 Version 22H2 for x64-based Systems"
  • Enter the details for sending the email (subject line, to and from etc.) for the report
#Email Details
$Recipients = "askaresh@askaresh.com", "someone@askaresh.com"
$Sender = "cve-report@askaresh.com"
$SMTP_Server = "smtp.askaresh.com"
$Subject = 'CVE List for Windows 11 22H2 on '+$Month
  • HTML report formatting (CSS, Title of the report, Logo and Header) information
$Css="<style>
body {
    font-family: cursive;
    font-size: 14px;
    color: #000000;
    background: #FEFEFE;
}
#title{
    color:#000000;
    font-size: 30px;
    font-weight: bold;
    height: 50px;
    margin-left: 0px;
    padding-top: 10px;
}

#subtitle{
    font-size: 16px;
    margin-left:0px;
    padding-bottom: 10px;
}

table{
    width:100%;
    border-collapse:collapse;
}
table td, table th {
    border:1px solid #000000;
    padding:3px 7px 2px 7px;
}
table th {
    text-align:center;
    padding-top:5px;
    padding-bottom:4px;
    background-color:#000000;
    color:#fff;
}
table tr.alt td {
    color:#000;
    background-color:#EAF2D3;
}
tr.critical {
    color: white;
    background-color: red;
}
</style>"
$Title = "<span style='font-weight:bold;font-size:24pt'>CVE List for Windows 11 22H2 on " + $Month + "</span>"
$Logo = "<img src='C:\Scripts\WinSvr\askareshlogo.png' alt='Logo' height='100' width='100'>"
$Header = "<div id='banner'>$Logo</div>`n" +
          "<div id='title'>$Title</div>`n" +
          "<div id='subtitle'>Report generated: $(Get-Date)</div>"

Execution block

Execution code block within this section. Lets take a look at what we are we executing within the script:

  • We are quering the MSRC using the powershell module and getting all the vulnerablity only for my OS – Windows 11 22H2
  • I am filtering only Critical/Important as I am not interested in Moderate and Low
  • Add additional tables for Base and Temporal scores
  • Adding the HTML formatting to highlight the Critical vulnerabilities in RED
#Main Script Logic
$ID = Get-MsrcCvrfDocument -ID $Month
$ProductName = Get-MsrcCvrfAffectedSoftware -Vulnerability $id.Vulnerability -ProductTree $id.ProductTree | Where-Object { $_.Severity -in 'Critical', 'Important' -and $_.FullProductName -like $Server_Type }

$Report = $ProductName | Select CVE, FullProductName, Severity, Impact, @{Name='KBArticle'; Expression={($_.KBArticle.ID | Select-Object -Unique) -join ', '}}, @{Name='BaseScore'; Expression={$_.CvssScoreSet.Base}}, @{Name='TemporalScore'; Expression={$_.CvssScoreSet.Temporal}}, @{Name='Vector'; Expression={$_.CvssScoreSet.Vector}} | ConvertTo-Html -PreContent $Css -PostContent "</table><br>" -As Table -Fragment | ForEach-Object {
    if($_ -match "<td.*?Critical.*?>") {
        $_ -replace "<tr>", "<tr class='critical'>"
    }
    else {
        $_
    }
}

Final Script

Here I will paste the entire script block for seamless execution in a single run. Following is the link to my GitHub for this script – https://github.com/askaresh/avdwin365mem/blob/main/Win11VulnMSRCReport

### Install the module
#Install-Module MSRCSecurityUpdates -Force

### Load the module
Import-Module -Name MsrcSecurityUpdates

#Email Details
$Recipients = "askaresh@askaresh.com", "someone@askaresh.com"
$Sender = "cve-report@askaresh.com"
$SMTP_Server = "smtp.askaresh.com"
$Subject = 'CVE List for Windows 11 22H2 on '+$Month

#Month Format for MSRC
$Month = Get-Date -Format 'yyyy-MMM'

# Enter the Operating System you specifically want to focus on
$ClientOS_Type = "Windows 11 Version 22H2 for x64-based Systems"

# Environment Variables
$Css="<style>
body {
    font-family: cursive;
    font-size: 14px;
    color: #000000;
    background: #FEFEFE;
}
#title{
    color:#000000;
    font-size: 30px;
    font-weight: bold;
    height: 50px;
    margin-left: 0px;
    padding-top: 10px;
}

#subtitle{
    font-size: 16px;
    margin-left:0px;
    padding-bottom: 10px;
}

table{
    width:100%;
    border-collapse:collapse;
}
table td, table th {
    border:1px solid #000000;
    padding:3px 7px 2px 7px;
}
table th {
    text-align:center;
    padding-top:5px;
    padding-bottom:4px;
    background-color:#000000;
    color:#fff;
}
table tr.alt td {
    color:#000;
    background-color:#EAF2D3;
}
tr.critical {
    color: white;
    background-color: red;
}
</style>"
$Title = "<span style='font-weight:bold;font-size:24pt'>CVE List for Windows 11 22H2 on " + $Month + "</span>"
$Logo = "<img src='C:\Scripts\WinSvr\askareshlogo.png' alt='Logo' height='100' width='100'>"
$Header = "<div id='banner'>$Logo</div>`n" +
          "<div id='title'>$Title</div>`n" +
          "<div id='subtitle'>Report generated: $(Get-Date)</div>"


#Main Script Logic
$ID = Get-MsrcCvrfDocument -ID $Month
$ProductName = Get-MsrcCvrfAffectedSoftware -Vulnerability $id.Vulnerability -ProductTree $id.ProductTree | Where-Object { $_.Severity -in 'Critical', 'Important' -and ($_.FullProductName -match $ClientOS_Type) }


$Report = $ProductName | Select CVE, FullProductName, Severity, Impact, @{Name='KBArticle'; Expression={($_.KBArticle.ID | Select-Object -Unique) -join ', '}}, @{Name='BaseScore'; Expression={$_.CvssScoreSet.Base}}, @{Name='TemporalScore'; Expression={$_.CvssScoreSet.Temporal}}, @{Name='Vector'; Expression={$_.CvssScoreSet.Vector}} | ConvertTo-Html -PreContent $Css -PostContent "</table><br>" -As Table -Fragment | ForEach-Object {
    if($_ -match "<td.*?Critical.*?>") {
        $_ -replace "<tr>", "<tr class='critical'>"
    }
    else {
        $_
    }
}

#Send Email
Send-MailMessage -To $recipients -From $Sender -Subject $Subject -Body "$Header $Report" -SmtpServer $SMTP_Server -BodyAsHtml

I recommend you create a schedule task for running this report on every 2nd Tuesday of the month.

Report

After you finish running the script, you will receive an email which should be like the following:

Useful LinksCredits
Security Update Guide – https://msrc.microsoft.com/update-guideMicrosoft
Release Notes for Security Updates – https://msrc.microsoft.com/update-guide/releaseNote/2023-Mar (Simply replace the last three letter of the Month for previous reports)Microsoft
Original Script and Credits of this work – How to Get Latest CVE from MSRC with PowerShell – AventisTechAventis Technologies

I hope you will find this helpful information to gather Microsoft Security vulnerability reports for a specific operating system using PowerShell. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: , , , , ,

Windows 365 Cloud PC – Alert Monitoring – Get your alerts in a Microsoft Teams Channel using Azure Logic Apps

23 Mar

If you’re managing Windows 365 Cloud PCs, keeping track of alerts can be a daunting task. Fortunately, Azure Logic Apps can help automate this process by sending alerts directly to your Microsoft Teams channel. In this blog post, we’ll explore how to set up this integration, so you can stay on top of your Windows 365 environment without constantly checking the portal or notifications within the Intune portal.

Note – Within the Microsoft Intune admin center portal you can already send notifications via email.

Set up your Microsoft Teams channel

To start, you’ll need to create a Microsoft Teams channel where you want to receive alerts. If you don’t have one already, create a new channel and name it something like “Windows365Alerts.”

Next, within the newly created channel, add the Connector – Incoming Webhook

Click on Configure of the Incoming Webhook connectors by entering the Name – Win365Alerts and custom image. Why not use the Windows 365 Cloud PC Logo and click on create.

Please copy the link and save it for all future reference purposes. We will be using this URL within the Azure Logic Apps.

https://blahblahblahblah.webhook.office.com/webhookb2/9cd8bac0-XXXX-4e30-XXXX-00700XXXX0@XXXX-d8f4-4c55-XXXX-0eec698XXXXXX/IncomingWebhook/3aXXXXXXXXbed497fbc4d9857XXXXX/57cadd96-b493-4bf6-a665-b0e9XXXXXXX

Azure Active Directory Enterprise App (MS Graph API)

Let’s pre-create the application ID and client secret we will use to connect and leverage the Microsoft Graph APIs via Powershell

  • Connect to Azure Portal and go to Azure Active Directory
  • Click on App Registrations and select – New Registration
  • Give the App a Name – GraphAPI-App
  • You will get two important information created for later use within Powershell
    • Application ID
    • Tenant ID
  • Now let’s grant this App GraphAPI-App Permission. Click on Add a permission and select MS Graph and search for Cloud PC– CloudPC.ReadAll and select read permissions and Add Permissions
  • Select Grant admin consent for domain
  • We are using client secret so now lets enable that. Click on Certificates & Secrets – Client Secrets and select New client secret\
  • Give it a name (Deviceconfig_secret) and expiry date (12 months)
  • Copy the Secret Value

Azure Key Vault – (Store the Secret)

This is an optional step, and I highly recommend this step for all production environments as the secret is stored within the Azure Key Vault, and within the Azure Logic Apps, you will call this secret.

After creating the value, go to Secret and click on Generate/Import, and under manual, enter a name and paste the secret key we created in the above step.

Additionally, I will dedicate a service account(svc_kv_api) specifically for this secret retrieval for the Azure Logic Apps. Let’s add the service account with the necessary permissions under the Access Policies and give it Get and List permissions.

Create an Azure Logic App

Next, you’ll need to create an Azure Logic App. In the Azure portal, search for “Logic Apps” and click “Create.” Give your Logic App a name and select your desired subscription, resource group, and location. Then click “Review + Create” and “Create” to create your Logic App.

Configure your Logic App

Once your Logic App is created, click “Logic App Designer” and select blank logic app template and add the other operations shown below:

Step 1 – Recurrence (A schedule that will be triggered)

Depending upon your SLA agreements, put a trigger. In this example, I have selected every 3 min.

Step 2 – Fetch the Secret from the Azure Key Vault

In the earlier step, we created the Azure Key vault and stored the secret there. In this step, we will make the Azure Logic Apps Fetch the Secret

  • Tenant ID – Copy from the above steps
  • KeyVault Name – Copy from the above steps
  • Click on Sign and use the dedicated service account to fetch this Secret

Step 3 – HTTP Get the Alerts for Windows 365 Using MS Graph API

We shall create the HTTP request using the Windows 365 Alert API – List and authenticate the call using the secret. Enter all the information shown in the screenshot.

https://graph.microsoft.com/beta/deviceManagement/monitoring/alertRecords

Step 4 – We shall Parse the JSON output from the above API GET request

Create the Parse JSON operation, and we will enter the below sample JSON output. Note I have run the GET and got the output from the API. Paste the below code into the schema example. It will auto-generate the below output for your use without values inside.

{
    "properties": {
        "@@odata.context": {
            "type": "string"
        },
        "value": {
            "items": {
                "properties": {
                    "alertImpact": {
                        "properties": {
                            "aggregationType": {
                                "type": "string"
                            },
                            "value": {
                                "type": "integer"
                            }
                        },
                        "type": "object"
                    },
                    "alertRuleId": {
                        "type": "string"
                    },
                    "alertRuleTemplate": {
                        "type": "string"
                    },
                    "detectedDateTime": {
                        "type": "string"
                    },
                    "displayName": {
                        "type": "string"
                    },
                    "id": {
                        "type": "string"
                    },
                    "lastUpdatedDateTime": {
                        "type": "string"
                    },
                    "resolvedDateTime": {
                        "type": "string"
                    },
                    "severity": {
                        "type": "string"
                    },
                    "status": {
                        "type": "string"
                    }
                },
                "required": [
                    "id",
                    "displayName",
                    "status",
                    "severity",
                    "alertRuleId",
                    "alertRuleTemplate",
                    "detectedDateTime",
                    "resolvedDateTime",
                    "lastUpdatedDateTime",
                    "alertImpact"
                ],
                "type": "object"
            },
            "type": "array"
        }
    },
    "type": "object"
}

Step 5 – Post the Alert to Microsoft Teams using the HTTP operation

Create the HTTP Operation, select POST, enter the webhook URL from the above step on MS Teams, and paste it within the URL. With the Headers add Content-Type: application/json and paste the below body code.

{
  "text": "**Alert name:** @{items('For_each')?['displayName']} \n\n **Status:** @{items('For_each')?['status']} \n\n **Severity:** @{items('For_each')?['severity']} \n\n **Detect Date:** @{items('For_each')?['detectedDateTime']} \n\n **Resolved Date:** @{items('For_each')?['resolvedDateTime']} \n\n **Alert Rule Template:** @{items('For_each')?['alertRuleTemplate']} \n\n **Alert Impact:** @{items('For_each')?['alertImpact']}",
  "title": "Windows 365 Cloud PC Alerts  with status and Severity "
}

Step 6 – Run the workflow

The above will now start running the Azure Logic Apps every 3 mins and keep sending the alerts to Microsoft teams

I need help filtering the alerts based on specific Status and Severity. If you manage to get to that, please message me, and I will happily include those bits in the blog post.

I hope you will find this helpful information for enabling Windows 365 Alerts within the MS Teams using the Azure Logic Apps. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: , , , , , , , , , , ,

Alternate Azure Network Connection for Windows 365 Cloud PC

15 Mar

Alternate ANCs (Azure Network Connections) are secondary or backup connections to the Microsoft Azure network used to provide redundancy and high availability for Windows 365 Cloud PC provisioning of new desktops. Alternate ANCs can be used when a primary connection fails or experiences connectivity issues, ensuring access to Windows 365 Cloud Provisioning continues for the desktops uninterrupted using the backup ANC.

Introduction

Alternate ANCs can be used when a primary region availability fails, ensuring access to Windows 365 Cloud Provisioning continues for the new desktops uninterrupted using the backup ANC. As long as the first ANC in the list is Healthy, it will always be used for provisioning Cloud PCs using this policy. If the first ANC is not healthy, the policy will use the next ANC in the list that is healthy.

My Scenario

I have an Azure VNET in the region (Australia East) and a dedicated subnet for the Windows 365 Cloud PC desktops in my environment. Now imagine a scenario if the Azure region Australia East had issues. It will directly impact the provisioning of the new Cloud PC desktops.

How will we increase HA/DR capability during Cloud PC Provisioning Issues

Create a backup VNET in different region (Asia Pacific East Asia – HK)

Go to you Azure Portal and create a new VNET in a different region of you choice (Azure Portal — Virtual Networks – Create Network)

Create a dedicated subnet for Windows 365 Cloud PC

Go into the newly created VNET – W365-Bckup-VNET01 and select Subnet and click + Subnet and create a dedicated subnet for the Windows 365 Cloud PC.

Add the additional Azure Network Connection in Intune Portal

I have a previous blog post on creating the the PowerShell – Create Azure Network Connection (ANC) for Windows 365 Cloud PC you can either use that or create one in the Microsoft Intune admin center. We are creating an Azure Network Connection that includes the following:

  • Display Name of the network – Win365-Bckup-ANC01
  • Azure Subscription Name – Azure subcription 1
  • Type – There are two types we are selecting Azure AD join – azureADJoin
  • Resource Group ID – The resource group within Azure – W365-AVD-RG01
  • Virtual Network ID – The VNET within Azure – W365-Bckup-VNET01
  • Subnet ID – The subnet for W365 within VNET – Win365-ASE-Bac-Sub01

Cloud Provisioning Policy

Go into your Cloud PC Provisioning Policy and select Edit. Under the Azure Network Connection you will be able to see the newly added ANC – Win365-Bckup-ANC01 make sure you choose that. It will automatically assign the priority as 2 and will come into effect during network outages in the region.

In the above scenario, at all times, it will use the ANC-W365-Sub01 (Priority 1) network for provisioning all Cloud PC. If there is a contention or issues with the primary ANC, then the backup Win365-Bckup-ANC01 (Priority 2) network will kick in and continue provisioning the new desktops in that region/network.

Note

At the time of writting this blogpost, when i tried to create the backup VNET in Australia SouthEast and Australia Cental it said unsupported region when adding the Azure Network Connection. This was the reason i selected the Asiapacifc East (Honkong) region as the second best choice. I am sure at somepoint in time it will be fixed and I would be able to create a backup ANC within the country.

I hope you will find this helpful information for creating an Alternate Azure Network Connection for increasing the HA and DR on the cloud pc provisioning of new desktops. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: , , , , , , , ,

PowerShell Enable Remote Help in Microsoft Intune

7 Mar

Remote Help in Microsoft Intune works by enabling IT administrators to remotely control a user’s mobile device, allowing them to view the device’s screen and interact with it in real-time. This enables administrators to quickly diagnose and fix issues on the device, without needing to be physically present with the user.

To use Remote Help in Microsoft Intune, IT administrators first need to enable the feature in the Intune console. Once enabled, administrators can initiate a remote session with a user’s device by sending an invitation link to the user via email or text message. The user then clicks on the link to join the remote session, allowing the administrator to remotely control the device.

In the blog post I will showcase how to enable this feature via PowerShell instead of the Microsoft Intune admin center portal.

Pre-requsites

  • An active Microsoft Intune subscription.
  • An Azure AD (Active Directory) subscription with administrative access.
  • The Azure AD application registration credentials, including client ID and secret.
  • Permissions to access and manage Microsoft Intune and Microsoft Graph API resources.
  • PowerShell and AzureAD PowerShell module installed on the local machine to run PowerShell scripts.
  • A valid Azure AD authentication token to authenticate and authorize Microsoft Graph API requests.

Create the Client Secret for MS Graph

Let’s pre-create the application ID and client secret we will use to connect and leverage the Microsoft Graph APIs via Powershell

  • Connect to Azure Portal and go to Azure Active Directory
  • Click on App Registrations and select – New Registration
  • Give the App a Name – MSGraph-DeviceMgmt-Secret
  • You will get two important information created for later use within Powershell
    • Application ID
    • Tenant ID
  • Now let’s grant this App MSGraph Permission. Click on Add a permission and select MS Graph and search for Device – DeviceManagementConfiguration and select read-write permissions and Add Permissions
  • Select Grant admin consent for domain

Note that RemoteSettings, aka Remote Help, falls under Device Management Configurations. We will use that for the permissions (read-write)

  • We are using client secret so now lets enable that. Click on Certificates & Secrets – Client Secrets and select New client secret\
  • Give it a name (Deviceconfig_secret) and expiry date (12 months)
  • Copy the Secret Value

Variable Region

Delcare all the variable within this section. Lets take a look at what we are declaring within the script:

  • GraphEndpoint and resource URL if you notice we are using the remoteAssistanceSettings
$graphEndpoint = "https://graph.microsoft.com"
$resourceUrl = "$graphEndpoint/beta/deviceManagement/remoteAssistanceSettings"
  • From the above section we have the values for Client ID, Secret and tenant id which we will paste in here.
$clientId = "XXXXXXXX-6f08-XXXXX-a6ff-XXXXXXXXXXXXX"
$clientSecret = "Q-D8Q~XXXXXXXXXXXXXXXXXXXXXXXXXXX"
$tenantId = "XXXXXXXXXX-d8f4-4c55-XXXXX-XXXXXXXXXXX"
$authority = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
$scope = "https://graph.microsoft.com/.default"

Execution block

Execution code block within this section. Lets take a look at what we are we executing within the script:

  • The body payload to enable disable the Remote Help Assistance settings
    • RemoteAssistanceState – Enabled/Disabled
    • AllowSession to Unenrolled Devices – $true or $false
    • Block chat – $true or $false
$payload = @{
    "@odata.type" = "#microsoft.graph.remoteAssistanceSettings"
    "remoteAssistanceState" = "disabled"
    "allowSessionsToUnenrolledDevices" = $false
    "blockChat" = $false
} | ConvertTo-Json

Final Script

Here I will paste the entire script block for seamless execution in a single run. Following is the link to my GitHub for this script – https://github.com/askaresh/avdwin365mem/blob/main/enableremotehelpmem

# Define the Graph API endpoint and resource URL
$graphEndpoint = "https://graph.microsoft.com"
$resourceUrl = "$graphEndpoint/beta/deviceManagement/remoteAssistanceSettings"

# Define the authentication parameters
$clientId = "XXXXXXXX-6f08-XXXXX-a6ff-XXXXXXXXXXXXX"
$clientSecret = "Q-D8Q~XXXXXXXXXXXXXXXXXXXXXXXXXXX"
$tenantId = "XXXXXXXXXX-d8f4-4c55-XXXXX-XXXXXXXXXXX"
$authority = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
$scope = "https://graph.microsoft.com/.default"

# Authenticate to the Graph API and obtain an access token
$tokenResponse = Invoke-RestMethod -Method Post -Uri $authority `
    -Body @{
        client_id = $clientId
        client_secret = $clientSecret
        scope = $scope
        grant_type = "client_credentials"
    } `
    -Headers @{
        "Content-Type" = "application/x-www-form-urlencoded"
    }

$accessToken = $tokenResponse.access_token


# Define the payload for the PATCH request
$payload = @{
    "@odata.type" = "#microsoft.graph.remoteAssistanceSettings"
    "remoteAssistanceState" = "enabled"
    "allowSessionsToUnenrolledDevices" = $false
    "blockChat" = $false
} | ConvertTo-Json


# Send a PATCH request to the remoteAssistanceSettings resource with the updated payload
$headers = @{
    "Authorization" = "Bearer $accessToken"
    "Content-Type" = "application/json"
    "Content-length" = $payload.Length
}

Invoke-RestMethod -Method Patch -Uri $resourceUrl -Headers $headers -Body $payload

Validations

After running the powershell script now check the portat it will be enabled

Overall, Remote Help in Microsoft Intune is a powerful tool for IT administrators, enabling them to quickly diagnose and fix issues on mobile devices, improving productivity and reducing downtime. If you’re using Microsoft Intune, be sure to take advantage of this powerful feature to improve your device management capabilities.

Useful LinksCredits
Update remoteAssistanceSettings – https://learn.microsoft.com/en-us/graph/api/intune-remoteassistance-remoteassistancesettings-update?view=graph-rest-betaMicrosof
Enabling Remote Help and Supporting Users with Intune – Microsoft Community HubMicrosoft

I hope you will find this helpful information for enabling Remote Help using PowerShell. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: , , , , , , , ,

Upgrade VMware Horizon – An alternate method

3 Mar

In my previous blog post Upgrade from VMware Horizon 7.13.1 to 8.6 (2206) fails with VMware Horizon View Blast Secure Gateway (VMBlastSG) could not be installed. In this post, I will go into the details on the manual uninstall process and installation of the latest version of the VMware Horizon.

Why inplace upgrade fails?

The core reason for the in-place upgrade failing was that the VMware Service around Horizon was not getting deleted during the uninstall performed by the setup, which was rolling back the change.

What is the solution?

The quick solution is to uninstall the VMware Horizon 7 HTML Access, followed by VMware Horizon 7 Connection Server. Perform a reboot on the broker virtual machine, and this step will delete the services from about that were not getting deleted automatically. Install the VMware Horizon 8.x setup, and the installation will go smoothly.

What is the alternate method detailed steps?

The in-place upgrade method described here – Upgrade Connection Servers in a Replicated Group works 99.99% of the time in corner cases like mine. You will have to perform this method. Ensure you follow the basics of a full backup of the brokers, ADAM database, SQL database, backup of the locked.properties file and Disable vCenter provisioning.

Don’t perform this method without seeking proper VMware Support guidance. If you run into issues, you will be in unsupported territory and might ask yourself how you ended up here.

Uninstall existing VMware Horizon

  • Login to the broker you are going to perform the upgrade and open the Programs and Features
  • First, uninstall the VMware Horizon 7 HTML Access
  • Second, uninstall the VMware Horizon 7 Connection Server
  • You will be left with the AD LDS Instances (Local and CloudPod partitions). Make sure you leave them as-is.

Reboot

To get rid of the ghosted services perform an reboot of the broker VM.

Install the latest release 8.x

  • Login to the broker you are going to perform the upgrade
  • Validate whether the above services are deleted
  • Right click and run as administrators on the Connection server.exe of the 8.x setup
  • Make sure you select – Standard Server and click on HTML access and IPv4
  • It will detect the instance of the Horizon and you need to click on OK
  • Select Configure the Firewall within Windows
  • The Horizon 8.x will be installed successfully on the virtual machine
  • Repeat this steps on the other brokers within your POD

Validations

You must wait approximately 5-7 mins for the Horizon Administrator console to come online. Validate the Health dashboard for any errors and check the desired 8.x version is present.

I hope you will find this information useful if you encounter the issue and it should help you save time. If you manage to tweak or improvise further on this solution, please don’t forget to keep me posted.

Thanks,
Aresh Sarkari

Tags: , , , , , ,

Disable Search Highlights on Windows 365 Cloud PC and Azure Virtual Desktop using Microsoft Intune

24 Feb

Search Highlight is a feature in Windows 11 (Enterprise\Multi-session) that highlights search results in the Start menu and taskbar search box. While this feature can be helpful for some users, others may find it distracting or unnecessary. Fortunately, it is possible to disable the Search Highlight feature in Windows 11 using Microsoft Intune. Plenty of information is available on disabling the Windows 11 Search Highlight using Group policy, Registry and UI. However, we will leverage Custom OMA-URI settings from Microsoft Intune in this blog post.

Search – CSP Details

The Search – Policy configuration service provider enables the enterprise to configure policies on Windows 11. Following are the details on the one we are using for disabling the search highlights:

How to disable Search Highlights in Microsoft Endpoint Manager

To disable the Search Highlight feature in Windows 11 (Enterprise/Multi-session) using Microsoft Intune, follow these steps:

  • Login to the MEM Portal – https://endpoint.microsoft.com/
  • Select Devices > Configuration Profiles > Create Profile.
  • For Platform, select Windows 10 and later.
  • For Profile type, select Templates > Custom and select Create.
  • Enter a Name – DisableSearchHighlight and description and choose Next
  • Under the OMA-URI Settings, clicks on Add
  • Enter the Name, Description, and OMA-URI fetched in the references from the MS CSP link below. The value is an integer based on the documentation, and as we disable the setting, the value is 0.
  • Remember the MS documentation called out this setting only applies to Devices. In the case of Assignments, we will target Windows 365 Device Group and Azure Virtual Desktop Session Host Pools.
  • Click on Review and Save

Validate the Policy is applying

After 10-15 mins of waiting, go into the newly configured configuration profiles policy, and you will start seeing it getting applied to the targeted devices (MEM Portal > Devices > Configuration Profiles > DisableSearchHighlights)

Cloud PC – Within Windows 11

Login to the Windows 365 Cloud PC, and now when you click on Search, the advertisements and search highlights are gone.

Useful LinksCredits
Search – CSP Policy – https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-searchMicrosoft
5 Unique Ways to Disable Search Highlights on Windows 11Prajwal Desai
Disable Enable Search Highlights in Windows 11Jitesh Kumar

I hope you will find this helpful information towards disabling the annoying Search Highlights on Windows 365, AVD environment and physical endpoints using Microsoft Endpoint Manager. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: , , , , , , , , , , ,

Microsoft Defender for Endpoint – Web Content Filtering for Windows 365 Cloud PC and Azure Virtual Desktop

22 Feb

In today’s world, online security has become more important than ever, especially for businesses. As more and more companies shift their workloads to the cloud, the need for effective security measures has increased. One of the most critical aspects of security is web content filtering. Microsoft Defender for Endpoint is an excellent solution for protecting your Windows 365 Cloud PC and Azure Virtual Desktop environments. If you haven’t see my previous blog post on – Microsoft Defender for Endpoint (MDE) – Getting started for Windows 365 Cloud PC and Azure Virtual Desktop check that first.

Usecase

Web content filtering is a critical aspect of online security that can be used in many different scenarios. Here are some common use cases for web content filtering:

  1. Business Security: Blocking access to malicious websites and other dangerous content, web content filtering helps prevent cyber attacks and data breaches.
  2. Compliance: Many organizations are required to comply with industry-specific regulations and standards, such as HIPAA or PCI-DSS. Web content filtering can help ensure that employees are not accessing websites or content that violates these regulations.
  3. Employee Productivity: Web content filtering can also be used to enhance employee productivity by blocking access to non-work-related websites, such as social media or gaming sites.
  4. Education: Educational institutions can use web content filtering to prevent students from accessing websites that are not educational or age-appropriate.
  5. Guest Wi-Fi: Businesses that offer guest Wi-Fi can use web content filtering to protect their network and guests from online threats.

Overall, web content filtering is a versatile tool that can be used in a variety of settings to enhance online security, productivity, and compliance.

Pre-requisites

To use Microsoft Defender for Endpoint web content filtering on Windows 365 Cloud PC and Azure Virtual Desktop, there are a few prerequisites that you need to meet:

  • Portal Access to Microsoft 365 Defender Portal
  • Windows Defender SmartScreen Enabled on all Browsers (Edge, Chrome etc.)
  • Network Protection must be enable on the endpoint devices
  • Microsoft Defender for Endpoint (MDE) Plan 1 or 2
  • MDE for Business
  • Windows 10/11 or Multi-session Operating System

Enable Web Content Filtering

To enable Web Content Filtering in Microsoft Defender for Endpoint (MDE), you need to follow these steps:

  • Log in to the Microsoft Defender Security Center: Go to https://security.microsoft.com/ and log in with your Microsoft 365 account.
  • Navigate to Settings and select Endpoints
  • Click on Advance Features and enable Web Content Filtering

Create Device Group for Windows 365 & AVD in Microsoft 365 Defender Portal

To assign the policy to particular devices such as Windows 365 Cloud and Azure Virtual Desktop Session, we will create the Device Groups:

  • Log in to the Microsoft Defender Security Center: Go to https://security.microsoft.com/ and log in with your Microsoft 365 account.
  • Navigate to Settings and select Endpoints
  • Under Permissions, click on Device Groups
  • Select Add device group and give it a name – Win365Devices
  • The Cloud PC start with CPC, I will be using that along with OS type – Windows 11
  • For the Azure Virtual Desktop – My Session host start with AVD-, I will use that as the device group along with OS Type – Windows 11

Enable Network Protection under Microsoft Endpoint Portal (Intune)

Under the Enpoint Secruity – Antivirus policy we will enable the configuration:

  • Login to the MEM Portal – https://endpoint.microsoft.com/
  • Select Endpoint security > Antivirus > Create Policy.
  • For Platform, select Windows 10, Windows 11, and Windows Servers.
  • For Profile type, select Microsoft Defender Antivirus, and then select Create.
  • Enter a Name – W365-AVD-AV-P01 and description and choose Next
  • Under the Configuration Settings
  • Enable Network Protection – Enable (Block Mode)

In my previous blog post on getting started, I enabled Network Protect and other configurations. Here I am trying to give you a quick config guidance.

Enable Smart Screen under Microsoft Edge Browser via Intune

I want to use the security baseline around Microsoft Edge for enabling global configuration across all the endpoints:

  • Login to the MEM Portal – https://endpoint.microsoft.com/
  • Select Endpoint security > Security Baseline > Microsoft Endge Baseline.
  • Click on Create a profile and give it a name – MSEdge-Sbaseline-01
  • Enable the SmartScreen config
  • I am applying this security baseline to All Devices

Note you can enable them via configuration profiles too. In this scenario, I prefer using the security baselines.

Enable Smart Screen for Google Chrome Browser via Intune

To enable Smart Screen on Google Chrome, follow these steps:

  • Login to the MEM Portal – https://endpoint.microsoft.com/
  • Select Devices > Configuration profiles > Create profile
  • Under Platform – Windows 10 & Later
  • Profile Type – Templates and Select Administrative Templates
  • Give the policy a name – GoogleChrome-SmartScreen-CP01
  • Under Computer – Select Configure the list of force-installed apps and extensions
  • Click on Enable and enter the below URL for extension
  • Further assign the policy to the target devices
  • Click on Review and Save
bkbeeeffjjeopflfhgeknacdieedcoml;https://clients2.google.com/service/update2/crx

Create policy for Web Content Filtering

To create a web content filtering policy in Microsoft Defender for Endpoint, follow these steps:

  • Log in to the Microsoft Defender Security Center: Go to https://security.microsoft.com/ and log in with your Microsoft 365 account.
  • Navigate to Settings and select Endpoints
  • Under Rules > Web Content Filtering > Add Item
    • Policy Name – Stop Social Media
    • Block Categories > Leisure > Social Networking & Instant Messaging & Professional Networking
    • Scope – Select the Windows 365 Device Group & AVD Device Group (Session Host VMs), as its a targeted policy
  • Wait for approx. 40 mins for the policy to implement for your endpoints

Validate the URLs within Windows 365 Cloud PC

Before going ahead and checking the URLs within the browser verify the following on the virtual desktop or endpoints:

SmartScreen

Open the browser and type edge://policy and make sure the Smart Screen is enabled

Network Protection

Open the Powershell and check if network protection is enable (Value 1) block mode

Microsoft Edge

Open Microsoft Edge and open https:\\www.facebook.com or https:\\www.snapchat.com

Google Chrome

Check reports in Defender Portal

Under the Microsoft Defender Portal go to Reports > Web Protection > Web content filtering categories details

Useful LinksCredits
Web content filtering – https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/web-content-filtering?view=o365-worldwideMicrosoft
How to configure Microsoft Defender SmartScreen via Microsoft Intune? – Endpoint CaveRene Laas
Enabling web filtering with Microsoft Defender for Endpoint – CIAOPSRobert Crane

I hope you will find this helpful information towards web content filtering journey to secure your Windows 365 and AVD environments using Microsoft Defender for Endpoint. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: , , , , , , , , , , , ,

Microsoft Defender for Endpoint (MDE) – Getting started for Windows 365 Cloud PC and Azure Virtual Desktop

16 Feb

If you are using Windows 365 Cloud PC and Azure Virtual Desktop, the Microsoft Defender for Endpoint (MDE) is a security solution designed for protecting endpoints, such as Windows 11/Windows 11 Mutli-Session computers, servers, Azure Virtual Desktops and more from various types of cyber threats. The main reason it’s evident to use MDE is that it seamlessly integrates with the solution with minimal to less effort compared to other solutions. This blog post will discuss how to get started with Microsoft Defender for Endpoint in the Windows 365 Cloud and Azure Virtual Desktop.

Prerequisites

  • Rights to use and deploy Windows 365 Cloud PC and Azure Virtual Desktop and the ncessary licenses
  • Microsoft Defender for Endpoint Plan 1 or Plan 2 depending upon the requirements and $$$.
  • Make sure the license is available and listed Microsoft admin center

Enable MDE in Microsoft 365 Security Portal/Intune

To enable Microsoft Defender for Endpoint (MDE) in the Microsoft Defender Security Center, you need to follow these steps:

  1. Log in to the Microsoft Defender Security Center: Go to https://security.microsoft.com/ and log in with your Microsoft 365 account.
  2. Navigate to Settings and select Endpoints
  3. Click on On for Microsoft Intune Connection & Device Discovery
  4. Scroll to the bottom and select Save Preferences

We will manage the endpoints via Intune, so all the rest of the actions and fun will be within the https://endpoint.microsoft.com/ and Endpoint Security. After a brief period of 10-15 mins, you can see the connection status being Available and synchronized.

Create the Endpoint detection and response policy (onboarding)

Our environment is managed via Modern Management, and we don’t have the overhead of legacy setup. We will use the Intune Endpoint detection response (EDR) policy to onboard the devices. This is the simplest method as it doesn’t involve installing the agent manually or via GPOs.

Sign in to the Microsoft Endpoint Manager admin center.

  • Login to the MEM Portal – https://endpoint.microsoft.com/
  • Select Endpoint security > Endpoint detection and response > Create Policy.
  • For Platform, select Windows 10, Windows 11, and Windows Servers.
  • For Profile type, select Endpoint detection and response, and then select Create.
  • Enter a Name – W365-AVD-EDR-P01 and description and choose Next
  • Under the Configuration Settings
    • MDE client configuration package type – Auto from connector (We are a 100% modern managed environment we can leverage this simple option)
    • Sample Sharing – Not configured
    • Telemetry Reporting Frequency – Expedite (We want reporting to be lightning-fast)
  • Next, the most critical part is the target assignments. I am explicitly creating this policy to target Windows 365 Cloud PC and Azure Virtual Desktop
  • Review and Create the policy and it will go ahead and enable MDE on the fleet.
  • After sometime all your devices will show whether they are onboarded or not.

Many ways to carry out the onboarding. This is just one way and the most straightforward. Read more options here – https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/onboarding-endpoint-manager?view=o365-worldwide

On the onboarded device, go and run the following command to verify the status

Get-MpComputerStatus

Device Compliance Policy (Update)

I already have my existing Windows 10/11 compliance policy after enabling MDE, and I will go ahead and update the compliance policy to accommodate the changes further. This will allow reporting within the tenant on what device compliance level the endpoints are on and whether corporate governance is maintained.

Create Antivirus Policy in Intune

The next step is creating the Antivirus (AV) Policy with the options that your organization demands. I am starting with a few, but remember most choices will require nailing out with internal security/endpoint/governance teams.

Below configurations are not an exhaustive list – Consult with the endpoint/security teams to meet the organization’s requirements.

Sign in to the Microsoft Endpoint Manager admin center.

  • For Platform, select Windows 10, Windows 11, and Windows Servers.
  • For Profile type, select Microsoft Defender Antivirus, and then select Create.
  • Enter a Name – W365-AVD-AV-P01 and description and choose Next
  • Under the Configuration Settings
Configuration SettingsStatus (Value)
Allow Archive Scanning (Scanning through zip and cab files)Allowed
Allow Behaviour Monitoring Allowed
Allow Cloud Protection (Joining Microsoft MAPS Community)Allowed
Allow Email Scanning (Very useful if you are using Microsoft 365)Allowed
Allow Full Scan Removable Drive Scanning (Scanning of Pen Drives)Allowed
Allow Intrusion Prevention SystemAllowed
Allow scanning of all downloaded files and attachmentsAllowed
Allow Realtime MonitoringAllowed
Cloud Block LevelHigh
Allow Users UI Access (Defender Client)Allowed
Enable Network ProtectionEnabled (Audit mode)
Avg CPU Load Factor Enabled (30%)
Schedule Quick Scan TimeEnable (120)
Signature Update IntervalEnable (8 hours)
  • Next, the most critical part is the target assignments. I am explicitly creating this policy to target Windows 365 Cloud PC and Azure Virtual Desktop
  • Review and Create the policy and it will go ahead and enable AV across the fleet.
  • After sometime all your devices will show whether they are onboarded or not.

Create Attack surface reduction (ASR) Policy in Intune

The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitation. This set of capabilities also includes network protection and web protection, which regulate access to malicious IP addresses, domains, and URLs. In my case I am starting with few, but remember most of the options will require nailing out with internal security/endpoint/governeance teams.

Below configurations are not an exhaustive list – Consult with the endpoint/security teams to meet the organization’s requirements. Here I would like to take the approach of Audit mode first, followed by adding exclusions to refine the block rules (production).

Sign in to the Microsoft Endpoint Manager admin center.

  • For Platform, select Windows 10, Windows 11, and Windows Servers.
  • For Profile type, select Attack Surface Reduction Rules, and then select Create.
  • Enter a Name – W365-AVD-ASR-P01 and description and choose Next
  • Under the Configuration Settings
Configuration SettingsStatus (Value)
Block Adobe Reader from creating child processesAudit
Block execution of potentially obfuscated scriptsAudit
Block Win32 API calls from office macrosAudit
Block credential stealing from the Windows local security authority subsystemAudit
Block JavaScript or VBScript from launching downloaded executable contentAudit
Block process creatons originating from PSExec and WMI commandsAudit
Block untrusted and unsigned processes that run from USBAudit
Block abuse of exploited vulnerable signed drivers (Devices)Audit
  • Next, the most critical part is the target assignments. I am explicitly creating this policy to target Windows 365 Cloud PC and Azure Virtual Desktop
  • Review and Create the policy and it will go ahead and enable ASR across the fleet.
  • After sometime all your devices will show whether they are onboarded or not.
Useful LinksCredits
Microsoft Defender for Endpoint series – Tips and tricks/ common mistakes – Part10 (jeffreyappel.nl) – The most mind blowing and detailed blog post series on MDE. I think I only scratch the surface here however, Jeffrey takes an indept approach.Jeffrey Appel
Configure Microsoft Defender for Endpoint in IntuneMicrosoft
Defend Cloud PCs against threats with Microsoft Defender for Endpoint | Windows in the Cloud – YouTubeChristiaan Brinkhoff | LinkedIn and Paul Huijbregts | LinkedIn

Next step, I plan to write a few blog posts on specific topics like URLs, Networks etc, blocking (TikTok, Facebook etc,) concerning MDE. I hope you will find this helpful information towards your journey to secure your Windows 365 and AVD environments using Microsoft Defender for Endpoint. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: , , , , , , , , , , , , ,

Remove built-in (default) Windows applications from the Windows 365 Cloud PC endpoints

8 Feb

Numerous scripts and vendor optimizers (VMware, Citrix and Microsoft) remove the default pre-installed Windows applications that come within the operating system, aka bloatware. You can get rid of all unnecessary applications using the Microsoft Store app (new) within Microsoft Intune.

I attended the Microsoft 365 Modern Management Meetup, and our very own Steven Hosking demonstrated the uninstall of default applications via Intune. I got inspired and thought about blogging and socializing this trick with everyone.

For my Windows 365 Cloud PC endpoint, I use the Azure image Gallery – Windows 11 22H2 + Cloud PC Optimized image, and for this example, we will uninstall Xbox pre-installed application.

Fetch the Application ID (MS Store)

In specific scenarios, when you try to search the application with the repository, it will not show, and the alternate method is to search via the ID.

Application Removal Steps (Intune Portal)

Here we will look at all the detailed steps involved in removing the applications from the operating system and Windows endpoints:

  • Under Application Information, click on Select App and in my case, I will enter the Application ID I copied in the previous step.
  • Make sure all the application details that it has fetched (auto-populated) look good, and select Next
  • The critical step on the Assignments as we are going to Uninstall it from the environment, we will select Un-install and specify the device group, in this case, Windows 365 Cloud (AAD – Dynamic Device Group)

It is adviced you also leverage Filtering for targeting specifc device types within the environment.

  • Last step review and Create the Uninstall of the default Application

Rinse & Repeat for other applications

Using the above method, you can add other applications of your choice. Note the effort is one-time, so put it in and reap the benefits for all future versions of Windows.

Advantages of using Intune for Default App Removal

Lets take a look at the advantages of using this method:

  • There is no need of using 3rd party scripts posted by unknown sources.
  • You will still have to use the vendor optimizers for other things but you can setup these once within the Intune Portal and it will works for the current and future version of Windows.
  • The Intune method is not very socialized on removing bloatware from the default operating system.

I hope you will find this helpful information for removal of default applications from the Intune Portal. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: , , , , , , , ,

Compliance Policy for Azure Virtual Desktop Session Host Virtual machine managed via Microsoft Intune

3 Feb

Microsoft Intune Compliance Policy can be used to manage the security and compliance of Azure Virtual Desktop (AVD) Session Host virtual machines. The policy can enforce specific configuration settings such as password complexity, security updates, and device encryption to ensure that the virtual machines meet the organization’s security and compliance requirements.

To set up an Intune Compliance Policy for an AVD Session Host virtual machine, the virtual machine must be enrolled with Intune. Then, the policy can be created in the Intune portal and assigned to the virtual machine. The policy settings will be enforced on the virtual machine and monitored for compliance.

Note: The Intune Compliance Policy is just one of the ways to manage the security and compliance of AVD Session Host virtual machines. Other tools such as Azure Security Center and Azure Policy can also be used.

Why create the azure virtual desktop session host compliance policy?

There are several reasons why organizations create Azure Virtual Desktop (AVD) Session Host Compliance Policies:

  1. Security: Compliance policies help ensure that the AVD Session Host virtual machines are configured with the necessary security measures to protect sensitive data and prevent unauthorized access. This includes enforcing encryption, password policies, and software updates.
  2. Compliance: Compliance policies help organizations meet regulatory requirements, such as HIPAA, PCI, and SOC, by ensuring that the AVD Session Host virtual machines are configured in accordance with these regulations.
  3. Consistency: Compliance policies help ensure that all AVD Session Host virtual machines are configured consistently and meet the same standards. This makes it easier for administrators to manage the environment and ensures that all users have a consistent and secure experience.
  4. Monitoring: Compliance policies provide ongoing monitoring of the AVD Session Host virtual machines, so administrators can quickly identify and address any deviations from the desired configuration.

By creating an AVD Session Host Compliance Policy, organizations can ensure that their virtual machines are secure, compliant, consistent, and properly monitored, which can help reduce the risk of security breaches and regulatory violations.

What compliance policies are supported with Azure Virtual Desktop?

The following compliance policies are supported on Windows 10 or Windows 11 Enterprise multi-session VMs:

  • Minimum OS version
  • Maximum OS version
  • Valid operating system builds
  • Simple passwords
  • Password type
  • Minimum password length
  • Password Complexity
  • Password expiration (days)
  • Number of previous passwords to prevent reuse
  • Microsoft Defender Antimalware
  • Microsoft Defender Antimalware security intelligence up-to-date
  • Firewall
  • Antivirus
  • Antispyware
  • Real-time protection
  • Microsoft Defender Antimalware minimum version
  • Defender ATP Risk score

Note in my sceanrio I am not using all of the above only a few based on the configuration of my environment. You will need a Azure AD device group containing all the session host for AVD to apply this policy.

What am I configuring?

I am only configuring two things. However, I urge if you to leverage Microsoft Defender and make sure you use the Antivirus and Antimalware settings (Another blog post later day for Defender integrations):

  • Minimum OS version – 10.0.22621.963
  • Firewall – Require

The above is not an extensive list, but I am trying to give you an idea here.

Create the compliance policy for AVD

Open the Microsoft Endpoint Manager admin center and navigate to Devices and Compliance Policies.

  • Click on Create Policy and Select Platform Windows 10 and later
  • Give the policy a name and description
  • Configure the above two parameters
  • An assignment is the most critical aspect, here, you want an Azure AD Dynamic Device Group that will make sure all the AVD Session hosts are covered.
  • My current AAD Dynamic Group query is as follows, I am working towards getting a more refine query to make it understand Multi-session(I have raised a query internally within MS)

Device Compliance (AVD Session Host VMs)

After waiting for 15 mins you will start noticing all your AVD Session host VM’s will now begin to show as compliant.

I hope you will find this helpful information for creating a compliance policy for your AVD Session host VMs. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: , , , , , , , ,

← Older Entries