aOSKL 2020: How secure your endpoint protection?

Hey guys and girls, hope you are having a good day. I know is Monday Blues, I was having the blue mood this morning, not a good way to start the new day. Anyway, Covid-19 is still high alert in our area, it went from 600 to 800 users per day affected. Please don’t travel as a huge group, stay concern about people around you.

Is almost end of 2020, and here is another event that I am going to speak at, virtually of course. This is my 3rd year speaking at aOS Community event. Every year is a new experience and meeting new people in this event.

This year event, I’m going to talk about Endpoint Protection. Do register yourself if you are interested in this event.

Peace Out!

PowerShell: Unable to delete Stuck Data Leak Policy using “-ForceDeletion”

Hi Guys and girls, hope you all are doing well, and remember to stay safe. Just got the PowerShell check on the command “Remove-DlpCompliancePolicy“, it seems that Microsoft had made some changes to it and had removed the “-ForceDeletion” parameter from the “Remove-DlpCompliancePolicy” command.

Appreciated and thanks to the commenter that ping me on this at one of my older blog post https://sabrinaksy.com/2019/01/04/office-365-security-and-compliance-data-leak-protection-dlp-azure-information-protection-aip-integration-unable-to-delete-dlp-policy/ .

Just to announce that if you would like to remove or delete the stuck DLP policy in Security and Compliance, you would have to raise a ticket to Microsoft and inform them to perform the force deletion at their backend. There are users experience this and it is resolved through Microsoft Support.

 

References

  1. https://docs.microsoft.com/en-us/powershell/module/exchange/remove-dlpcompliancepolicy?view=exchange-ps
  2. https://answers.microsoft.com/en-us/msoffice/forum/all/dlp-policy-stuck-on-deleting/6b7bc384-e330-4ca8-bfdd-f84101f814c8

Intune Azure Portal is Retiring

I think some of you are still not noticing that Intune Azure portal experience will be retiring this coming August, 2020.

In the year 2017, the first time I was experience with Azure portal, well it was the old Azure portal (manage.windows.com), and slowly transition to portal.azure.com and now endpoint.microsoft.com.

So this is how Microsoft Endpoint Manager looks like,

Capture

 

Capture

Do give it out a try for yourself, if you haven’t.

 

Where do I get to know that Intune Azure Portal experience is retiring? When you select Intune in your Azure portal you will notice that is a prompt at the top the the image below,

Capture

Intune is Group Policy Management

Hey guys and girls, sorry about not updating my blog because I have been occupied with work. I feel so bad to break this goal, which is to write every once a week.

So I think my title caught your attention right? You thought that this post is going to be talking nonsense? Hahaha…No! I do still receiving people having misunderstanding what is Intune, its capability and its limitations. I do see quite a lot of blogs are only talking about the wins and lose of Intune and Group Policy Management,  not many in explaining.

Familiar questions that I usually get;

“I thought Intune is a replacement of GPO?”

“Why do we still need to rely on GPO?”

“No,  you are wrong, I saw there is administrative templates in Intune”

I am here to explain it to you properly.

If you took your time to look closely on Intune’s Device configuration categories, you will notice their settings are actually not as complete as GPO for Windows. So seeing something half does not mean it gives you full understanding of Intune capability and limitations until you put yourself and it into experiment or lab testing.

The journey I had with Intune, I would say it was a roller-coaster, I experience its limitations, behavior and good part. Yes, technology keeps changing to ease our daily challenges.

Throughout my experience, I would say that Intune does their job but still not stable enough. I usually have to combine other technology to achieve the work. You might thought of this “Urgh…is lots of work and to keep track on.”, well, if you are creative person, these are your possibilities to your resolutions from stopping you to get that work done.

In conclusion, Intune is not Group Policy Management, but Intune and Group Policy Management can be one (combine) to get your work done.

 

 

 

Azure & PowerShell: Service Plan Information

Hey dudes and ladies! Malaysia Movement Control Order has announce extend till 12th May but with relax conditions. Before the announcement, there was a decrease in number of reported cases and we had hope that there won’t be another extend announcement. However, the reported cases increases. Anyway, hope you guys are doing good at home, to those are infected by Covid-19, hope rapid recovery and to those are getting racism attack or getting criticism from past infection, hope you don’t hurt yourself which is not your fault.

Have you ever have customers that wanting to disable certain service plans in subscription or license? Are you going to manually click person by person to disable? Of course not! Things like these is best to use PowerShell, you could even generate/export a report.

Note:

  1. Don’t call Microsoft Support to identify your service plans because they have no idea and they most likely don’t take your case. Trust me I been there.

 

There are 2 type of command library you could use to extract these information either Azure AD PowerShell or MSOnline PowerShell. Play around with the service get to know which is the service that it belongs to and which service has dependency.

Below the list of service plans for Office 365 Enterprise E3 and E5;

  • I grab the below information using MSOnline PowerShell, this was during the year 2017. I will post up a new update.
Office 365 Enterprise E3
-------------------------
Deskless
FLOW_O365_P3
POWERAPPS_O365_P3
TEAMS1
ADALLOM_S_O365
EQUIVIO_ANALYTICS
LOCKBOX_ENTERPRISE
EXCHANGE_ANALYTICS
SWAY
ATP_ENTERPRISE
MCOEV
MCOMEETADV
BI_AZURE_P2
INTUNE_O365
PROJECTWORKMANAGEMENT
RMS_S_ENTERPRISE
YAMMER_ENTERPRISE
OFFICESUBSCRIPTION
MCOSTANDARD
EXCHANGE_S_ENTERPRISE
SHAREPOINTENTERPRISE
SHAREPOINTWAC

Office 365 Enterprise E5
-------------------------
Deskless (StaffHub)
FLOW_O365_P2 (Flow)
POWERAPPS_O365_P2 (PowerAPPS)
TEAMS1 (MsTeams)
PROJECTWORKMANAGEMENT (Planner)
SWAY (Sway)
INTUNE_O365 (Mobile Device)
YAMMER_ENTERPRISE (Yammer)
RMS_S_ENTERPRISE (Azure Right management)
OFFICESUBSCRIPTION (O365ProPlus)
MCOSTANDARD (Skype For Business)
SHAREPOINTWAC (Office Online)
SHAREPOINTENTERPRISE (SharePoint Online)
EXCHANGE_S_ENTERPRISE (Exchange Online)

Below Microsoft 365 Enterprise E5 using Azure PowerShell;

*the list is too long so I’m just going to show partial only.

Capture

This below is using the MSOnline Powershell;

Capture

 

References:

  1. https://docs.microsoft.com/en-us/office365/enterprise/powershell/view-account-license-and-service-details-with-office-365-powershell
  2. https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolaccountsku?view=azureadps-1.0

 

 

Azure Storage & Office 365 Import PST: Troubleshoot Error “HttpStatusMessage: Bad request”

Hey guys and girls, just hope everyone are good during this Covid-19, movement control. Those that are hospitalize, hope that you recover. Those that have recovered, hope that you don’t face any criticism from others and not fall for Covid-19 again.

Well for IT field workers, our work still continues. In my lab environment, I was testing out Office 365 Import PST feature in Security and Compliance. Personally I feel this is a good feature but there is too much manual work on it.

Note:

Using network upload to import PST files is free.

Check out license plan to have this import feature at the reference below.

So just a brief explanation of what I was performing, in the Office 365 Import PST has 2 option for us on how we want to upload the PST, either network upload (free) or physical (Charges). I choose network upload to upload my PST, it require to use AzCopy command to run the upload. I have a PST that the size is more than 1 GB, and the upload failed with the following error message on the AzCopy console shows “HttpStatusMessage: This request is not authorized to perform this operation using this permission.

At first I thought that there could be limitation on the upload size, due to the given Azure Storage is temporary only. Looking through the documentation it didn’t state any upload limitation. Hence, further research.

The resolution to this was to disable the ATP agent that was in my lab PC, to prevent blocking the upload. Rerun the AzCopy command again to reupload the PST.

If you have any third party or applications that has network control or ATP functionality, would recommend that you disable to avoid this problem happen to you.

 

References:

  1. https://docs.microsoft.com/en-us/microsoft-365/compliance/faqimporting-pst-files-to-office-365?view=o365-worldwide
  2. https://www.microsoft.com/en-us/microsoft-365/business/compare-more-office-365-for-business-plans

Office 365: What to know about Data Investigation?

“A data spill occurs when a document containing confidential, sensitive, or malicious content is released into an untrusted environment. When a data spill is detected, it’s important to quickly contain the environment, assess the size and locations of the spillage, examine user activities around it, and then delete the spilled data from the service. “

If you would like to try this preview out, I highly recommend that you test it out in a new test tenant. Please review the reference below for further explore. 

There is one functionality in this that caught my attention, is it even investigate unsupported files, example, files that are password protected cannot be processed since the files are locked or encrypted. Using error remediation, investigators can download files with such errors, remove the password protection, and upload the remediated files.

How to get to this?

  1. Login to your https://protection.office.com
  2. Scroll to the bottom of the left taskbar
  3. Data Investigation is just after eDiscovery

Capture

Before you could start using this preview, you have to read the Terms of Service and either approve or cancel to proceed. If you cancel, the agreement it will redirect you back to Home tab.

Microsoft takes its preview seriously.

Capture

References:

  1. https://docs.microsoft.com/en-us/microsoft-365/compliance/overview-data-investigations?view=o365-worldwide

Intune Autopilot: Troubleshoot RDP access prompt

So I am testing Autopilot in my lab environment, consist a Hyper-V with its Virtual Machines. Well I am doing a manual registration, so how do I export the device information that is required my VM to be register for Autopilot?

I already have a VM running Windows 10 Pro, and I ran this script to export and automatic import the device information to be register into autopilot. However, I wasn’t running the script before Out-of-the-box-experience (OOBE) happen, so to make Autopilot work on my VM, I had to reset my VM.

Once the VM has reset,  it ask for region, language of my keyboard and next it shows a welcome page with the Display name and the company name. So I key in the email address and password of the user and also setup the PIN. However, I just notice that I set this user with the Standard permission only. Thus, the administrator account is disabled and I keep getting the RDP permission error prompt due to the user account is not in the RDP group in the VM.

Example of the prompt;

To sign in remotely, you need the right to sign in through Remote Desktop Services. By default, members of the Remote Desktop Users group have this right. If the group you’re in doesn’t have this right, or if the right has been removed from the Remote Desktop Users group, you need to be granted the right manually.

050317_1039_Tosigninrem1

How I troubleshoot this;

  1. Is to run MMC as administrator > File > Add/Remove Snap-in
    • Capture
  2. Key in your Office 365 admin account (an account with permission that can manage device)
  3. Select Local Users and Groups > Add
    • Capture
  4. Select Local computer > Finish > Ok
  5. Expand the local users and groups > Users > Right click Administrator  > Uncheck Account is disabled
    • Capture
    • Capture
  6. Reset the local Administrator password too
  7. Select Groups > Right click on the remote desktop users > Add > Authenticated users > Ok
    • Capture
  8. Close MMC
  9. Sign out and Sign in again

 

These steps should help you from getting the prompt again.

Please take note that I am doing this in Lab environment. In production, by right not to enabled administrator account and not to do any changes to the local users and groups. 

Azure Information Protection: Office application prompt for privacy notice

Microsoft provide notice to end users that has Azure Information Protection enabled and Policy has set to them. It does not matter either you are on Azure Information Protection Classic or Unified labeling.

When you first launch your office application or relaunch it you will get this notice.

A privacy notice such as below;

privacy.PNG

Differences of AzInfoProtection and AzInfoProtection_UL client application

When unified labeling was announce that it is no longer in Preview mode, and here it comes the new application called, AzInfoProtection_UL, you could find the link to download this application at the references below of this post. There is the Preview application called, AzInfoProtection_UL_Preview.

Before unified labeling, the only application has for Azure Information Protection is AzInfoProtection (Classic client). So what so different about them? Before we jump into getting to know what are the differences, let’s understand the definition or meaning.

Classic client

Azure Information Protection is a new enhancement of rights management and it is manage from Azure portal. If you need scanner and HYOK (your own key) then you install AzInfoProtection.exe (User Profile based installer) or AzInfoProtection_MSI_for_central_deployment (System installer) client application.

word01
Classic client

word03
Classic client

word04
This part shows Azure labels and Office 365 Sensitivity labels. Let’s take “DLP View Only” is a label custom created from Office 365.

 

Unified labeling

Azure Information Protection with Unified Labeling was just announce somewhere the month of June or July 2019. Unified Labeling means that your labels can be manage either from the Azure portal or from Office 365 Security and Compliance portal. This feature is enabled by default. You can migrate your labels from Azure to Office 365 Security and Compliance. Unified Labeling supports for more Office 365 products, such as Microsoft Teams. If you do not need HYOK protection (your own key)  or the scanner, then you install AzInfoProtection_UL.exe (User Profile) or AzInfoProtection_UL_MSI_for_central_deployment (System installer) client application.

word05
This is how it looks like first install, notice the icon is different

word06
Select on the “Sensitivity” icon and click “Show Bar”

word07
These are my Office 365 Sensitivity labels

If you would like to deep-dive the comparison of these 2 application here is a helpful link.

 

References;

  1. https://www.microsoft.com/en-us/download/details.aspx?id=53018
  2. https://docs.microsoft.com/en-us/azure/information-protection/rms-client/unifiedlabelingclient-version-release-history