Tag: Enterprise Mobility + Security

Defender for Identity: NTLM Warning Troubleshoot

Hi everyone hope you guys are enjoying your weekend, today is actually the day where Malaysian votes for their new leader (Prime Minister).

Prove that I have voted! This year voting allocation for special needs and old folks was really convenient.



Anyway, let’s start the topic of today!

Microsoft recently alerts tenant’s Defender for Identity admin portal due to new requirements require to implement on the domain controller’s GPO.

The warning should look like this in your Defender for Identity Admin portal:

There is a link of recommendations that it should guide you to how to resolve this issue. However, I realize the article by Microsoft did not CLEARLY wrote the steps on how to locate the Group Policy. This feedback had been raised to the authors and they had already attended to it.

In your domain controller’s Event viewer logs you should receive an event ID showing 8004.

It would affect to those domain controllers that does not have this policy enabled. To enable the policy, you should follow the steps below.

Resolution Steps:

  1. Login to a writable domain controller with the right permission that can modify the GPO
  2. Go to Start > Search and Launch Group Policy Management
  3. Select Group Policy Objects > Find Default Domain Controllers Policy > Right click and edit Default Domain Controllers Policy
  4. Expand Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
  5. Select “Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers” > Choose Audit all > OK
  6. Select “Network security: Restrict NTLM: Audit NTLM authentication in this domain” > Choose Enable all > OK
  7. Select “Network security: Restrict NTLM: Audit Incoming NTLM Traffic” > Choose Enable auditing for all accounts > OK
  8. Go to Start > Search and launch Command Prompt > Run this command “gpupdate /force“. (For immediate apply, do this to all the available Domain controllers with the sensor agent too)

References:

  1. https://learn.microsoft.com/en-us/defender-for-identity/configure-windows-event-collection#event-id-8004

Active Directory and Microsoft Defender for Identity: Defender for Identity agent failed to communicate with domain controller

Hi guys hope you guys are having a nice day today. Today I would like to bring to you about an experience that I had met involving the defender for identity and domain controller.

The problem was the defender for identity stop working all of the sudden and same goes to the group policy. This environment has more than 1 domain controllers running and only 1 of them having issue. There was no one to keep track of what was being done previously.

There was no proper error code to be found in the event logs, on the affected domain controller mentioning what was the reason. There was list of Kerberos error code and intermittent sync on the DNS, DFS replication and directory sync.

Hence, I have collected the event logs on the affected domain controller and the defender for identify logs from C:\Program Files\Azure Advanced Threat Protection Sensor\version number\Logs. Based on my findings, that the affect domain controller’s computer object was not in the default domain controller organizational unit.

These was what in the defender for identity logs shows:

A task was canceled. Error DirectoryServicesClient Microsoft.Tri.Infrastructure.ExtendedException: Failed to communicate with configured domain controllers

Warn GroupManagedServiceAccountImpersonationHelperGetGroupManagedServiceAccountAccessTokenAsync started. Error Service Controller Extension ChangeServiceStatus failed to change service status [name=AATPSensor status=Running Exception=System.ServiceProcess.TimeoutException: Time out has expired and the operation has not been completed. at System.ServiceProcess.ServiceController. WaitForStatus(ServiceControllerStatus desiredStatus,TimeSpam timeout]

Resolution

  1. Schedule a downtime if required
  2. Analyze the affected domain controller’s computer object location
  3. Move the affected domain controller into the default domain controller Organizational Unit
  4. On impacted domain controller, run the command sc triggerinfo kdssvc start/networkon.  By doing this, we are changing the trigger for the Microsoft Key Distribution Service (KdsSvc) to start the service as soon as the network is available
  5. Then restart the affected domain controller

References

  1. https://docs.microsoft.com/en-us/defender-for-identity/troubleshooting-using-logs

Exchange Online Protection: Configuration Analyzer (Your Mail Security Advisor)

Hi guys and ladies, today I’m going to write about the hidden guru in your Exchange Online Protection, a.k.a Office 365 Mail Security or Microsoft Defender for Office 365.

Why improving your mail security configuration is important? Well, malicious attacks gets improve from time to time, so does security too. In the past, scammers used to send fake letters to houses claiming to be from the bank or police officer, to lure you into turning yourself in with money. Now 2022, scammers are sending blast mails to any IP address or available legit domain in the world, claiming to be an authorized organization and to seek their victims.

There are times you would like to compare what your vendors recommendation and the global recommendation of mail security configuration, now you have it in your Microsoft Exchange Online portal. Basically configuration analyzer scans your existing policies and provide either Standard or strict recommendation to improve your mail policies.

*Note:

Do not make changes to default policies by Microsoft. Recommended to create new ones.

How to get that?

  1. First you login to your https://security.microsoft.com portal
  2. At the left taskbar, you can see the “Email and collaboration” category
  3. Select the “Policies & rules”
  4. Select “Threat policy”
  5. Select “Configuration Analyzer”

As you can see they do scan your default policies by you can ignore them. The most important thing inside this table, is the structured and convenient information that provide you understanding on how you can improve your existing policies.

You may refer to the references below to know whether is your license has this feature available.

References

  1. https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/configuration-analyzer-for-security-policies?view=o365-worldwide

Microsoft Information Protection: Planning Your Sensitive Labels

Hey guys and girls, hope you guys are having a great weekend! Remember to stay healthy and stay safe as your priority.

Today’s blog is more towards talking about the Microsoft information protection labels, how to plan before deploying it. Each organization has their own preferences and requirements. Planning is a crucial part of every deployment especially when the deployment would have to roll-out to the users to use it for their daily work. Layman is the key to the users understanding.

Some organization have a compliance team and some does not have it. Having a compliance team would able to make this deployment much more clearer in terms of what the organization needs. If the organization does not have a compliance team, then we would help to identity together in terms what do they require only. Labels are structure in the form of priorities, so best to make it simple, and easier for administrator to manage too.

Phase 1: Give them the feel and look

Microsoft do provide default labels to organization, you can roll-out these default labels to smaller team or compliance team, allowing them to play around with it for a period of time. This allows them to have an idea how sensitive labels works and coming out a template would be easier for them. Having a template is the quickest way and easier way to roll-out the labels.

Default labels

Phase 2: Feedback and Drafting Template

Getting feedback and drafting template phase, is a closer phase to rolling out the labels that suits the organization needs. In this phase, there are few items that you would need to involve into and would take a bit of time,

  • Categories the labels based on location (Exchange online, SPO, OneDrive and etc)
    • There is difference in terms of protection features for each location
  • What can or can’t do in the labels
  • Users description about the labels (keep it as layman as you can)
  • Priority of the labels
  • Design structure of the labels/sub-labels (Simple is better)
  • Permissions (Flexible or Set)
  • Action for the priority labels (Flexible, Warning or Strict-Justification)
  • Customization notifications (Majority would decide to maintain the default, so you don’t need to spend too much time on this part)

Here are some design types that you can reference,

Design type 1

This design is for organization that would like to remain some default labels, and has new labels for other departments and its purposes. No sub-labels to be manage.

Design type 2

This design is for organization that would wish to keep some default labels but does not want to have other new labels to manage. Has sub-labels to manage.

Design type 3

This design is for organization that would like to manage their labels in the form of departments and with each department has their own labels. I wouldn’t recommend this though, because is complicated. As I mention earlier, labels are arrange in the form of priority.

Phase 3: Final Template

This is the phase where you can start to roll-out the final template of the labels back to the small team or compliance team to give it one last confirmation.

References:

  1. https://docs.microsoft.com/en-us/azure/information-protection/what-is-information-protection
  2. https://docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels?view=o365-worldwide

MDM: Preventing Meeting Room devices registered to Intune by user account

Hey guys and girls, happy new year and hope you guys are healthy and safe!
I’ve come across of issues of users kept login their own corporate user accounts into a meeting room device through Microsoft Teams. Thus, this will also registered the meeting room device under the user’s account.

Kept manually deleting the devices objects from the user account is not flexible to administrators. Clean up is really not something that as administrators has to do every time a user uses that meeting room device. Our meeting room devices are not hybrid join. So this solution does not really impact the Windows license but this does not mean it would not cause issue for your environment. Recommended that you test it out at your lab environment. Our meeting room devices are custom made/design.

I was able to came across an article that really helps my situation. This solution require to modify the device’s registry editor.

Note:

Please run a lab test.

  1. Launch the registry editor on the affected machine
  2. Direct to this location HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin
  3. Create a new DWORD item and name it BlockAADWorkplaceJoin with the value of 1
  4. Reboot the machine
  5. You may run a command line “dsregcmd /status” to check the MDM status
    • WorkplaceJoined: No
    • SSO state: No

If you have multiple devices that you would need to apply this settings you could export and save this registry settings or use PowerShell method. You may refer the PowerShell method via the references below.

References:

  1. https://msendpointmgr.com/2021/03/11/are-you-tired-of-allow-my-organization-to-manage-my-device/
  2. https://support.microsoft.com/en-us/topic/how-to-back-up-and-restore-the-registry-in-windows-855140ad-e318-2a13-2829-d428a2ab0692

Microsoft Endpoint Manager: Troubleshoot Hybrid Device Joined

Good day everyone, hope you all are taking care of your health and safety during this pandemic. Hope you guys are also getting your booster shots.

Today’s issue is related to Microsoft Endpoint Manager, on hybrid device joined. I notice that when a device’s Azure AD Registered icon is removed from the Endpoint Manager portal and if the machine didn’t reboot immediately and leaving the device there for more than an hour after I have made the changes in the portal, the device will have issue in joining/registering as hybrid join.

There is this cache that the device stored, I’m not too sure about what is the refresh time that the device retrieve the new update from portal.

Symptoms that your hybrid join was not successful:

  1. The device’s Register status keeps showing/stuck at Pending, at Endpoint Manager
  2. The device’s MDM status keeps showing/stuck System Center Configuration instead of Microsoft Intune, at Endpoint Manager
  3. Command prompt keeps showing the MDM warning, when I perform “gpupdate /force” even though the machine’s object is no longer found in Endpoint Manager
  4. In the dsregcmd /status shows the DeviceAuth: Failed.Device is either disconnected or deleted.

Steps to resolve:

  1. First clear the machine object from Endpoint Manager
  2. Run an Azure AD Connect synchronization from on-premises
  3. Once the Azure AD Connect synchronization completed then proceed to the next step…
  4. Reboot the machine
  5. Launch the command prompt as administrator on the affected machine, and run the following command “dsregcmd /leave”
  6. Then run “dsregcmd /status”, check to make sure the the device is unjoined
  7. Go to the registry editor, “HKLM\SOFTWARE\MICROSOFT\Enrollments” delete all the GUID looking keys
  8. Reboot the machine
  9. Try again the hybrid join procedure

If you can’t delete some of the keys due to the system not allow, then it is fine, you can proceed deleting the ones that can delete.

References:

  1. https://docs.microsoft.com/en-us/troubleshoot/azure/active-directory/pending-devices
  2. https://www.itpromentor.com/troubleshooting-weird-azure-ad-join-issues/

Azure: Troubleshoot Azure Information Protection installer via Intune

What’s up ladies and dudes!

Today’s topic is about the Azure Information Protection installer, yes is the MSI installer, AzInfoProtection_UL.msi.

Every MSI application you would need to use this following command to install them into the machine “msiexec /i <application name> /quiet“, but somehow for this case YOU DON’T NEED IT!

Basically you would just leave the command-line arguments empty.

References:

  1. https://www.microsoft.com/en-us/download/details.aspx?id=53018

Azure: Troubleshooting Conditional Access App Control for iOS

Good day everyone. Even with the Covid-19 is rising drastically in Malaysia, kind of brings my hopes down. Anyway, I still have to keep going with life.

Today’s topic is about the Azure’s conditional access policy. We found a bug in conditional access for iOS device platform. So basically our situation is that, if we would need the conditional app control to be functioning in the Cloud App Security, we would need to setup a conditional access policy. Our setup was only to achieve monitoring mode only. However, after enabling the policy we retrieve reports saying that all iOS devices are having trouble accessing their exchange online. Users are receiving an email notification, stating that their exchange online access is being blocked. We had to disable the policy temporary to troubleshoot it.

This was the email notification:

No Exchange Server, just Exchange Online
  • This was our configuration for the conditional access policy;
    • Assignment: Include a test group, Exclude the VIP accounts
    • Cloud apps: All cloud apps
    • Conditions: None
    • Session: Use conditional app control (Monitor Only)

So this is the Microsoft article shows how the configuration/enablement is being setup in the conditional access in order for the app control to work, as you can see there weren’t any conditions being setup. Hence, it should not be doing any requirements checking or blocking.

There are not enough explanation
As you can see the condition shows zero

To be honest, I had raise ticket to MCAS, Exchange Online and Azure team, and none of them able to get back to me an answers. MCAS team state that “no conditions are setup it SHOULD NOT be performing blocking”.

I had to stop relying the Microsoft Support for this case, as I had to find a way to identify it. So based on the image above, we can see that the article is not mature enough, because there weren’t any solid references or notes stating the limitations/restriction of monitor only of conditional app control.

Upon further checking, I had to analyze the logs of Azure Sign-in activity and Cloud App Security Activity log of that user whom experience the issue. We notice that the sign-in was shown as “Interrupted” and there was no failure sign in status. For your information, the iOS version is 14.

Error code 1: This is not an error – this is an interrupt that triggers device authentication when required due to a Conditional Access policy or because the application or resource requested the device ID in a token. This code alone does not indicate a failure on your users part to sign in. The sign in logs may indicate that the device authentication challenge was passed succesfully or failed.

Error code 2 : This is an expected part of the login flow, where a user is asked if they want to remain signed into this browser to make further logins easier. For more details, see https://techcommunity.microsoft.com/t5/Azure-Active-Directory/The-new-Azure-AD-sign-in-and-Keep-me-signed-in-experiences/td-p/128267

Error code 3: 50097

Another finding was that there weren’t any Exchange mobile device access policy/rules being configure to perform the blocking.

I do know that once this conditional app control is enabled there will have this prompt page before entering into the Exchange online, this is my iPad Air by the way, running on the latest version. The prompt page can be turn off though. Anyway, that is not the case here. I ran a test to mimic the situation but I didn’t experience any email notification send to me stating my exchange online access is being blocked. There is no MFA or Biometric setup on my iPad.

The questions still lies is there a pre-requisites for iOS devices for conditional access policy, even though there is no conditions being set?

Below is image from web browser;

Below image from my iOS outlook app;

Intune & PowerShell: Creation of Email accounts automation on Outlook

Hey guys and girls, hope you all are having a good day. Today’s topic has a relation of 3 platform.

  • Intune/Microsoft Endpoint Manager
  • PowerShell
  • Outlook App (Windows)

This topic is more related to migration situations, so basically the environment is running IMAP and are on the stage of migrating to Office 365. Hence, to allow users to able to proceed to make use of the new mailbox and having to receive latest emails without disruption or downtime, would need to create the office365 email account on their Outlook profile.

If you notice that you have an email account, user@abc.com with the type “IMAP” on your outlook default profile, but you would like to also add the user@abc.com with the type “Microsoft Exchange” on the outlook default profile too. This is where the issue happen, majority would just proceed to try to add the account from the Outlook app but it will never let you successfully add the new account in and return with the message saying “This account has been added.” It seems to me that the Outlook App unable to differentiate TYPES. If you dig into Google Search you will only get articles, guiding you to create a new Profile just for the Office 365 account.

Wait…there is a solution to this. Please don’t bother raising case to Microsoft Support from Intune, if you’re lucky you will meet a support that willing to go extra miles for you. Usually the support would recommend you to turn on this feature from Intune “Automating the creation of outlook profile for Exchange Accounts” this only applies to new profile not existing profile.

So basically the solution is simple but I’m still unable to find an automation way to perform this. Hence, manually, but luckily is was just a small business organization, else I’m poof of words. Just type organization that is not willing to spent other migration products such as BitTitan and etc..

Anyway, to create an email account o the default outlook profile we would need to

  1. Launch your Start/Windows button
  2. Search for “Control Panel”
  3. Search for “Mail” in Control Panel
  4. Select the Mail > select “email accounts”
  5. Then select “New”
  6. Enter the following details and click Next
  7. Wait for the establish processing…
  8. You will now have 2 user@abc.com accounts in the default Outlook Profile with different types, IMAP and Microsoft Exchange.

If you are still wanting to go with having 2 profiles in Outlook to serve each types here is a simple PowerShell Script that you can upload to Intune;

#This is to create new Profile with the new Profile name
New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Outlook\Profiles\<Profile Name>" -Value ""

#This is to allow the prompt to users to choose which Outlook profile
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Exchange\Client\Options" -Name "PickLogonProfile" -Value "1"

Azure ATP: Troubleshoot sensor keeps disconnecting

Hey guys good morning! Is a rainy day today, just brings the relax mood on.

Here is another topic on Microsoft Defender for Identity, is the troubleshooting on sensors.

When you notice that your sensor keeps disconnecting, while it was fine during the first 2 weeks of the deployment.

There are many possibilities that causes this issue, so I’m glad that there is this Sizing tool that you can use to identify the traffic on the domain controllers and it will provide you recommendation of the hardware requirements that needs increasing or look into it.

Sometimes this is not due to domain controllers or the sensor issue, it could meant that the environment is growing and numbers of applications required the LDAP authentications with the closest domain controllers or the FSMO holder domain controller.

This is how the alert looks like on the ATP portal;

To proof that whether the domain controller needs increment of the hardware resources

  1. Download the sizing tool
  2. Install the sizing tool on the domain controller that has issue with the sensor
  3. *it does not require restart of domain controller
  4. Run the application for 24 hours
  5. It will export a excel file on directory of the application

This is how the reports looks like, filename is TriSizingToolResults_<date>

ATA Summary
Azure ATP Summary

As you can see above the I have 3 domain controllers that exceeds 30k of packets per second, and it recommended me to increase the RAM size.

Below is a diagram of requirements needs to be meet;

I highlighted ones is needs to be met for my 3 domain controllers.

References:

  1. Planning your Microsoft Defender for Identity deployment | Microsoft Docs