Browsed by
Category: Security

The Conditional Access Experiment

Some time ago I was inspired to check something out. Of course, almost all schools are working with Teams nowadays and so is my son’s school. After installing Teams and logging in with my son’s Office 365 account, I was asked the famous question of whether I wanted to “allow my organization to manage my device”. Okay… So the school allows anyone to register a device to their tenant? I guess the school has a lot of devices to manage. If it…

Web Content filtering: The final chapter

Starting with Microsoft 365 Business is an excellent idea. It contains almost everything you need for a secure modern workplace. By almost everything, I mean you’ll be missing out on some great features contained within the Microsoft E5 license. The biggest example would be Microsoft Defender for Endpoint, which also has some add-ons like web content filtering. I can imagine that for the SMB, Microsoft E5 might be too expensive for now. The price difference between a Microsoft 365 Business premium…

The blind event Log

Today I was called in to take a look at a weird Excel add-in error. Suddenly, on all Windows 2016 terminal servers from a specific customer, they got the following error when opening Excel: The first thing that will come to mind is looking at the latest Windows and Office patches that have been installed. And so I did; after removing all the latest patches within a test environment, the problem remained. So, I excluded patching problems. What’s next? AppLocker…

Remote Wipe: The Next level

The power of remote wiping your device is great to have. When your devices are configured with Autopilot, a remote wipe will make sure your devices will return to factory defaults and will begin to enroll your device with all that’s configured in Intune. Transforming to a zero-trust modern workplace will require some work. You’ll need to set up Autopilot, collect the hardware hashes, remote wipe, and reset the device to let it enroll in Azure AD with Autopilot. But how…

Birds of Printer drivers

This blog is going to show you 2 options you have when you want to make sure the end user without admin permissions can still install printer drivers when needed. Implementing adminless can be hard, especially when a user is accustomed to the possibility of installing printers on their own. To take away some of this trouble of introducing adminless, you can give your end-users the possibility to install printer drivers on their own. Of course, Printix or Microsoft Universal…

Fantastic PowerShell and where to find the CA Rules

Automating your tenant deployment is crucial in preventing human mistakes. This is one example from my own experience when working in the field with PowerShell and JSON. When automating your conditional access deployments as I did, you can run into some very weird situations… So, what did I do? I fired up a PowerShell session from a special Win10 VM (created for deployments) and logged in with my admin user within the customer (test) tenant WVDCLOUD: admin@wvdcloud.nl. I checked once again…

A million ways to implement ISO 27001 controls.

After being inspired by Alexander Fields about the CIS framework and Microsoft 365, I took a deep dive into mapping ISO 27001 to a zero-trust modern workplace. I’ll try to show you how Microsoft 365 Business can help you with your ISO 27001 adventure. The ISO 27001 Framework has many CIS controls included. You can check out the mapping of CIS controls to ISO 27001 right here: I’ve created the ultimate Visio flow to help our customers transform their organizations…

Guardians of the Local Admin rights

Granting your users local admin permissions when deploying Windows 10 is really really best practice… I’m joking, no it’s not! I must be saying this a lot lately. You need to be certain all of your endpoints are managed, so you can make sure your users don’t have local admin permissions. You don’t believe me that your endpoints need to be managed? Take a look at these two examples (Alex Fields): Removing local admin permissions mitigates a lot of critical Microsoft…

The never-ending Command Prompt

Some time ago I showed you the options you have to block the administrative tools like CMD and Regedit. Within the latest Insider Preview 20185 I noticed a new ADMX file. So? We can block cmd and regedit by configuring a CSP, right? I enrolled a new Windows 10 Enterprise VM and updated to the last Insider Preview update. After my new VM was configured, I tried to configure this CSP by creating a new device configuration profile like this:…

The Place Beyond the Guests

Restricting guest access is very important. Normally you don’t want a guest user to see the membership of any groups. Of course, there are some situations where you don’t want to change this setting. You can simply change this in the user manage external collaboration settings inside the Azure AD portal. https://aka.ms/AADRestrictedGuestAccess Or just use PowerShell. Add this setting to your Enrollment template so when enrolling a new customer, this setting will not be forgotten. Get-AzureADMSAuthorizationPolicy | Set-AzureADMSAuthorizationPolicy -GuestUserRoleId '2af84b1e-32c8-42b7-82bc-daa82404023b' Conclusion:…
