Continuous Access Evaluation: Rise of the Claim challenge

Hi refresh tokens, hi lag when terminating users or setting a new password. Welcome continuous access evaluation (CAE), bye lag (1 hour refresh token). A claim challenge is a mechanism to indicate that the token was rejected and a new token needs to be issued. So what are the benefits? User termination or password change/reset: user session revocation will be enforced in near real time. Network location change: Conditional Access location policies will be enforced in near real time. Token export to…

MCAS: Judgement Day

This blog will be about how I broke my own Microsoft Cloud App Security instance. Cloud App Security is a fantastic product; it can help you discover and protect everything in your Microsoft 365 tenant. Some time ago I wrote an article on how to automate your Cloud App Security enrollment. It can come in handy when you want to deploy all your custom-made alerts to a new tenant. In the meantime I added a lot more…

The Man Who Shot Office Hardware acceleration

This simple blog will be about why Outlook can be seriously lagging while typing. And I mean seriously lagging: some letters will pop up 10 to 15 seconds after typing. The probability that this issue will be resolved by buying a new laptop is very small. I have seen this happen on all kinds of devices, old and new. Open your Task Manager and look at the GPU Engine column. You will notice: GPU 0 – 3D. This means Outlook is using hardware graphics acceleration. …

Guardians of the Local Admin rights

Granting your users local admin permissions when deploying Windows 10 is really, really best practice… I'm joking, no it's not! I must be saying this a lot lately. You need to be certain all of your endpoints are managed, so you can make sure your users don't have local admin permissions. You don't believe me that your endpoints need to be managed? Take a look at these two examples (Alex Fields): Removing local admin permissions mitigates a lot of critical Microsoft…

The never-ending Command Prompt

Some time ago I showed you the options you have to block administrative tools like CMD and Regedit. Within the latest insider preview build 20185 I noticed a new ADMX file. So, we can block cmd and regedit by configuring a CSP, right? I enrolled a new Windows 10 Enterprise VM and updated it to the latest insider preview build. After my new VM was configured, I tried to configure this CSP by creating a new device configuration profile like this:…

Lost in monitoring Onedrive

In this blog, I will be showing you why it's very important to monitor OneDrive and how to set up OneDrive monitoring on your endpoints. When you have enabled KFM and mounted some Team sites as I showed in one of my blogs, you have to make sure OneDrive is always working and your files are up to date. Monitoring your users' OneDrive can be a bitch, because there are no event logs or registry values you can monitor to make sure OneDrive…

The Place Beyond the Guests

Restricting guest access is very important. Normally you don't want a guest user to see the membership of any groups. Of course, there are some situations in which you don't want to change this setting. You can simply change this under User settings > Manage external collaboration settings inside the Azure AD portal: https://aka.ms/AADRestrictedGuestAccess Or just use PowerShell. Add this setting to your enrollment template so that when enrolling a new customer, this setting will not be forgotten: Get-AzureADMSAuthorizationPolicy | Set-AzureADMSAuthorizationPolicy -GuestUserRoleId '2af84b1e-32c8-42b7-82bc-daa82404023b' Conclusion:…

Thank you for Application Guard for Office apps.

In this blog, I will show you how to start testing with Application Guard for Office apps. To make sure malware can't get its foot in the door, you have to protect your endpoint. Hardening your Office apps is the first step. Some time ago Microsoft made it possible to isolate Office documents you open from an untrusted location… First you have to meet the minimum software and license requirements: Windows 10 Enterprise edition, client build version 2004…

Sensitivity Labels DLP’s Excellent Adventure

In this blog, I'll be talking about using DLP in combination with sensitivity labels and device protection, a perfect addition to labeling your data with sensitivity labels. Labeling your data may already be the best option you have to protect your data, but adding an additional barrier by making sure data can't be moved is even more excellent! Yeah! A Microsoft 365 E5/A5 Compliance license or the Information Protection and Governance add-on is the "only" big requirement you need to start…

Blocking administrative Tools part 2

In one of my last blogs, I showed you how to block the administrative tools: it can easily be done within the Intune for Education portal. Of course, that's really nice. But I just noticed some ADMX updates: https://blogs.windows.com/windowsexperience/2020/08/05/announcing-windows-10-insider-preview-build-20185/ I hope this ADMX update within Insider preview build 20185 will help us prevent access to the command prompt, PowerShell and the registry without using AppLocker?