After upgrading to Windows 10 2004, I noticed an alert in Windows Defender. It was alerting that something needed to be turned on, and I wondered what as I needed to do this in Group Policy for the entire organisation.
Clicking the area around the ‘turn on’ button takes you to the App & browser control – containing another ‘Turn on’.
Go into the ‘Reputation-based protection settings’ link and there’s more info:
Aha! an option that’s not on – Block downloads. This is actually a Microsoft Edge setting which you can toggle, and will at the same time tick ‘Block downloads’:
I couldn’t find where this was set in Group Policy, so used Procmon to work out what was changing with that toggle. I ended up working out it was in the registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\SmartScreenPuaEnabled and setting the default value to 1:
Great, now I knew what was changing, I could work backwards. Using GPSearch I looked for “SmartScreenPuaEnabled” and came back with
Configure Microsoft Defender SmartScreen to block potentially unwanted apps – User Configuration\Administrative Templates\Microsoft Edge\SmartScreen settings\
I didn’t have this Group Policy setting, so checked I had the latest ADMX files loaded for Windows 10 2004 – which I did, and they include templates for the Chromium based Microsoft Edge.
What I then discovered (or remembered!) was that there were separate ADMX files to get for Microsoft Edge, updated with each release. Downloading and loading these into my central repository brought in the “Configure Microsoft Defender SmartScreen to block potentially unwanted apps” setting I wanted. Enabling that, running a gpupdate set the value to what I wanted, and cleared the Microsoft Defender alert.
Long story short – if you’re still using Group Policy like me, you may want to get into the habit of updating your ADMX files for Microsoft Edge more frequently than your Windows 10 builds – Microsoft releases major versions of Edge every 6 weeks.
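To check both halves of this on a client (is the setting actually on, and how old are the Edge templates in the central store), here is an added PowerShell example that is not part of the original post. It assumes the central store sits at the standard SYSVOL PolicyDefinitions path, that the Edge template file is named msedge.admx, and that the Group Policy setting writes a SmartScreenPuaEnabled value under HKCU:\SOFTWARE\Policies\Microsoft\Edge; the function name is made up for illustration.

```powershell
# Added example: report the Edge "block potentially unwanted apps" state for the
# current user and the age of the Edge ADMX template in the central store.
function Get-EdgePuaState {
    [CmdletBinding()]
    param(
        # Assumption: standard central store location for the logon domain
        [string]$CentralStore = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies\PolicyDefinitions"
    )

    # Value written by the Group Policy setting (assumed REG_DWORD, 1 = enabled)
    $policy = (Get-ItemProperty -Path 'HKCU:\SOFTWARE\Policies\Microsoft\Edge' `
        -ErrorAction SilentlyContinue).SmartScreenPuaEnabled

    # Key changed by the Edge toggle, as seen with Procmon in the post:
    # the key's default value is set to 1
    $toggleKey = 'HKCU:\SOFTWARE\Microsoft\Edge\SmartScreenPuaEnabled'
    $toggle = $null
    if (Test-Path -Path $toggleKey) { $toggle = (Get-Item -Path $toggleKey).GetValue('') }

    # Only look for the template when the machine has a DNS domain
    $admxDate = $null
    if ($env:USERDNSDOMAIN) {
        $admx = Join-Path -Path $CentralStore -ChildPath 'msedge.admx'
        if (Test-Path -LiteralPath $admx) { $admxDate = (Get-Item -LiteralPath $admx).LastWriteTime }
    }

    [pscustomobject]@{
        PolicyValue      = $policy                      # $null = setting not applied
        UserToggleValue  = $toggle                      # $null = user never toggled it
        EnforcedByPolicy = ($policy -eq 1)
        PuaBlockingOn    = ($policy -eq 1) -or ($null -eq $policy -and "$toggle" -eq '1')
        EdgeAdmxInStore  = ($null -ne $admxDate)
        EdgeAdmxDate     = $admxDate                    # compare against the current Edge release
    }
}

Get-EdgePuaState | Format-List
```

If EnforcedByPolicy is False after a gpupdate and EdgeAdmxInStore is also False, the setting was never available to configure in the first place, which is the situation described above.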
Microsoft Lists is available for a lot of people already, and should be globally available by the end of October 2020. Users can start using it as soon as it’s released for your tenant, which is great; but you might get caught out by the same date and time regional problem I did.
Creating a List is easy (right now I have the option available in Teams, but the app in Office 365 hasn’t turned up yet), and there’s many use cases for wanting a date or time field.
However, the suggestion on what day it is was wrong:
Today is actually Wednesday, October 14th 2020. It’s being caused because the timezone is wrong for the list. How do we fix that?
A Microsoft List can be created two ways – in the single user context, or in a Microsoft 365 Group context. If you’re doing it in Teams then only the latter applies. Individually, it’s saved in the same area as your OneDrive for Business (which is backed by SharePoint), but for a Group it’s saved straight into the Site for the Group.
Lists in OneDrive for Business
For the individual point of view, there’s already a Microsoft Answer on how to fix this – change your Time Zone and Region Locale. The link for this is individualised for your tenant and account, but you can access it by:
1. Click the cog in the top right corner and choose ‘OneDrive Settings’
2. Click ‘More Settings’ in the left hand list
3. Under ‘Region and Language’ choose ‘Regional Settings’
4. Choose the correct Time Zone and Locale for your account
Changing this for all users is a bit more of a problem. There’s a PowerShell script here to update all existing ones, and for new users there appears to be no way to do it based on this outstanding UserVoice – if you find anything different, please share and I’ll update this post.
Lists in SharePoint Online
A Microsoft List tied to a Microsoft 365 Group will read the Time Zone and Region settings from the Group’s site, which is accessed a bit differently:
1. If you have the Lists app in the left hand menu, choose that and skip to step 5
2. If there is no Lists app, click the SharePoint app from the left hand menu
3. Choose the Microsoft 365 Group that contains the Microsoft List (if you’re unsure, you can try finding the List in Teams, clicking the ellipsis and choosing ‘Open in SharePoint’).
4. Click the cog in the top right corner and choose ‘Site Contents’ then choose ‘Site Settings’
5. Click ‘Regional Settings’ under ‘Site Administration’
6. Choose the correct Time Zone and Locale for your Group and press ‘OK’ in the bottom right corner.
This works for a single site, but what about a company wide default?
In the SharePoint admin center, under Settings then Site creation, you can set the default time zone for new sites. This won’t help any existing Microsoft 365 Group already created (as a site is created at the time the group gets created), but will help with future sites.
If you want to update existing sites in PowerShell, you’ll need to start with this command:
A lot of details there just to change the date detection in Lists, but hopefully this gives you enough information to understand the scenarios and how to resolve them.
Was stumped on this one and had to get advice from Microsoft Support.
A single user couldn’t log in via Multi-Factor Authentication. SMS code would say it was sent, wouldn’t come through. Phone call also wouldn’t come through. Trying to set up another MFA method aka.ms/mfasetup would receive one of these errors:
You are blocked from performing this operation. Please contact your administrator for help.
We’re sorry, we ran into a problem. Please select “Next to try again.
There were zero search results for that first error word for word, which is never a good sign.
There’s several areas you can check for blocked users such as:
And of course, that’s where the user was listed. They’d had some suspicious activity (a MFA phone call they didn’t initiate) so chose the option to block future sign in attempts, as you’d hope. This also triggered an email alert to admins, and that link is where the user’s block is listed until released.
The New Microsoft Edge browser is great and everyone should use it :) Especially if you’re still on Internet Explorer, you can make Edge use IE mode for the sites you have that still require IE, without having to actually use IE.
I had a scenario where I wanted Internet Explorer users to be changed to Microsoft Edge. Previously, we’d had business requirements to set IE as the default – but now that’s no longer required, I wanted to flip their default. At the same time, I didn’t want to change Google Chrome default browser users as they’d already made that choice, and didn’t want to shove a similar Chromium browser down their throats.
As per Microsoft’s doco https://docs.microsoft.com/en-us/deployedge/edge-default-browser you can use an XML file with default associations, and use Group Policy to point to that XML. It doesn’t stop users from changing the associations, but it does reset the associations each time the user logs in – so not ideal if you want to set a default, but also allow flexibility.
I worked out how to do this based on current default browser and using GPO still, so here’s what I did:
As per the doco above, create an XML file that sets Microsoft Edge as the default application for certain protocols:
Note that .PDF is included, so if you’d rather not default .PDF files to Microsoft Edge, remove that line from the code.
The Group Policy in the doco to set this XML is called Set a default associations configuration file – and all it’s doing is populating a registry key. Instead of using the Group Policy setting, create a registry setting to apply a value to:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System
DefaultAssociationsConfiguration - REG_SZ - Path to XML e.g. \\dfs\share\defaultapplication.xml
The Group Policy registry setting will look like this:
We only want this registry setting to apply when the default browser is IE, and not apply any other time. We can use two options to do this – Remove this item when it is no longer applied, and Item-level targeting:
“Remove this item when it is no longer applied” will remove the registry setting when the item-level targeting condition is no longer true, which will stop the default browser applying again and again once the default browser isn’t IE.
“Item-level Targeting” is where we’ll check another registry value to see if IE is the default browser.
This is checking the registry key path Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
and the Value name ProgId
and the Value Data IE.HTTP
Only when all this is true, will the XML reg key apply. Next time someone logs on, the default program associations file will be read and apply the new browser default. Then, next time Group Policy evaluates, the registry setting will be out of scope and removed, so the default program associations file registry setting will be removed.
For reference, Chrome will be the value ChromeHTML and Edge will be MSEdgeHTM.
This method worked quite well and gave me what I was after – a one time change from Internet Explorer to Microsoft Edge, without bothering Chrome and Firefox users.
Note that this will also keep kicking in if the user changes their browser default back to Internet Explorer, which might be what you want – but if not, you’d need to add another Item-level target using a flag file or registry setting to mark that the default browser has already been applied once.
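To see where a given machine and user sit in that cycle, the following added PowerShell example (not part of the original post) evaluates the same condition as the item-level target and reports what the next logon or policy refresh will do. The function name is hypothetical, and the XML check assumes the usual DefaultAssociations/Association layout with Identifier and ProgId attributes.

```powershell
# Added example: mirror the item-level targeting check and report the resulting state.
function Get-BrowserDefaultPolicyState {
    [CmdletBinding()]
    param(
        # Current default handler for http, the value the item-level target checks
        [string]$ProgId = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice' -ErrorAction SilentlyContinue).ProgId,
        # Path to the associations XML, as written by the registry preference item
        [string]$XmlPath = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' -ErrorAction SilentlyContinue).DefaultAssociationsConfiguration
    )

    $targeted = ($ProgId -eq 'IE.HTTP')                  # item-level target is true
    $applied  = -not [string]::IsNullOrEmpty($XmlPath)   # registry item is present

    # If the XML is reachable, confirm it really maps http to Edge (MSEdgeHTM)
    $xmlSetsEdge = $null
    if ($applied -and (Test-Path -LiteralPath $XmlPath)) {
        $xml = [xml](Get-Content -LiteralPath $XmlPath -Raw)
        $xmlSetsEdge = [bool]($xml.DefaultAssociations.Association |
            Where-Object { $_.Identifier -eq 'http' -and $_.ProgId -eq 'MSEdgeHTM' })
    }

    $state = if ($targeted -and $applied) {
        'Pending: associations switch to Edge at next logon'
    } elseif ($targeted) {
        'In scope: waiting for Group Policy to write the value'
    } elseif ($applied) {
        'Out of scope: value is removed at next policy refresh'
    } else {
        'Nothing to do: default is not IE and no associations file is set'
    }

    [pscustomobject]@{
        CurrentHttpProgId = $ProgId        # IE.HTTP, ChromeHTML, MSEdgeHTM, ...
        AssociationsXml   = $XmlPath
        XmlSetsHttpToEdge = $xmlSetsEdge   # $null = XML not set or not reachable
        State             = $state
    }
}

Get-BrowserDefaultPolicyState | Format-List
```

A machine that stays in the ‘Out of scope’ state across several refreshes is one where the ‘Remove this item when it is no longer applied’ option is not taking effect, and the associations will keep being reset at each logon.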
Synology sent me a new DiskStation to review after I’d acquired an older one myself to look at its ability to back up Microsoft 365 data (the updated name for Office 365). Being a Microsoft MVP in the Office Apps and Services category, I was very interested to see how it worked.
After reading up on and seeing that it was a completely free piece of software available as part of owning a DiskStation, I was hoping this would be a good solution at an incredibly low price – buy your DiskStation and disks, some time to set it up, and you’re done. To me, that’s already a very appealing offering, along with Synology having a good reputation for maintaining and supporting their hardware several years on – which was proved by the 7 year old DS1813+ I set up a few months ago.
I’ve left the new Intel-based DiskStation 1618+ – Quad Core CPU and 4GB RAM (expandable) running for about a month now, backing up my Microsoft 365 tenant’s data. I ticked ALL the options to see how it went. This tenant is just for me, so the data set is smaller than most tenants – but I do run a few live things through it like email and OneDrive. There’s also a little SharePoint Online data from Microsoft 365 Groups and Teams I’ve played around with.
Here’s what the dashboard looks like now:
Some useful information there around what’s being backed up and how big it is. You might notice there’s a few errors on the summary. I drilled into those and each was because ‘The Microsoft Server is busy’, and a few minutes later it would try again successfully.
This is likely because I used a backup option to get incremental changes, rather than at a set time. Maybe I’m hitting it too much and getting blocked occasionally.
I know I’ve gotten ahead of myself here, so let’s go back to how to set this up. Assuming you have yourself a Synology DiskStation of some sort that supports ‘Active Backup for Office 365’ – and which models are those? Here’s the list:
From the DiskStation desktop, open Package Center and follow these steps:
This was a very easy setup to do – I took screenshots of every step involved, but it barely needs an explanation for anyone who’s an admin of a Microsoft 365 Tenant.
The program will then go off and start backing up what you told it. The ‘Activities’ section of Active Backup for Office 365 will show any backups running, and you can also use the inbuilt ‘Resource Monitor’ to see upload/download speeds, disk utilization etc.
It’s also worth noting that the backup you created has an ‘account discovery’ option where it’ll find any new accounts created and automatically add them to the backup, which is great for not having to change backup settings each time you have a new user start.
Running a backup is great, but how do you restore the data? There’s a second app you’ll need, ‘Active Backup for Office 365 Portal’. Launching this will take you to a web interface where admins can browse all data, and users can browse just their own (user access can be disabled if you prefer).
On this web interface, you can then find the file(s) you want to restore, and restore them. You also get a nice timeline down the bottom so you can move backwards and forwards to see a snapshot of a certain time.
Although Mail, Calendar, Contact, and Site (SharePoint) support searching across all backups for names and contents, at the time of writing this isn’t possible for OneDrive backups. It’s worth being aware of this – if someone requests a file restore you’ll need to know exactly when from. I don’t see this as too much of an issue though, as OneDrive has great version control natively, and an automatic recycle bin – so you’d probably rely on the native solution for finding a file, but still it’s worth knowing this existing limitation.
That was the only slight negative I could find while testing. Everything else just worked, was quick to browse and restore, and incremental backups appeared to be on the DiskStation within several seconds after creating a new file in OneDrive.
Again, this is an incredibly cheap Office 365 backup solution. Some may question if you need to back up Office 365 at all. You could set up infinite retention against all content, so why take a backup? To me it’s a definite grey area, and partly depends how much you value the data. Microsoft may never lose your data, but will it be available 100% of the time? What if that important document is in your OneDrive and hadn’t synced down, and there was an outage? We’ve seen a few outages lately, including ones that have broken authentication – your data is still there, but you can’t get to it. In that scenario, having a local copy of something time sensitive could be worth it. Considering the relatively low cost of buying a Synology DiskStation – your disks are probably going to cost more than the unit itself, I consider it a pretty easy sell.