TechCommunity

Microsoft TechCommunity Top Posts January 2022, Week 4

Here’s my selection of TechCommunity posts for this week. My plan was to pick 5ish, but there’s a heck of a lot of content to go through, read, then decide if it’s worthy:

Mainframe Data Modernization to Azure

If you like visuals, you’ll like this post. The exponentially increased amount of data we have to work with becomes more difficult to manage on-premises, and this article covers some of the considerations around this and methods to move your data to the cloud. Nice for some future planning considerations.

Windows Server End of Support: Key Dates

Don’t forget those end of support dates! Windows Server 2022 is out, 2008 + R2 is on extended security updates, and 2012 + R2 has a bit under 2 years left before standard support ends (unless of course it gets extended). If you have 2008 or 2012 servers in your environment, just remember how old those are already. Upgrade sooner rather than later, instead of getting caught out by a project where something needs your domain forest level at 2019, and all your DC’s aren’t even on that version of Windows Server…

Users get intermittent credential prompt on client browser when using IIS Windows Authentication

January 2022 wasn’t a good month for Microsoft patches, one of many problems was this “After installing this update on domain controllers (DCs), affected versions of Windows Servers might restart unexpectedly.” Nice. Spend some time understanding the state of patches right now and make sure you’re not experiencing any of the several issues we’ve seen, including this.

Achieve better patch compliance with Update Connectivity data

A nice report in Intune shows the ‘Update connectivity’ stats of devices – the idea behind this is to see if devices aren’t online long enough to get updates. This data doesn’t really give you solutions to the problem, but does give you an idea on the risk in your environment if devices aren’t getting patched regularly, and how many devices have this as an issue. Everyone loves a donut graph, especially Microsoft.

Microsoft Teams users can now chat with any Teams user outside their organization

Pretty big news for work based Teams talking to external people via their Microsoft personal (consumer) account, or phone number. Note that this doesn’t create a SMS conversation, it requires a Microsoft account and will invite someone to sign up if they don’t already have one. This can be a good way for staff to talk to external people live, but still in a regulated/logged way, and the same way they’d talk to internal staff. External people also don’t need to install software (back in the day everyone wanted Skype installed to talk to that 1 external person) which is another plus. Lots of details on this post showing how it works and how to make sure it’s enabled in your tenant.

Sending From Email Aliases – Public Preview

I like this one. You can turn on the setting ‘SendFromAliasEnabled‘ in your tenant which lets users pick from a list aliases to send from – across Outlook for the Web and Outlook for iOS and Android. There are known issues so be very careful about enabling this in your tenant, but for people who need to send from different aliases for different reasons, this looks like a very useful new feature in Exchange Online.

Announcing general availability of vulnerability management support for Android and iOS

That other device that every employee has is often deemed as too hard to do much about, so it’s good to see something actually happening in the iOS and Android space for Defender – although there’s not too much it can do yet (especially for iOS). Still, this is worth looking into and is probably one of those things that if something bad did happen, you’d be happy you proactively rolled it out.

Onboarding Devices in the Microsoft 365 Apps Admin Center

Lots of content in this one. I don’t see too much content around the Microsoft 365 Apps Admin Center (and maybe that’s because when I see the name, my brain drops out the word ‘Apps’ and I’m thinking of the wrong portal). It’s https://config.office.com/ and the feature list here is continually growing. Looking through the reports will give you a better insight into what’s happening in your environment, and probably raise some questions :)

That’s it for this week, as always you can see the entire feed of TechCommunity posts at https://twitter.com/MSITTechNews and you can see my previous TechCommunnity picks here https://www.adamfowlerit.com/tag/techcommunity/

Microsoft TechCommunity Top Posts January 2022, Week 3

Another week, a bunch more TechCommuntiy posts. Here’s my picks of interesting ones:

Task management tips for Planner beginners

Getting started blog posts are always valuable. I particularly like the first image, showing an overall diagram of what makes up the Planner view. To me it’s (almost) all fundamental stuff I worked out, but it’d be quicker to read this then start using it than fumble my way through :) One thing I hadn’t done before was creating a Task from a Teams message which is a nice workflow option.

Microsoft Defender for Office 365 Ninja Training: January 2022 Update

There is so much good content in the Defender Ninja Training (Office 365, Sentinel etc, all of the different parts!) and once you’re caught up, you can keep up to date monthly with these posts that show what’s changed or new. Now all we need is more time to watch all the content!

Why you shouldn’t set these 25 Windows policies

There’s still someone that cares about Windows Updates, and even WSUS aligning with Group Policy settings in Microsoft, and it’s Aria Carley. Clean up some unused settings if you’re on Windows 10/11, and understand the real world impact of other settings acting maybe not the way you’d expect, with recommendations and links to official doco. I also don’t know what GP and CSP recommendations are as per the comments (GP = Group Policy officially, CSP = Customer Services Provider team inside Microsoft? I always get these wrong), but I’m sure that’ll be explained soon.

“Architecting Adelaide” 🎙 – The Intrazone podcast

The guys didn’t tell me about this one! My old user group in Adelaide that I had to hand over in 2021 is now being run by these awesome guys:

and they were on the Intrazone podcast talking about their IT Pro experiences. Well done you three :)

Getting started with Azure Bicep

As someone who doesn’t deep dive into Azure, I was wondering what Azure Bicep even is. Sonia Cuff explains this and demonstrates how it’s a simpler language evolved from JSON, and that the language can be translated back and forth betwen the two – but the result is templates that are easier to write, especially for those who aren’t developers.

Windows 10 or Windows 11 GPO ADMX – Which One To Use For Your Central Store?

If you’re starting with Windows 11 and have Group Policy still running, you need to read this. It’s not a great state to be while transitioning with all the catches and gotchas. Why they didn’t just have a separate set of policies for Windows 11 and have on the comments on each GPO what versions of Windows it applies to is unclear. There’s a few angry comments already on this. My personal take is that there’s no real benefit of jumping to Windows 11 yet for the enterprise (home it’s fine), so sit tight and wait for some of these things to settle, or at least be clearer as others work them out.

Security baseline for Microsoft Edge v97

There’s 1 new recommendation and 15 new settings (for computers and users) in the latest version of Microsoft Edge. These come out with each version of Edge, so you need to keep up to date and review any recommendations each time. Weirdly, the setting they recommend to turn off “Enhance images enabled” isn’t visible on Edge v97 installed on my home PC or work PC logged in with different profiles, but it should still be disabled in Group Policy so you’re not uploading internal company images to Microsoft to ‘enhance’ them. I question that if the recommendation for Enterprise is to turn it off, why is it safe enough for consumers to use, who I’m sure would have photos at times opened in their browser they don’t want invisbily uploaded? Maybe there’s something else to the recommendation I’m missing, like keeping your data in the country you want where the service could put it anywhere…

Securing Critical Infrastructure with Microsoft Sentinel & Microsoft Defender for IoT

The real answer to this is ‘IoT shouldn’t be on the same network as anything you care about, especially in Enterprise – or just don’t use IoT in Enterprise at all’ is a pipe dream, at least you can monitor what your IoT devices are doing in Sentinel. Looks pretty easy to connect up, but of course just having Sentinel ingest logs isn’t really a 24/7 SOC solution, you need people on top of this.

That’s it for this week, as always you can see the entire feed of TechCommunity posts at https://twitter.com/MSITTechNews and you can see my previous TechCommunnity picks here https://www.adamfowlerit.com/tag/techcommunity/

Microsoft TechCommunity Top Posts January 2022, Week 2

Here’s my weekly picks on the subjectively best blog posts from TechCommunity:

Released: January 2022 Exchange Server Security Updates

Security updates for Exchange 2013, 2016 and 2019 are out, and as always, there’s exploits these mitigate. Note that https://aka.ms/ExchangeUpdateWizard will ask what you’re upgrading from and to, and talk you through the process – although it does expect you’ve done this before with some high level ‘Update your AD schema with this switch’ instructions that require you to go work out how to do that – which does involve downloading the latest ISO for Exchange, mounting it, then running the setup.exe with some switches. It also notes that these patches don’t fix the January 2022 transport queue buildup issue (Y2K22). Get patching!

Create a resume website – no coding experience required!

This one’s a really neat idea – use GitHub Pages for free, to have a static online resume. No fees, no special hosting stuff – it’s what I run msportals.io off of. Good practise in doing something fairly simple on GitHub Pages. A workshop is available to work through it all.

SQl Injection: example of SQL Injections and Recommendations to avoid it

I’m not someone who dabbles in SQL too often, but this is a nice clear post demonstrating simply how SQL Injection can work by searching with the string ‘ or 1=1 or 1=’ – then how to avoid it in code, and how Microsoft Defender for Cloud can detect and notify on those sort of attacks.

New to Microsoft Certification exams? We have something you need to try

Really good idea from Microsoft here – an exam sandbox so you can get a feel for how the exams work (without actual exam questions) which can help people be prepared for what they’ll experience doing their first real Microsoft exam. I’ve added this to https://msportals.io too :)

Continuous Access Evaluation in Azure AD is now generally available!

This is a great addition to the security Azure AD provides. Instead of just assessing risk at the time of login, Azure AD will now continually assess risk, and force re-auth if something changes that it decides has increased the risk of the account such as location change or password change. It’s auto-enabled so you don’t have to do anything, but good to be aware of.

Getting Started with a Windows 365 POC

I personally haven’t even looked at Windows 365 yet – so if I was going to get started, this is the perfect sort of blog post to get things going. It looks pretty easy without too many steps, so check this out if you want to have a play.

Microsoft Defender for Endpoint Plan 1 Now Included in M365 E3/A3 Licenses

Defender for Endpoint P1 is now in M365 E3/A3 licenses. If you’re wondering what P1 is, the article has a comparison table. That means if you have Defender for Endpoint already, it’s probably now P2. Microsoft Defender for Endpoint P1 is looking pretty cheap at $3US per user per month if you don’t already have E3/A3. This still goes to show that Microsoft licensing is hard and confusing, with so many factors to consider.

That’s it for this week, as always you can see the entire feed of TechCommunity posts at https://twitter.com/MSITTechNews

Microsoft TechCommunity Top Posts January 2022, Week 1

This year, I’m going to pick the most interesting TechCommunity Blog Posts on a weekly basis, and talk about them. There’s so much good content that gets posted and can be missed. This is of course from my point of view and the things I care about, but I hope it’ll help others pick up on some things they might have otherwise missed.

I also have a dedicated Twitter feed that posts all TechCommunity and Azure Blog Posts at https://twitter.com/MSITTechNews if you’d rather see everything.

Here’s my picks:

Email Stuck in Exchange On-premises Transport Queues

Yikes, not a great way to start the year off – referred to as the Y2K22 bug, Exchange On-Premises servers (including ones for hybrid) were getting stuck in transport queues and eventually rejecting emails due to a date issue in malware scanning – it didn’t like the year 2022. Amusingly, the fix sets the date on the signature file as December 33rd, 2021 to get around it. The latest CU11 for Exchange 2019 doesn’t fix it, so unlikely other CUs for other versions of Exchange fix it either.

How to Remote Assist Autopilot Deployments with Quick Assist

This is about using Quick Assist to remote onto someone’s computer as part of Autopilot. It’s interesting we don’t have a nice native way of remoting into a computer we control still without requiring user input – but it does make sense if the machine is still being configured. It’d be better if one of the first things Autopilot did was allow remote controlling by an administrator without having to talk the user through opening command prompt with key combos and typing in commands.

Zero-touch onboarding of Microsoft Defender for Endpoint on iOS now in public preview

Using Microsoft Endpoint Manager to deploy Defender to iOS devices without any user input – I love the idea, but this one needs careful planning, testing and communication. What does Defender on iOS actually do? Check out the capabilities such as Web Protection, Threat and Vulnerability Management, and Jailbreak Detection.

Cannot enable Advanced Threat Protection on Managed Instance server

A simple post showing an error when trying to enable Advanced Threat Protection (we’re still apparently calling it that because it’s a pain to update everything with constant name changes!) and workaround. I’ve posted there suggesting they have a readable screenshot of the actual error, and put it there in plain text too so it’s searchable.

How to Manage Microsoft Teams Meeting Recording Auto-Expiration

“New recordings will automatically expire 60 days after they are recorded if no action is taken, except for A1 users who will receive a max 30-day default setting. The 60-day default was chosen because, on average across all tenants, 99%+ of meeting recordings are never watched again after 60 days. However, this setting can be modified if a different expiration timeline is desire”

I’ve gone and turned off the auto-expiring of meeting recordings. Why would I want that? Microsoft’s argument quoted is that people don’t watch them after 60 days 99%+ of the time – except what about the < 1% when you do need it? I only need to lose one meeting to be angry that this setting was ever there. There’s also a slight error in the post:

“To change the default auto-expiration setting for your tenant, go to admin.teams.microsoft.com, navigate to Meetings > Meeting Policies > Add in the left navigation panel”

Add isn’t in the left navigation panel, and we probably shouldn’t be adding a new policy, but instead adjusting the Global (Org-wide default). Creating a new policy that’s not applied to anyone won’t do much :)

I’ve posted the above there and hopefully will get updated.

That’s it for week 1!