What's New in Microsoft Defender for Identity in October 2022

Microsoft Defender for Identity

Microsoft Defender for Identity helps Active Directory admins defend against advanced persistent threats (APTs) targeting their Active Directory Domain Services infrastructures.

It is a cloud-based service, where agents on Domain Controllers provide signals to Microsoft's Machine Learning (ML) algorithms to detect and report on attacks. Its dashboard allows Active Directory admins to investigate and remediate (potential) breaches related to advanced threats, compromised identities and malicious insider actions.

Microsoft Defender for Identity was formerly known as Azure Advanced Threat Protection (Azure ATP) and Advanced Threat Analytics (ATA).

What’s New

In October 2022, two new versions of Microsoft Defender for Identity were released:

Version 2.192, released on October 23, 2022
Version 2.193, released on October 30, 2022

These releases introduced the following functionality:

New security alert: Abnormal AD FS authentication using a suspicious certificate

The infamous Nobelium actor introduced a new attack on Active Directory Federation Services (AD FS), dubbed MagicWeb. It allows an attacker to implant a backdoor on compromised AD FS servers, which will enable impersonation as any domain user and thus access to external resources.

Defender for Identity version 2.193 and beyond provide an alert when this attack is used and the Defender for Identity sensors are installed on the AD FS servers.

Out of the box support for remediation actions

Defender for Identity can now leverage the LocalSystem account on the Domain Controller to perform remediation actions, like enable user, disable user, force user reset password, in addition to the group Managed Service Account (gMSA) option that is available since Defender for Identity version 2.169 (January 2022).

New health alert

As Defender for Identity relies on healthy sensors on all Domain Controllers, a new health alert has been introduced with Defender for Identity version 2.192.

When NTLM Auditing is not enabled on the server, a health alert is shown on the Sensors settings page in the Microsoft 365 Defender portal with Medium severity. Admins should enable NTLM Auditing on the Domain Controllers that display this alert.

Enable NTLM Auditing events according to the guidance as described at the Event ID 8004 section, in the Configure Windows Event collection page.

IMPROVEMENTS AND BUG FIXES

Both October 2022 Defender for Identity versions releases include improvements and bug fixes for the internal sensor infrastructure.

Posted on November 3, 2022 by Sander Berkouwer in Microsoft Defender for Identity, What's New

On-premises Identity-related updates and fixes for October 2022

Windows Server

Even though Microsoft’s Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016, Windows Server 2019 and Windows Server 2022 still receive updates.

This is the list of Identity-related updates and fixes we saw for October 2022:

Windows Server 2016

We observed the following updates for Windows Server 2016:

KB5018411 October 11, 2022

The October 11, 2022 update for Windows Server 2016 (KB5018411) updating the OS build number to 14393.5427, is a monthly cumulative update that includes the following Identity-related improvements:

It introduces a Group Policy setting that enables or disables Microsoft HTML Application (MSHTA) files.
It addresses an issue that affects a primary Active Directory Federation Services (AD FS) node. It might fail to register or update its heartbeat. Because of this, the node is removed from the farm.
It addresses an issue that affects a Server Message Block (SMB) multichannel connection. This issue might lead to stop error 13A or C2.
It addresses a known issue that might affect file copies that use Group Policy Preferences. They might fail or might create empty shortcuts or files that have 0 (zero) bytes.

KB5010439 October 18, 2022 Out of Band

The October 18, 2022 update for Windows Server 2016 (KB5020439) updating the OS build number to 14393.5429, is an out of band update that addresses an issue that might affect some types of Secure Sockets Layer (SSL) and Transport Layer Security (TLS) connections. These connections might have handshake failures.

Windows Server 2019

We observed the following updates for Windows Server 2019:

KB5018419 October 11, 2022

The October 11, 2022 update for Windows Server 2019 (KB5018419) updating the OS build number to 17763.3532, is a monthly cumulative update that includes the following Identity-related improvements:

This update turns off Transport Layer Security (TLS) 1.0 and 1.1 by default in Microsoft browsers and applications.
It introduces a Group Policy setting that enables or disables Microsoft HTML Application (MSHTA) files.
It addresses an issue that affects non-Windows devices. It stops these devices from authenticating. This issue occurs when they connect to a Windows-based remote desktop and use a smart card to authenticate.
It addresses an issue that affects the Local Security Authority Subsystem Service (LSASS). LSASS might stop working on a domain controller for a child domain. This might occur when you lose the connection to a domain controller in the parent domain while you are searching for a name that is in many forests or a security identifier (sID).
It addresses an issue that affects Group Policy Objects (GPOs). Because of this, the system might stop working.
It addresses a known issue that might affect file copies that use Group Policy Preferences. They might fail or might create empty shortcuts or files that have 0 (zero) bytes.

KB5020438 October 17 Out of Band

The October 17, 2022 update for Windows Server 2019 (KB5020438) updating the OS build number to 17763.3534, is an out of band update that addresses an issue that might affect some types of Secure Sockets Layer (SSL) and Transport Layer Security (TLS) connections. These connections might have handshake failures.

Windows Server 2022

We observed the following updates for Windows Server 2022:

KB5018421 October 11, 2022

The October 11, 2022 update for Windows Server 2022 (KB5018421) updating the OS build number to 20348.1129, is a monthly cumulative update that includes the following Identity-related improvements:

This update introduces WebAuthn redirection. It lets you authenticate in apps and on websites without a password when you use Remote Desktop. Then, you can use Windows Hello or security devices, such as Fast Identity Online 2.0 (FIDO2) keys.
It addresses an issue that affects cached credentials for security keys and FIDO2 authentications. On hybrid domain-joined devices, the system removes these cached credentials.
It introduces a Group Policy setting that enables or disables Microsoft HTML Application (MSHTA) files.
It addresses an issue that affects Group Policy Objects (GPOs). Because of this, the system might stop working.
It addresses an issue that affects non-Windows devices. It stops these devices from authenticating. This issue occurs when they connect to a Windows-based remote desktop and use a smart card to authenticate.
It addresses an issue that affects the Settings app on domain controllers. When you access System > Display, the Settings app stops working.
It addresses an issue that affects the Local Security Authority Subsystem Service (LSASS). LSASS might stop working on a domain controller for a child domain. This might occur when you lose the connection to a domain controller in the parent domain while you are searching for a name that is in many forests or a security identifier (sID).
It addresses a known issue that might affect file copies that use Group Policy Preferences. They might fail or might create empty shortcuts or files that have 0 (zero) bytes.

KB5020438 October 17 Out of Band

The October 17, 2022 update for Windows Server 2022 (KB5020436) updating the OS build number to 20348.1131, is an out of band update that addresses an issue that might affect some types of Secure Sockets Layer (SSL) and Transport Layer Security (TLS) connections. These connections might have handshake failures.

KB5018485 October 25 Preview

The October 25, 2022 update for Windows Server 2022 (KB5018485) updating the OS build number to 20348.1194 is a preview update that includes the following Identity-related improvements:

It addresses an issue that affects Distributed Component Object Model (DCOM) authentication hardening. It automatically raises the authentication level for all non-anonymous activation requests from DCOM clients to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY. This occurs if the authentication level is below Packet Integrity.
It addresses a DCOM issue that affects the Remote Procedure Call Service (rpcss.exe). It raises the authentication level to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY instead of RPC_C_AUTHN_LEVEL_CONNECT if RPC_C_AUTHN_LEVEL_NONE is specified.
It addresses an issue that affects the Microsoft Azure Active Directory (AAD) Application Proxy connector. It cannot retrieve a Kerberos ticket on behalf of the user. The error message is:

The handle specified is invalid (0x80090301)

It improves Active Directory replication performance in large environments.
It addresses an issue that affects the Forest Trust creation process. It fails to place the domain name system (DNS) name suffixes in the trust attributes. This issue occurs on devices that install January 11, 2022 or later updates.
It addresses an issue that affects certificate mapping. When it fails, lsass.exe might stop working in schannel.dll.

Posted on November 2, 2022 by Sander Berkouwer in Microsoft Windows Server 2016, Microsoft Windows Server 2019, Microsoft Windows Server 2022, What's New

Explained: Veeam Communities

Veeam Legends Vanguards and VeeaMVPs

Like every IT vendor, Veeam has a community that advocates their products and services. Currently, within this Veeam community, there are three roles. I’m a Veeam Vanguard, but there’s also Veeam Legends and Veeam MVPs. All three roles are commonly referred to as the ‘Veeam 100’.

So how do you keep them apart?

Veeam Vanguards

Veeam Vanguards are top influencers in their own external identities and properties. The Veeam Vanguard program was conceived in 2015 and some of the inaugural Veeam Vanguards are still Veeam Vanguards.

Veeam Legends

Veeam Legends are top engagers on Veeam properties, like the R&D Forums, the Veeam Community Hub and Veeam User Groups. The Veeam Legends program started in 2020. Some Veeam Vanguards are also Veeam Legends.

Veeam MVPs

Veeam MVPs, or ‘VeeaMVPs’, are top Veeam employees with a customer-facing technical role who are sharing and engaging when it is not part of their job. The Veeam MVP program kicked off during Veeam’s internal TechExpo in Amsterdam in 2021.

Posted on October 26, 2022 by Sander Berkouwer in Veeam, Veeam Vanguard

What’s New in Group Policy in the Windows 11 2022 Update (22H2, build 22621)

Windows 11

Microsoft introduced its first update to Windows 11 on September 20th, 2022. As part of this release, new features have been released and previously optional products have been integrated. Some of these actions have lead to new Group Policy settings, as detailed by Microsoft in the Group Policy Settings Reference Spreadsheet for Windows 11 2022 Update (22H2).

Let’s see what’s new:

Control Panel

For the Control Panel, one new Group Policy setting was introduced with the Windows 11 2022 Update in the context of Computer Configuration\Policies\Administrative Templates\System:

Hide messages when Windows system requirements are not met

This policy controls messages which are shown when Windows is running on a device that does not meet the minimum system requirements for the installed Operating System (OS) version. If you enable this policy setting, these messages will never appear on desktop or in the Settings app. If you disable or do not configure this policy setting, these messages will appear on desktop and in the Settings app when Windows is running on a device that does not meet the minimum system requirements.

Desktop App Installer (WinGet)

For the desktop, new Group Policy settings were introduced for the Desktop App Installer, Previously known as the Windows Package Manager (WinGet.exe) in the context of Computer Configuration\Policies\Administrative Templates\Windows Components\Desktop App Installer:

Enable App Installer

This policy controls whether the Windows Package Manager can be used by users. If you enable or do not configure this setting, users will be able to use the Windows Package Manager. If you disable this setting, users will not be able to use the Windows Package Manager.

Enable App Installer Settings

This policy controls whether users can change their settings. If you enable or do not configure this setting, users will be able to change settings for the Windows Package Manager. If you disable this setting, users will not be able to change settings for the Windows Package Manager.

Enable App Installer Experimental Features

This policy controls whether users can enable experimental features in the Windows Package Manager. If you enable or do not configure this setting, users will be able to enable experimental features for the Windows Package Manager. If you disable this setting, users will not be able to enable experimental features for the Windows Package Manager.

Enable App Installer Local Manifest Files

This policy controls whether users can install packages with local manifest files. If you enable or do not configure this setting, users will be able to install packages with local manifests using the Windows Package Manager. If you disable this setting, users will not be able to install packages with local manifests using the Windows Package Manager.

Enable App Installer Hash Override

This policy controls whether or not the Windows Package Manager can be configured to enable the ability override the SHA256 security validation in settings. If you enable or do not configure this policy, users will be able to enable the ability override the SHA256 security validation in the Windows Package Manager settings. If you disable this policy, users will not be able to enable the ability override the SHA256 security validation in the Windows Package Manager settings.

Enable App Installer Default Source

This policy controls the default source included with the Windows Package Manager. If you do not configure this setting, the default source for the Windows Package Manager will be available and can be removed. If you enable this setting, the default source for the Windows Package Manager will be available and cannot be removed. If you disable this setting the default source for the Windows Package Manager will not be available.

Enable App Installer Microsoft Store Source

This policy controls the Microsoft Store source included with the Windows Package Manager. If you do not configure this setting, the Microsoft Store source for the Windows Package manager will be available and can be removed. If you enable this setting, the Microsoft Store source for the Windows Package Manager will be available and cannot be removed. If you disable this setting the Microsoft Store source for the Windows Package Manager will not be available.

Set App Installer Source Auto Update Interval In Minutes

This policy controls the auto update interval for package-based sources. If you disable or do not configure this setting, the default interval or the value specified in settings will be used by the Windows Package Manager. If you enable this setting, the number of minutes specified will be used by the Windows Package Manager.

Enable App Installer Additional Sources

This policy controls additional sources provided by the enterprise IT administrator. If you do not configure this policy, no additional sources will be configured for the Windows Package Manager. If you enable this policy, the additional sources will be added to the Windows Package Manager and cannot be removed. The representation for each additional source can be obtained from installed sources using winget source export. If you disable this policy, no additional sources can be configured for the Windows Package Manager.

Enable App Installer Allowed Sources

This policy controls additional sources allowed by the enterprise IT administrator. If you do not configure this policy, users will be able to add or remove additional sources other than those configured by policy. If you enable this policy, only the sources specified can be added or removed from the Windows Package Manager. The representation for each allowed source can be obtained from installed sources using winget source export. If you disable this policy, no additional sources can be configured for the Windows Package Manager.

Enable App Installer ms-appinstaller protocol

This policy controls whether users can install packages from a website that is using the ms-appinstaller protocol. If you enable or do not configure this setting, users will be able to install packages from websites that use this protocol. If you disable this setting, users will not be able to install packages from websites that use this protocol.

DNS Client

For the Domain Name System (DNS) client in the Windows 11 2022 Update, two new Group Policy settings were introduced in the context of Computer Configuration\Policies\Administrative Templates\Network\DNS Client:

Configure Discovery of Designated Resolvers (DDR) protocol

Specifies if the DNS client would use the DDR protocol. The Discovery of Designated Resolvers (DDR) protocol allows Windows to move from unencrypted DNS to encrypted DNS when only the IP address of a resolver is known. If you enable this policy, the DNS client will use the DDR protocol. If you disable this policy setting, or if you do not configure this policy setting, computers will use locally configured settings.

Configure NetBIOS settings

Specifies if the DNS client will perform name resolution over NetBIOS. By default, the DNS client will disable NetBIOS name resolution on public networks for security reasons. To use this policy setting, click Enabled, and then select one of the following options from the drop-down list:

Disable NetBIOS name resolution
Never allow NetBIOS name resolution.

Allow NetBIOS name resolution
Always allow NetBIOS name resolution.

Disable NetBIOS name resolution on public networks
Only allow NetBIOS name resolution on network adapters which are not connected to public networks.

NetBIOS learning mode
Always allow NetBIOS name resolution and use it as a fallback after mDNS/LLMNR queries fail.

If you disable this policy setting, or if you do not configure this policy setting, computers will use locally configured settings.

File Explorer

For File Explorer in the Windows 11 2022 Update, one new Group Policy settings was introduced in the context of Computer Configuration\Policies\Administrative Templates\Windows Components\File Explorer:

Turn off files from Office.com in Quick access view

Turning off files from Office.com will prevent File Explorer from requesting recent cloud file metadata and displaying it in the Quick access view.

Internet Explorer

For Internet Explorer and in Internet Explorer mode, four new Group Policy settings were introduced with the Windows 11 2022 Update in the context of Computer Configuration\Policies\Administrative Templates\Windows Components\Internet Explorer and in the context of User Configuration\Policies\Administrative Templates\Windows Components\Internet Explorer:

Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects

This policy setting turns off Adobe Flash in Internet Explorer and prevents applications from using Internet Explorer technology to instantiate Flash objects. If you enable this policy setting, Flash is turned off for Internet Explorer, and applications cannot use Internet Explorer technology to instantiate Flash objects. If you disable, or do not configure this policy setting, Flash is turned on for Internet Explorer, and applications can use Internet Explorer technology to instantiate Flash objects. Users can enable or disable Flash in the Manage Add-ons dialog box.

Enable global window list in Internet Explorer mode

This setting allows Internet Explorer mode to use the global window list that enables sharing state with other applications. The setting will take effect only when Internet Explorer 11 is disabled as a standalone browser. If you enable this policy, Internet Explorer mode will use the global window list. If you disable or don’t configure this policy, Internet Explorer mode will continue to maintain a separate window list.

Reset zoom to default for HTML dialogs in Internet Explorer mode

This policy setting lets admins reset zoom to default for HTML dialogs in Internet Explorer mode. If you enable this policy, the zoom of an HTML dialog in Internet Explorer mode will not get propagated from its parent page. If you disable, or don't configure this policy, the zoom of an HTML dialog in Internet Explorer mode will be set based on the zoom of it's parent page.

Disable HTML Application

This policy setting specifies if running HTML Applications (HTA files) is blocked or allowed. If you enable this policy setting, running an HTML Application (HTA file) will be blocked. If you disable or do not configure this policy setting, running an HTML Application (HTA file) is allowed.

Authentication

In terms of Kerberos and the Kerberos Key Distribution Center (KDC), the Windows 11 2022 Update offers three new Group Policy settings, scattered between Computer Configuration\Policies\Administrative Templates\System\KDC and Computer Configuration\Policies\Administrative Templates\System\Kerberos:

Configure hash algorithms for certificate logon

This policy setting controls hash or checksum algorithms used by the Kerberos client when performing certificate authentication. If you enable this policy, you will be able to configure one of four states for each algorithm:

Default
This setting sets the algorithm to the recommended state.

Supported
This setting enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security.

Audited
This setting enables usage of the algorithm and reports an event (ID 309) every time it is used. This state is intended to verify that the algorithm is not being used and can be safely disabled.

Not Supported
This setting disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure.

If you disable or do not configure this policy, each algorithm will assume the Default state.

Allow retrieving the Azure AD Kerberos Ticket Granting Ticket during logon

This policy setting allows retrieving the Azure AD Kerberos Ticket Granting Ticket (TGT) during logon. If you disable or do not configure this policy setting, the Azure AD Kerberos TGT is not retrieved during logon. If you enable this policy setting, the Azure AD Kerberos TGT is retrieved during logon.

The Local Security Authority Subsystem Service (LSASS) also received updates in the Windows 11 2022 Update, resulting in two new Group Policy settings in the context of Computer Configuration\Policies\Administrative Templates\System\Local Security Authority:

Allow Custom SSPs and APs to be loaded into LSASS

This policy controls the configuration under which LSASS loads custom security support packages (SSPs) and authentication packages (APs). If you enable this setting or do not configure it, LSA allows custom SSPs and APs to be loaded. If you disable this setting, LSA does not load custom SSPs and APs.

Configures LSASS to run as a protected process

This policy controls the configuration under which LSASS is run. If you do not configure this policy and there is no current setting in the registry, LSA will run as protected process for cleanly installed, HVCI capable, client SKUs that are domain-joined or Azure AD-joined devices. This configuration is not UEFI locked. This setting can be overridden if the policy is configured:

If you configure and set this policy setting to Disabled, LSA will not run as a protected process.

If you configure and set this policy setting to EnabledWithUEFILock, LSA will run as a protected process and this configuration is UEFI locked.

If you configure and set this policy setting to EnabledWithoutUEFILock, LSA will run as a protected process and this configuration is not UEFI locked.

The Microsoft Account (MSA) sign-in assistant features one new Group Policy setting in the Windows 11 2022 Update in the context of Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft account:

Only allow device authentication for the Microsoft Account Sign-In Assistant

This setting determines whether to only allow enterprise device authentication for the Microsoft Account Sign-in Assistant service (wlidsvc). By default, this setting is disabled and allows both user and device authentication. When the value is set to 1, the Microsoft Account Sign-in Assistant service only allows device authentication, and blocks user authentication.

For Windows Hello for Business, one new Group Policy setting is available in the context of Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Hello for Business:

Enable ESS with Supported Peripherals

Enhanced Sign-in Security (ESS) isolates Windows Hello biometric (face and fingerprint) template data and matching operations to trusted hardware or specified memory regions, meaning the rest of the operating system cannot access or tamper with them. Because the channel of communication between the sensors and the algorithm is also secured, it is impossible for malware to inject or replay data in order to simulate a user signing in or to lock a user out of their machine. While this policy is enabled on Windows 11 devices, external biometric authentication with Windows Hello will be blocked. Any non-authentication operational functionalities such as camera usage will be unaffected.

If you enable this policy then it can have following possible values:

0
With this value, ESS is disabled (not recommended). ESS will be disabled on all systems, enabling the use of external biometric authentication. If a user has enrolled in Windows Hello with ESS enabled, when the feature gets disabled, they will lose their enrollment and must reset PIN. At that point they will have the option to re-enroll in biometrics. OS will not attempt to start secure components, even if the secure hardware and software components are present.

1
With this value, ESS is enabled (default and recommended for highest security). ESS will be enabled on systems with capable software and hardware, following the existing default behavior in Windows. Authentication operations of any biometric device that ESS does not support, including that of peripheral devices, will be blocked and not available for Windows Hello.

If you disable or not configure this policy then ESS is preferred on the device.

SMB

Server Message Block (SMB) in the Windows 11 2022 Update received two new Group Policy settings, distributed between Computer Configuration\Policies\Administrative Templates\System\Lanman Server and Computer Configuration\Policies\Administrative Templates\System\Lanman Client:

Request traffic compression for all shares (Server)

This policy controls whether the SMB server requests SMB client to use traffic compression for all SMB shares. If you enable this policy setting, the SMB server will by default request the SMB client to compress traffic when SMB compression is enabled. If you disable or do not configure this policy setting, the SMB server will not by default request the SMB client to compress traffic. However traffic compression may be requested by other means.

Note:
If this policy is disabled, traffic compression may be requested by server-side per-share properties or by the SMB Client. If this is undesired, and one wishes to completely disable compression, configure the accompanying Disable SMB compression policy below.

Note:
Traffic compression can only be used when both the SMB client and SMB server support and enable traffic compression.

Disable SMB compression (Server)

This policy controls whether the SMB server will disable and completely prevent traffic compression. If you enable this policy setting, the SMB server will never compress data, irrespective of other policies or share properties. If you disable or do not configure this policy setting, the SMB server may compress traffic.

Use SMB compression by default (Client)

This policy controls whether the SMB client uses traffic compression by default. If you enable this policy setting, the SMB client will attempt to compress traffic by default when SMB compression is enabled. If you disable or do not configure this policy setting, the SMB client will not by default attempt to compress traffic.

Disable SMB Compression (Client)

This policy controls whether the SMB client will disable (completely prevent) traffic compression. If you enable this policy setting, the SMB client will never compress data, irrespective of other policies. If you disable or do not configure this policy setting, the SMB client may compress traffic.

Edge Spartan

Edge Spartan was deprecated on March 9, 2021, but some organizations have a need to remain using this legacy technology. For these organizations, the Windows 11 2022 Update has a new Group Policy setting in the context of both Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Edge and User Configuration\Policies\Administrative Templates\Windows Components\Microsoft Edge:

Suppress the display of Edge Deprecation Notification

You can configure Microsoft Edge to suppress the display of the notification that informs users that support of Microsoft Edge Spartan ended. If enabled, the notification will not show. If disabled or not configured, the notification will show every time Edge Spartan is launched.

Printing

For people not working in paperless offices, the Windows 11 2022 Update features 9 new Group Policy settings in the context of Computer Configuration\Policies\Administrative Templates\Printers:

Limits print driver installation to Administrators

Determines whether users that aren't Administrators can install print drivers on this computer. By default, users that aren't Administrators can't install print drivers on this computer. If you enable this setting or do not configure it, the system will limit installation of print drivers to Administrators of this computer. If you disable this setting, the system won't limit installation of print drivers to this computer.

Manage processing of Queue-specific files

Manages how Queue-specific files are processed during printer installation. At printer installation time, a vendor-supplied installation application can specify a set of files, of any type, to be associated with a particular print queue. The files are downloaded to each client that connects to the print server. You can enable this setting to change the default behavior involving queue-specific files.

To use this setting, select one of the options below from the Manage processing of Queue-specific files field:

Do not allow Queue-specific files
This setting specifies that no queue-specific files will be allowed/processed during print queue/printer connection installation.

Limit Queue-specific files to Color profiles
This setting specifies that only queue-specific files that adhere to the standard color profile scheme will be allowed. This means entries using the Registry Key CopyFiles\ICM, containing a Directory value of COLOR and supporting mscms.dll as the Module value.

Allow all Queue-specific files
This setting specifies that all queue-specific files will be allowed/processed during print queue/printer connection installation.

If you disable or do not configure this policy setting, the default behavior is Limit Queue-specific files to Color profiles.

Manage Print Driver signature validation

This policy setting controls the print driver signature validation mechanism. This policy controls the type of digital signature that is required for a print driver to be considered valid and installed on the system. As part of this validation the catalog/embedded signature is verified and all files in the driver must be a part of the catalog or have their own embedded signature that can be used for validation. You can enable this setting to change the default signature validation method.

To use this setting, select one of the options below from the Select the driver signature mechanism for this computer field:

Require inbox signed drivers
This setting specifies only drivers that are shipped as part of a Windows image are allowed on this computer.

Allow inbox and Print Drivers Trusted Store signed drivers
This setting specifies only drivers that are shipped as part of a Windows image or drivers that are signed by certificates installed in the PrintDrivers certificate store are allowed on this computer.

Allow inbox, Print Drivers Trusted Store, and WHQL signed drivers
This setting specifies the only drivers allowed on this computer are those that are: shipped as part of a Windows image, signed by certificates installed in the PrintDrivers certificate store, or signed by the Windows Hardware Quality Lab (WHQL).

Allow inbox, Print Drivers Trusted Store, WHQL, and Trusted Publishers Store signed drivers
This setting specifies the only drivers allowed on this computer are those that are: shipped as part of a Windows image, signed by certificates installed in the PrintDrivers certificate store, signed by the Windows Hardware Quality Lab (WHQL), or signed by certificates installed in the Trusted Publishers certificate store.

Allow all validly signed drivers
This setting specifies that any print driver that has a valid embedded signature or can be validated against the print driver catalog can be installed on this computer. The PrintDrivers certificate store needs to be created by an administrator under the local machine store location. The Trusted Publishers certificate store can contain certificates from sources that are not related to print drivers.

If you disable or do not configure this policy setting, the default method is Allow all validly signed drivers.

Manage Print Driver exclusion list

This policy setting controls the print driver exclusion list. The exclusion list allows an administrator to curate a list of printer drivers that are not allowed to be installed on the system. This checks outranks the signature check and allows drivers that have a valid signature level for the Print Driver signature validation policy to be excluded. Entries in the exclusion list consist of a SHA256 hash of the *.inf file and/or main driver *.dll file of the driver and the name of the file. If you disable or do not configure this policy setting, the registry key and values associated with this policy setting will be deleted, if currently set to a value.

Configure RPC listener settings

This policy setting controls which protocols incoming RPC connections to the print spooler are allowed to use. By default, RPC over TCP is enabled and Negotiate is used for the authentication protocol. Choose between the following Protocols to allow for incoming RPC connections:

RPC over named pipes
Incoming RPC connections are only allowed over named pipes

RPC over TCP
Incoming RPC connections are only allowed over TCP (the default option)

RPC over named pipes and TCP
Incoming RPC connections will be allowed over TCP and named pipes

Then, select an Authentication protocol to use for incoming RPC connections:

Negotiate
Use the Negotiate authentication protocol (the default option)

Kerberos
Use the Kerberos authentication protocol

If you disable or do not configure this policy setting, Negotiate will be used.

Configure RPC connection settings

This policy setting controls which protocol and protocol settings to use for outgoing RPC connections to a remote print spooler. By default, RPC over TCP is used and authentication is always enabled. For RPC over named pipes, authentication is always enabled for domain joined machines but disabled for non domain joined machines. Choose between the following Protocol to use for outgoing RPC connections:

RPC over TCP
Use RPC over TCP for outgoing RPC connections to a remote print spooler

RPC over named pipes
Use RPC over named pipes for outgoing RPC connections to a remote print spooler

Then, select an option to Use authentication for outgoing RPC over named pipes connections:

Default
By default, domain joined computers enable RPC authentication for RPC over named pipes while non domain joined computers disable RPC authentication for RPC over named pipes

Authentication enabled
RPC authentication will be used for outgoing RPC over named pipes connections

Authentication disabled
RPC authentication will not be used for outgoing RPC over named pipes connections

If you disable or do not configure this policy setting, domain joined computers enable RPC authentication for RPC over named pipes while non domain joined computers disable RPC authentication for RPC over named pipes.

Configure RPC over TCP port

This policy setting controls which port is used for RPC over TCP for incoming connections to the print spooler and outgoing connections to remote print spoolers. By default dynamic TCP ports are used. When enabled, the RPC over TCP port needs to be set. A value of 0 is the default and indicates that dynamic TCP ports will be used If you disable or do not configure this policy setting, dynamic TCP ports are used.

Always send job page count information for IPP printers

Determines whether to always send page count information for accounting purposes for printers using the Microsoft IPP Class Driver. By default, pages are sent to the printer as soon as they are rendered and page count information is not sent to the printer unless pages must be reordered. If you enable this setting the system will render all print job pages up front and send the printer the total page count for the print job. If you disable this setting or do not configure it, pages are printed as soon as they are rendered and page counts are only sent when page reordering is required to process the job.

Configure Redirection Guard

Determines whether Redirection Guard is enabled for the print spooler. You can enable this setting to configure the Redirection Guard policy being applied to spooler. If you disable or do not configure this policy setting, Redirection Guard will default to being Enabled. If you enable this setting you may select the following options:

Redirection Guard Enabled
Redirection Guard will prevent any file redirections from being followed

Redirection Guard Disabled
Redirection Guard will not be enabled and file redirections may be used within the spooler process

Redirection Guard Audit Only
Redirection Guard will log events as though it were enabled but will not actually prevent file redirections from being used within the spooler.

Search

For search, two new Group Policy settings were introduced with the Windows 11 2022 Update in the context of Computer Configuration\Policies\Administrative Templates\Windows Components\Search:

Fully disable Search UI

If you enable this policy, the Search UI will be disabled along with all its entry points, such as keyboard shortcuts, touchpad gestures, and type-to-search in the Start menu. The Start menu's search box and Search Taskbar button will also be hidden. If you disable or don't configure this policy setting, the user will be able to open the Search UI and its different entry points will be shown.

Allow search highlights

Disabling this setting turns off search highlights in the start menu search box and in search home. Enabling or not configuring this setting turns on search highlights in the start menu search box and in search home.

Sensors

In terms of sensors, the Windows 11 2022 Update offers one new Group Policy setting in the context of Computer Configuration\Policies\Administrative Templates\Windows Components\Human Presence:

Force Instant Dim

This setting determines whether Attention Based Display Dimming is forced on/off by the MDM policy. When this setting is enabled, the user will not be able to change this setting and the toggle in the user interface (UI) will be greyed out.

Settings synchronization

For synchronization of settings, the Windows 11 2022 Update offers one new Group Policy setting in the context of Computer Configuration\Policies\Administrative Templates\Windows Components\Sync your settings:

Do not sync accessibility settings

This policy setting prevents the accessibility group of settings from syncing to and from this PC. This turns off and disables the accessibility group on the Windows backup settings page in PC settings. If you enable this policy setting, the accessibility, group will not be synchronized. Use the option Allow users to turn accessibility syncing on so that syncing is turned off by default but not disabled. If you do not set or disable this setting, syncing of the accessibility group is on by default and configurable by the user.

Start menu and Taskbar

Windows 11 22H2 (the Windows 11 2022 Update) introduces 7 new Group Policy settings to manage the Start menu and Taskbar. These settings are located in Computer Configuration\Policies\Administrative Templates\Start Menu and Taskbar:

Remove Run menu from Start Menu

This policy setting allows you to remove the Run command from the Start menu, Internet Explorer, and Task Manager. If you enable this setting, the following changes occur:

The Run command is removed from the Start menu.

The New Task (Run) command is removed from Task Manager.

The user will be blocked from entering the following into the Internet Explorer Address Bar:

A UNC path: \\<server>\<share>

Accessing local drives: e.g., C:

Accessing local folders: e.g., \temp>

Also, users with extended keyboards will no longer be able to display the Run dialog box by pressing Win + R.

If you disable or do not configure this setting, users will be able to access the Run command in the Start menu and in Task Manager and use the Internet Explorer Address Bar.

Note:
This setting affects the specified interfaces only. It does not prevent users from using other methods to run programs.

Note:
It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting.

Prevent changes to Taskbar and Start Menu Settings

This policy setting allows you to prevent changes to Taskbar and Start Menu Settings. If you enable this policy setting, the user will be prevented from opening the Taskbar Properties dialog box. If the user right-clicks the taskbar and then clicks Properties, a message appears explaining that a setting prevents the action. If you disable or do not configure this policy setting, the Taskbar and Start Menu items are available from Settings on the Start menu.

Remove access to the context menus for the taskbar

This policy setting allows you to remove access to the context menus for the taskbar. If you enable this policy setting, the menus that appear when you right-click the taskbar and items on the taskbar are hidden, such as the Start button, the clock, and the taskbar buttons. If you disable or do not configure this policy setting, the context menus for the taskbar are available. This policy setting does not prevent users from using other methods to issue the commands that appear on these menus.

Prevent users from uninstalling applications from Start

If you enable this setting, users cannot uninstall apps from Start. If you disable this setting or do not configure it, users can access the uninstall command from Start.

Remove Recommended section from Start Menu

This policy setting allows you to prevent the Start Menu from displaying a list of recommended applications and files. If you enable this policy setting, the Start Menu will no longer show the section containing a list of recommended files and apps.

Simplify Quick Settings Layout

If you enable this policy, Quick Settings will be reduced to only having the WiFi, Bluetooth, Accessibility, and VPN buttons; the brightness and volume sliders; and battery indicator and link to the Settings app. If you disable or don't configure this policy setting, the regular Quick Settings layout will appear whenever Quick Settings is invoked.

Disable Editing Quick Settings

If you enable this policy setting, the user will be unable to modify Quick Settings. If you disable or don't configure this policy setting, the user will be able to edit Quick Settings, such as pinning or unpinning buttons.

Remove pinned programs from the Taskbar

This policy setting allows you to remove pinned programs from the taskbar. If you enable this policy setting, pinned programs are prevented from being shown on the Taskbar. Users cannot pin programs to the Taskbar. If you disable or do not configure this policy setting, users can pin programs so that the program shortcuts stay on the Taskbar.

Hide the TaskView button

This policy setting allows you to hide the TaskView button. If you enable this policy setting, the TaskView button will be hidden and the Settings toggle will be disabled.

In the context of User Configuration\Policies\Administrative Templates\Start Menu and Taskbar, one additional Group Policy settings is introduced, whereas the Remove Recommended section from Start Menu and Hide the TaskView button settings are also applicable in this context:

Remove Quick Settings

This policy setting removes Quick Settings from the bottom right area on the taskbar. The quick settings area is located at the left of the clock in the taskbar and includes icons for current network and volume. If this setting is enabled, Quick Settings is not displayed in the quick settings area. A reboot is required for this policy setting to take effect.

Remote Desktop

For Remote Desktop connections, two new Group Policy settings were introduced with the Windows 11 2022 Update in the context of Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services:

Do not allow WebAuthn redirection

This policy setting lets you control the redirection of web authentication (WebAuthn) requests from a Remote Desktop session to the local device. This redirection enables users to authenticate to resources inside the Remote Desktop session using their local authenticator, e.g., Windows Hello for Business, security key, or other. By default, Remote Desktop allows redirection of WebAuthn requests. If you enable this policy setting, users can't use their local authenticator inside the Remote Desktop session. If you disable or do not configure this policy setting, users can use local authenticators inside the Remote Desktop session.

Disable Cloud Clipboard integration for server-to-client data transfer

This policy setting lets you control whether data transferred from the remote session to the client using clipboard redirection is added to the client-side Cloud Clipboard. By default, Remote Desktop disables integration with the client-side Cloud Clipboard for data transfered from the remote session using clipboard redirection. If you enable or do not configure this policy setting, data copied in the remote session and pasted on the client, will not be added to the client-side Cloud Clipboard. If you disable this policy setting, data copied in the remote session and pasted on the client, will be added to the client-side Cloud Clipboard (if enabled).

Defender

Microsoft Defender got a nice update in the Windows 11 2022 Update. 14 new Group Policy settings accompany it in the context of Computer Configuration\Policies\Administrative Templates\Windows Defender SmartScreen and Computer Configuration\Policies\Administrative Templates\Microsoft Defender Antivirus:

Service Enabled

This policy setting determines whether Enhanced Phishing Protection in Microsoft Defender SmartScreen is in audit mode or off. Users do not see notifications for any protection scenarios when Enhanced Phishing Protection in Microsoft Defender is in audit mode. Audit mode captures unsafe password entry events and sends telemetry through Microsoft Defender. If you enable this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen is enabled in audit mode and your users are unable to turn it off. If you disable this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen is off and it will not capture events, send telemetry, or notify users. Additionally, your users are unable to turn it on. If you don’t configure this setting, users can decide whether or not they will enable Enhanced Phishing Protection in Microsoft Defender SmartScreen.

Notify Malicious

This policy setting determines whether Enhanced Phishing Protection in Microsoft Defender SmartScreen warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a Microsoft login URL with an invalid certificate, or into an application connecting to either a reported phishing site or a Microsoft login URL with an invalid certificate. If you enable this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen warns your users if they type their work or school password into one of the malicious scenarios described above and encourages them to change their password. If you disable or don’t configure this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen will not warn your users if they type their work or school password into one of the malicious scenarios described above.

Notify Password Reuse

This policy setting determines whether Enhanced Phishing Protection in Microsoft Defender SmartScreen warns your users if they reuse their work or school password. If you enable this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen warns users if they reuse their work or school password and encourages them to change it. If you disable or don’t configure this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen will not warn users if they reuse their work or school password.

Notify Unsafe App

This policy setting determines whether Enhanced Phishing Protection in Microsoft Defender SmartScreen warns your users if they type their work or school passwords in Notepad, Wordpad or Microsoft 365 Office apps like OneNote, Word, Excel, etc. If you enable this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen warns your users if they store their password in text editor apps. If you disable or don’t configure this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen will not warn users if they store their password in text editor apps.

Device Control

This policy setting allows you to enable or disable Defender Device Control on this device.

Note:
You must be enrolled as E3 or E5 in order for Device Control to be enabled.

Select Device Control Default Enforcement Policy

This policy setting allows for three settings:

Default Allow
Choosing this default enforcement, will Allow any operations to occur on the attached devices if no policy rules are found to match.

Default Deny
Choosing this default enforcement, will Deny any operations to occur on the attached devices if no policy rules are found to match.

Default Enforcement will establish what decision should be made during the Device Control access checks when none of the policy rules match.

Define Device Control evidence data remote location

This policy setting defines the evidence file remote location, where Device Control service will move evidence data captured.

Control whether or not exclusions are visible to Local Admins

This policy setting controls whether or not exclusions are visible to Local Admins. For end users (that are not Local Admins) exclusions are not visible, whether or not this setting is enabled. If you disable or do not configure this setting, Local Admins will be able to see exclusions in the Windows Security App or via PowerShell. If you enable this setting, Local Admins will no longer be able to see the exclusion list in Windows Security App or via PowerShell.

Note:
Applying this setting will not remove exclusions, it will only prevent them from being visible to Local Admins. This is reflected in the Get-MpPreference PowerShell cmdlet.

Select the channel for Microsoft Defender monthly platform updates

Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout. Then select one of the channels:

Beta Channel
Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices.

Current Channel (Preview)
Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments.

Current Channel (Staged)
Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%).

Current Channel (Broad)
Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).

Critical – Time delay
Devices will be offered updates with a 48-hour delay. Suggested for critical environments only.

If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. This is suitable for most devices.

Select the channel for Microsoft Defender monthly engine updates

Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. Then select one of the channels:

Beta Channel
Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices.

Current Channel (Preview)
Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments.

Current Channel (Staged)
Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%).

Current Channel (Broad)
Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).

Critical – Time delay
Devices will be offered updates with a 48-hour delay. Suggested for critical environments only.

If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. This is suitable for most devices.

Select the channel for Microsoft Defender daily security intelligence updates

Enable this policy to specify when devices receive Microsoft Defender security intelligence updates during the daily gradual rollout. Then select one of the channels:

Current Channel (Staged)
Devices will be offered updates after the release cycle. Suggested to apply to a small, representative part of production population (~10%).

Current Channel (Broad)
Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).

Critical – Time delay
Devices will be offered updates with a 48-hour delay. Suggested for critical environments only.

If you disable or do not configure this policy, the device will stay up to date automatically during the daily release cycle. This is suitable for most devices.

Configure time interval for service health reports

This policy setting configures the time interval (in minutes) for the service health reports to be sent from endpoints. If you disable or do not configure this setting, the default value will be applied. The default value is set at 60 minutes (1 hour). If you configure this setting to 0, no service health reports will be sent. The maximum value allowed to be set is 14400 minutes (10 days).

CPU throttling type

This policy setting determines whether the maximum percentage CPU utilization permitted during a scan applies only to scheduled scans, or to both scheduled and custom scans (but not real-time protection). The maximum CPU utilization limit is also referred to as CPU throttling, or a CPU usage limit. The default value for this policy setting is True, which means CPU throttling is applied only to scheduled scans. If you either enable or do not configure this setting, CPU throttling will apply only to scheduled scans. If you disable this setting, CPU throttling will apply to scheduled and custom scans.

Disable gradual rollout of Microsoft Defender updates

Enable this policy to disable gradual rollout of Defender updates. When enabled, the device will use the Current Channel (Broad). Devices set to this channel will be offered updates last during the gradual release cycle. Best for datacenter machines that only receive limited updates.

If you disable or do not configure this policy, the device will remain in Current Channel (Default), unless specified otherwise in specific channels for platform and engine updates. Stay up to date automatically during the gradual release cycle. This is suitable for most devices.

Note:
This setting applies to both monthly as well as daily Defender updates and will override any previously configured channel selections for platform and engine updates.

Posted on October 20, 2022 by Sander Berkouwer in Group Policy, Microsoft Windows 11, What's New

What’s New for Microsoft Entra at Microsoft Ignite 2022

Microsoft Ignite 2022 was held from October 12th to October 14th, 2022 in the Washington State Convention Center in Seattle.

At the event, the Microsoft Entra product teams have announced their completion of the following features:

Identity Governance Public Preview

Microsoft Entra Identity Governance helps organizations ensure that the right people have the right access to the right resources at the right time. This release delivers a comprehensive identity governance product for both on-premises and cloud-based user directories. Microsoft Entra Identity Governance helps organizations simplify operations, support regulatory compliance and consolidate multiple identity point solutions.

The newly released capabilities include lifecycle workflows to automate repetitive tasks, a connection to on-premises to enable consistent policies for all users and separation of duties (SoD) in entitlements management to help safeguard against compliance issues. These features complement existing Microsoft Entra Identity Governance features, including Access Reviews, access certification, entitlements management and Privileged Identity Management (PIM).

Workload Identity management Soon

Microsoft Entra Workload Identities is an identity and access management solution that manages and secures identities for digital workloads, such as apps and services and controls access to cloud resources. It will be generally available in November 2022.

Organizations can create risk-based policies with Conditional Access, detect and respond to compromised workload identities with Identity Protection and perform Access Reviews to enforce least-privileged access to workload identities more securely.

Certificate-based Authentication Public Preview

Certificate-based Authentication (CBA) is a key multi-factor authentication method that meets the U.S. Executive Order on Cybersecurity. It enables organizations to adopt easily deployable phishing-resistant authentication with an improved user experience for identifying certificate authentication factors.

Conditional Access Authentication Strengths Public Preview

Conditional Access Authentication Strengths allows admins to require specific authentication methods based on the user, application, service, location and device health. With Authentication Strengths, admins can use the right multi-factor authentication for the right purpose, like phishing-resistant MFA for the most critical resources.

Single Sign-on to Azure Arc-enabled SQL Server Generally Available

Azure Arc-enabled SQL Server now offers a single sign-on experience that integrates with Azure Active Directory (Azure AD) in general availability. This feature allows organizations to take advantage of a cloud-like experience. Organizations can sign in and manage all Azure resources and their SQL environments through the same portal in one integrated step.

Windows Update for Business reports as Azure AD Workbooks Soon

Update Compliance provides detailed deployment monitoring for Windows client features and quality updates. Update Compliance is migrating the reports to Azure Active Directory (Azure AD) Workbooks to make them more modular and customizable. The new solution, Windows Update for Business reports, aligns with the Windows Update for Business brand to make it clear the reports are for Windows updates and servicing.

This change, available in November, will provide a simpler and more consistent product, while also creating a framework that allows users to tailor experiences to their unique business needs. Using Azure AD, these new reports will provide more consistent data that seamlessly integrates with the Microsoft 365 ecosystem and other solutions like Microsoft Intune.

Delegated admins for universal print management Soon

Universal Print, Microsoft’s secure cloud printing solution, introduces delegation to help make print management easier. Delegated admins lets IT teams in branch offices manage the printers at just their locations. This will enable these teams to quickly register new printers with Azure Active Directory (Azure AD) and support employees without relying on the central IT team. Delegated admin support will be available in preview by the first week of November.

Posted on October 17, 2022 by Sander Berkouwer in Azure Active Directory, What's New

Pictures of AppManagEvent 2022

Last week, Raymond and I presented at AppManagEvent 2022. This event takes place in the Jaarbeurs in the middle of Utrecht in the Netherlands.

Raymond and I both drove to Utrecht and met at the parking lot. We walked in together to this great location.

We inspected the room we were presenting in and then enjoyed Paula Januszkiewicz's keynote on the hacker’s perspective on new risks. Then, Raymond and I presented a 45-minute session on Increasing the security of on-premises Active Directory with Entra and Defender technologies:

After our session, we walked the exhibition floor and talked to several people. After lunch, we enjoyed Sami’s session on implementing Privileged Access Workstations (PAWs) and Mikael Nyström’s session on Operating System (OS) deployment from the cloud with no local infrastructure.

With a nice present under our arms, we headed home to get some rest before flying to the US for Microsoft Ignite…

Thank you!

Thank you to Professional Development Systems BV (PDS) for organizing yet another successful AppManagEvent and inviting Raymond and me as a speaker, to all my community friends and, of course, to all the people attending, sitting in on our session and, of course, the people with whom I had interesting discussions.

Posted on October 12, 2022 by Sander Berkouwer in Community, Microsoft MVP, Personal

Pictures of Experts Live Netherlands 2022

Two weeks ago, Raymond and I presented at Experts Live Netherlands in Den Bosch.

Whereas Raymond opted to have diner with the other speakers on Thursday night and stay in a hotel in the vicinity of the event location, I flew back from NTK in Slovenia to get there in time… It was a beautiful ride.

When I arrived at the parking lot, I came across Mikko Hypponen, who drove from Amsterdam Schiphol airport to get to the location all the way from Finland.

We got our badges. I went to the speaker room to pick up my speaker shirt and preparing for our post-keynote session.

Speaker shirts are available for any speaker who wants to wear it

After the keynote, Raymond and I presented our '50-minute ‘Properly securing Azure AD Connect and Azure AD Connect Cloud Sync’ session in room Limousin 3:

After the session, we used the podcast room to record some podcasts. Of course, we already recorded the weekly podcast before the event. Unfortunately, we needed to record another podcast because of the Exchange Server zero-day vulnerabilities. Having Dave Stork on-site as a friend of the show allowed us to record an interim episode of the IT Bro’s podcast. We also recorded with the Workplace Dudes and Jeroen Jansen.

Experts Live Expo Hall (picture by Experts Live organization)

In between we had some time to grab lunch. Raymond even had time to get a picture with one of his biggest fans.

Thank you!

Thank you to the Experts Live organization for organizing yet another successful event and inviting Raymond and me as a speaker, to all my community friends and, of course, to all the people attending, sitting in on our session and, of course, the people with whom I had interesting discussions.

Posted on October 11, 2022 by Sander Berkouwer in Community, Microsoft MVP, Personal

Identity-related Sessions at Microsoft Ignite 2022

Microsoft’s 2022 Ignite event kicks off on Tuesday October 12, 2022 and runs until Friday October 14, 2022 in some time zones.

After several virtual Microsoft Ignite events, Microsoft Ignite 2022 is the first Microsoft Ignite event Microsoft is bringing back as a hybrid yet cloud-first event. The in-person event takes place at the Washington State Convention Center in Seattle, a mere 30 minutes from the Microsoft campus in Redmond.

As Identity geeks, we encourage you to attend the following Identity-related sessions at Microsoft Ignite 2022:

Breakout Sessions

BRK50 Zero Trust as Business Driver: 3 Discrete Scenarios

Speakers: Nitika Gupta, Alicia Sanchez Teixeira and Mark Simos
Date and time: Thursday October 13 7PM – 7:25PM CEST
Delivery: Digital

Adopting a Zero Trust approach requires buy-in across the C-suite. As the threat landscape expands, and critical attacks become more common, business leaders across functional areas are increasingly concerned with the cybersecurity approach their organization's take. During this session, Microsoft discusses 5 key business scenarios where implementing a Zero Trust architecture is not only a security priority, but a driver of business results.

BRK53 Secure access and improve efficiency with Microsoft Entra innovations that span Azure AD, Permissions Management, and more

Speakers: Joy Chik, Kaitlin Murphy, Vimala Ranganathan and Kristina Smith
Date and time: Wednesday October 12 9PM – 9:35PM CEST
Delivery: Digital

Economic uncertainty. Escalating cyberthreats. Multi-cloud environments that enlarge the attack surface. As a security professional, you’re on the frontlines of it all, plus being asked to “do more with less.” So… how can you strengthen security while reducing costs? Microsoft shares proactive strategies and demos how you can implement them with new and existing solutions in the Microsoft Entra product family, which includes Azure AD identity and access management.

BRK216 Identity Journey from On-Premises to the Cloud

Speakers: Adwoa Boateng-Kwakye and Ramiro Calderon
Date and time: Thursday, October 13 9 PM – 9:45 PM
Delivery: Digital and in-person

Organizations are trying to reduce their on-premises footprint, eventually turning off Active Directory, and move completely to the cloud. Many struggle with how to make this a reality. Join the Microsoft Identity Engineering team as they discuss strategies and an overall approach to this transition. By the end of this session, you’ll know how to break down this transformational journey into manageable pieces: what you can do today, what other customers are doing on this journey, and things to consider for the future.

Product Roundtable Sessions

PRT041 Improving your DevOps/PowerShell experience with Azure AD

Speakers: Adam Edwards, Ian Farr and Merill Fernando
Date and time: Thursday, October 13 7PM – 8PM CEST
Delivery: Digital

Learn more about how Microsoft is improving the Graph PowerShell experience with Azure AD. Share your DevOps experience and let Microsoft know how they can improve this experience for you.

PRT042 Azure AD Recoverability Futures

Speakers: Tim Springston and Charles Prakash Dasari
Date and time: Tuesday, October 13 4PM – 5PM CEST
Delivery: Digital

Collaborate with the engineering team to shape the future of Azure AD Recoverability! If you are interested in the ability to put Azure AD back in a working state after accidental or malicious changes then this is the session for you. In this roundtable Microsoft shares plans and ideas on expanding recovery capabilities in Azure AD and asks for your take on them. Join this session to participate in a deep dive discussion with Microsoft engineering and your peers, and influence future recoverability.

PRT043 Structuring and scaling your Azure AD app registrations throughout their lifecycle using templates

Speakers: Sai Bandaru, Ari Crowe, Saurabh Madan and Ari Schorr
Date and time: Thursday October 13 10PM – 11PM
Delivery: Digital

Do you want the application registration experience to be structured in your organization? Do you have a need to establish guardrails that enforce app registrations to must contain a minimum set of properties or values during creation and updates? Help improve the app registration experience and help establish guardrails. Join Microsoft to discuss and provide feedback on their proposal to create a templated approach for app management operations and help shape the future of Azure AD app registrations.

PRT044 Bring into Azure AD more sources of user identity with the new Provisioning API and upload capabilities

Speakers: Chetan Desai, Tee Earls
Date and time: Wednesday, October 12 11PM – 12AM CEST
Delivery: Digital

With the new MS Graph Provisioning API, partners, system integrators (SIs), and other organizations can bring into Azure AD more identities from their trusted systems. Come hear and discuss the scenarios this API will enable, including the ability for HR partners to directly integrate the HR solutions with Azure AD, SIs to offer value-added services built around the capability, and for all organizations to import periodic data dumps from their HR systems of record via CSV automated file uploads.

PRT045 Protect apps and services and secure their access to resources with Microsoft Entra Workload Identities

Speakers: Etan Basseri, Ilana Smith
Date and time: Thursday, October 13 8PM – 9PM CEST
Delivery: Digital

Introducing Microsoft Entra Workload identities, an identity and access management solution that manages and secure access of apps and services to cloud resources. In this session, Microsoft discusses and wants to learn how you can secure your apps with adaptive policies, detect compromised workload identities, and manage their lifecycle.

PRT046 Automate your complex user lifecycle processes with Azure AD Lifecycle Workflows and its extensibility capabilities to integrate custom logic and external systems

Speakers: Alexander Filipin and Kristina Smith
Date and time: Thursday October 13 5PM – 6M CEST
Delivery: Digital

Today, organizations, partners, and system integrators (SIs) use various solutions to manage aspects of their users’ lifecycle, this may be a mixture of Azure AD Identity Governance features, legacy and 3rd party IGA tools, as well as custom stand-alone solutions to solve complex use cases. Come share your experiences to help influence Microsoft’s next steps and hear about the newest Azure AD Identity Governance building block, Lifecycle Workflows, and its powerful built-in automation.

PRT047 Addressing challenges for multi-tenant organizations

Speaker: Vince Smith
Date and time: Thursday, October 13 12AM – 1AM CEST
Delivery: Digital

Come join Microsoft in a roundtable discussion on the challenges faced by multi-tenant organizations. This is an opportunity to influence the roadmap of Azure Active Directory capabilities being built specifically for multi-tenant organizations.

PRT048 Go Passwordless and embrace the future of Zero Trust for your External Identities

Speakers: Namrate Kedia, Anand Yadav
Date and time: Wednesday October 12 10PM – 11PM CEST
Delivery: Digital

Passwordless authentication methods – Microsoft Authenticator, FIDO2 security keys, Windows Hello for Business – are more convenient and secure as compared to the traditional password. Couple that with how Zero Trust architecture is dramatically changing the landscape of secure access and ease of use. Come talk to Microsoft about your Zero Trust strategy for External identities and thoughts around going passwordless.

PRT049 Improving the security posture of your end users

Speakers: Caroleen Burroughs, Rajat Luthra, Pramila Padmanabhan and Mayur Santani
Date and time: Thursday, October 13 9PM – 10PM CEST
Delivery: Digital

Organizations are always looking for highly secure and easy to use credentials that they can innovate on, configure, and quickly deploy in a cost-effective way. Over the last few years, Microsoft Authenticator has emerged as the most popular method for Azure AD customers to perform strong authentication. In this session, Microsoft goes over recently added capabilities. Join this roundtable to provide your feedback on these features.

PRT05PRT050 Take control of monitoring your Azure AD environment using Scenario Health Monitoring & Guidance

Speaker: Omesh Desai
Date and time: Thursday October 13 11PM – 12AM CEST
Delivery: Digital

Microsoft is working on enabling customers to observe the health of core Identity scenarios in their tenant in near real time, detect problems, and mitigate them with minimal business disruption. Microsoft will present their per-tenant scenario-based monitoring, alerting and diagnostics solution. Microsoft would like to understand your Azure AD monitoring challenges, requirements and how this solution can help address those.

Ask the Experts Sessions

CATE53H Secure access and improve efficiency with Microsoft Entra innovations that span Azure AD, Permissions Management, and more

Speakers: Irina Nechaeva, Vimala Ranganathan, Kristina Smith and Alexander Weinert
Date and time: Wednesday October 12 11PM – 11:30PM CEST
Thursday October 13 11PM – 11:30PM CEST
Delivery: Digital and in-person

WACEM18 Expert Meet-up: Identity and Access Management

Speakers: Ramiro Calderon, Oana Enache, Nasos Kladakis, Matthijs Hoekstra, others
Date and time: Thursday, October 13 12AM – 1:30AM CEST
Delivery: In-person

Join Microsoft experts at any time during these 90 minutes to get your questions answered on Microsoft Entra and Azure AD. Discover how you can strengthen your security and reduce costs by exploring the top identity strategies.

Hands-on Labs

WACSL128 Enable Azure AD Multi Factor Authentication and Deploy Self-Service Password Reset

Speakers: Ed Gale, Bill Hughes and Robert Stewart
Date and time: Thursday October 13 11PM – 11:45PM CEST
Friday October 14 12AM – 12:45 AM CEST
Delivery: In-person

One of the most important tools in fighting phishing attacks and other security breach is the usage of multi-factor authentication. In this lab you will explore and configure multi-factor authentication for your Azure solutions, and require all your users to protect themselves. Then you enable and test self-service password reset to make sure your users are always able to connect.

Posted on October 10, 2022 by Sander Berkouwer in Community

Azure AD Connect v2.1.18.0 makes it easier for organizations to upgrade to Azure AD Connect v2.x

Azure AD Connect

The official support deadline for people to upgrade their Azure AD Connect version 1.x installations may have passed,(August 31st, 2022), but many organizations are still in the process of migrating to Azure AD Connect v2.x.

What’s New

Microsoft addressed two issues:

Loop during upgrade from v1.6.x

Microsoft addressed an issue where the upgrade from version 1.6.x to version 2.1.x got stuck in a loop due to IsMemberOfLocalGroup enumeration.

Validation of Enterprise Admin credentials

Microsoft addressed an issue where the Azure AD Connect Configuration Wizard was sending incorrect credentials (username format) while validating if the user account is a member of the Enterprise Admins group in Active Directory.

Version information

Version 2.1.18.0 of Azure AD Connect was made available for download as a 144 MB weighing AzureADConnect.msi on October 5th, 2022.

You can download the latest version of Azure AD Connect here.

Posted on October 7, 2022 by Sander Berkouwer in Azure AD Connect, What's New

What's New in Azure Active Directory for September 2022

Azure Active Directory

Azure Active Directory is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for September 2022:

What’s New

Self-Service Password Reset writeback for disconnected forests with Azure AD Connect Cloud Sync General Availability

Service category: Azure AD Connect Cloud Sync
Product capability: Identity Lifecycle Management

Azure AD Connect Cloud Sync Password writeback now provides organizations the ability to synchronize Azure AD password changes made in the cloud to an on-premises directory in real time. This can be accomplished using the lightweight Azure AD cloud provisioning agent.

This is the first writeback functionality that is made available through Azure AD Connect Cloud Sync.

Device-based conditional access on Linux devices General Availability

Service category: Conditional Access
Product capability: Single Sign-on (SSO)

This feature empowers users on Linux clients to register their devices with Azure AD, enroll into Intune management, and satisfy device-based Conditional Access policies when accessing corporate resources.

Users can register their Linux devices with Azure AD.
Users can enroll in Mobile Device Management (Intune), which can be used to provide compliance decisions, based upon policy definitions to allow device-based Conditional Access on Linux devices.
If compliant, users can use Edge Browser to satisfy device-based Conditional Access policies and enable Single Sign-on (SSO) to Microsoft 365, Azure and other Azure AD-integrated apps, services and systems .

Azure AD SCIM Validator General Availability

Service category: Provisioning
Product capability: Outbound to SaaS Applications

Independent Software Vendors (ISVs) and developers can self-test their System for Cross-domain Identity Management (SCIM) endpoints for compatibility: Microsoft has made it easier for ISVs to validate that their endpoints are compatible with the SCIM-based Azure AD provisioning services.

Prevent accidental deletions General Availability

Service category: Provisioning
Product capability: Outbound to SaaS Applications

Accidental deletion of users in any system could be disastrous. Microsoft is excited to announce the general availability of the accidental deletions prevention capability as part of the Azure AD provisioning service.

When the number of deletions to be processed in a single provisioning cycle spikes above the organization-defined threshold, the Azure AD provisioning service will pause, provide visibility into the potential deletions, and allow admins to accept or reject the deletions.

This functionality has historically been available for Azure AD Connect, and Azure AD Connect Cloud Sync. It's now available across the various provisioning flows, including both HR-driven provisioning and application provisioning.

Identity Protection Anonymous and Malicious IP for ADFS on-premises sign-ins General Availability

Service category: Identity Protection
Product capability: Identity Security and Protection

Identity Protection expands its anonymous and malicious IP detections to protect Active Directory Federation Services (AD FS) sign-ins.

This will automatically apply to all organizations who have AD Connect Health for AD FS deployed and enabled, and will show up as the existing Anonymous IP or Malicious IP detections with a token issuer type of AD Federation Services.

New Federated Apps available in the Azure AD Application gallery

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In September 2022, Microsoft added the following new applications in the Azure AD App gallery with Federation support:

Posted on October 6, 2022 by Sander Berkouwer in Azure Active Directory, What's New

a blog by Sander Berkouwer

What’s New

New security alert: Abnormal AD FS authentication using a suspicious certificate

Out of the box support for remediation actions

New health alert

IMPROVEMENTS AND BUG FIXES

Windows Server 2016

KB5018411 October 11, 2022

KB5010439 October 18, 2022 Out of Band

Windows Server 2019

KB5018419 October 11, 2022

KB5020438 October 17 Out of Band

Windows Server 2022

KB5018421 October 11, 2022

KB5020438 October 17 Out of Band

KB5018485 October 25 Preview

Veeam Vanguards

Veeam Legends

Veeam MVPs

Control Panel

Hide messages when Windows system requirements are not met

Desktop App Installer (WinGet)

Enable App Installer

Enable App Installer Settings

Enable App Installer Experimental Features

Enable App Installer Local Manifest Files

Enable App Installer Hash Override

Enable App Installer Default Source

Enable App Installer Microsoft Store Source

Set App Installer Source Auto Update Interval In Minutes

Enable App Installer Additional Sources

Enable App Installer Allowed Sources

Enable App Installer ms-appinstaller protocol

DNS Client

Configure Discovery of Designated Resolvers (DDR) protocol

Configure NetBIOS settings

File Explorer

Turn off files from Office.com in Quick access view

Internet Explorer

Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects

Enable global window list in Internet Explorer mode

Reset zoom to default for HTML dialogs in Internet Explorer mode

Disable HTML Application

Authentication

Configure hash algorithms for certificate logon

Allow retrieving the Azure AD Kerberos Ticket Granting Ticket during logon

Allow Custom SSPs and APs to be loaded into LSASS

Configures LSASS to run as a protected process

Only allow device authentication for the Microsoft Account Sign-In Assistant

Enable ESS with Supported Peripherals

SMB

Request traffic compression for all shares (Server)

Disable SMB compression (Server)

Use SMB compression by default (Client)

Disable SMB Compression (Client)

Edge Spartan

Suppress the display of Edge Deprecation Notification

Printing

Limits print driver installation to Administrators

Manage processing of Queue-specific files

Manage Print Driver signature validation

Manage Print Driver exclusion list

Configure RPC listener settings

Configure RPC connection settings

Configure RPC over TCP port

Always send job page count information for IPP printers

Configure Redirection Guard

Search

Fully disable Search UI

Allow search highlights

Sensors

Force Instant Dim

Settings synchronization

Do not sync accessibility settings

Start menu and Taskbar

Remove Run menu from Start Menu

Prevent changes to Taskbar and Start Menu Settings

Remove access to the context menus for the taskbar

Prevent users from uninstalling applications from Start

Remove Recommended section from Start Menu