Windows 10 roaming settings for remote work scenarios

Windows 10 roaming settings for remote work scenarios

by | Jul 24, 2020 | Uncategorized

This article is contributed. See the original author and article here.

In today’s post, I want to discuss how to move away from using legacy user profile technologies and leverage more cloud-friendly, time-tested solutions for Windows 10 roaming settings.

Over the past few months, IT pros around the world have been increasingly tasked with managing devices while end users are working remotely. Early priorities focused on securing corporate devices, securing application access, and ensuring the continuity of ongoing manageability. With these pillars now in place, we have seen many organizations shift greater focus towards user experience and productivity.

In addition, many organizations have realized that ensuring business continuity moving forward will require both user and device flexibility. Some users may continue to work remotely on a mix of portable/mobile devices and remote corporate workstations. Others may return to the office, including those returning on a part-time basis and working in a hybrid scenario where devices may be on-premises at times and remotely connected at others.

Securing access to corporate applications and data is paramount in ensuring that users remain productive throughout this transition. In addition to managing application and data access, ensuring the preservation and roaming of user state data, specifically application preferences and shell settings, is critically important as it is often very personalized and tailored to individual users. In some cases, some of these settings might also be mandated by policy.

Avoid roaming for full user profile data

There has never been a better opportunity to stop traditional Windows user profile management than now. Profile bloat is not something to be desired. IT pros need to avoid profile/settings traffic traveling over any connection, even VPN connections, as much of that data is not pertinent to the majority of the user’s work. Even then, important state data is not needed until an application tied to that data is used. When connectivity is limited and coupled with potential app growth, downloading and uploading full user profile data results in longer logons and logoffs, and the potential for wholesale profile corruption increases, generating more problems that are then further complicated for help desks to remediate without potential state data loss.

Microsoft has two technologies available for offering both more granular user and application state roaming of settings and preferences that can take advantage of the cloud for settings storage and roaming: Enterprise State Roaming and User Experience Virtualization (UE-V.) If you have an Azure AD Premium License or Enterprise Mobility + Security (EMS) license, you can already leverage Enterprise State Roaming. If you have Windows 10 Enterprise or Education, you already have UE-V available to you as well. Both Enterprise State Roaming and UE-V have been around for quite a while and have matured into feature complete solutions. Note that both solutions (designed to roam different types of shell and app settings) can leverage the cloud to roam settings storage.

Modern roaming settings for Windows

Many of our enterprise customers are leveraging Enterprise State Roaming with Azure AD Premium today to roam user state data. In this scenario, settings and data are roamed via your cloud tenant and in a much more granular and streamlined way. Data is processed on demand through specific triggers. You do not have to manage the storage or files as Azure AD and the cloud will take care of that for you. For more information, see Windows 10 roaming settings reference.

To ensure that users can synchronize settings using the cloud across Windows 10 devices in your organization, you will need to:

  1. Sign in to Azure AD admin center.
  2. Select Azure Active Directory > Devices > Enterprise State Roaming.
  3. Select Users may sync settings and app data across devices. For more information, see how to configure device settings.

Enterprise State Roaming settings in Azure ADEnterprise State Roaming settings in Azure AD

For a Windows 10 device to use the Enterprise State Roaming service, the device must authenticate using an Azure AD identity. For devices that are joined to Azure AD, the primary sign-in identity for the user is their Azure AD identity, so no additional configuration is required. For devices that use on-premises Active Directory, you must first Configure hybrid Azure Active Directory joined devices.

Users can also enable synchronization of Windows 10 settings by selecting the Start button, then selecting Settings > Accounts > Sync your settings. When Sync settings is turned on, Windows syncs the settings you choose across all your Windows 10 devices that you have signed in to with your Azure AD account. If you need to enable specific policies for Enterprise State Roaming, you can do so using Group Policy (although you will find it likely that this might not be needed.) You can also control use via security groups and monitor device sync status per user in the portal.

Sync settings options in Windows 10Sync settings options in Windows 10

You do not need to worry about server-side management of storage data, as that all happens automatically. Enterprise State Roaming data is hosted in one or more Azure regions that best align with the country/region value set in the Azure Active Directory instance. Enterprise State Roaming data is partitioned based on three major geographic regions: North America, EMEA (Europe, Middle East, and Africa), and APAC (Asia-Pacific.)

Roaming settings for Modern UWP apps

In addition to key Windows 10 browser and shell components, Enterprise State Roaming can facilitate roaming settings for modern Universal Windows Platform (UWP) applications as well including system, inbox, and Store apps. To view a more comprehensive listing of system and inbox apps, see Understand the different apps included in Windows 10.

Both Universal Windows applications and packaged desktop line-of-business (LoB) applications in MSIX can write settings data to a roaming folder and any data written to this folder will automatically be synced. Your experience may vary, as it is up to the individual developer to design an application to take advantage of this capability. Likewise, for desktop applications repackaged into MSIX packages, this data may not natively write to this folder, and a Package Support Framework (PSF) fixup may be required. For more information about how to develop a Universal Windows app that uses roaming, see the AppData Storage API and the AppData Roaming Developer Guidance.

Roaming settings for classic Win32 applications

Most LOB applications in the enterprise running on Windows are still running predominantly as traditional Win32 applications. Since there may be a lot of variance and non-standard approaches to user preference management, you can still use the UE-V Template Generator to capture those settings and designate for roam in an XML template those file and registry settings that will need to be stored as user state for that application.

UE-V can be enabled via PowerShell (the Enable-UEV cmdlet,) through Group Policy, and through Microsoft Endpoint Configuration Manager. You can also use any of the options to enable the inbox templates, which are, by default, located at C:ProgramDataMicrosoftUEVInboxTemplates) and register custom templates either using a custom path or leveraging the default (C:ProgramDataMicrosoftUEVTemplates.

In order to roam settings for custom applications, you first need to download the Windows 10 ADK and install the UE-V Template Generator. From there, run the template generator to capture the settings and preferences available for each application. For guidance around capturing settings and preferences and generating custom templates for your applications, see Working with custom UE-V templates and the UE-V template generator.

User Experience Virtualization (UE-V) template generatorUser Experience Virtualization (UE-V) template generator

You can then leverage group policy or the register-uevtemplate cmdlet to register the custom template.

UE-V and roaming for additional legacy shell Items

In addition to roaming registered templates that might be customized for your LOB Win32 applications, UE-V can roam other legacy shell items that are still supported in Windows 10. For a list of items UE-V roams by default via its inbox templates, please see User Experience Virtualization (UE-V) for Windows 10 overview.

Note: Some of these items might not be directly applicable in mobile scenarios; however, items such as credential roaming, and legacy explorer preferences may be useful.

Roaming UE-V settings storage in the cloud

Traditionally, many enterprises over the years used UE-V to roam settings using an on-premises file share option. UE-V can also be configured to use an external sync source such as OneDrive. Additional enhancements over the past couple of years to OneDrive, such as Files On-Demand, means you can have your settings available during first-time launch of the application.

UE-V has a few sync methods, but for cloud scenarios, including OneDrive, you will want to select the “External” option. This configuration method specifies that if UE-V settings are written to a local folder on the user computer, then any external sync engine (such as OneDrive for Business, Work Folders, SharePoint, or Dropbox) can be used to apply these settings to the different computers that users access. If you were configuring this via policy, you can assign the %USERNAME% variable when assigning the local folder (i.e. C:Users%USERNAME%OneDriveSettings.)

Configuring UE-V sync using Group PolicyConfiguring UE-V sync using Group Policy

Putting it all together

Combining Enterprise State Roaming with UE-V gives your organization the capability to provide more user flexibility and portability across multiple devices, and allows those settings to travel with your end users wherever they might be working. We recommend that you take advantage of these two solutions to roam settings if you have Windows 10 Enterprise and have also enabled OneDrive and Azure Active Directory. The chart below is a quick reference to help understand and manage the differences between roaming options.

Item

Solution

Settings Storage

Common Windows 10 Items

Enterprise State Roaming

Automatically roamed via Azure AD

Modern Shell Items

Windows 10 Inbox and UWP Apps

Packaged Apps via MSIX

Legacy Shell items

UE-V

 

Recommendation is to configure an external cloud sync host (OneDrive)

Win32 Apps

 

Learn with Creators: Excel Highlights

by | Jul 24, 2020 | Uncategorized

This article is contributed. See the original author and article here.

This week, Caripros HR Analytics shared a great tip on using a date picker add-in with forms, MrExcel.com showed you how to use the TODAY function with charts to illustrate current data, and Creative Venus brought in some top-notch design skills to deliver a sleek, modern table, complete with space for including your own branding. If you find these helpful, be sure to check out their channels!

 

Learn more about the Microsoft Creators Program.

 

See more from Caripros HR Analytics

 

See more from MrExcel.com

 

See more from Creative Venus

Enrich Azure Sentinel security incidents with the RiskIQ Intelligence Connector

Enrich Azure Sentinel security incidents with the RiskIQ Intelligence Connector

by | Jul 24, 2020 | Alerts, Microsoft, Technology, Uncategorized

This article is contributed. See the original author and article here.

As discussed in my two previous posts, Azure Sentinel provides a variety of methods for importing threat intelligence directly into the ThreatIntelligenceIndicator Logs table where it can be used to power Analytics, Workbooks, Hunting, and other experiences.

 

 

However, Azure Sentinel also allows you to leverage massive repositories of external intelligence data as enrichment sources to enhance the triage and investigation experience of security incidents. Using the built-in automation capabilities of Azure Sentinel you can take any incident created through Azure Sentinel analytics rules, and retrieve additional context about the entities from third party sources, and make this context readily available to your security operations personnel to aid triage and investigation.

 

Today, we are announcing the availability of the RiskIQ Intelligence Connector for Azure Sentinel which allows you to tap into petabytes of external threat intelligence from RiskIQ’s Internet Intelligence Graph. Incidents can be enriched automatically using Azure Sentinel Playbooks, saving time and resources for your security responders. This blog will walk you through the setup, configuration, and show you how the rich context from the new RiskIQ Intelligence Connector playbooks is surfaced in Azure Sentinel security incidents.

 

Installation

Each RiskIQ enrichment playbook leverages one or more RiskIQ Security Intelligence Service APIs to provide up to the minute threat and contextual information. To learn more about the service and request a trial key, see the API documentation.

 

The set of RiskIQ Intelligence Connector playbooks are located in the Azure Sentinel GitHub repository.

 

In this blog we’ll use the Enrich-SentinelIncident-RiskIQ-IP-Passive-DNS playbook as an example.

 

  1. Select the Deploy to Azure button on the playbook page in GitHub                                                                                                   DeployToAzure.jpg
  2. This will bring you to the Azure portal, Custom Deployment page. Input the Subscription and Resource Group values corresponding to your Azure Sentinel instance, and select the terms and conditions check box                       DeployTemplate.jpg
  3. Select the Purchase button at the bottom of the page
  4. You will receive an Azure notification when the deployment has completed                                                               DeploymentSucceeded.jpg

 

Configuration

Once the playbook has been imported into your Azure Sentinel instance your will need to edit the playbook to configure the connections. Certain playbook actions require additional connection information to function, most commonly these are in the form of credentials for actions that require connecting to APIs. In this example, the playbook requires two connections, one for Azure Sentinel to read security alerts and the second for RiskIQ APIs to query for enrichment context for entities found in alerts.

 

  1. In the Azure portal, navigate to your Azure Sentinel workspace where you imported the playbook
  2. Select Playbooks from the Azure Sentinel navigation menu
  3. Select the Recent-IP-Passive-DNS playbook by selecting the playbook name
  4. Select Edit from the top menu of the playbook
  5. There are four steps in this playbook requiring you to configure connections                                 ConfigureConnections.jpg
  6. Select a Connection from one of the steps requiring configuration and configure a new connection. For the connections to Azure Sentinel the user specified when establishing the connection must have sufficient permissions in the Azure Sentinel workspace to read the security alerts. For the RiskIQ connection, enter your RiskIQ API token and secret obtained from RiskIQ.
  7. Select Save from the top menu of the playbook to save the playbook

 

Use the RiskIQ playbook to enrich security incidents

Now that the Recent-IP-Passive-DNS playbook is installed and configured you can use it with the built-in Azure Sentinel automation framework in your analytics rules. Let’s take a look at how to associate this playbook with an analytic rule to enrich security incidents and give your security responders additional context for triage and investigation.

 

  1. Navigate to your Azure Sentinel Analytics page and select an existing analytics rule or template item you wish to add the playbook automation. Select Edit for an existing rule or Create rule for a new rule.
  2. The Recent-IP-Passive-DNS playbook works with analytics rules which map IP address entities so make sure you are working with such a rule. For simple testing of the playbook automation you can use rule logic as shown below to force an alert creation with a specific IP address. 
    AzureActivity
| take 1
| extend IPCustomEntity = "144.91.119.160"​
  3. Navigate to the Automated response tab and place a check mark in the box for the Recent-IP-Passive-DNS playbook which will enable the playbook to run each time the analytic rule generates security alerts
  4. Select Save to finish and return to the Analytics page

 

The Recent-IP-Passive-DNS playbook queries the RiskIQ passive DNS database and retrieves any domains from the last 30 days associated with the IP address found in the security alert. It then adds this enrichment information to the resulting security incident so your security responders can easily access this additional context with triaging the incident. Let’s take a look at this experience for your security responders.

 

  1. Navigate to your Azure Sentinel Incidents page
  2. Locate the incident generated from the analytic rule configured to run the Recent-IP-Passive-DNS playbook automation and select Full details from the information pane
  3. Select the Comments tab to see the enrichment added by the Recent-IP-Passive-DNS playbook automation. You can also view the information in the RiskIQ portal by following the link provided at the bottom of the comment                                                                                                            incident.jpg

Summary

 

In this post you learned how to obtain, configure, and associate the RiskIQ Intelligence Connector playbooks with analytics rules to enrich security incidents with additional context. Azure Sentinel, when combined with RiskIQ, has the potential to reshape how security teams operate, seamlessly integrating the most comprehensive external visibility with the advanced threat detection, AI, and orchestration found in Azure Sentinel.

Windows 10, version 20H2 release (WHCP)

by | Jul 24, 2020 | Uncategorized

This article is contributed. See the original author and article here.

Windows 10, version 20H2 release will not bring updates to the Windows Hardware Compatibility Program and follow the same pattern as 19H2. Given below are more details with respect to all related WHCP activities.

Windows Hardware Compatibility program(WHCP) activities:

  • WHCP requirements – No change. Windows 10, version 2004 requirements remain applicable for Windows 10, version 20H2 release.
  • Hardware Lab kit – No change. Since WHCP requirements will persist in Windows 10, version 20H2, HLK will also remain the same. There will not be new HLK release in Windows 10, version 20H2. While both Windows 10, version 2004 and 20H2 OS can be used for Windows 10, version 2004 qualification, they will be recognized as meeting the Windows 10, version 2004 qualification.
  • Errata – No change. All Windows 10, version 2004 errata will continue to be valid for Windows 10, version 20H2 release.
  • HLK playlist – No change. HLK version 2004 playlist can be used for both Windows 10, version 2004 and 20H2 release.
  • Driver signature – No change. Drivers meeting all the applicable Windows 10, version 2004 requirements, will be digitally signed with same signature attributes.
  • Submission – No change. Both Windows 10, version 2004 and 20H2 OS can be used for WHCP submission.
  • WHCP qualification – Windows 10, version 2004
  • Required OS version – Either Windows 10, version 2004 or 20H2
  • HLK version – HLK version 2004
Azure Sentinel: Ensuring Internet-blocked Azure VMs Can Still Connect

Azure Sentinel: Ensuring Internet-blocked Azure VMs Can Still Connect

by | Jul 24, 2020 | Alerts, Microsoft, Technology, Uncategorized

This article is contributed. See the original author and article here.

Hi, all! Rod Trent here. I am a Cybersecurity CE/Consultant at Microsoft and work with Azure Sentinel literally every waking hour, so I see and hear a lot of unique and interesting things in relation to this fantastic product. I also blog for our Secure Infrastructure Blog and have quite a few Azure Sentinel articles posted there already.

 

Did you know that the Log Analytics agent requires an Internet connection no matter if it’s installed on an on-premises system or as an extension on a virtual machine stored in Azure? It may seem a bit quirky, but it’s true. Yes, even though an Azure VM has been spun up in the same cloud that the Log Analytics Workspace resides in, the agent still checks to see if there’s a valid Internet connection – well, actually it checks for a specific port (443) to be accessible, but the return error message is that an Internet connection is required.

 

As a security precaution, some customers spin up VMs in Azure and disable all outbound Internet access. This is done through an Outbound rule (VM => Networking => Outbound port rules => Deny Internet) similar to what is shown in the following image:

 

VM => Networking => Outbound port rules => Deny InternetVM => Networking => Outbound port rules => Deny Internet

 

However, the same customer may also want to monitor potential threats against these VMs using Azure Sentinel. Azure Sentinel, of course, requires a Log Analytics workspace which requires the Log Analytics agent extension to be installed which, yeah…you guessed it…requires the outbound Internet connection already discussed.

 

Even more interesting is that the Log Analytics agent extension will deploy perfectly. And, unless it’s monitored obsessively, all seems just fine. Well, that is, until it’s realized that the newly installed agent isn’t sending its data to Azure Sentinel’s Log Analytics Workspace.

 

Log Analytics Agent cannot connect due to a blocked portLog Analytics Agent cannot connect due to a blocked port

 

If it’s required that the Azure VM remains Internet disconnected, the solution is to create a new Outbound rule for the VM to provide the necessary port to trick the agent into thinking it has the required Internet connection. The new Outbound rule also needs to have a higher priority than the blocker, otherwise the port will never be exposed.

 

The new Outbound rule should look like the following:

 

Enable a new Outbound Rule specifically for AzureMonitorEnable a new Outbound Rule specifically for AzureMonitor

 

The details:

 

Create a new Outbound rule with a higher priority than the Deny Internet rule with the following information:

 

  • Source: VirtualNetwork
  • Secure port ranges: *
  • Destination: ServiceTag
  • Destination service tag: AzureMonitor
  • Destination port ranges: 443
  • Protocol: Any
  • Action: Allow
  • Priority: (set it higher than the Deny Internet rule)
  • Description: (I always recommend being very verbose when describing something you create – just in case you have a tendency to forget later on

 

 

Summary

This technique ensures that the Virtual Machine doesn’t have Internet access according to policy, and that security can still be managed and monitored through Azure Sentinel. Disabling full Internet access for each Virtual Machine may seem a rare occurrence, but as I noted in my opening statement, I regularly work with scenarios that are sometimes uncommon. And, if I see it once, it’s most likely going to happen again. Sharing makes us all smarter.

 

A use case example where this makes perfect sense is for Windows Virtual Desktops (WVD). Disabling the Internet completely for a compromised WVD, ensures that the device is effectively quarantined from the other VMs in the WVD pool while still maintaining the ability to kick-off a malware scan through an Azure Sentinel Playbook because the Azure Monitor port is still open.

 

NOTE: In the future, you can Use Azure Private Link to securely connect networks to Azure Monitor.

 

For additional knowledge in relation to Azure Sentinel-specific role access components, see the following:

 

Granting Access to Specific Azure Sentinel Playbooks for Specific Analysts: https://secureinfra.blog/2020/06/19/granting-access-to-specific-azure-sentinel-playbooks-for-specific-analysts/

 

Controlling access to Azure Sentinel Data: Resource RBAC:  https://techcommunity.microsoft.com/t5/azure-sentinel/controlling-access-to-azure-sentinel-data-resource-rbac/ba-p/1301463  

 

Table Level RBAC In Azure Sentinel: https://techcommunity.microsoft.com/t5/azure-sentinel/table-level-rbac-in-azure-sentinel/ba-p/965043 

 

Permissions in Azure Sentinel: https://docs.microsoft.com/en-us/azure/sentinel/roles

 

* Check out my other blog for more Azure Sentinel content: Rod Trent at the Secure Infrastructure Blog

 

* Follow me on Twitter: https://twitter.com/rodtrent