Validating Azure Defender for Resource Manager Alerts

by Contributed | Mar 22, 2021 | Technology

This article is contributed. See the original author and article here.

As announced at Ignite 2021, Azure Defender for Resource Manager is available in Public Preview. This new Azure Defender plan provides threat detection against malicious usage of Azure Resource Management Layer (Portal, Rest, API, PowerShell). To learn more about Azure Defender for ARM, read our official documentation.

During the public preview time you can enable Azure Defender for Resource Manager without any additional charge, just go to Price & settings, select the subscription, change the plan to ON (as shown below) and click Save to commit the change.

Now that you have this plan set to ON, you can use the steps below to validate this threat detection:

1. Provision a new VM and keep the default TCP/IP configuration.


2. Connect to this machine using RDP.


3. Create a file on this machine called runtime-disable-enabe.ps1 and paste the content below in this file:

Param([switch] $Force)

# Check if PowerShellGet exists

if (Get-Module -ListAvailable -Name PowerShellGet) {

    Write-Host “PowerShellGet Module exists”

}

else {

    if ($PSBoundParameters.ContainsKey(‘Force’)) {

        Install-Module -Name PowerShellGet -Force

    }

    else {

        Write-Warning -Message (‘PowerShellGet Not Found. Please use the -force flag to install PowerShellGet and Azure Powershell’)

        Exit

    }

}

# Install Azure Powershell

if ($PSVersionTable.PSEdition -eq ‘Desktop’ -and (Get-Module -Name AzureRM -ListAvailable)) {

    Write-Warning -Message (‘Az module not installed. Having both the AzureRM and ‘ +

      ‘Az modules installed at the same time is not supported. Use the -force flag to install the necessary modules.’)

    Exit

} elseif($PSBoundParameters.ContainsKey(‘Force’)) {

    Install-Module -Name Az -AllowClobber -Scope CurrentUser

} elseif (!(Get-Module -Name Az.Compute -ListAvailable)) {

    Write-Warning -Message (‘Azure Powershell Not Found. Please use the -force flag to install Azure Powershell’)

    Exit

}

# Login User

Connect-AzAccount

# Select Subscription

$Subscription = Get-Az bscription | out-gridview -Title “Select a subscription” -PassThru

Select-AzSubscription $Subscription

# Settings to exclude a binary

$SettingsDisable = ‘{“AntimalwareEnabled” : “true”, “Exclusions” : {“Extensions” : “”, “Paths” : “”, “Processes” : “”},

          “RealtimeProtectionEnabled” : “false”, “ScheduledScanSettings” : {“isEnabled”: “true”, “scanType” : “Quick”, “day” : “7”, “time” : “100” }}’

# Settings to remove the exclusion

$SettingsEnable = ‘{“AntimalwareEnabled” : “true”, “Exclusions” : {“Extensions” : “”, “Paths” : “”, “Processes” : “”},

          “RealtimeProtectionEnabled” : “true”, “ScheduledScanSettings” : {“isEnabled”: “true”, “scanType” : “Quick”, “day” : “7”, “time” : “100” }}’

# Provide VM info

$VMObject = Get-AzVM | out-gridview -Title “Select a VM” -PassThru

$VMName = $VMObject.Name

$Loc = $VMObject.Location

$ResourceGroup = $VMObject.ResourceGroupName

Write-Host “Disable Runtime …”

# Exclude the binary

Set-AzVMExtension -ResourceGroupName $ResourceGroup -VMName $VMName -Name “IaasAntimalware” -Location $Loc -Publisher “Microsoft.Azure.Security” -Type “IaasAntimalware” -TypeHandlerVersion “1.3” -SettingString $SettingsDisable

Write-Host “Enable Runtime …”

# Remove the exclusion

Set-AzVMExtension -ResourceGroupName $ResourceGroup -VMName $VMName -Name “IaasAntimalware” -Location $Loc -Publisher “Microsoft.Azure.Security” -Type “IaasAntimalware” -TypeHandlerVersion “1.3” -SettingString $SettingsEnable

4. Save this file


5. Execute runtime-disable-enabe.ps1

After some minutes you should see Azure Defender for Resource Manager alert showing up on your dashboard, like the one below:

Is important to emphasize that these operations (disable AM runtime) are done over built-in capabilities of Azure, in this case VM extensions. Using VM extension one doesn’t need to log-in into the affected VM (no node-level credentials are required!). For a deeper discussion on a use case scenario for this threat detection, read the article Azure LoLBins: Protecting against the dual use of virtual machine extensions.

Reviewers

Tal Rosler, Program Manager

Ram Pliskin, Senior Security Research Manager

Script by Johnathan Simon, Security Researcher

Change broker property of Azure Service Bus message using azure-spring-cloud-stream-binder Library

by Contributed | Mar 22, 2021 | Technology

This article is contributed. See the original author and article here.

Azure Service bus ||change broker property of Azure Service Bus message using azure-spring-cloud-stream-binder-servicebus Library

Use Case:

To change broker property of Azure Service Bus message using spring-cloud-stream-binder-servicebus library.

Pre-Requisites:

• Azure Service bus Namespace


• Azure Service bus SAS connection string


• Console Application to change the messageID of the service bus using spring-cloud-stream library.

Scenarios:

• Set the custom MessageID of the Service bus message using the Spring-cloud-stream library.

Steps to follow:

At present azure-spring-cloud-stream-binder-servicebus library do not support setting the messageID.

MessageID/Broker properties are auto-generated from spring-cloud library and doesn’t use the properties from Service bus Message. 

Here we are trying to set the MessageID of the Service bus broker message as ‘ce095552-b466-4d03-ac41-430ec9286806’, however post receiving the same message and checking the messageID, it will be different ‘c0491323-a39b-3d19-a983-1157b055fdcf’ as this is auto-generated by the spring-cloud library as shown below:

Code trying to set the MessageID of the broker message:

MessageID of the message set with above code:

Refer the workaround, in following code, you can provide a subclass of ServiceBusTopicTemplate, and override the logic of how the message id is defined.

So, in the example below, you can set the header when building spring integration message.

@Bean
public ServiceBusTopicOperation topicOperation(ServiceBusTopicClientFactory factory) {
    return new CustomizeMessageIdServiceBusTopicTemplate(factory);
}

public static class CustomizeMessageIdServiceBusTopicTemplate extends ServiceBusTopicTemplate {

    public CustomizeMessageIdServiceBusTopicTemplate(
        ServiceBusTopicClientFactory clientFactory) {
        super(clientFactory);
        this.messageConverter = new ServiceBusMessageConverter(){
            @Override
            protected void setCustomHeaders(MessageHeaders headers, IMessage serviceBusMessage) {
                super.setCustomHeaders(headers, serviceBusMessage);
                if(headers.containsKey(“customer-message-id”)){
                    serviceBusMessage.setMessageId(headers.get(“customer-message-id”,String.class));
                }
            }
        };
    }
}

Message<String> build = MessageBuilder.withPayload(message).setHeader(“customer-message-id”, WATH_EVER_VALUE_WANT_TO_BE_USED_AS_MESSAGE_ID).build();

Running the above sample code, you should be able to set the MessageID of the Azure service bus using azure-spring-cloud-stream-binder-servicebus library.

Hope this helps!

The impact of conflicting Azure Policies

by Contributed | Mar 22, 2021 | Technology

This article is contributed. See the original author and article here.

Azure Policy lets you assess resources against certain criteria at different levels in your environment – from the top level management groups containing multiple subscriptions down to resource groups. So what happens if the policies at one level are different from the policies at another level in your environment hierarchy? Sonia explores some scenarios!

How Azure Policy assignments work

When you apply an Azure Policy at a certain level (known as assigning it to a scope), that assignment will be inherited by all the child resources under that scope. If I add a policy at the subscription level for example, all of the resources groups under that subscription will also be impacted by that policy. However, existing resources will not be modified by a Deny policy – they will be marked as non-compliant.

Azure Policy is an “explicit deny” system. This means that if any policy assignment in the hierarchy would deny a resource configuration, then it will be denied. To manage exceptions (say you want one resource group to be allowed resources of a larger size that aren’t allowed anywhere else in the subscription), you can exclude the resource group from the policy that is denying those resource sizes (known as SKUs), and you can assign a different allowed sizes policy to that resource group.

Scenarios with the Allowed virtual machine SKUs policy

My test environment started with the following:

Subscription level: No policy assignments

Resource group level: Allowed virtual machine SKUs set to standard_dc2s, standard_dc2s_v2, standard_dc4s, standard_dc4s_v2, standard_dc8_v2 

VM in the resource group: Size Standard_DS1_v2

How can there be a VM in that resource group with a size that’s not listed in the allowed VM SKUs policy?

The policy is set to Deny, so that tells me that the policy was assigned to the resource group AFTER the VM had been created. Azure Policy is showing that there are some non-compliant resources in this resource group. Assigning a deny policy won’t modify existing resources, but it will show them as non-compliant. It will prevent existing resources from being resized to a SKU that’s not listed, and it will prevent new resources from being created with a SKU that’s not explicitly allowed.

So, what happens if I go and add an Azure Policy at the subscription level to allow the Standard_DS1_v2 SKU being used by that VM?

Once assigned and assessed, my VM is showing as compliant with the subscription-level policy but still non-compliant with the resource group level policy assignment.

Policy compliance and non-compliance at different assignment scopes

What happens if I now add a completely new resource group?  

The new resource group will inherit the subscription level policy, which allows Standard_DS1_v2.

But if I then go and add an allow SKU policy at the resource group level, list Standard_D4s_v3 and try to create a new VM in that resource group with the D4s_v3 SKU – the creation of the VM will fail as it does not meet the more restrictive subscription-level policy.

Adding exclusions

If I really want to enable a resource group to allow a SKU that’s not listed in the subscription level policy assignment, I can add the resource group to the exclusions at that subscription level. Then I can set a more permissive list of SKUs when I assign the policy at the resource group level. This will allow the creation of new resources that match the SKUS listed at the resource group level.

Exclude a resource group from an Azure Policy assignment

If I have existing resources in a resource group that I want keep at that size, but I don’t want any new resources to be created (or existing resources to be resized) to that SKU, I can exempt single resources from a policy assignment, at any level. This will prevent the resource from being evaluated against that policy. Exclusions are also useful if the resource is in a temporary state of non-compliance, or the policy condition is mitigated by some other method (for example, another vendor’s security product). 

Scenario with the Allowed locations

My test environment is configured with:

Subscription level: Allowed location Australia East

Resource group level: Allowed location East US 2

If I try to add a VM to the resource group and set its location to East US 2, the creation will fail due to that location not being listed in the subscription level’s policy assignment. Again, I’d need to add this resource group to the exclusion at the subscription level.

VM creation warning on location not meeting Azure Policy assignment

Triggering an Azure Policy compliance scan

Did you know that right in the Azure Portal you can trigger a compliance scan, using Cloud Shell (the first icon)?

Azure portal – CloudShell 

There’s a PowerShell command for this, but it can take a little while to run on larger environments. So we don’t have to wait for it to finish before we get our CloudShell prompt back, we can run it as a job:

$job = Start-AzPolicyComplianceScan -AsJob

 And to check the progress, we run $job

AZPolicyComplianceScan job status

Custom non-compliance messages

One of my favorite Azure Policy enhancements is the ability to add a custom message to be displayed when a resource change or creation is denied due to non-compliance against a policy assignment. You can use this to give more clarity to exactly which policy assignment is saying no (such as “Allowed SKUs in SVM-RG-09 are D series only”) or to direct people to who to contact for more information or an exemption (such as “Email SKUPolicyOwner@yourcompany.com  for more info”) 

Do you have any other scenarios?

These are just two little examples – do you have any other suggestions for scenarios where you may have a conflict with your Azure Policy assignments? Let us know if there’s anything you’d like to model through or discuss.

Learn more:

Overview of Azure Policy

Azure Policy Evaluation Triggers

Understand Azure Policy effects

Evaluate the impact of a new Azure Policy definition

Azure Policy exemption structure

Part Three: Water Positive, Zero Waste, and Ecosystems

by Contributed | Mar 19, 2021 | Technology

This article is contributed. See the original author and article here.

On January 28, 2021 Microsoft released its first Environmental Sustainability Report “A Year of Action” documenting progress the company made since announcing its 2020 commitments to become a carbon negative, water positive, zero waste company that protects more land than it uses by 2030. See a summary of the overall report in Part One of this blog series and learn more about the carbon negative commitment in Part Two. This third and final post will close out with a deeper look at the water positive, zero waste and ecosystems commitments, including the mysterious Planetary Computer.

Water Positive

Microsoft’s water positive commitments at a glance

A company is water positive when it puts more water back into the environment than it consumes. Microsoft will accomplish this through a combination of reduction and replenishment (physically putting water back into the environment, like recharging groundwater aquifers).

Why is a tech company like Microsoft focused on water? The UN predicts that by 2030, the world may face a 40% shortfall in available freshwater. Climate change, pollution, industrialized animal agriculture and increased demand could reduce water availability in major cities more than 66% by 2050, and as we all know from Standing Rock, “Mni Wiconi” (water is life). But it’s not just freshwater: the oceans are in trouble too. The World Economic Forum estimates that there will be more plastic waste in the oceans than fish (by weight) by 2050 unless we take drastic action to stem the tide of pollution. Microsoft spent much of its 2020 attempting to standardize and digitize water data (where it exists at all), an unglamorous but extremely important baseline for improving the situation. And true to form, Microsoft examined the unique role that technological solutions like Artificial Intelligence (AI) can provide for better water management.

While not as flashy or headline grabbing as carbon reduction, water commitments are no less important. There are few things that all people, and most of life on Earth require, but access to water is one of them. This issue is deeply intertwined with human rights, especially Indigenous rights. Environmental racism means that black, brown and poor people around the world will often face the worst and most immediate effects of the climate crisis: at the top of that list is lack of access to reliable, clean drinking water. Becoming water positive, while working with a growing number of partner organizations including the United Nations Water Resilience Coalition, means making progress on all these front and addressing systemic inequity while improving the underlying environment we all depend on.

“Microsoft is taking responsibility for our own water use and developing technology to help others do the same.” –  President Brad Smith

Zero Waste

Each year, humanity creates 11 billion tons of waste including plastics, e-waste and harmful chemicals that pollute our land, clog our waterways, deplete scarce natural resources and contaminate the air we breathe. Inefficiencies associated with a wasteful society also create a lot of unnecessary carbon emissions.

Zero waste is a set of principles focused on waste prevention that encourages the redesign of resource life cycles to reduce or eliminate waste generation. The goal is for no trash to be sent to landfills, incinerators or the ocean. In practice, for most individuals and companies, 100% waste diversion or elimination is simply not achievable, so the goal is 90% diversion from landfill to achieve TRUE Zero Waste certification. Microsoft has committed to becoming a zero waste company by 2030 and will eliminate single use plastics from its packaging by 2025. 

The company spent much of 2020 working to accelerate the development of a circular economy, a system in which economic activity is decoupled from the consumption of scarce resources, waste is designed out and there is an emphasis on repair, disassembly and reuse. Waste data has many of the same challenges as water data: where it exists at all, it is often fragmented, unstructured, and hard to use. Here too the company made strides in the standardization and digitization of waste data (a necessary precursor for leveraging the power of AI).

On a personal note, I was surprised and delighted to see page 54 of the report: it referenced my Plastic Free Oceans Hackathon project! A small army of Microsoft volunteers created a scalable way to automate the recognition of plastic pollution in rivers using AI, which resulted in a multi-year partnership with The Ocean Cleanup. This is one of my proudest accomplishments at Microsoft and a clear example of the role technology (and technology companies) can play in creating solutions for the world’s most pressing environmental challenges.

“Waste is almost purely synonymous with opportunity.” – Microsoft Chief Environmental Officer Lucas Joppa

Ecosystems

Microsoft’s ecosystems goals at a glance

And last but certainly not least, ecosystems. This is perhaps the least obvious of the company’s four sustainability commitments: what does a tech company have to do with protecting ecosystems and biodiversity? A lot as it turns out!

We often know more about the rate of decline than we know about the overall health and wellness of a single species or the many species that comprise an ecosystem. Technologies like Artificial Intelligence and Machine Learning can help accelerate the collection and synthesis of large data sets, letting conservation researchers spend less time digging through data, and more time planning conservation with actionable insights. But why does protecting ecosystems and biodiversity matter?

Nature, and the benefits that it provides, are the foundation of our society, cultures and the global economy. We depend on healthy and intact ecosystems for clean air, water, food, medicine, energy and resources. Simply put, there is no human civilization if we continue to destroy the complex web of life that supports us. For its part, Microsoft has committed to protecting more land than it uses by 2025 (which is 11k acres or 44,515 square meters), putting resources and technology in the hands of scientists and nonprofits working on conservation, and curiously, developing a Planetary Computer.

The Planetary Computer

Of all the things packed into the Year of Action report, none piqued my curiosity like the Planetary Computer. What is it? The report calls it “a platform that provides access to the world’s critical environmental datasets.” Think of it less as some kind of enormous supercomputer and more like open-source access to very large datasets and powerful computing resources for the environmental science community (you know, the people writing all the reports telling us how bad things are). According to Microsoft Chief Environmental Officer Lucas Joppa, the end goal is an answer to the most complex environmental science question of all “how do we manage Earth΄s natural resources to ensure a climate-stable future?”

Microsoft is a technology company, so it makes sense that technology solutions are the most meaningful contribution it can make to combatting the climate crisis, the degradation of Earth’s ecosystems and frightening loss of biodiversity we are currently experiencing. The goal is to better monitor, model and manage the world’s ecosystems. But don’t take it from me, this is the brainchild of Lucas Joppa who sits at the intersection of computer and environmental science.

“This won’t be built as a crystal ball. Instead, it will be a global portfolio of applications connecting trillions of data points to computing power and machine learning capable of converting that all into contextualized information.”

Conclusion 

If we step back, zoom out and look at the moment in history we are in, it is precarious. Too many carbon emissions in our atmosphere are warming the planet and changing the climate in unpredictable and destabilizing ways; freshwater sources and oceans around the world have been degraded and filled with pollution; consumption of scarce resources continues to accelerate while waste piles up and contaminates the environment; and the living things that prop up our entire way of life, from soil microbes to whales, are going extinct faster than we can identify them.

Humans have fundamentally transformed the entire planet in just 250 years with the explosion of growth and technology ushered in by the first Industrial Revolution. But that progress has come at a cost, and we are now paying the price. Unless we drastically change the ways we power our civilizations, grow and transport our food and design and consume our products, we face a climate catastrophe. But it’s not too late to make meaningful change, and while not a cure all, technology has an important role to play.

Committing to become a carbon negative, water positive, zero waste company by 2030 is remarkable. There aren’t many organizations doing this, and none the size of Microsoft. But if these goals seem overly ambitious, consider that every organization on the planet will need to do the same thing, and sooner rather than later. As large as Microsoft is, it is barely a drop in the ocean when it comes to climate change. Its strategy – its moonshot – is that the rest of the world will want to do the same when they see it can be done, and along the way, the company will develop solutions it will sell to those organizations to become the world’s leading environmental technology solutions provider.

At the heart of these commitments is something more: a desire to do something, anything, to avert a climate catastrophe and a willingness to bring the full resources of a trillion-dollar tech company to bear to make it happen faster. These commitments, and the progress made to date, are a proportional and appropriate response to what the best available science is telling us needs to happen. Let’s hope it spurs companies and governments around the world to respond in kind, because ultimately, that is what’s required to make a meaningful difference.  

See a summary of the overall report in Part One of this blog series and learn more about the carbon negative commitment in Part Two.

Comments, questions and feedback welcome below! 

-Drew

Office Channels Webinar

by Contributed | Mar 19, 2021 | Technology

This article is contributed. See the original author and article here.

This webinar provides an overview of the Microsoft 365 Apps upgrade and the new management strategy, as well as servicing channel best practices and Microsoft Information Protection.

Resources:

What’s new in the Microsoft 365 admin center? – Microsoft 365 admin | Microsoft Docs

About the Microsoft 365 admin center

What’s new in Office deployment for IT Pros – Deploy Office | Microsoft Docs

This webinar was presented on February 24, 2021, and the recording can be found here.

Attached to this post are:

1. The FAQ document that summarizes the questions and answers that came up over the course of both Webinars.


2. A PDF copy of the presentation.

Thanks to those of you who participated during the two sessions and if you haven’t already, don’t forget to check out our resources available on the Tech Community.

Thanks!

@Robin_Baldwin on behalf of the MIP and Compliance CXE team

Troubleshooting BitLocker policies from the client side

by Contributed | Mar 19, 2021 | Technology

This article is contributed. See the original author and article here.

This is the third blog in our series on using BitLocker with Microsoft Endpoint Manager – Microsoft Intune. In the last post, we described how to effectively troubleshoot common scenarios using the Microsoft encryption report in the Microsoft Endpoint Manager admin center. Now we’ll look at common issues, the logs and data you need to collect, and the steps you can take to troubleshoot BitLocker encryption on the client side.

BitLocker encryption process

The following steps describe the flow of events that should result in a successful encryption of a Windows 10 device that has not been previously encrypted with BitLocker:

1. An administrator configures a BitLocker policy configured through Endpoint security > Disk encryption with the desired settings and targets a user group or device group.


2. The policy is saved to a tenant in the Intune service.


3. A Windows 10 Mobile Device Management (MDM) client syncs with the Intune service and processes the BitLocker policy settings. 


4. The BitLocker MDM policy Refresh scheduled task runs on the device that replicates the BitLocker policy settings to full volume encryption (FVE) registry key. 


5. BitLocker encryption is initiated on the drives.

The encryption report identifies common troubleshooting scenarios that are documented in the BitLocker configuration service provider (CSP) status node. However, some status scenarios might not be reported and you will need access to the device to investigate further. 

There is already extensive documentation available for troubleshooting BitLocker encryption policies. You can check out Intune troubleshooting tips or follow guidelines from a Windows perspective to help isolate issues when enabling BitLocker using Intune.

Gathering data from Windows 10 devices

If you determine that there is no actionable information in the encryption report to understand why BitLocker was not enabled, the next step is to access an affected device and gather the required data to complete the investigation. 

If a device is accessible, you can initiate a sync with the Intune service manually from your Windows device by selecting Settings > Accounts> Access work or school > Connect <tenant> Azure AD > Info before collecting the data.

Event logs

Mobile device management (MDM) agent event log

The MDM event log is useful to determine if there’s been an issue processing the policy sent from Intune. The OMA DM agent will connect to the Intune service and attempt to process the policies targeted at the user or device. Success and failures processing Intune policies will be found in this log.

Once the sync is complete, collect or review the following information:

LOG > DeviceManagement-Enterprise-Diagnostics-Provider admin  

• Location: Right-click on Start Menu > Event Viewer > Applications and Service Logs > Microsoft > Windows > Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider > Admin 


• File system location: C:WindowsSystem32winevtLogsMicrosoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx

To filter this log, right–click the event log and select Filter Current Log > Critical/Error/Warning. Then search through the filtered logs for BitLocker (press F3 and enter the text).

Errors in BitLocker settings will follow the format of the BitLocker CSP, so you will see entries like this: 

./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption 

or 

./Vendor/MSFT/BitLocker/ConfigureRecoveryPasswordRotation

Note
You can also enable debug logging for this event log using the Event Viewer for troubleshooting.

BitLocker-API management event log

This is the main event log for BitLocker. If the policy has been processed by the MDM agent and there are no errors in the DeviceManagement-Enterprise-Diagnostics-Provider admin event log, this is the next log to investigate.

LOG > BitLocker-API management

• Location: Right-click on Start Menu > Event Viewer > Applications and Service Logs > Microsoft > Windows > BitLocker-API


• File system location: C:WindowsSystem32winevtLogsMicrosoft-Windows-BitLocker%4BitLocker Management.evtx

Usually, errors are logged here if there are hardware or software prerequisites missing that the policy requires such as Trusted Platform Module (TPM) or Windows Recovery Environment (WinRE).  As you can see in the following example, conflicting policy settings that cannot be implemented during silent encryption and manifest as group policy conflicts are also logged:

Failed to enable Silent Encryption. 

Error: BitLocker Encryption cannot be applied to this drive because of conflicting Group Policy settings. When write access to drives not protected by BitLocker is denied, the use of a USB startup key cannot be required. Please have your system administrator resolve these policy conflicts before attempting to enable BitLocker. 

Resolution: Configuring the compatible TPM startup PIN to Blocked will resolve conflicting Group Policy settings when using silent encryption.

• 
  

  Configuring the TPM startup PIN and startup key to Allowed and other startup key and PIN setting to Blocked for user interaction and will result in a conflicting Group Policy error in BitLocker-AP event log.

  
  


• 
  

  Also, if you configure TPM startup PIN or startup key to require user interaction, it will cause silent encryption to fail. You must set the PIN and TPM startup key to Blocked if silent encryption is required.
  
  

  
  

Configuring any of the compatible TPM settings to Required will cause silent encryption to fail.

Microsoft Endpoint Manager – BitLocker | OS Drive Settings

TPM not available

Another common error in the BitLocker-API log is that the TPM is not available. The following example shows that TPM is a requirement for silent encryption:

Failed to enable Silent Encryption. TPM is not available 

Error: A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer.

Resolution: Ensure there is a TPM available on the device and if it is present check the status via TPM.msc or the PowerShell cmdlet get-tpm.

Un-Allowed DMA capable bus 

If the BitLocker-API log displays the status: Un-Allowed DMA capable bus/device(s) detected, it means that Windows has detected an attached Direct memory access (DMA)-capable device that might expose a DMA threat.

Resolution: To remediate this issue, first verify that the device has no external DMA ports with the original equipment manufacturer (OEM). Then follow these steps to add the device to the allowed list. Note: Only add a DMA device to the allowed list if it is an internal DMA interface/bus.

System event log

If you’re having hardware–related issues—such as problems with the TPM—errors will appear in the system event log for TPM from the TPMProvisioningService or TPM-WMI source.

LOG > System event

• Location: Right-click on Start Menu > Event Viewer > Windows Logs > System


• File system location: C:WindowsSystem32winevtLogsSystem.evtx

Filtering properties for the System event log

Resolution: Filter on these event sources to help identify any hardware-related issues that the device may be experiencing with the TPM and check with the OEM manufacturer whether there are any firmware updates available.

Task scheduler operational event log

The task scheduler operational event log is useful for troubleshooting scenarios where the policy has been received from Intune, but BitLocker encryption has not successfully initiated. BitLocker MDM policy refresh is a scheduled task that should run successfully when the MDM agent syncs with the Intune service.

The log is worth investigating when:

• 
  

  The BitLocker policy appears in the DeviceManagement-Enterprise-Diagnostics-Provider admin event log, in MDM diagnostics, and the registry.  

  
  


• 
  

  There are no errors (i.e., the policy has been picked up successfully from Intune).  

  
  


• 
  

  Nothing is logged in the BitLocker-API event log to show that encryption was even attempted.

  
  

LOG > Task scheduler operational event 

• Location: Event Viewer > Applications and Service Logs > Microsoft > Windows > TaskScheduler 


• File system location: C:WindowsSystem32winevtLogsMicrosoft-Windows-TaskScheduler%4Operational.evtx

Important 
You must manually enable this event log before logging anything because the log will identify any problems running the BitLocker MDM policy Refresh scheduled task.

1. To enable this log, Right-click on Start Menu > Event Viewer> Applications and Services > Microsoft > Windows > TaskScheduler > Operational.
   
   Screenshot of the TaskScheduler – Operational Logs
   
   


2. Then enter task scheduler in the Windows search box, select Task Scheduler > Microsoft > Windows > BitLocker. Right-click on BitLocker MDM policy Refresh and choose Run.

When the run is complete, inspect the Last Run Result column for any error codes and examine the task schedule event log for errors.

Example screenshot of BitLocker tasks in Task Scheduler

In the example above, 0x0 has run successfully. The error 0x41303 this means the task has never previously run.

Note
Check out this article for more information about Task Scheduler error messages.

Checking BitLocker settings

MDM Diagnostics Report

You can create a report of MDM logs to diagnose enrollment or device management issues in Windows 10 devices managed by Intune. The MDM Diagnostic Report contains useful information about an Intune enrolled device and the policies deployed to it.

• 
  

  Location: YouTube video: How to create an Intune MDM diagnostic report on Windows devices. This video describes how to create a report. 

  
  


• 
  

  Filesystemlocation: C:UsersPublicDocumentsMDMDiagnostics

  
  

The operating system (OS) build and edition in encryption failures: It’s important to investigate the OS build and edition because some CSPs were introduced on specific versions of Windows and will only work on a certain edition. For example, the bulk of BitLocker CSP settings were introduced in Windows 10, version 1703 but these settings weren’t supported on Windows 10 Pro until Windows 10, version 1809.

Additionally, there are settings such as AllowStandardUserEncryption (added in version 1809), ConfigureRecoveryPasswordRotation (added in version 1909), RotateRecoveryPasswords (added in version 1909), and Status (added in version 1903).

Checking if your Windows version and edition supports the settings configured in your policy is the first step in understanding why they are not applying correctly.

Investigating with the EntDMID: This is a unique device ID for Intune enrollment. You can use the EntDMID to search through the All Devices view in the Microsoft Endpoint Manager admin center to identify a specific device. It is also a crucial piece of information for Microsoft support to enable further troubleshooting on the service side if a support case is required.

You can also use the MDM Diagnostic Report to identify whether a policy has been successfully sent to the device with the settings the administrator configured. By using the BitLocker CSP as a reference, you can decipher which settings have been picked up when syncing with the Intune service. This article discusses this topic in more detail. You can use the report to determine if the policy is targeting the device and identify what settings have been configured using the BitLocker CSP documentation.

MSINFO32

MSINFO32 is an information tool that contains device data you can use to determine if a device satisfies BitLocker prerequisites. The required prerequisites will depend on BitLocker policy settings and the required outcome. For example, silent encryption for TPM 2.0 requires a TPM and Unified Extensible Firmware Interface (UEFI).

• Location: In the Search box, enter msinfo32, right-click System Information in the search results and select Run as administrator.


• File system location: C:WindowsSystem32Msinfo32.exe.

However, if this item doesn’t meet the prerequisites, it doesn’t necessarily mean that you can’t encrypt the device using an Intune policy.

• 
  

  If you have configured the BitLocker policy to encrypt silently and the device is using TPM 2.0, it is important to verify that BIOS mode is UEFI. If the TPM is 1.2, then having the BIOS mode in UEFI is not a requirement. 

  
  


• 
  

  Secure boot, DMA protection, and PCR7 configuration are not required for silent encryption but might be highlighted in Device Encryption Support. This is to ensure support for automatic encryption. 

  
  


• 
  

  BitLocker policies that are configured to not require a TPM and have user interaction rather than encrypt silently will also not have prerequisites to check in MSINFO32.

  
  

TPM.MSC file

TPM.msc is a Microsoft Management Console (MMC) Snap–in file. You can use TPM.msc to determine whether your device has a TPM, to identity the version, and whether it is ready for use.

• Location: In the Search box enter, tpm.msc, right-click and select Run as administrator.


• File system location: MMC Snap-in C:WindowsSystem32mmc.exe.

As we discussed in previous blogs, having a TPM is not a prerequisite for BitLocker but is highly recommended due to the increased security it provides.

Having a TPM is required for silent and automatic encryption. If you’re trying to encrypt silently with Intune and there are TPM errors in the BitLocker-API and system event logs, TPM.msc will help you understand the problem.

The following example shows a healthy TPM 2.0 status. Note the specification version 2.0 in the bottom right and that the status is ready for use.

Example screenshot of a healthy TPM 2.0 status in the Trusted Platform Module console

This example shows an unhealthy status when the TPM is disabled in the BIOS:

Example screenshot of an unhealthy TPM 2.0 status in the Trusted Platform Module console

Configuring a policy to require a TPM and expecting BitLocker to encrypt when the TPM is missing or unhealthy is one of the most common issues.

Get-Tpm cmdlet

A cmdlet is a lightweight command in the Windows PowerShell environment. In addition to running TPM.msc, you can verify the TPM using the Get-Tpm cmdlet. You will need to run this cmdlet with administrator rights.

• Location: In the Search box enter cmd, right-click and select Run as administrator > PowerShell > get-tpm.

Example screenshot of a present and active TPM in a PowerShell window

In the example above, you can see that the TPM is present and active in the PowerShell window. The values equal True. If the values were set to False, it would indicate a problem with the TPM. BitLocker will not be able to use the TPM until it is present, ready, enabled, activated, and owned.

Manage-bde command-line tool

Manage-bde is a BitLocker encryption command line tool included in Windows. It’s designed to help with administration after BitLocker is enabled.

• Location: In the Search box, enter cmd, right–click and select Run as administrator > enter manage–bde –status.


• File system location: C:WindowsSystem32manage-bde.exe.

Example screenshot of the manage-bde.exe command in a Command Prompt window

You can use manage-bde to discover the following information about a device:

• Is it encrypted? If reporting in the Microsoft Endpoint Manager admin center indicates a device is not encrypted, this command line tool can identify the encryption status.


• Which encryption method has been used? You can compare information from the tool to the encryption method in the policy to make sure they match. For example, if the Intune policy is configured to XTS-AES 256-bit and the device is encrypted using XTS-AES 128-bit, this will result in errors in Microsoft Endpoint Manager admin center policy reporting.


• What specific protectors are being used? There are several combination of protectors. Knowing which protector is used on a device will help you understand if the policy has been applied correctly.

In the following example, the device is not encrypted:

Example screenshot of a device not encrypted with BitLocker

BitLocker registry locations

This is the first place in the registry to look when you want to decipher the policy settings picked up by Intune.

• Location: Right click on Start > RUN > enter regedit to open the Registry Editor.  


• Default file system location:
  ComputerHKEY_LOCAL_MACHINESOFTWAREMicrosoftPolicyManagercurrentdeviceBitLocker

The MDM agent registry key will help you identify the Globally Unique Identifier (GUID) in the PolicyManager that contains the actual BitLocker policy settings.

BitLocker registry location in the Registry Editor

The GUID is highlighted in the above example. You can include the GUID (it will be different for each tenant) in the following registry subkey to troubleshoot BitLocker policy settings:

ComputerHKEY_LOCAL_MACHINESOFTWAREMicrosoftPolicyManagerProviders<GUID>defaultDeviceBitLocker

Screenshot of the Registry Editor displaying the BitLocker policy settings configured by the MDM agent

This report shows the BitLocker policy settings that have been picked up by the MDM agent (OMADM client). These are the same settings that you will see in the MDM Diagnostic report, so this is an alternative way of identifying settings that the client has picked up.

Example of EncryptionMethodByDriveType registry key:

<enabled/><data id="EncryptionMethodWithXtsOsDropDown_Name" value="6"/><data id="EncryptionMethodWithXtsFdvDropDown_Name" value="6"/><data id="EncryptionMethodWithXtsRdvDropDown_Name" value="3"/>

SystemDrivesRecoveryOptions:

<enabled/><data id="OSAllowDRA_Name" value="true"/><data id="OSRecoveryPasswordUsageDropDown_Name" value="2"/><data id="OSRecoveryKeyUsageDropDown_Name" value="2"/><data id="OSHideRecoveryPage_Name" value="false"/><data id="OSActiveDirectoryBackup_Name" value="true"/><data id="OSActiveDirectoryBackupDropDown_Name" value="1"/><data id="OSRequireActiveDirectoryBackup_Name" value="true"/> 

BitLocker registry key

The settings in the policy provider registry key will be duplicated into the main BitLocker registry key. You can compare the settings to ensure they match what appears in the policy settings in the user interface (UI), MDM log, MDM diagnostics and the policy registry key.

This is an example of the FVE registry key: 

Registry key location: ComputerHKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftFVE

Screenshot of the BitLocker registry keys found in the Registry Editor

1. EncryptionMethodWithXtsOs, EncryptionMethodWithXtsFdv and EncryptionMethodWithXtsRdv have the following possible values:
   
   
   
   1. 3 = AES-CBC 128
   
   
   2. 4 = AES-CBC 256
   
   
   3. 6 = XTS-AES 128
   
   
   4. 7 = XTS-AES 256
   
   
   
   


2. UseTPM, UseTPMKey, UseTPMKeyPIN, USeTPMPIN are all set to 2,which means they are all set to allow.


3. Notice that most of the keys are divided into groups of settings for the operating system drive (OS), fixed drive (FDV) and removable drive (FDVR).


4. OSActiveDirectoryBackup has a value of 1 and is enabled.


5. OSHideRecoveryPage is equal to 0 and not enabled.

You can decode all of the setting names in the registry using the BitLocker CSP documentation.

REAgentC.exe command line tool

REAgentC.exe is a command line executable tool that you can use to configure the Windows Recovery Environment (Windows RE). WinRE is a prerequisite for enabling BitLocker in certain scenarios such as silent or automatic encryption.

• Location: Right-click on Start > Run > enter cmd > right–click cmd and select Run as administrator > reagnetc /info.


• File system location: C:WindowsSystem32ReAgentC.exe.

Tip

If you see error messages in the BitLocker-API about WinRe not being enabled, run the following command on the device to determine the WinRE status:

Output of the ReAgentC.exe command in Command Prompt

If the WinRE status is disabled, it is possible to enable it manually using the following command line as an administrator:

Example screenshot to enable ReAgentC.exe in Command Prompt

Conclusion

When BitLocker fails to enable on a Windows 10 device using an Intune policy, in most cases, the hardware or software prerequisites are not in place. Examining the BitLocker-API log will help you identify which prerequisite is not satisfied. The most common issues are:

• TPM is not present


• WinRE is not enabled


• UEFI BIOS is not enabled for TPM 2.0 devices

Policy misconfiguration can also cause encryption failures. Not all Windows devices can encrypt silently so think about the users and devices that you’re targeting.

Configuring a startup key or PIN for a policy intended for silent encryption will not work because of the user interaction required when enabling BitLocker. Keep this in mind when configuring the BitLocker policy in Intune.

It is useful to be able to verify whether the policy settings have been picked up by the device to determine whether the targeting has been successful.

It is possible to identify the policy settings using MDM diagnostics, registry keys and the device management enterprise event log to verify if the settings have been successfully applied. The BitLocker CSP documentation can help you decipher these settings to understand whether they match what has been configured in the policy.

There are multiple places to configure BitLocker settings in the Microsoft Endpoint Manager admin center – Security baselines, Endpoint security, and Configuration profiles. It’s not a good idea to have conflicting policies. The preferred and recommended approach is to use Endpoint security > Disk encryption.

Reference

Here’s an overview of the logs, diagnostic checks, and command-line tools discussed in this post:

Logs

• DeviceManagement-Enterprise-Diagnostics-Provider admin event log: Use this log for MDM policy processing and errors applying the CSP settings. 


• BitLocker-API and system event log: Investigate this log if the policy has been processed successfully and Windows is now attempting to implement the settings. 


• Task scheduler operational event log: Check this log if the policy has been processed in DeviceManagement-Enterprise but nothing has happened in BitLocker-API. 


• Collect diagnostics remote action: Use Intune to collect logs remotely without interrupting the user.

BitLocker settings checks

• MDM Diagnostics report: Use this report to verify if BitLocker settings have been applied and what they are configuring.


• Registry keys: Use to verify if the policy received from MDM provider has applied to Windows correctly.

Command line/Powershell tools

• Get-Tpm cmdlet: Check the TPM status of the device.


• Tpm.msc: Check the TPM status of the device.


• REAgentc.exe: Check WinRE status of the device.


• MSINFO32.exe: Check the hardware prerequisites for BitLocker.


• Manage-bde.exe: Check the BitLocker encryption status of the device.

More info and feedback

For further resources on this subject, please see the links below.

Enforcing BitLocker policies by using Intune known issues 

Diagnose MDM failures in Windows 10 – Windows Client Management 

BitLocker Management Recommendations for Enterprises (Windows 10)  

Guidelines for troubleshooting BitLocker – Microsoft 365 Security

The next post will cover the BitLocker Recovery Key. Stay tuned! Catch up on other posts in the series:

1. Enabling BitLocker with Microsoft Endpoint Manager – Microsoft Intune – Microsoft Tech Community


2. Troubleshooting BitLocker from the Microsoft Endpoint Manager admin center – Microsoft Tech Community

Let us know if you have any additional questions by replying to this post or reaching out to @IntuneSuppTeam on Twitter.

Troubleshooting Switch Misconfiguration

by Contributed | Mar 19, 2021 | Technology

This article is contributed. See the original author and article here.

It’s 5 PM on Friday evening – the weekend will soon be here. You do one last sweep of your inbox before signing off when your cellphone the bat phone rings. Someone didn’t get the memo about the unwritten operational rule of IT Administration: Never make changes on a Friday. The phone itself seems terrified with every ring. A panicked voice on the other end says, “I can’t ping my VM.” Pandemonium ensues…

Today we’re going to talk about a new, free, downloadable tool that can help.

Networks are complex. There are many different vendors, with many different configurations – Even your network team might be different than your Server/HCI team. In the revelry mentioned above, everything may look the same on your hosts, but it’s hard to know if the issue is caused by the host or the physical network without being able to see the physical network configuration.

If LLDP is enabled on your switchports, it can be an easy task to quickly validate some of the physical network settings. LLDP or Link Layer Discovery Protocol is an IEEE standard (802.1AB) that allows networked devices to advertise their configuration (among other things) to neighboring devices. To Windows and Azure Stack HCI, the neighboring device is the physical switchport that its connected (via the NIC). LLDP’s Wikipedia site has a nice intro where you can learn a bit more.

With LLDP, switchports can advertise the VLAN, MTU, and DCB configuration among others information which can be critical information for Azure Stack HCI systems. However, not all switches support advertisement of the same information. Without getting into the details (which you can read more about on the Wikipedia site linked above), the switch will determine how much information you can view.

Azure Stack HCI Network Switches

To improve Azure Stack HCI reliability where we have a purpose-built OS, we have begun to require that switches support LLDP. Most importantly, we require that they support some of the “organizationally specific Custom TLVs.” That is a fair amount of jargon, but it boils down to supporting capabilities like VLAN, MTU, etc. In the picture below, you can see the Organizationally Specific TLVs (type 127) along with the MTU and PFC configuration of the switchport this NIC is attached.

Note: We intend to grow the list of required TLVs over time as we work with network vendors. Check the Custom TLVs documentation link just above for updates.

Help! I need to buy a switch for Azure Stack HCI!

We document some Network Switches for Azure Stack HCI that the vendor has verified meet the requirements – the list will grow as we hear from the various switch vendors. Talk to your Network Vendor to see if your switch meets the requirements.

Having this information at your disposal can help you answer several critical questions particularly when you want to get started on your weekend:

• Did you misconfigure your host or is it the physical network?


• Did the network engineer add the necessary configuration to the correct switchport?


• Is the switchport configuration the same on each team member?


• Is the switchport configuration the same between each cluster node?

Help! My Network Admin says LLDP is insecure!

LLDP does not require credentials to receive information but that doesn’t mean it’s insecure. LLDP allows the administrator of the network device to choose which information (TLVs), if any, is sent to neighbors with the intention that this information can be used for diagnostic purposes.

Get Started

Back to our IT hero for a moment. How can you quickly determine whether the issue is on the switch or you missed some settings on your host?

An LLDP enabled switchport will periodically (typically every 30 seconds) send messages to its neighbors, including the juicy information you may want as an IT Administrator to determine whether your physical host configuration matches that of the physical network.

Retrieving this information is traditionally a bit of a challenge, however there is a tool to make this simple.

Note: If you’re not in control of your network switches, make sure you ask your network team to enable LLDP and any “organizationally specific TLVs” that the switch supports.

Install the Module

First install the DataCenterBridging module from the PowerShell gallery. This module contains a few goodies and has been updated to include the functions to parse the LLDP data from the switch.

There are four available commands at the time of writing:

Getting the Physical Switch Information

Let’s start off by trying to get the LLDP information using Get-FabricInfo. With each of the commands you can specify the SET Switch or individual Interface names (using the InterfaceName parameter). In this case, we are specifying the SET Switch that starts with the name Converged. The cmdlet finds all the physical NICs attached the switch and looks for available LLDP messages on each interface.

At first run, it probably will not find anything. The cmdlet tells you to run Test-FabricInfo to help identify the problem.

Running Test-FabricInfo identifies a few problems that we need to resolve.

You can use Enable-FabricInfo to resolve all the problems in one shot. This will install the feature and ensure that the LLDP agent is enabled on the underlying interfaces, etc.

Note: Want to know everything this is doing? Look at the code on GitHub!

Next, run Test-FabricInfo again to determine if all the requirements are met. You can see we got a little better. Only two remaining issues; we didn’t find any LLDP packets for the interfaces in the SET switch.

Wait about 30 seconds – the typical amount of time that a switchport will send LLDP packets – and try again. If you still fail after the messages above, contact your network administrator and ensure that LLDP is enabled on the switchports connected to your team members.

If LLDP is enabled on your physical switch, you will see the following below which indicates that Test-FabricInfo found an LLDP message from the physical switch for each member of the Converged team.

Now we are ready to run Get-FabricInfo. Make sure you put the output into a variable, so you can inspect it. In this case, we add everything to the $FabricInfo variable which has an object for every team member.

You can walk the individual team members to see information collected on the Windows or HCI host (under InterfaceDetails) or the physical switch (Fabric) to which the NICs are connected.

For example, here’s a look at the IP and Subnet information on pNIC01. We collect this so it’s easy to compare to the information collected from the switch. As you can see, we have the IP Address, Subnet, VLAN, etc.

In this case, we have a virtual switch on the host and as part of the storage configuration on this system, we have a team mapped host vNIC. The IP, Subnet, etc. are being displayed from that team-mapped host vNIC. If the team member isn’t part of a virtual switch, we’ll display the configuration on the physical NIC.

Now let’s take a look at what the switch sent us and what we can learn about the physical network (as mentioned before, the information will vary based on what the switch supports):

• NativeVLAN: 1133 – Untagged traffic will be sent over this vlan


• VLANID: Info Not Provided… This includes the trunked VLANs that can be carried on this switchport. The switch below did not include this information in the packet sent to the host.


• FrameSize: 9236 – The physical NIC and virtual NICs MTU configuration should not exceed the switches value or traffic will be segmented (or in some cases dropped).


• PFC is enabled on Priority3 – Data needing lossless communication (e.g. RoCE-based RDMA) should use Priority 3.

From this information, we can determine that VLAN 711 (on the storage vNIC) is not using the native vlan, and the switch is not showing the trunked VLANs in LLDP either. This leads to two conclusions:

• We should check the switch configuration or contact our network administrator if network connectivity is not available on pNIC01 because we could not confirm that traffic is available here.


• We should ask our network administrator to find us a switch that does advertise this information so that we can identify this problem ourselves (and without ruining their weekend).

Here’s the same view but from another switch. This switch did not send the PFC information, but it does show the VLAN IDs available to the host (1, 11, 12, and 40).

From here, we can tell that VLAN 711 is not available on the physical network which is at least one obvious reason why there may not be network connectivity on this link.

Some of the other problems on the physical network that you can easily identify:

• Missing VLANs


• Misconfigured Jumbo Frames


• Misconfigured PFC settings


• Topology problems e.g. cabled to the wrong switch (check ChassisGroups for this information)

Reminder: The information displayed is dependent on the switch’s capabilities. If the switch is unable to provide us with a certain TLV, we display the text “Information Not Provided By Switch.” If you see this message, you should work with your network administrator to identify if the information can be included.

Summary

Get-FabricInfo allows you to answer several questions about the physical network configuration that may come in handy when troubleshooting diagnostic issues. Is the physical network setup as I expected it? Is the configuration the same between cluster nodes? All of this and more can be answered if your switch supports LLDP and you’re running Windows or Azure Stack HCI.

Hopefully that Friday afternoon call isn’t quite so scary anymore!

Thanks for reading,

Dan “weekend warrior” Cuomo

Power Up Microsoft 365 with the Power Platform [M365 Meetup for Government]

by Contributed | Mar 19, 2021 | Technology

This article is contributed. See the original author and article here.

Microsoft 365’s greatest business impact can be achieved using the Power Platform family of technologies. PowerApps, Power Automate, and PowerBI are a core part of the Microsoft 365 experience and empower both citizen developers and IT to meet the mission needs of the organization.

Microsoft PowerApps allow organizations to efficiently and effectively drive toward a zero trust security model within their existing budget and M365 services scope. Because MS PowerApps are a low code development framework, included with your government Microsoft 365 (M365) subscription, existing M365 Engineers can quickly adjust service delivery methods without starting from scratch or purchasing additional costly development tools or specialized Subject Matter Development Experts. In this session, we will focus on transforming enterprise IT service administration leveraging MS PowerApps, which allows for low level IT administration without risk of high level access and permissions.

Event Link:

Sign up for the event here!

Session 1: Power Platform Introduction

Presenter:
Steve Winward, Microsoft Technical Specialist
https://www.linkedin.com/in/stevewinward/

Session 2: Utilizing Power Platform to achieve a Zero Trust

Vamonos IT LLC (link)

Presenters:

Chris Current – https://www.linkedin.com/in/chris-current-0972941b3/
Joe Tyner – https://www.linkedin.com/in/joetyner/
Jenny Bunch – https://www.linkedin.com/in/jenny-bunch/

Dave Harrison – David Harrison | LinkedIn