This article is contributed. See the original author and article here.
We continue to expand the Azure Marketplace ecosystem. For this volume, 87 new offers successfully met the onboarding criteria and went live. See details of the new offers below: | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
This article is contributed. See the original author and article here.
To provide a unified and streamlined customer experience, the Azure Information Protection labeling and policy management in the Azure Portal, and the AIP classic client, will be deprecated on March 31st, 2021as announced in our previous blog.
We highly recommend customers on classic AIP labeling to migrate to unified labeling before this sunset timeline for a seamless transition to unified labeling.
Note: This deprecation does not apply in the following scenarios:
The deprecation does not affect the Azure Information Protection areas in the Azure portal related to the on-premises scanner and analytics. AIP analytics is still available in the Azure Portal, but we encourage customers to start using the Microsoft 365 Compliance center Activity Explorer.
After deprecation, editing labels and policies in the Azure portal will no longer be available. The only admin action that will still be available after deprecation is to activate unified labeling. Classic client will continue to function as configured; however, no further support is provided, and maintenance versions will no longer be released for the classic client.
This blog lists key admin components that will be deprecated and describes how this impacts the admin. For details on migration, see the previous communications on UL migration steps.
Fig 1: Home > Azure Information Protection > Labels
Fig 2: Home > Azure Information Protection > Labels > Label Name
Fig 3a: Home > Azure Information Protection > Labels > Label Name > Configure Condition
Fig 3b: Home > Azure Information Protection > Labels > Label Name > Configure Condition
Fig 4: Home > Azure Information Protection > Policies > Policy
Fig 5: Home > Azure Information Protection > Policies > Policy
Fig 6a: Home > Azure Information Protection > Policies > Policy >
Fig 6b: Home > Azure Information Protection > Policies > Policy > Select which users or groups get this policy.
Fig 7: Home > Azure Information Protection > Policies > Policy > Advanced Settings
Fig 8: Home > Azure Information Protection > Protection Activation
For customers that are working with protection templates instead of labels, Admins could manage the protection templates from the portal. Moving forward:
Fig 9: Home > Azure Information Protection > Labels
Fig 10: Home > Azure Information Protection > Labels > Label Name > Protection Settings
Fig 11: Home > Azure Information Protection > Languages
Fig 12a: Home > Azure Information Protection > Unified Labeling > Activate
Fig 12b: Home > Azure Information Protection > Unified Labeling >
Fig 14a: Microsoft 365 compliance > Solutions > Information Protection > Labels >
After you activate and migrate to unified labeling, your labels will be available in the Microsoft 365 Compliance center.
Fig 14b: Microsoft 365 compliance > Solutions > Information Protection > Label policies >
# | Admin | Not Impacted | Impacted |
1 | Admin tries to add a new label.
| — | Admin will not be able to add a new label. Admin will not have the shortcuts or any right-click options. |
2 | Admin tries to edit a label | Admin will be able to view a label in read-only mode.
| Admin will not be able to edit or delete label content and settings |
3 | Admin tries to edit label conditions | Admin will be able to view conditions in read-only mode. | Admin will not be able to edit conditions |
4 | Admin tries to edit policy | Admin will be able to only view policy | Admin will not be able to save or delete a policy. |
5 | Admin tries to edit policies (export, advance settings) | Admin will be able to select the ellipsis and right-click options to manage each policy. Admins will be able to select Export and Advanced settings buttons. | Admin will not be able to add new policy. In the shortcut, the link will not have move up/down or delete options. |
6 | Admin tries to add user | Admin will be able to view users | Admin will not be able to add a user or remove a user |
7 | Admin tries to edit advanced settings | Admin will be able to view settings in read-only mode. | Admin will not be able to add new settings or remove settings |
8 | Admin tries to activate protection | Admin will be able to see the status (activated / deactivated) | Admin will not be able to activate / or deactivate |
9 | Admin tries to edit protection templates in the AIP portal | Admins will be able to view protection templates in read-only mode. Admins can use AIP PowerShell cmdlets to edit protection.
| Admins will not be able to edit / change protection settings in the AIP Portal. Admin will not be able to convert templates to labels using the portal but can still use PowerShell command |
10 | Admin tries to edit protection | Admin will be able to view protection in read-only mode. | Admin will not be able to edit protection |
11 | Admin tries to add, import, delete language | Admin will be able to only export | Admin will not be able to add, import, delete |
12 | Admin tries to activate unified labeling | Admin will be able to activate and copy the policy | Admin will not be able to publish labels in the AIP portal |
13 | End users using classic client | Users will be able to apply labels and protection and to consume protected files | AIP classic is out of support. Maintenance versions will not be released. |
14 | AIP labels in Microsoft Cloud App Security | — | AIP labels will not be supported. Only unified labels will be supported. |
This article is contributed. See the original author and article here.
Running complex aggregations and analytical functions on real-time operational databases is a powerful capability in Azure SQL. In the last part of this three-part series with Silvano Coriani, we will see how Window Functions can be a great tool to express analytical calculations on real-time data sets.
More episodes in this Operational Analytics Series:
How Azure SQL Enables Real-time Operational Analytics (HTAP) – Part 1
How to Optimize Existing Databases & Applications with Operational Analytics in Azure SQL – Part 2
Resources:
Get started with Columnstore for real-time operational analytics
Sample performance with Operational Analytics in WideWorldImporters
T-SQL Window Functions: For data analysis and beyond, 2nd Edition
Real-Time Operational Analytics:
Memory-Optimized Tables and Columnstore Index
DML operations and nonclustered columnstore index (NCCI) in SQL Server 2016
Filtered nonclustered columnstore index (NCCI)
This article is contributed. See the original author and article here.
In this blog post we learn how we can display a table in an Adaptive Card, pull data from a SharePoint list and use Power Automate to do that in one flow.
When I read in the documentation, that tables and headers are not supported, it was somehow a BUMMER :face_with_rolling_eyes:, but then I asked the worlds laziest developer Hugo Bernier, if there was really now way to do it.
Our first idea was, to templatize an Adaptive Card, and then pass data into that template; but very unfortunately, this isn’t supported in Power Automate. Our second idea resolved the whole problem: We would build the JSON for our Adaptive Card like different LEGO bricks and then out them together.
We would need
{ and [ with } and ]To make things a bit more approachable, here is our little
We want to display items of a SharePoint list in an Adaptive Card as a table. The result should look like this:
Purpose is to notify the Team each Monday about all Unicorns with a unicornibility index of less than 85 so that the team can take care of them. We do not only want to display 1 single item of our list with a factsheet but display as many items as match our query (unicornibility lt 85). We don’t want to hard-code any value in here to keep things flexible.
We start with a Recurrence trigger, set the interval to 1 and the Frequency to Week.
Next action is getting the items from our SharePoint list. Set Filter Query to unicornibility lt 85 to only get those items, that match our query – this will ensure a better performance than first pulling all list items and then working with conditions later. You can also limit how many items you want to retrieve.
We want to get a table into an Adaptive Card, which is not supported natively, so we need to do a little trick. We will use variables to build the different pieces of the Adaptive Card JSON, that we will later need. The Code in total would look like this:
{
“$schema”: “http://adaptivecards.io/schemas/adaptive-card.json”,
“type”: “AdaptiveCard”,
“version”: “1.2”,
“body”: [
{
“type”: “TextBlock”,
“text”: “Hey Team- watch out! ? need some extra ?”,
“wrap”: true,
“weight”: “Bolder”
},
{
“type”: “ColumnSet”,
“columns”: [
{
“type”: “Column”,
“items”: [
{
“type”: “TextBlock”,
“weight”: “bolder”,
“text”: “Name”
},
{
“type”: “TextBlock”,
“separator”: true,
“text”: “UNICORN1”
},
{
“type”: “TextBlock”,
“separator”: true,
“text”: “UNICORN2”
}
],
“width”: “stretch”
},
{
“type”: “Column”,
“items”: [
{
“type”: “TextBlock”,
“weight”: “bolder”,
“text”: “Unicornibility”
},
{
“type”: “TextBlock”,
“separator”: true,
“text”: “VALUE1”
},
{
“type”: “TextBlock”,
“separator”: true,
“text”: “VALUE2”
}
],
“width”: “auto”
},
{
“type”: “Column”,
“items”: [
{
“type”: “TextBlock”,
“weight”: “Bolder”,
“text”: “Party Readiness”
},
{
“type”: “TextBlock”,
“separator”: true,
“text”: “PValue1”
},
{
“type”: “TextBlock”,
“separator”: true,
“text”: “PValue2”
}
],
“width”: “stretch”
}
]
},
{
“type”: “ActionSet”,
“actions”: [
{
“type”: “Action.OpenUrl”,
“title”: “open here and care ?”
}
]
}
]
}
Let’s break this into pieces:
In case you wonder why we needed to somehow unclean cut the JSON – this is a bug in Power Automate. Although we defined our variables as string, Power Automate asked us to provide valid JSON. We could not provide valid JSON though, because we needed to cut the JSON into pieces. We needed therefore to find a way to make Power Automate believe, that we are not storing JSON in a string variable, and apparently a { at the beginning was a trigger for Power Automate to check if JSON was valid (which was not, but on purpose!).
Our Code would look color coded like this:
And if we now lay the color-code blocks over the Adaptive Card:
You may choose if you want to send the Post as the Flow bot or as a user or if you want to send this into a 1:1 chat or into a Channel. The Adaptive Card is our card variable.
Although not natively supported, we can actually display a (faux) table in Adaptive Cards and bind this to a datasource. Potentially issues could occure here, as our columns are independent from each other. The Adaptive Cards renders columns, bnit not rows, which means that if we have different heights, it could be problematic to make them look good and even. What’s next? Find the limit how many rows we can display and what else we could do with Cards :’) What would you like to figure out? I am curious, please reply below!
This article was originally posted by the FTC. See the original article here.
The pandemic has caused financial distress because of lost jobs, income, and homes, and emotional distress because of social isolation. This week, during National Consumer Protection Week (NCPW), we want your help to reach people who might be a bit cut off from their social network. The FTC knows that people who talk about scams are less likely to fall for them, and we hope to spark discussions by offering conversation-starting ideas. To close out NCPW, here are a few ideas to help you and the people you care about spot and avoid a “free prize” con.
Prize and lottery scams can start many ways, but they often begin with an unexpected phone call. The scammers may claim to be from the government. Or an official-sounding organization. They make wild claims about big winnings, and demand payment up front. If you get a call like this, hang up. You probably already know that. But you may know someone who doesn’t. So give a call to someone who might be a bit isolated, who could use a reminder about these scams. Chances are, they would like to hear from you, and have a chance to talk about how things are going and what’s on their mind.
Here are a few tips you can share about prize and lottery scams when you chat:
Legitimate contests don’t ask you to pay a fee, or give your bank account or credit card number to get your prize.
Never send money by wire transfer, gift card, or cryptocurrency. Anyone who asks you to pay for things that way is a scammer.
Don’t trust caller ID. Scammers can make it look like they’re calling from anywhere.
After you talk, invite your friend or relative to call you back if they have questions, or if they get a surprise phone call. If they say they already spotted a scam or sent money, please ask them to report to ReportFraud.ftc.gov. You’re welcome to file report for someone, if they ask for help.
Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.
This article was originally posted by the FTC. See the original article here.
Lots of people are having trouble sleeping, thanks to the pandemic and all the parts of our lives it’s affecting. And it doesn’t help when you get a call saying you owe the government money. Oh, and, they add, you’ll go to jail if you don’t pay up immediately. That’s a scam, and nothing to lose sleep over. For those who are a little more cut off from people than usual, these calls might feel more real and worrying than they are. If you know someone might be cut off from others right now, reach out to them to make sure they know these calls are scams.
Here are some things you might share with them about government imposters.
First, plenty of people have spotted calls, texts, and emails from bogus government officials. In 2020, people reported losing more than $174 million to government imposter scams, with a median loss of $1,250.
Second, you can share a few ways to spot these scammers in the act:
Sharing these tips might just help someone you care about sleep a little more soundly. And, of course, if you spot a scammer, talk about it, and then tell the FTC at ReportFraud.ftc.gov. Each report helps protect your community.
This blog post was updated on March 5th, 2021.
Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.
This article is contributed. See the original author and article here.
An Introduction to the SharePoint Admin Center
Norm Young is an Office Apps & Services MVP working as the Director of Collaborative Analytics at UnlimitedViz, the makers of tyGraph. He is focused on SharePoint and the Power Platform and shares his passion through his blog and speaking at conferences. Norm is also an active community contributor and helps to organize the Citizen Developers User Group. Follow him on Twitter @stormin_30 and visit his blog.
Dataverse for Business Applications
Oscar Garcia is a Principal Software Architect who resides in South Florida. He is a Developer Technologies MVP and certified solutions developer with many years of experience building software solutions. He specializes in building cloud solutions using technologies like AWS, Azure, ASP.NET, NodeJS, AngularJS as well as BI projects for data visualization using tools like Power BI, Tableau and JMP. You can follow Oscar on Twitter @ozkary or his blog at ozkary.com
C#.NET CORE: IMPORT/EXPORT CSV LIBRARY
Asma Khalid is an Entrepreneur, ISV, Product Manager, Full Stack .Net Expert, Community Speaker, Contributor, and Aspiring YouTuber. Asma counts more than 7 years of hands-on experience in Leading, Developing & Managing IT related projects and products as an IT industry professional. Asma is the first woman from Pakistan to receive the MVP award three times, and the first to receive C-sharp corner online developer community MVP award four times. See her blog here.
Teams Real Simple with Pictures: Managing User Feedback to Microsoft with Powershell
Chris Hoard is a Microsoft Certified Trainer Regional Lead (MCT RL), Educator (MCEd) and Teams MVP. With over 10 years of cloud computing experience, he is currently building an education practice for Vuzion (Tier 2 UK CSP). His focus areas are Microsoft Teams, Microsoft 365 and entry-level Azure. Follow Chris on Twitter at @Microsoft365Pro and check out his blog here.
Running #Dapr in WSL2 Ubuntu 20-04 distro in #WindowsInsider Build 21277 RS and #VSCode
James van den Berg has been working in ICT with Microsoft Technology since 1987. He works for the largest educational institution in the Netherlands as an ICT Specialist, managing datacenters for students. He’s proud to have been a Cloud and Datacenter Management since 2011, and a Microsoft Azure Advisor for the community since February this year. In July 2013, James started his own ICT consultancy firm called HybridCloud4You, which is all about transforming datacenters with Microsoft Hybrid Cloud, Azure, AzureStack, Containers, and Analytics like Microsoft OMS Hybrid IT Management. Follow him on Twitter @JamesvandenBerg and on his blog here.
This article was originally posted by the FTC. See the original article here.
If you used MoneyGram to send money to a scammer between January 1, 2013 and December 31, 2017, you may get a prefilled claim form in the mail soon. The claim forms, from claims administrator Gilardi & Co. LLC, are the first step in distributing money from the $125 million settlement with the FTC in 2018. In that case, the FTC and US Department of Justice (DOJ) charged that MoneyGram failed to meet agreements to crack down on consumer fraud involving money transfers.
You must return the claim form within 90 days
from the date on the form to be eligible for a refund.
These prefilled claim forms show eligible dollar loss amounts that are based on fraud reports people filed with MoneyGram and law enforcement. If you get a form and agree with the dollar loss amount shown:
If you get a form but don’t agree with the dollar loss amount shown:
The claim form requires you to give your Social Security number (SSN). That’s because the federal Treasury Offset Program must find out whether you owe money to the US government before you can get a payment. It needs your SSN to do that.
You don’t have to pay to file your claim. You don’t need a lawyer to file a claim. Don’t pay anyone who contacts you and says they’ll help you file, or help you get your money back.
On June 1, 2021, people who didn’t get a prefilled form can start filing claims online at moneygramremission.com. When you file a claim online, you have to give a MoneyGram MTCN. Or, you will be able to print the claim form and mail it in with copies of MoneyGram receipts, “send” forms, and transaction history reports. If you plan to file in June, you can start to collect — and make copies of — your receipts and other paperwork now. Once that process opens, the deadline to file a claim is August 31, 2021.
For more information about eligibility, the claims process, and other topics, go to ftc.gov/moneygram and moneygramremission.com.
Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.
This article is contributed. See the original author and article here.
Dear IT Pros,
Today, we would discuss all things about USB flash drives management including access protection, Bitlocker encryption, AV security, and troubleshooting.
Firstly, we should not reinvent the wheel, so we start with Paul Bergson’s excellent Tech blog article “Manage USB Devices on Windows Hosts”, based on the document, you could use GPO, MEM Configuration Profiles Admx (Administrative Template) for controlling access to USB drives on windows 10 devices.
I high light the following capabilities of them:
Managing USB disk drive access by GPO:
During OS plug and play enumeration process, the vendor ID, product ID, and revision number values are obtained from the USB device descriptor and record to Windows Registry. In the vvvvpppprrrrr key,
Example:
TIP : To prevent typo error due to the long name with a lot of underscore characters, you could use registry key instead ComputerHKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumUSBSTOR
You could do the same restriction using Microsoft Endpoint Manager (MEM)– Configuration Profile Administrative Template (admx)
– Sign in to the Microsoft Endpoint Manager admin center.
– Devices > Configuration profiles > Create profile.
– Select Windows 10 and later in Platform, select Administrative Templates in Profile,
– Create.
In Basics, enter a descriptive name for the profile in Name. For example, Restrict USB devices. Enter a description for the profile in Description (this setting is optional). Next.
– In Computer Configuration System Device Installation Device Installation Restriction, configure the following settings:
– In Assignments, select the device groups that will receive the profile, and then select Next.
– In Review + create, review your settings.
– When you select Create, your changes are saved and the profile is assigned.
– You could restrict all USB devices by type with class IDs:
+ Select Allow installation of devices using drivers that match these device setup classes, and then select Enabled.
+ Add the GUID of device classes that you want to allow. In the following example, Keyboard, Mouse, and Multimedia classes are allowed.
USB Flash Drive Security
– To protect USB drive by Microsoft Defender Antivirus:
You could use the Microsoft Defender Antivirus real-time protection (RTP) to scan removable storage for malware.
An example of MEM policy for USB removable drive:
– To prevent malicious process to be launched from the USB drive:
You could protect USB drive using Windows Defender Exploit Guard Policy by GPO, MECM (SCCM) or MEM to block untrusted process launched from USB drive in case of the malware file resided in USB drive.
Choose the action : block or audit only (allow the process to be launched but report its activities to Microsoft Defender for Endpoint)
Windows 10 Pro, version 1709 or later
Windows 10 Enterprise, version 1709 or later
Windows Server, version 1803 (Semi-Annual Channel) or later
Windows Server 2019
Supposed that you have 2 security group of users, the “USB Read only Users” and the “USB Read and Write Users” created in Azure AD. An User will have Read or Write access depended on the related group membership.
– To prevent users from writing to the USB drive (Preventing “Copy and paste” of Corporate data from other source to USB drives):
– Creating an Endpoint Manager Custom configuration profile for Windows 10 or later
Type: Custom,
OMA-URI: .Uservendormsftpolicy[config|result]Storage/RemovableDiskDenyWriteAccess
– Assign the policy to include group: “USB Read only Users”
Exclude group: “USB Read and Write Users”
More information: Policy CSP – Storage – Windows Client Management | Microsoft Docs
– If the “Removable Disks: Deny write access” group policy setting is enabled this policy (Deny write access to removable drives not protected by BitLocker) setting will be ignored.
You should use the Bitlocker Deny Write Policy Setting instead.
Create an Admx configuration profile :
Testing on Client Workstation, Windows 10:
When you plug the USB drive into system and the drive was not encrypted by bitlocker before, you will be prompt to encrypt it first before you could use the USB drive.
Then, you have to enter your secret password to protect the USB from being used by others. USB will be encrypted and ready for use.
Next time, when you plug the Bitlocker USB drive into system, you will need to unlock the drive by your secret password above.
Enter password previously setup during bitlocker configuration time:
Monitoring and Audit USB Access:
You could use the M365 Security Center and run the device control report. Records may have a 12-hour delay from the time a media connection occurs to the time the event is reflected in the report card.
In the Microsoft 365 security center by going to Reports > Device protection.
The View details button shows more media usage data in the device control report page.
Hunting USB PnP Device Events:
In SecurityCenter.windows.com, select the Advanced hunting icon
Run query for Device Events related to USB Device (plug and play – PNP device) with extended attributes:
DeviceEvents
| where ActionType == “PnpDeviceConnected“
| extend ParsedFields=parse_json(AdditionalFields)
|project ClassName=tostring(ParsedFields.ClassName), DeviceDescription=tostring(ParsedFields.DeviceDescription),
DeviceId=tostring(ParsedFields.DeviceId), VendorIds=tostring(ParsedFields.VendorIds), DeviceName
Hunting for USB drive and the USB manufacturer is NOT scandisk :
DeviceEvents
| where ActionType == “UsbDriveMount“
| where tolower(tostring(todynamic(AdditionalFields).Manufacturer)) != “scandisk”
| project USBMountTime = Timestamp, DeviceId,DeviceName , DriveLetter = tolower(tostring(todynamic(AdditionalFields).DriveLetter)), ProductName = tolower(tostring(todynamic(AdditionalFields).ProductName)),Manufacturer = tolower(tostring(todynamic(AdditionalFields).Manufacturer)), SerialNumber = tolower(tostring(todynamic(AdditionalFields).SerialNumber)), AdditionalFields, Timestamp
– To do Advanced Hunting for USB drives’ activities by MDE
DeviceEvents
| where Timestamp > ago(1d)
| where ActionType == "UsbDriveMount"
| project USBMountTime = Timestamp, DeviceId, AdditionalFields
| extend DriveLetter = tostring(todynamic(AdditionalFields).DriveLetter)
| join (
DeviceFileEvents
| where Timestamp > ago(1d)
| where ActionType == "FileCreated"
| where FileName endswith ".docx" or FileName endswith ".pptx"
| parse FolderPath with DriveLetter '' *
| extend DriveLetter = tostring(DriveLetter)
)
on DeviceId, DriveLetter
| where (Timestamp - USBMountTime) between (0min .. 15min)
| summarize DistinctFilesCopied = dcount(SHA1), Events=makeset(pack("AccountName", InitiatingProcessAccountName, "Timestamp", Timestamp, "ReportId", ReportId, "FileName", FileName, "AdditionalDriveProperties", AdditionalFields)) by DeviceId, bin(Timestamp, 15m)
| where DistinctFilesCopied > 1
| mv-expand Events
| extend Timestamp = todatetime(Events.Timestamp), FileName = Events.FileName, AccountName = Events.AccountName, ReportId = tolong(Events.ReportId), AdditionalDriveProperties = Events.AdditionalDrivePropertiesAgain, you could use the “Query for Mounted Storage that isn’t approved” of Paul Bergson.
To view another report example, please refer to the Techblog article Advanced hunting updates: USB events, machine-level actions, and schema changes – Microsoft Tech Community written by Daniel Naim.
USB Control for Mac OS:
According to the Program Team of Microsoft, MEM Endpoint Protection configuration profile to manage USB drive on Mac OS will be available in the future, “It’s in the roadmap. “
Troubleshooting
You may find that USB devices that match the allowed device classes are incorrectly blocked. For example, a camera is blocked although the Multimedia class GUID {4d36e96c-e325-11ce-bfc1-08002be10318} was specified in the Allow installation of devices using drivers that match these device setup classes setting.
To fix this issue, follow these steps:
– On the Windows 10 device, open the %windir%infsetupapi.dev.log file.
– Look for Restricted installation of devices not described by policy in the file,
– Locate a line that reads Class GUID of device changed to: {GUID} within the same device install section.
In the following example, locate the line that reads Class GUID of device changed to: {36fc9e60-c465-11cf-8056-444553540000}.
– In the device configuration profile, add the class GUID to the Allow installation of devices using drivers that match these device setup classes setting.
– If the issue persists, repeat steps 1 to 3 to add the additional class GUIDs until the device can be installed.
In the example, the following class GUIDs have to be added to the device profile:
– {36fc9e60-c465-11cf-8056-444553540000}: USB Bus devices (hubs and host controllers)
– {745a17a0-74d3-11d0-b6fe-00a0c90f57da}: Human Interface Devices (HID)
– {ca3e7ab9-b4c3-4ae6-8251-579ef933890f}: Camera devices
– {6bdd1fc6-810f-11d0-bec7-08002be2092f}: Imaging devices
Once Bitlocker Encrypted the drive and you want to reuse the drive for different purpose without knowing the protected password or the bitlocker recovery password, you have to firstly, clear the write protected attribute using diskpart command as shown here:
Then, you could format USB as usual.
In some situation, diskpart command could not clear the attribute, you will get the following warning when you clean the drive:
If you try to format the USB drive by GUI in File explorer, you still get the warning:
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlStorageDevicePolicies >
WriteProtect. (DWORD),
Value: 0 (disabled)
Bitlocker Policy error and solutions
Open Event Viewer and review the following logs under Applications and Services logsMicrosoftWindows:
More detail: Guidelines for troubleshooting BitLocker – Microsoft 365 Security | Microsoft Docs
Problem | Solution |
Event ID 846, 778, and 851: Error 0x80072f9a when User encrypts drives on windows 10 version 1809
| install the May 21, 2019 update |
Error message: Conflicting Group Policy settings for recovery options
| Review your BitLocker policy configuration. |
Access denied when User try to encrypt USB drive | Run BDE Svc command to reset security descriptor of the BitLocker Drive Encryption service (BDESvc)
|
Thanks for reading.
Until next time.
Reference
Disclaimer
The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.
This article is contributed. See the original author and article here.
Dear IT Pros,
Today, we would discuss all things about USB flash drives management including access protection, Bitlocker encryption, AV security, and troubleshooting.
We should not reinvent the wheel, so we start with Paul Bergson’s excellent Tech blog article “Manage USB Devices on Windows Hosts”. Based on the related document, you could use GPO, MEM Configuration Profiles Admx (Administrative Template) to control access to USB drives for windows 10 devices. I high light the following capabilities of them:
Managing USB disk drive access by GPO:
During OS plug and play enumeration process, the vendor ID, product ID, and revision number values are obtained from the USB device descriptor and record to Windows Registry. In the vvvvpppprrrrr key,
Example:
TIP : To prevent typo error due to the long name with a lot of underscore characters, you could use registry key instead ComputerHKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumUSBSTOR
You could do the same restriction using Microsoft Endpoint Manager (MEM)– Configuration Profile Administrative Template (admx)
To Setup Configuration Profile admx for USB device:
– Sign in to the Microsoft Endpoint Manager admin center.
– Devices > Configuration profiles > Create profile.
– Select Windows 10 and later in Platform, select Administrative Templates in Profile,
– Create.
In Basics, enter a descriptive name for the profile in Name. For example, Restrict USB devices. Enter a description for the profile in Description (this setting is optional). Next.
– In Computer Configuration System Device Installation Device Installation Restriction, configure the following settings:
– In Assignments, select the device groups that will receive the profile, and then select Next.
– In Review + create, review your settings.
– When you select Create, your changes are saved and the profile is assigned.
USB Flash Drive Security
– To protect USB drive by Microsoft Defender Antivirus:
You could use the Microsoft Defender Antivirus real-time protection (RTP) to scan removable storage for malware.
An example of MEM policy for USB removable drive:
– To do Advanced Hunting for USB drives’ activities
DeviceEvents
| where Timestamp > ago(1d)
| where ActionType == "UsbDriveMount"
| project USBMountTime = Timestamp, DeviceId, AdditionalFields
| extend DriveLetter = tostring(todynamic(AdditionalFields).DriveLetter)
| join (
DeviceFileEvents
| where Timestamp > ago(1d)
| where ActionType == "FileCreated"
| where FileName endswith ".docx" or FileName endswith ".pptx"
| parse FolderPath with DriveLetter '' *
| extend DriveLetter = tostring(DriveLetter)
)
on DeviceId, DriveLetter
| where (Timestamp - USBMountTime) between (0min .. 15min)
| summarize DistinctFilesCopied = dcount(SHA1), Events=makeset(pack("AccountName", InitiatingProcessAccountName, "Timestamp", Timestamp, "ReportId", ReportId, "FileName", FileName, "AdditionalDriveProperties", AdditionalFields)) by DeviceId, bin(Timestamp, 15m)
| where DistinctFilesCopied > 1
| mv-expand Events
| extend Timestamp = todatetime(Events.Timestamp), FileName = Events.FileName, AccountName = Events.AccountName, ReportId = tolong(Events.ReportId), AdditionalDriveProperties = Events.AdditionalDriveProperties– To prevent malicious process originated from USB drive:
Choose the action : block or audit only (allow the process to be launched but report its activities to Microsoft Defender for Endpoint)
You can set attack surface reduction rules for devices that are running any of the following editions and versions of Windows:
Windows 10 Pro, version 1709 or later
Windows 10 Enterprise, version 1709 or later
Windows Server, version 1803 (Semi-Annual Channel) or later
Windows Server 2019
Supposed that you have 2 security group of users, the “USB Read only Users” and the “USB Read and Write Users” created in Azure AD. An User will have Read or Write access depended on the related group membership.
– To prevent users from writing to the USB drive (Preventing “Copy and paste” of Corporate data from other source to USB drives):
– Creating an Endpoint Manager Custom configuration profile for Windows 10 or later
Type: Custom,
OMA-URI: .Uservendormsftpolicy[config|result]Storage/RemovableDiskDenyWriteAccess
– Assign the policy to include group: “USB Read only Users”
Exclude group: “USB Read and Write Users”
More information: Policy CSP – Storage – Windows Client Management | Microsoft Docs
– If the “Removable Disks: Deny write access” group policy setting is enabled this policy (Deny write access to removable drives not protected by BitLocker) setting will be ignored.
You should use the Bitlocker Deny Write Policy Setting instead.
Create an Admx configuration profile :
Testing on Client Workstation, Windows 10:
When you plug the USB drive into system and the drive was not encrypted by bitlocker before, you will be prompt to encrypt it first before you could use the USB drive.
Then, you have to enter your secret password to protect the USB from being used by others. USB will be encrypted and ready for use.
Next time, when you plug the Bitlocker USB drive into system, you will need to unlock the drive by your secret password above.
Monitoring and Audit USB Access:
you could use the M365 Security Center and run the device control report. Records may have a 12-hour delay from the time a media connection occurs to the time the event is reflected in the report card.
In the Microsoft 365 security center by going to Reports > Device protection.
The View details button shows more media usage data in the device control report page.
Hunting USB PnP Device Events:
In SecurityCenter.windows.com, select the Advanced hunting icon
, run query for Device Events related to USB Device (plug and play – PNP device) with extended attributes:
DeviceEvents
| where ActionType == “PnpDeviceConnected“
| extend ParsedFields=parse_json(AdditionalFields)
| project ClassName=tostring(ParsedFields.ClassName), DeviceDescription=tostring(ParsedFields.DeviceDescription),
DeviceId=tostring(ParsedFields.DeviceId), VendorIds=tostring(ParsedFields.VendorIds), DeviceName
Hunting for USB drive
hunt for UsbDriveMount and the manufacturer is NOT scandisk :
DeviceEvents
| where ActionType == “UsbDriveMount“
| where tolower(tostring(todynamic(AdditionalFields).Manufacturer)) != “scandisk”
| project USBMountTime = Timestamp, DeviceId,DeviceName , DriveLetter = tolower(tostring(todynamic(AdditionalFields).DriveLetter)), ProductName = tolower(tostring(todynamic(AdditionalFields).ProductName)),Manufacturer = tolower(tostring(todynamic(AdditionalFields).Manufacturer)), SerialNumber = tolower(tostring(todynamic(AdditionalFields).SerialNumber)), AdditionalFields, Timestamp
Again, you could use the “Query for Mounted Storage that isn’t approved” of Paul Bergson.
To view another report example, please refer to the Techblog article Advanced hunting updates: USB events, machine-level actions, and schema changes – Microsoft Tech Community written by Daniel Naim.
USB Control for Mac OS:
According to the Program Team of Microsoft, MEM Endpoint Protection configuration profile to manage USB drive on Mac OS will be available in the future, “It’s in the roadmap. “
Troubleshooting
You may find that USB devices that match the allowed device classes are incorrectly blocked. For example, a camera is blocked although the Multimedia class GUID {4d36e96c-e325-11ce-bfc1-08002be10318} was specified in the Allow installation of devices using drivers that match these device setup classes setting.
To fix this issue, follow these steps:
In the following example, locate the line that reads Class GUID of device changed to: {36fc9e60-c465-11cf-8056-444553540000}.
>>> [Device Install (Hardware initiated) – USBVID_046D&PID_C5345&bd89ed7&0&2]
>>> Section start 2020/01/20 17:26:03.547
dvi: {Build Driver List} 17:26:03.597
…
dvi: {Build Driver List – exit(0x00000000)} 17:26:03.645
dvi: {DIF_SELECTBESTCOMPATDRV} 17:26:03.647
dvi: Default installer: Enter 17:26:03.647
dvi: {Select Best Driver}
dvi: Class GUID of device changed to: {36fc9e60-c465-11cf-8056-444553540000}.
dvi: Selected Driver:
dvi: Description – USB Composite Device
dvi: InfFile – c:windowssystem32driverstorefilerepositoryusb.inf_amd64_9646056539e4be37usb.inf
dvi: Section - Composite.Dev
dvi: {Select Best Driver – exit(0x00000000)}
dvi: Default installer: Exit
dvi: {DIF_SELECTBESTCOMPATDRV – exit(0x00000000)} 17:26:03.664
dvi: {Core Device Install} 17:26:03.666
dvi: {Install Device – USBVID_046D&PID_C5345&BD89ED7&0&2} 17:26:03.667
dvi: Device Status: 0x01806400, Problem: 0x1 (0xc0000361)
dvi: Parent device: USBROOT_HUB304&278ca476&0&0
!!! pol: The device is explicitly restricted by the following policy settings:
!!! pol: [-] Restricted installation of devices not described by policy
!!! pol: {Device installation policy check [USBVID_046D&PID_C5345&BD89ED7&0&2] exit(0xe0000248)}
!!! dvi: Installation of device is blocked by policy!
! dvi: Queueing up error report for device install failure.
dvi: {Install Device – exit(0xe0000248)} 17:26:03.692
dvi: {Core Device Install – exit(0xe0000248)} 17:26:03.694
<<< Section end 2020/01/20 17:26:03.697
<<< [Exit status: FAILURE(0xe0000248)]
In the example, the following class GUIDs have to be added to the device profile:
Once Bitlocker Encrypted the drive and you want to reuse the drive for different purpose without knowing the protected password or the bitlocker recovery password, you have to firstly, clear the write protected attribute using diskpart command as shown here:
Then, you could format USB as usual.
In some situation, diskpart command could not clear the attribute, you will get the following warning when you clean the drive:
If you try to format the USB drive by GUI in File explorer, you still get the warning:
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlStorageDevicePolicies >
WriteProtect. (DWORD),
Value: 0 (disabled)
Open Event Viewer and review the following logs under Applications and Services logsMicrosoftWindows:
More detail: Guidelines for troubleshooting BitLocker – Microsoft 365 Security | Microsoft Docs
Problem | Solution |
Event ID 846, 778, and 851: Error 0x80072f9a when User encrypts drives on windows 10 version 1809
| install the May 21, 2019 update |
Error message: Conflicting Group Policy settings for recovery options
| Review your BitLocker policy configuration. |
Access denied when User try to encrypt USB drive | Run BDE Svc command to reset security descriptor of the BitLocker Drive Encryption service (BDESvc)
|
Thanks for reading.
Until next time.
Reference
Disclaimer
The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.
Recent Comments