Did You Know? Tips for Word – HLS Show Me How


This article is contributed. See the original author and article here.

Microsoft Office is made for the Modern Workplace, delivering cutting-edge productivity capabilities that are updated, and added to, on a regular basis. Not a customer meeting goes by where I show some of the new features and hear “I didn’t know it could do that!”

In this HLS Show Me How I walk through a number of gems in Microsoft Word that everyone should take a look at. These include:

  • Add Files From
  • Researcher
  • Ink to Shape
  • Dictate
  • Inspect Doc
  • Check Accessibility
  • Transform
  • Translate
  • Read Aloud

These gems only scratch the surface and make clear that this isn’t the Word of days gone by. After watching the video, check out the resources below to get additional insight, and training, on leveraging the power of Microsoft Word.

Resources:

Thanks for visiting – Michael Gannotti

Planning for Social Distancing in the Workplace with Microsoft Visio


We are living through an extraordinary period in our history where we need to re-evaluate many aspects of our lives, including how we can safely co-exist within common workspaces. There are many technological innovations appearing from Microsoft and others to assist in these adjustments to our daily lives.

The Microsoft Visio desktop app, which includes Visio Plan 2, has templates for creating office and workplace diagrams to scale, and has the ability to embed CAD diagrams too (see Create a Floor Plan for more information, and Featured Visio templates and diagrams). Indeed, many Visio users have been doing this for many years, but now the world faces the challenge of preparing these workplaces for a new normal where social distancing is required. Most countries in the world have implemented guidelines and laws about social distancing in order to prevent the spread of communicable disease, such as COVID-19, through society. These guidelines may vary on the distance and units used (metres or feet), and so Microsoft have now released a new stencil of symbols, fill and line patterns to make the re-planning of workplaces easier, or simply to check whether existing layouts are compliant.

There are possibly two main approaches to providing social distancing in the workplaces:

  1. Re-plan the workstation layout
  2. Reduce the occupancy by blocking off alternate, or so, workstations

It will probably require a one-way system to be denoted for walking around the workplace, and this may include designating lifts for access only, and staircases for egress. It may also be necessary to place screens between or alongside workstations to provide greater isolation. Additionally, it may be necessary to restrict entry to restrooms, and to reduce their capacity accordingly. There will also be a need to provide multiple stations where hand sanitizer is available.

Working shifts could be introduced to reduce occupancy, and staggered start and finish times to reduce the flow at entrances and exits. It will be necessary to add signage and floor markings to remind staff of the safe distances to keep to and the direction to walk in.

Microsoft Visio is a perfect application for planning workplaces, and the new Workplace Social Distancing stencils make it easy to analyze, review and plan for the new guidelines.

Visio diagrams that are stored in OneDrive or SharePoint Online can then be viewed within a web page, using the Microsoft Online Viewer (see See any Visio Diagram for free), or within a Power BI report (see Org Chart and Floor Plan). In the case of the viewer, there is also a JavaScript API that can be utilized to enhance the experience.

The Visio desktop app has a layering feature that enables shapes on layers to have a color assigned to them, and one great use of this is to reduce most of the diagram to gray-scale so that the important features are easier to understand.

 

[Figure: Desk layout in color]

[Figure: Gray-scale applied to most layers]

This feature is particularly useful when using Power BI to color code visual elements automatically, such as the shift times for each workstation.

[Figure: Display workplaces and shifts in Power BI]

The layer settings in Visio can be manipulated manually each time a new view is required, or they can be automated with a third-party add-in such as LayerManager from bVisual.

[Figure: Managing layers in Visio desktop]

The Workplace Social Distancing Stencils

There are two almost identical stencils with the same title, Workplace Social Distancing, so that users of either US Units or Metric Units are accommodated:

They should be placed into the My Shapes folder directly, or within a sub-folder, and preferably renamed tf45259688.vssx to WRKSOCDIST_U.vssx, and tf45492185.vssx to WRKSOCDIST_M.vssx. (Oh, the wonders of the web!)

The stencils contain a number of Masters, a Fill Pattern and Line Patterns to assist with the task of re-planning workplaces to satisfy social distancing guidelines. The scaled Line Patterns are provided in three different sizes because various countries and states have different distance requirements.

 

[Figure: The Masters]

[Figure: US Units Fill Pattern and Line Patterns]

[Figure: Metric Fill Pattern and Line Patterns]

Masters

Dimensions

Both of these shapes are on the Social Distancing Dimensions layer by default, and they can be formatted to suit.

Distancing Circle

The Distancing Circle shape can be dragged and dropped to the center of the position to check the exclusion zone. The shape can then be re-sized manually or by typing a value in the Width or Height row of the Size & Position window. The aspect ratio of the shape is locked so it does not matter which row the value is entered into, because the other will be kept synchronized.

Position centered over target position

 

[Figure: Distancing Circle Step 1]

Set the diameter, optionally Lock Size and Hide Text using the Shape Data window or right-mouse action menu.

 

[Figure: Distancing Circle Step 2]

Edit Dash Type to suit, duplicate as required, and Send to Back.

 

[Figure: Distancing Circle Step 3]

 

Distancing Arrow

The Distancing Arrow shape can be dragged and dropped to show the distance between items. The shape can then be re-sized manually or by typing a value in the Length row of the Size & Position window.

 

Drag and drop, and set the Length

 


Rotate and edit Fill Color as required, and optionally Lock Size using the Shape Data window or right-mouse action menu.

 


 

Barrier Screens

These shapes are on the Furniture and Non-Moveable Furnishings layers, and are used to provide a physical barrier where the full specified social distance is not possible.

Screen

This is a simple straight barrier, which could be solid or transparent.

Use Screen shapes to specify where extra barriers should be installed.

[Figure: Add screens as a barrier]

 

Curved Screen

Similar to Screen but curved.

Symbols

These shapes are on the Social Distancing layer by default, and can be formatted to suit requirements.

The Fill Foreground, Fill Background and Line Color of these symbols can all be modified with the Format Shape panel.

 

Use Format Shape panel rather than Ribbon buttons

 

[Figure: Formatted symbols]

 

  • Direction Arrow
  • Feet Stop
  • Feet Walk
  • Keep Apart
  • Sanitizer Station
  • Escape Route
  • Disposal Station
  • Wear Glove

The symbols are placed, re-sized, rotated and colored to suit.

 

[Figure: Formatted symbols]

 

Pattern Help

This shape contains some instructions for using the custom fill and line patterns.

Fill Patterns

  • Diagonal Stripes

Use Format Shape to select the Diagonal Stripe Pattern fill, then edit the Foreground and Background colors to suit.

Diagonal Stripes provides wider striping than the built in patterns.

 


 

Line Patterns

There are both unscaled and scaled custom Line Patterns to assist in demarking social distancing markings and instructions.

Unscaled

These patterns provide two-colored Banded or Striped lines.

 

  • [Blue | Cyan | Green | Magenta | Red | Yellow] Banded Line
  • [Blue | Cyan | Green | Magenta | Red | Yellow] Striped Line

 

Use Format Shape / Solid Line to select a colored Banded or Striped Line Dash Type, then Line / Color to select the second color.

 


 

Scaled

These Line Patterns can be used to mark out the spacing, and the direction in two cases, of movement. These patterns work best with straight lines, and with lines that are an exact multiple of the spacing.

  • Keep [3’/1m | 4’6”/1.5m | 6’/2m] Apart Arrows
  • Keep [3’/1m | 4’6”/1.5m | 6’/2m] Apart Feet
  • Keep [3’/1m | 4’6”/1.5m | 6’/2m] Apart Lines

Use Format Shape / Solid Line to select a Keep x Apart Arrows, Feet or Lines Dash Type, then Line / Color to select the color.

 


Example

Master shapes like Arc – graphical on the Drawing Tool Shapes stencil can be useful to define floor markings that need to be taped, using the appropriate unscaled custom colored line pattern. The scaled custom line patterns define the spacing of floor taping or mats to be added. The appropriately colored symbol shapes define where stickers, mats, posters or similar need to be placed.

The Layer Properties dialog can be used to recede the shapes on the Social Distancing Dimensions layer, or to make them invisible.

 

[Figure: Social Distancing Dimensions receded]

[Figure: Adjusted layout with social distancing markings]

 

There are two almost identical templates with the same title, Workplace Planning with Social Distancing, so that users of either US Units or Metric Units are accommodated:

They should be placed into the Custom Office Templates folder, or similar, and preferably renamed tf33393545.vstx to Workplace Planning with Social Distancing (US Units).vstx, and tf12087500.vstx to Workplace Planning with Social Distancing (Metric).vssx. (Still, the wonders of the web!)

 

We’d love to hear back from you! Leave a comment below with your experiences, questions, or suggestions. You can also submit ideas for future feature releases on our UserVoice site. Email us at tellvisio@microsoft.com for more detailed questions, and follow us on Facebook and Twitter to stay current on the latest releases.

 

Written by David Parker, a Visio developer since 1996, and an MVP for the past 16 years, and writer of a Visio blog at blog.bvisual.net. In a prior life, he was an architect and space planner.

 

Accelerate your Azure Sentinel Deployment with this Azure DevOps Boards Template


This installment is part of a broader series to keep you up to date with the latest enhancements to the Azure Sentinel Devops template.

 

This blog is a collaboration between @Cristhofer Munoz  & @Matt_Lowe.

 

Introduction

 

Threats are evolving just as quickly as data-volume growth, with bad actors exploiting every possibility and technique to gain access to the corporate network. At the same time, the risk surface has widened as companies shift to hybrid-cloud environments, adopt DevOps and Internet of Things (IoT) technologies, and expand their remote workforces.

 

Amid this landscape, organizations require a bird’s-eye view of security posture across the enterprise, hence a security information and event management (SIEM) system is a critical element.

Frankly, deploying a SIEM is not a trivial task. Organizations struggle with the number of tasks involved in adopting a SIEM because they lack an agile methodology to plan, execute, validate its initial success, and deploy into production.

 

To help alleviate this challenge, we’ve developed an Azure Sentinel DevOps Board Template which serves as a blueprint to understand the tasks and activities to deploy Azure Sentinel following recommended practices. By leveraging the Azure Sentinel DevOps Boards, you can quickly start tracking user stories, backlog items, tasks, features, and bugs associated with your Azure Sentinel deployment. The Azure Sentinel DevOps Board is not a static template; it can be modified to reflect your distinctive needs. You will have the ability to quickly add and update the status of work using the Kanban board. You can also assign work to team members and tag with labels to support queries and filtering.

 

For additional information on Azure Boards, please refer to the public documentation.

 

In this template we provide prescriptive guidance for the following Azure Sentinel use cases:

 

  1. Define Use Cases
  2. Get Started with Azure Sentinel | Tutorials
  3. Onboard Azure Sentinel | Prerequisites
  4. Azure Sentinel Architecture
  5. Setup Azure Sentinel
  6. Data Collection
  7. Visualize your security data with Workbooks
  8. Enabling Analytics
  9. Respond to threats
  10. Proactive threat hunting
  11. Advanced Topics

 


 

 

Getting Access | Azure DevOps Generator

 

The purpose of this initiative is to simplify the process and provide tactical guidance to deploy Azure Sentinel by providing an Azure Sentinel DevOps board template that provides the prescriptive guidance you need to get going with your deployment. To populate the Azure Sentinel board, we utilized the Azure DevOps Demo generator service to create pre-populated content. 

 

To get started:

 

1. Browse to the Azure DevOps Demo Generator site by selecting the link, or copy https://azuredevopsdemogenerator.azurewebsites.net/ into your browser’s URL field.

 

2. Click Sign In and provide the Microsoft or Azure AD account credentials associated with an organization in Azure DevOps Services. If you don’t have an organization, click on Get Started for Free to create one and then log in with your credentials.

 

3. After signing in, you will arrive at the “Create New Project” page.

 

 


 

 

4. Provide a name for your project (such as “AzSentinelDeployment”) that you and other contributors can use to identify the project.

 

5. Next, select the organization you will use to host the project created by the Azure DevOps Demo Generator. (You may have multiple accounts of which you are a member, and which are associated with your login, so choose carefully.)

6. Lastly, select the demo project template you want to provision by clicking the Choose Template button.

 

7. A new pane will populate, providing you the ability to select a pre-populated template. Click on the Azure Community tab; there you will find the Azure Sentinel Devops template.

 

8. Select the Azure Sentinel Devops template and create the project. Your project may take a couple of minutes for the Demo Generator to provision. When it completes, you will be provided with a link to the demo project.

 


 

9. Select the link to go to the new demo Azure DevOps Services project and confirm it was successfully provisioned. You should arrive at the following page:

 


 

 

10. To access the Azure Sentinel backlog where you will find the features, user stories, and tasks to deploy Azure Sentinel, hover over Boards, and select Backlogs. Make sure that you are viewing the Features hierarchy. The backlog page will be the main page you will visit to consume the recommended practices and detailed steps to deploy Azure Sentinel.

 

 

Adding Team Members 

 

1. Open your project, and then select Project settings > Teams. Then, select your project.

 


 

2. Select Add to invite members to your project.

 

 


 

3. Add users or groups, and then choose Save.

 


 

Enter the email addresses of the new users, separated by semicolons, or enter the display names of existing users. Add them one at a time or all at once.

 

How to Use

 

The template is comprised of features, user stories, and tasks providing guidance and recommended practices for your Azure Sentinel deployment. The template should help your team to discuss, agree on acceptance criteria, delegate ownership, create iterations, track the progress and efficiently deploy Azure Sentinel.

 

Note: Please remember that the template is not static; it can be modified to reflect your distinctive needs. You have the ability to add your own features, user stories, and tasks to reflect your custom use cases.

 

In this template we provide prescriptive guidance for the following Azure Sentinel use cases:

 

  1. Define Use Cases
  2. Get Started with Azure Sentinel | Tutorials
  3. Onboard Azure Sentinel | Prerequisites
  4. Azure Sentinel Architecture
  5. Setup Azure Sentinel
  6. Data Collection
  7. Visualize your security data with Workbooks
  8. Enabling Analytics
  9. Respond to threats
  10. Proactive threat hunting
  11. Advanced Topics

 

The use cases above are listed as Features, comprised of user stories and tasks providing detailed steps to satisfy the use case. The user stories and tasks are nested within each feature. Each task under the user stories includes important information such as links to public documentation, blogs, and webinars that provide you the necessary information to complete the task.

 

In total, there are 11 features that have been listed above. Features 1 through 4 cover any initial steps and pre-requisites for preparing your Azure Sentinel deployment. Features 5 through 11 cover the actual steps for setting up and exploring features with Azure Sentinel.

 

Feature 1: Define Use Cases

 

Defining use cases is the most important step for this entire process. There must be a need and use when pursuing the deployment of a product. To provide some ideas or guidance, Gartner has created an article that covers how to determine and build great use cases when deploying a SIEM.

 

Feature 2: Get Started with Azure Sentinel | Tutorials

 

To help introduce and prepare you for the deployment of Azure Sentinel, this feature includes the well put together Azure Sentinel Ninja Training with additional Kusto training to assist. This training is to help introduce the concepts and features of the product with materials to help educate and prepare your users for day to day usage of Azure Sentinel.

 

Feature 3: Onboard Azure Sentinel | Prerequisites

 

It is important to identify and understand what the prerequisites are for deploying and using Azure Sentinel. To assist with this, this feature in the template provides a list of prerequisites as well as any associated documents that provide additional information that will help with addressing them.

 

Feature 4: Azure Sentinel Architecture

 

The design of a SIEM is as important as the SIEM itself. When deploying, it is essential to anticipate design, architecture, and best practices. To provide some guidance and advice, a blog that covers the best practices for implementing Azure Sentinel and Azure Security Center is included.

 

Along with the best practices for implementing Azure Sentinel, it is essential to understand the costs associated with using the product. Azure Sentinel as a service is mostly free but it is important to understand where the costs are coming from and how you can project costs when reviewing data ingestion options and volume. The Azure Calculator is an invaluable tool that assists with this process and can provide insight into how much it will cost to ingest data that is not free.

 

Feature 5: Setup Azure Sentinel

 

The use cases have been determined. The learning material has been reviewed. The prerequisites are understood. The architecture is set and the costs are projected. It is time to begin to take action and deploy the resources to set up Azure Sentinel. As covered in the Ninja training, Azure Sentinel is built on top of the Azure Log Analytics service. This service will serve as the main point for ingestion and log retention. The Azure Log Analytics is where one will collect, process, and store data at cloud scale. For reference, documentation for creating a new workspace is listed in this feature. Once the workspace is ready to go, it is time to onboard it to Azure Sentinel. The documentation for onboarding the workspace is also included in the feature.

 

Once the service is set up, it is time to determine the permissions that are needed for the users that will be using it. Azure Sentinel has 3 different roles backed by Azure role-based access control (Azure RBAC) to provide built-in roles that can be assigned to users, groups, and services in Azure. The document with the roles is listed in the feature. Additionally, permissions can be assigned on the table level for data in order to prevent users from seeing certain data types if desired. 

 

Feature 6: Data Collection

 

Data ingestion is the oxygen of Azure Sentinel. Azure Sentinel improves the ability to collect and use data from a variety of sources to unblock customer deployments and unlock full SIEM value.

Setting up data collection begins not only the data ingestion, but also the machine learning capabilities of Azure Sentinel. When exploring the dozens of connectors that are available out of the box, we recommend enabling the Microsoft security data connectors first. Once first-party connectors are chosen, it is time to explore the third-party connectors. Each connector listed in this feature includes a description and a reference to the associated document.

 


 

Feature 7: Visualize your security data with Workbooks

 

Once data begins to be ingested, it is time to visualize the data to monitor trends, identify anomalies, and present useful information within Azure Workbooks. Out of the box, there are dozens of built-in Workbooks to choose from as well as several from the Azure Sentinel GitHub community page. Within the feature for Workbooks are a few sample Workbooks to consider. Not every data source or connector will have a Workbook but there are quite a few that can be useful.

 

Feature 8: Enabling Analytics

 

One of the main features of Sentinel is its ability to detect malicious or suspicious behaviors based on the MITRE ATT&CK framework. Out of the box, there are over 100 different detections built in that were made by Microsoft Security Professionals. These are simple to deploy and the feature in the template provides documentation for deploying the template detection rules, as well as the document for creating your own custom detection rules.
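
A custom detection of the kind this feature refers to, as an added example that is not part of the original article or the template: a scheduled-rule query for password-spray activity (MITRE ATT&CK T1110, Brute Force) that also flags sources which went on to sign in successfully. It assumes the Azure Active Directory data connector is enabled so the SigninLogs table is populated; the thresholds and variable names are illustrative assumptions.

```kql
// Added example: password-spray detection for a scheduled analytics rule.
// Assumption: SigninLogs is populated by the Azure Active Directory connector.
// Assumption: thresholds below are starting points; tune them to your baseline.
let lookback = 1h;
let failureThreshold = 20;   // failed sign-ins from one source IP per 10-minute window
let userThreshold = 5;       // distinct accounts targeted from that IP in the same window
// Step 1: source IPs producing many bad-password failures across many accounts.
let sprayingSources =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "50126"          // invalid username or password
    | summarize
        FailedAttempts = count(),
        TargetedUsers  = dcount(UserPrincipalName),
        SampleTargets  = make_set(UserPrincipalName, 10),
        FirstSeen      = min(TimeGenerated),
        LastSeen       = max(TimeGenerated)
        by IPAddress, bin(TimeGenerated, 10m)
    | where FailedAttempts >= failureThreshold and TargetedUsers >= userThreshold;
// Step 2: successful sign-ins from any source IP in the same lookback period.
let successfulSignIns =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"              // success
    | summarize SuccessfulUsers = make_set(UserPrincipalName, 10) by IPAddress;
// Step 3: keep every spraying source; SuccessfulUsers is empty when none succeeded,
// so analysts can prioritise the rows where it is populated.
sprayingSources
| join kind=leftouter successfulSignIns on IPAddress
| project FirstSeen, LastSeen, IPAddress, FailedAttempts, TargetedUsers,
          SampleTargets, SuccessfulUsers
| order by FailedAttempts desc
```

When saved as a scheduled rule, IPAddress is a natural entity to map so that related incidents group by source.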

 

Feature 9: Respond to threats

 

To complement its SIEM capabilities, Azure Sentinel also has SOAR capabilities. This feature contains helpful documents for setting up Playbooks for automated response, deploying Playbooks from the GitHub repository, and integrating ticket management services via Playbooks.

 

Feature 10: Proactive threat hunting

 

To go along with the reactive features, Azure Sentinel also provides proactive capabilities that give you the ability to search, review, and respond to undetected or potentially malicious activities that may indicate a sign of intrusion or compromise. Azure Sentinel offers dozens of out-of-the-box hunting queries that identify potentially exploitable or exploited areas and activities within your environment. This feature within the template provides links and information to ignite your proactive threat hunting journey with out-of-the-box threat hunting queries, bookmarks, Azure Notebooks, and livestream.

 

Feature 11: Advanced Topics

 

If desired, Azure Sentinel can be deployed and managed as code. To help provide context and guidance, this feature within the template includes a blog post that covers how one can deploy and manage Azure Sentinel as code.

 

Assign work items to a team member

 

You can only assign a work item to one person at a time. The Assigned To field is a person-name field designed to hold a user identity recognizable by the system. Within the work item form, choose the Assigned To field to select a project member. Or, you can begin typing the name of a project member to quickly focus your search to a select few.

 

 

Tracking Progress with Boards

 

Azure DevOps utilizes a progress tracking approach that is similar to Agile project management. Boards lists each task, the state of progress, and the individuals that are assigned to the tasks. As the tasks are worked on, they will move within the Board until they are closed. The tasks can also be clicked and dragged around the Board as desired. This will provide you a blueprint for understanding the completed and outstanding tasks for your Azure Sentinel deployment.

 

What’s Next

 

The current version of the Azure Devops Board template provides you the blueprint to understand the tasks and recommended practices to onboard to Azure Sentinel. The next iteration will incorporate a CI/CD pipeline that will enhance and automate the tasks/phases covered in the Azure Devops Board template. The CI/CD pipeline will automate your Azure Sentinel deployment so you spend less time with the nuts and bolts and more time securing your environment.

 

Get started today!

 

Supercharge your cloud SIEM today!

 

We encourage you to leverage the Azure Sentinel Devops Board template to accelerate your Azure Sentinel deployment following recommended practices.

 

Try it out, and let us know what you think!

 
Preparing devices for Back-To-School in a Remote Learning World: Part 1


By: Chris Urban | PM- Intune for Education, Ele Ocholi | PM- Intune for Education & Scott Breen | PM- Intune for Education 

 

Hi, it’s Chris Urban (Atlanta, USA), Ele Ocholi (London, UK) and Scott Breen (Brisbane, Australia) from the Intune for Education team. Thanks for joining us on our series of posts about preparing for Back-to-School! Since we’re on a team which works with school districts and institutions around the world, we’d like to share a few frequently asked questions and answers our customers have about device management in an educational setting as well as a few of the lessons learned as we all navigate Back-to-School 2020.

 

Preparing for a new school year is always a lot of work. For most of you, one of your tasks involves readying devices, whether they be new or existing as well as one-to-one or shared. With COVID-19, this year brings a significant set of new challenges. Some schools will return to in-person classes, others must embrace complete remote learning, and some are combining both approaches. We’ve learnt the best approach to these scenarios is flexibility and having a solution that allows you to pivot as your circumstances change.

 

We’re all working with customers to support their management and distribution processes of devices, all in order to empower educators and to give students engaging ways to learn.

 

Our experience with customers pivoting to remote learning has taught us that some of the biggest challenges have been:

  • Distributing devices safely and quickly
  • Repurposing existing shared devices to distribute to students, shifting to a 1:1 model
  • Lack of management when devices are disconnected from school network when using on-premises management
  • Password mismatch on domain-joined devices after a password change when logging on with cached credentials
  • Insufficient capacity for Virtual Private Network (VPN)
  • Windows Activation for Windows 10 devices that rely on an on-premises Key Management Service (KMS)
  • Connectivity to on-premises resources (without a VPN)
  • Internet access

 

Your solutions to these problems may vary depending on your situation, but we thought we would start off with the Top 5 things you can do to prepare for device management for remote learning using Intune for Education and Microsoft Endpoint Manager:

 

1.      Get your devices managed

 

  • For new PCs or those moving to Azure Active Directory:
  • For existing computers connected to Active Directory or Configuration Manager:
    • For devices joined to Active Directory:
      1. Get your devices hybrid Azure AD joined.
      2. Enroll in Intune using Group Policy.
    • For customers with Configuration Manager:
      • Configure co-management so you can use Intune to manage devices while they aren’t connected to the school network, and/or;
      • Configure a cloud management gateway so you can continue to approve software updates, deploy software and retrieve inventory from devices that are not connected to the school network.
    • For iPadOS devices, set up device management for Apple School Manager devices and enroll.

 

2.      Re-purpose existing devices

 

A key scenario we’ve seen is schools repurposing devices previously used as shared devices for use in a 1:1 scenario. If you previously used Set Up School PCs, you might have configured the device for Shared PC mode which prevents the student from performing certain actions like configuring OneDrive or keeping files locally.

 

For these devices you could choose to:

  • Reset the PC and use a new provisioning package that is catered more to 1:1 usage.
  • Configure user-driven Autopilot, reset the PC and have the student log on during the Out-of-Box Experience.
  • Leave the devices configured as a shared device and distribute to students.

 

3.      Configure settings for the devices

 

Intune for Education allows a device administrator to manage features on devices and define how your users can work with their devices. These Windows and iOS/iPadOS settings can be assigned to a user and/or a device through the use of Azure Active Directory groups.

  • When assigned to users in a group, the settings will follow the user no matter what device they are using.
  • When assigned to devices in a group, the settings will apply to the device no matter who signs into the device.

 

Examples of settings which are common in school districts we’ve worked with include:

  • Accounts and sign-in: Configure preferred Azure Active Directory tenant domain – targeting devices using this setting, students no longer need to type in “user@school.edu” but type in just “user”. This reduces keystrokes and mistakes, allowing students to log in quickly.
  • Apps: for Windows devices, block access to administrative apps – when targeting non-administrator accounts, this will prevent users from running the Command Prompt, PowerShell and Registry Tools.
  • Power and sleep: when targeting devices, this configures turning off device display, putting device to sleep, putting device in hibernation as well as blocking users from changing the administrative settings.

 

Intune for Education is a curated experience of the settings which have been requested from institutions around the world. It has Express configuration, which is a quick way to enable the recommended common settings on a device. With that being said, the Microsoft Endpoint Manager admin center has additional built-in settings, as well as the ability to create custom settings.

 

4.      Deploy and Manage Apps, Microsoft Office, and Microsoft Edge

 

As outlined above, apps are deployed via group assignment. If an app is assigned to a user group, the app will not start the evaluation, downloading and installation until after the user logs in, so the app may not be available for a user to interact with immediately  Depending on your needs, you may choose to target apps to device groups rather than user groups.  Also consider the size of the app as well as potential connectivity the end user may or may not have. This will affect installation times. Another way to speed up deployments is to assign the core items that all users need to the “All devices” group.

 

 

Intune for Education supports deploying and managing these types of apps:

  • Microsoft Office and Microsoft Edge desktop apps
  • Microsoft Store apps
  • Web apps
  • Windows desktop apps (.msi)
  • iOS VPP and Store apps

 

If you have additional app or platform needs, the Microsoft Endpoint Manager admin center includes Android store apps, managed Google Play apps, macOS, Microsoft Edge, Defender ATP (macOS) as well as Win32 apps (.exe). If there is a need to install apps in a certain order, Intune offers the ability to set up app dependencies.

 

5.      Distribute your devices

 

With our larger device deployments, some lessons were:

  • Deployment times should include disinfecting the device and associated peripherals.
  • If possible, your plan should include distributing from multiple sites. This allows for granular contact tracing logs as well as redundancy if one site gets closed due to infection.
  • Multiple sites allow for less traffic into a single, physical distribution site.

 

Looking for more info?

 

Microsoft has a lot of detailed sets of documentation on the Microsoft Docs page; our goal is to pull together sets of documentation so you have a single jump off point into those various areas.

The first area we would like to introduce on that page is the Microsoft Education area. In the IT Admins area of that microsite, we break down a workflow of steps grouped into phases. Our main focus, initially, will be in Phase 2 – Device Management.  (See image below for site navigation.)

 

 

phase2.gif

 

As we’ve engaged with customers around the world, it’s driven us to these Top 5 lessons learned.

Additional guidance has been published for M365 EDU deployment during COVID-19 which revolves around remote learning and Microsoft Teams.

 

If you are new to device management with Microsoft Endpoint Manager and Intune, we won’t be covering the fundamentals here but please start by checking out how to get started with Intune for Education.

 

Many of you may work with a partner or vendor for handling your IT needs. If your vendor needs to be introduced to Intune for Education and learn more, there’s a great set of intro videos online created by Joe from our team on the Intune Partner channel here.

 

We’re going to go technically deeper into the topics mentioned in the Top 5 and more so join us for our next post on enrolling Windows devices with provisioning packages and/or Set Up School PCs in the next few days.

 

Preparing devices for Back-To-School in a Remote Learning World: Part 1

This article is contributed. See the original author and article here.

By: Chris Urban | PM- Intune for Education, Ele Ocholi | PM- Intune for Education & Scott Breen | PM- Intune for Education 

 

Hi, it’s Chris Urban (Atlanta, USA), Ele Ocholi (London, UK) and Scott Breen (Brisbane, Australia) from the Intune for Education team. Thanks for joining us on our series of posts about preparing for Back-to-School! Since we’re on a team which works with school districts and institutions around the world, we’d like to share a few frequently asked questions and answers our customers have about device management in an educational setting as well as a few of the lessons learned as we all navigate Back-to-School 2020.

 

Preparing for a new school year is always a lot of work. For most of you, one of your tasks involves readying devices, whether they be new or existing as well as one-to-one or shared. With COVID-19, this year brings a significant set of new challenges. Some schools will return to in-person classes, others must embrace complete remote learning, and some are combining both approaches. We’ve learnt the best approach to these scenarios is flexibility and having a solution that allows you to pivot as your circumstances change.

 

We’re all working with customers to support their device management and distribution processes, all in order to empower educators and to give students engaging ways to learn.

 

Our experience with customers pivoting to remote learning has taught us that some of the biggest challenges have been:

  • Distributing devices safely and quickly
  • Repurposing existing shared devices to distribute to students, shifting to a 1:1 model
  • Lack of management when devices are disconnected from the school network when using on-premises management
  • Password mismatch on domain-joined devices after a password change when logging on with cached credentials
  • Insufficient capacity for Virtual Private Network (VPN)
  • Windows Activation for Windows 10 devices that rely on an on-premises Key Management Service (KMS)
  • Connectivity to on-premises resources (without a VPN)
  • Internet access

 

Your solutions to these problems may vary depending on your situation, but we thought we would start off with the Top 5 things you can do to prepare for device management for remote learning using Intune for Education and Microsoft Endpoint Manager:

 

1.      Get your devices managed

 

  • For new PCs or those moving to Azure Active Directory:
  • For existing computers connected to Active Directory or Configuration Manager:
    • For devices joined to Active Directory:
      1. Get your devices hybrid Azure AD joined.
      2. Enroll in Intune using Group Policy.
    • For customers with Configuration Manager:
      • Configure co-management so you can use Intune to manage devices while they aren’t connected to the school network, and/or;
      • Configure a cloud management gateway so you can continue to approve software updates, deploy software and retrieve inventory from devices that are not connected to the school network.
  • For iPadOS devices, set up device management for Apple School Manager devices and enroll.

 

2.      Re-purpose existing devices

 

A key scenario we’ve seen is schools repurposing devices previously used as shared devices for use in a 1:1 scenario. If you previously used Set Up School PCs, you might have configured the device for Shared PC mode which prevents the student from performing certain actions like configuring OneDrive or keeping files locally.

 

For these devices you could choose to:

  • Reset the PC and use a new provisioning package that is catered more to 1:1 usage.
  • Configure user-driven Autopilot, reset the PC and have the student log on during the Out-of-Box Experience.
  • Leave the devices configured as a shared device and distribute to students.

 

3.      Configure settings for the devices

 

Intune for Education allows a device administrator to manage features on devices and define how your users can work with their devices. These Windows and iOS/iPadOS settings can be assigned to a user and/or a device through the use of Azure Active Directory groups.

  • When assigned to users in a group, the settings will follow the user no matter what device they are using.
  • When assigned to devices in a group, the settings will apply to the device no matter who signs into the device.

 

Examples of settings which are common in school districts we’ve worked with include:

  • Accounts and sign-in: Configure preferred Azure Active Directory tenant domain – targeting devices using this setting, students no longer need to type in “user@school.edu” but type in just “user”. This reduces keystrokes and mistakes, allowing students to log in quickly.
  • Apps: for Windows devices, block access to administrative apps – when targeting non-administrator accounts, this will prevent users from running the Command Prompt, PowerShell and Registry Tools.
  • Power and sleep: when targeting devices, this configures turning off device display, putting device to sleep, putting device in hibernation as well as blocking users from changing the administrative settings.

 

Intune for Education is a curated experience of the settings which have been requested from institutions around the world. It has Express configuration, which is a quick way to enable the recommended common settings on a device. With that being said, the Microsoft Endpoint Manager admin center has additional built-in settings, as well as the ability to create custom settings.

 

4.      Deploy and Manage Apps, Microsoft Office, and Microsoft Edge

 

As outlined above, apps are deployed via group assignment. If an app is assigned to a user group, the app will not start the evaluation, downloading and installation until after the user logs in, so the app may not be available for a user to interact with immediately. Depending on your needs, you may choose to target apps to device groups rather than user groups. Also consider the size of the app as well as the connectivity the end user may or may not have. This will affect installation times. Another way to speed up deployments is to assign the core items that all users need to the “All devices” group.

 

 

Intune for Education supports deploying and managing these types of apps:

  • Microsoft Office and Microsoft Edge desktop apps
  • Microsoft Store apps
  • Web apps
  • Windows desktop apps (.msi)
  • iOS VPP and Store apps

 

If you have additional app or platform needs, the Microsoft Endpoint Manager admin center includes Android store apps, managed Google Play apps, macOS, Microsoft Edge, Defender ATP (macOS) as well as Win32 apps (.exe). If there is a need to install apps in a certain order, Intune offers the ability to set up app dependencies.

 

5.      Distribute your devices

 

With our larger device deployments, some lessons were:

  • Deployment times should include disinfecting the device and associated peripherals.
  • If possible, your plan should include distributing from multiple sites. This allows for granular contact tracing logs as well as redundancy if one site gets closed due to infection.
  • Multiple sites allow for less traffic into a single, physical distribution site.

 

Looking for more info?

 

Microsoft has a lot of detailed sets of documentation on the Microsoft Docs page; our goal is to pull together sets of documentation so you have a single jump off point into those various areas.

The first area we would like to introduce on that page is the Microsoft Education area. In the IT Admins area of that microsite, we break down a workflow of steps grouped into phases. Our main focus, initially, will be in Phase 2 – Device Management.  (See image below for site navigation.)

 

 

phase2.gif

 

 

As we’ve engaged with customers around the world, it’s driven us to these Top 5 lessons learned.

Additional guidance has been published for M365 EDU deployment during COVID-19 which revolves around remote learning and Microsoft Teams.

 

If you are new to device management with Microsoft Endpoint Manager and Intune, we won’t be covering the fundamentals here but please start by checking out how to get started with Intune for Education.

 

Many of you may work with a partner or vendor for handling your IT needs. If your vendor needs to be introduced to Intune for Education and learn more, there’s a great set of intro videos online created by Joe from our team on the Intune Partner channel here.

 

We’re going to go technically deeper into the topics mentioned in the Top 5 and more so join us for our next post on enrolling Windows devices with provisioning packages and/or Set Up School PCs in the next few days.

Threat Protection for SQL IaaS VMs hosted on Azure Arc using Azure Security Center

This article is contributed. See the original author and article here.

This post continues our look at the protection that Azure Security Center offers for SQL IaaS VMs. As you learnt in this blog post, Azure Security Center protects SQL servers hosted on Azure VMs, Azure Arc, and on-premises.

 

SQL Server on Azure Arc

While hybrid approaches bring greater power and flexibility, they also present greater complexity. Azure Arc was announced at Ignite 2019 to better address these challenges. Using Azure Arc, organizations can deliver a broader range of services while simplifying matters of management and security. Azure Arc provides deeper integration across your entire Azure environment. Essentially, Azure Arc allows organizations to use Azure’s management technologies (“control plane”) to centrally administer public cloud resources along with on-premises servers, virtual machines, and containers. All of Azure’s AI, automation, compliance and security best practices are now available to manage all of their distributed cloud resources, and their underlying infrastructure, which is known as “connected machines.” Additionally, several of Azure’s AI and data services can now be deployed on-premises and centrally managed through Azure Arc, enhancing local and offline management and offering greater data sovereignty.

 

Utilize Azure Security Center to produce a comprehensive report of vulnerabilities in SQL Servers and get advanced, real-time security alerts for threats to SQL Servers and the OS. Azure Security Center centralizes all security policies and protects the entire managed environment. When Security Center is enabled, the Azure monitoring agents will report data back from the servers, networks, virtual machines, databases, and applications. The Azure Security Center analytics engines will ingest the data and use AI to provide guidance. It will recommend a broad set of improvements to enhance security, such as closing unnecessary ports or encrypting disks and more. Azure Arc extends these security features to connected machines and services to protect all registered resources.

 

To use this threat detection capability, you need to enable the SQL servers on machine threat bundle in the Azure Security Center pricing tier, as shown in ‘Image 1’:

 

Image 1.png

Image 1: Azure Security Center Pricing Tier

 

If your SQL server is hosted on an Azure Arc machine and you have the auto-provisioning option enabled, the Log Analytics agent will be automatically installed on your machine. Otherwise, you can deploy the Log Analytics agent using the Security Center recommendation “Log Analytics agent should be installed on your Windows-based Azure Arc machines (Preview)”. Alternatively, you can install the agent manually in two easy steps by adding the Log Analytics VM extension. Refer to this article for the step-by-step procedure to enable the extension from the portal, JSON, or PowerShell.

A PowerShell script was used in this case to simulate a SQL injection attack scenario on the SQL server running on Azure Arc.

Injection flaws allow attackers to relay malicious code through an application to another system. These attacks include calls to the operating system via system calls, the use of external programs via shell commands, as well as calls to backend databases via SQL (i.e., SQL injection). Attackers can go around authentication and authorization of a web page or web application and retrieve the content of the entire SQL database. SQL injection is a particularly widespread and dangerous form of injection. The consequences are particularly damaging, as an attacker can obtain, corrupt, or destroy database contents. Security Center detects unusual and potentially harmful attempts to access SQL servers based on behavior analysis using machine learning.
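To make the injection mechanism described above concrete, here is an added example (not from the original post, and not the PowerShell script it mentions) that runs the same lookup once with a concatenated query and once with a bound parameter. The in-memory sqlite3 database standing in for SQL Server, the grades table, the sample rows, and all function names are assumptions made for illustration.

```python
import sqlite3

# Constructed sample data; sqlite3 stands in for SQL Server in this sketch.
ROWS = [
    ("alice", "math", "A"),
    ("alice", "physics", "B"),
    ("bob", "math", "C"),
    ("carol", "history", "A"),
]


def make_db():
    """Create an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE grades (student TEXT, course TEXT, grade TEXT)")
    conn.executemany("INSERT INTO grades VALUES (?, ?, ?)", ROWS)
    return conn


def grades_vulnerable(conn, student):
    # The input is pasted into the SQL text, so a quote character in it
    # ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT student, course, grade FROM grades "
           "WHERE student = '" + student + "'")
    return conn.execute(sql).fetchall()


def grades_parameterized(conn, student):
    # The SQL text is fixed; the input travels separately as a bound value
    # and is only ever compared against the student column.
    sql = "SELECT student, course, grade FROM grades WHERE student = ?"
    return conn.execute(sql, (student,)).fetchall()


def compare(student):
    """Return (rows from concatenated query, rows from parameterized query)."""
    conn = make_db()
    try:
        return grades_vulnerable(conn, student), grades_parameterized(conn, student)
    finally:
        conn.close()


if __name__ == "__main__":
    for value in ("alice", "alice' OR '1'='1"):
        vuln, safe = compare(value)
        print(f"{value!r}: concatenated={len(vuln)} rows, "
              f"parameterized={len(safe)} rows")
```

The concatenated query also fails on legitimate input that contains an apostrophe, while the parameterized one simply finds no match.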

 

In this scenario, Azure Security Center detected the threat and provided an alert with details of the machine, attacker activity, host information and more, as shown in ‘Image 2’ and ‘Image 3’.

 

Image2.png

Image 2: Security Alert, Alert details

 

Image 3.png

Image 3: Security Alert, Take Action

 

NOTE: As of the June 2020 release, two new recommendations have been added to help deploy the Log Analytics agent to your Azure Arc machines and ensure they’re protected by Azure Security Center:

  • Log Analytics agent should be installed on your Windows-based Azure Arc machines (Preview)
  • Log Analytics agent should be installed on your Linux-based Azure Arc machines (Preview)

These new recommendations will appear in the same four security controls as the existing (related) recommendation, Monitoring agent should be installed on your machines: remediate security configurations, apply adaptive application control, apply system updates, and enable endpoint protection.  The recommendations also include the Quick fix capability to help speed up the deployment process.

 

In the next blog posts, we will discuss how you can leverage Azure Security Center to protect your SQL IaaS VMs hosted on-premises. Stay tuned!

 

Special thanks to:

Yuri Diogenes, Senior PM, CxE Security – ASC Team for reviewing this post.