Managing Role Based Access (RBAC) for Microsoft Defender Advanced Threat Protection

I spend quite some time during the week travelling to and from customers. To make the best use of travel time, I usually read blogs and tweets or take online trainings to keep myself up to date about whatever interests me. Yesterday I noticed a tweet from someone regarding MDATP Portal access: “Security Administrator can’t be assigned to staff in my org. It’s too powerful.” Maybe not everyone is aware of the RBAC capabilities in Read More …

Exploring Microsoft Cloud App Security with PowerShell – Part 1

Last Friday I was given the opportunity to present at the Configuration Manager Community Event (CMCE1905) in Bern, Switzerland. Although Microsoft Cloud App Security is not really related to ConfigMgr, many of the attendees are dealing with managing classic and modern workplaces and security is almost on everyone’s list of interest. During my session “Unleash the power of Microsoft Cloud App Security” I also demonstrated how one can explore information within Microsoft Cloud App Security Read More …

Retrieving Windows Defender Exploit Guard Windows Event logs with PowerShell

Most of the features included in Windows Defender Exploit Guard can be enabled in audit or block mode. The impact can then be analyzed either by looking at the corresponding Windows Event log entries or through advanced hunting queries in Windows Defender ATP. Today, I’ll share a script I recently wrote to quickly pull Windows Defender Exploit Guard related events from the Windows Event log. Anytime soon I will share some Kusto queries for the Read More …

How to Configure Splunk to pull Windows Defender ATP alerts

Windows Defender ATP provides SIEM integration, allowing you to pull alerts from Windows Defender ATP Security Center into Splunk. The SIEM integration uses the Windows Defender ATP Alerts REST API. Since I have an actual customer demand for such an integration, I thought it’s about time to get a feel for how this works. Prerequisites: an active Windows Defender ATP subscription with portal admin access; Windows Defender ATP SIEM integration enabled within the portal; a Read More …

Configuring Windows Defender Credential Guard with ConfigMgr

I’m currently engaged in multiple customer projects where Windows 10 is already in production, but unfortunately without Windows Defender Credential Guard enabled. For those who think “Credential … what?”: Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-the-Ticket. More details can be found here. Some of you might think, why wasn’t Read More …

How to customize Windows Defender ATP Alert Email Notifications

During a recent customer engagement, I was asked whether it would be possible to add additional information to the alert email that is sent out by Windows Defender ATP when a new alert occurs. @RagoReady from Microsoft gave me a good hint to look into Microsoft Flow and the Windows Defender ATP connector. When you enable Alert Notifications within the Windows Defender ATP portal, subscribed users get an alert email that looks as shown Read More …

Check Windows Defender ATP Client Status with PowerShell

Here’s a little utility to check the status of Windows Defender ATP on a local or remote client. I basically took some code from the WDATP connectivity verification tool, removed the network connectivity testing part (I might add that later as well) and transformed the code so it can be used to check whether the client is properly onboarded and if all required services are running.

Retrieving Azure MFA registration status with PowerShell

I’m in the process of supporting one of our clients to enable Azure Multifactor Authentication for all their users because at a later stage we want to introduce Conditional Access. In a larger environment it’s probably a good idea to start informing users about MFA, why and how it works. Then ask users to start registering themselves. In our case we’re using the Converged registration for self-service password reset and Azure Multi-Factor Authentication which is Read More …

Windows 7 Hybrid Join and MFA ramblings

Today I ran into an issue where Windows 7 would not hybrid join as expected. Before going into the details, for those who might not be aware: like Windows 10 and Server 2016, you can also hybrid join down-level devices. The functionality is of course not built into Windows, so you need to install the “Microsoft Workplace Join for non-Windows 10 computers” software. One reason why you want to hybrid join Windows 7 devices is Read More …

How to enable DKIM in Office 365

Just in case you are not familiar with what DKIM is all about but still interested, I suggest you first read “Use DKIM to validate outbound email sent from your custom domain in Office 365”. If you’re looking for detailed instructions on how to enable DKIM in Office 365, continue reading. Prerequisites: Windows PowerShell; the PowerShell script Validate-DkimConfig.ps1 (download from here); access to Exchange Online through PowerShell; access to DNS. Connect to Exchange Online: first we connect Read More …