All the round-up news that's fit to [NEVER EVER] print

This post is coming to you from Windows 365. I’m spending my time alternating between this and Windows 11 preview machine, because…

Windows 11 is set to drop October 5! Insiders can play with it now, both on physical devices and in Azure Virtual Desktop, whereas Windows 365 customers will get access to it on October 5 (seems to be a recurring theme in W365 that there is no "public preview" phase).

Once it's out, I'm gonna be jazzed to be managing it in a Magic Quadrant Leader Endpoint Management solution!

Accolades aside, I am starting to hear a bit of concern over how this upgrade will be managed. Will folks need to update Autopilot profiles, lock down users, prevent Windows Update from automatically deploying it? Intune already has tooling in place to prepare for this kind of thing. First of all, everything that was labeled as "for Windows 10" now says "for Windows 10 and later," so you know going into it that these controls are designed to scale to OS.next, but you can also lock devices into specific Feature Update versions of Windows (pic below), which disallows moving between major versions of Windows. To upgrade the whole OS you'll need to leverage "Target Versions" in Windows Update for Business. Note that at the moment "Target Versions" does not appear in any interface in Intune and must be managed by CSP profiles. [I would expect this to change and either get its own section or get wrapped into Feature Updates.]

 
And while the guidance on what devices qualify for Windows 11 points to updated assessment tools, Intune has its own in the Endpoint Analytics reports that include some of that same data, so customers can get ahead of device qualifications today.

From what I’m seeing so far in both my Windows 365 and Windows 11 preview machines, there’s no immediate need to retool configuration profiles, compliance policies, app deployments, or really much of anything. Because these are app gallery images that come pre-loaded with Microsoft 365 apps, I *might* suggest tweaking any Microsoft 365 Apps (formerly Office ProPlus) app assignments to leverage the new filtering capability in Intune. We’ll cover this in greater detail in September’s Windows 365 management webinar, but it’s a pretty slick way to use cloud-side pre-filtering of devices by attributes (whereas WMI filters in AD are processed client-side). In my case, I have dynamic device groups that include devices whose names start with “CPC-“, and I set an exclusion filter to prevent over-writing the pre-installed apps.

I have to confess I wasn't watching the server space particularly carefully, because it caught me off-guard that Windows Server 2022 became generally available on September 1. Still no new Active Directory functional levels, so I don't think anybody needs to panic, but this OS is specifically designed to enable hybrid cloud workloads.

Azure AD Connect ("sync" -> did you know that's actually part of the product name? I didn't) just got to version 2.0 like a month ago and now it's getting a baby brother. Introducing Azure AD Connect cloud sync. (Or is it Cloud Sync? or CloudSync? I've seen all 3, but the video uses all lower case), a new product for the 3rd major iteration of a feature that does a lot of heavy lifting. There are some pretty fundamental differences. AADCs needs a server or two, and sometimes a SQL database to manage user provisioning. It's robust and you'll find it just about everywhere, but it can get cumbersome in a hurry, especially in federation scenarios and organizations with a zillion-plus users and massive groups. AADC...cs(?) is just an agent, and it's designed to scale better to both current needs and future identity scenarios, and it supports "disconnected forests" for merger/demerger scenarios. And even better, it supports HA & failover natively (without having a hot/cold deployment like DirSync)! Woohoo!! Oh and and and? No 30+ minute gaps between provisioning changes.

So now there are 3 valid tools/methods for synchronizing identities between AD & Azure AD: MIM (here be dragons), AADCs (the new "old" way of doing things), and AADCcs (new hotness). I get the strong sense that Microsoft is going to be pushing heavily toward this new agent-based solution from the way the video script is worded, but it's also brand new, so standard IT caveats apply.

I've had a lot of people ask over the past few years if the P1 & P2 distinctions that exist in AAD and Defender toolsets extend to Defender for Endpoint. Until today the answer had been no, but since the common separation between a P1 tool and a P2 tool has traditionally been behavioral analytics and AIR, it makes good sense that Microsoft has created a P1 offering that handles unified AV/anti-malware, web-control, network protection, endpoint firewall, and device-based conditional access. Think of MDE P1 as an Endpoint Protection (EPP) solution, where P2 is EDR/TVM. The really cool news is that while EDR isn't part of P1, SIEM still is, so if you're piping to Sentinel and have a robust investment in Jupyter notebooks & Logic Apps to turn Sentinel into a SOAR, you really may not be giving up much...except the TVM, which is really, really cool stuff. MDE P1 will be included in Microsoft 365 E3 & A3.

That's good news, because while I've posted a bunch of guides on how to secure things, there are parallel guides for how to...well...do the other thing. It's important to understand how AD works and where its weaknesses are, so while I wrestled a bit with whether or not to add this, the fact is it's out there and you need to know what exactly you're trying to protect. So here's a guide to AD from an attacker's perspective. It's every bit as exhaustive as the guides for protecting AD. Secure what you can and disconnect the rest. And turn on 'smart-card requirements' for on-prem user accounts that have to replicate to Azure AD: that bit has no value in Azure AD but will switch the on-prem password value to system-managed with daily reset without flowing the reset metadata to Azure!

Sometimes I get giddy about things that aren't security. Teams gets features added so frequently this post would almost have to come out twice daily, but a few months ago I saw a statement that Teams Meetings would support streaming to RTMP, and it seems that's now real. Want the youtubes to watch/listen to your internal earnings report? Go for it! Note that the roadmap site still shows this as "In Development," so expect additional information over the coming weeks.

Comments