Friday, May 19, 2023

Which Authentication is the best Authentication?

In the O365 login page, we log in with our username and password. Is this secure?

I have seen multiple incidents where our clients complained that their accounts had been hacked: someone sent spam emails from their accounts, sign-ins appeared from different countries, and so on. If someone steals our password, what happens? Let's look at the authentication mechanisms available to us and the benefits of each.

Password: Passwords can be stolen, for example through keyloggers. To protect ourselves, we can increase the password length, require mixed characters and symbols, and enforce a longer password history.

PIN: For PC login we can use a PIN instead of a password. PINs are more secure than passwords because they are easy to remember and tied to a single device. Even if a PIN is stolen, the potential damage is much smaller than with a compromised password.

Text Message or Voice Call: This method is more secure than a PIN or password because we receive a real-time code from the authentication service that is valid only for a limited time. A few years ago I personally told my customers that two-factor authentication by text or voice call was the secure way to safeguard our users. That advice no longer holds, because text messages and voice calls can be accessed through third-party applications.

Biometric or Face ID: Compared to the previous three methods, this is the most secure, because it requires your fingerprint or face to authenticate, and those are unique to you.

Authenticator App: The Microsoft Authenticator app is one of the most secure apps we can use for authentication. You can set up biometric or Face ID to access applications.

Which is the newest method and most recommended by security experts? 

"Go with PasswordLess"

How do we authenticate with passwordless?

You can select passwordless as your main authentication method. When you enter your username, you are automatically redirected and asked to enter a number in your Authenticator app. To log in you will not need a password, but you will need your mobile Authenticator app and biometric or Face ID. The app shows you the location and the application that is trying to authenticate.

Thursday, May 11, 2023

Thursday, May 4, 2023

Sign Up for Windows Known Issues Email Alerts


The Windows release health page, located within the Microsoft 365 admin center, provides access to up-to-date information regarding known issues related to both monthly and feature updates for Windows. These known issues are problems that have been identified within a Windows update and are impacting Windows devices. By accessing the Windows release health page, you can stay informed about these issues and leverage this information to help troubleshoot any problems that your users may be experiencing. Additionally, this resource can help you make informed decisions about when and how to deploy updates within your organization based on the scale and severity of the known issues.

This feature gives IT teams an advantage when troubleshooting Windows-level issues. Previously we had to check each endpoint to see which update had been installed recently and then search for known issues related to that update. With this new approach we can proactively receive information on all known issues for the selected product in our inbox, which makes troubleshooting more efficient and effective.

Monday, May 1, 2023

Deploy Windows LAPS [Step by step guide]

Microsoft Local Administrator Password Solution (LAPS) is a free solution that provides a secure way to manage local administrator passwords on Windows computers. LAPS works by randomly generating a complex password for the local administrator account on each computer and storing it securely in Active Directory. The password is then periodically changed and updated, helping to prevent attackers from gaining access to the local administrator account and compromising the computer or network. LAPS is a simple and effective way to improve the security of local administrator accounts across an organization's network.

Windows LAPS is the newer solution Microsoft has introduced. It is much easier to deploy and much easier to maintain the administrator password with. Windows LAPS also adds many features that aren't available in legacy Microsoft LAPS: you can back up passwords to Azure Active Directory, encrypt passwords in Windows Server Active Directory, and keep a password history.

Windows LAPS does not require installing any agent on the PCs, unlike legacy Microsoft LAPS, whose client we used to deploy with MECM (SCCM), GPO or a third-party application.

Windows LAPS supports Hybrid Azure AD joined and Azure AD joined devices, but does not support Azure AD registered devices.

Like Microsoft LAPS, Windows LAPS is freely available with Azure AD basic and above, but you may need an Azure AD Premium plan 1 or plan 2 for Conditional Access and an Intune license to benefit from the other Windows LAPS features.
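As an added example that is not part of the original post, the following PowerShell shows what the Windows LAPS policy described above looks like on a domain- or hybrid-joined client: the policy registry values that a GPO or the Intune CSP would write (AD backup with password encryption), a forced policy run, and the client-side event log to check afterwards. It assumes the built-in LAPS PowerShell module (Windows 11 22H2 or Windows Server 2022 with the April 2023 update or later); the OU path and the computer name are placeholders.

```powershell
# Added example, not from the original post: configure Windows LAPS on a client
# through its policy registry keys, force a policy run, and check the result.
# Assumes the built-in LAPS PowerShell module. OU path and computer name are placeholders.

# --- One-time domain preparation, run from a domain controller ---
# Update-LapsADSchema                                                              # adds the Windows LAPS attributes (Schema Admin)
# Set-LapsADComputerSelfPermission -Identity 'OU=Workstations,DC=contoso,DC=com'   # lets computers write their own password

# --- Client policy (the same values a GPO or the Intune CSP would set) ---
$laps = 'HKLM:\Software\Microsoft\Policies\LAPS'
if (-not (Test-Path $laps)) { New-Item -Path $laps -Force | Out-Null }

$settings = @{
    BackupDirectory              = 2    # 2 = Windows Server AD, 1 = Azure AD, 0 = disabled
    ADPasswordEncryptionEnabled  = 1    # encrypt the stored password (needs a 2016 domain functional level)
    PasswordLength               = 20
    PasswordComplexity           = 4    # upper, lower, digits and special characters
    PasswordAgeDays              = 30
    PostAuthenticationResetDelay = 24   # hours after the password is used before it is rotated
    PostAuthenticationActions    = 3    # reset the password and log off the managed account
}
foreach ($name in $settings.Keys) {
    Set-ItemProperty -Path $laps -Name $name -Value $settings[$name] -Type DWord
}

# Apply the policy now rather than waiting for the scheduled run
Invoke-LapsPolicyProcessing -Verbose

# Client-side evidence: the LAPS operational log records each backup and rotation
Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 5 |
    Select-Object TimeCreated, Id, Message

# From an admin workstation that holds read and decrypt rights on the computer
# object, retrieve the current password and its history for a managed computer:
# Get-LapsADPassword -Identity 'WS01' -AsPlainText -IncludeHistory
```

Setting the values directly in the policy key is useful for a lab or for confirming what a GPO has delivered; in production the same values should come from the GPO or Intune policy so that they are enforced and audited centrally.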

Sunday, April 30, 2023

Hyper-V Windows 11 VM Creation Error - "This PC doesn't meet the minimum system requirements to install this version of Windows."

When we create a Windows 11 VM on Hyper-V we get this error. The following are the minimum system requirements you need to meet to create a Windows 11 VM.

Below are the things we need to check when creating the VM:

  • VM Generation

We need to select Generation 2 because it is the one that supports UEFI Secure Boot.

  • Processor

In the VM settings we need to make sure that we have selected more than 2 virtual processors.

  • Enable Trusted Platform Module

Go to Settings, select Security, and tick "Enable Trusted Platform Module". Most of the time this is the cause of the error, because the Trusted Platform Module is not enabled by default.
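The three checks above can be applied in one go from PowerShell on the Hyper-V host. The script below is an added example, not from the original post; it assumes the Hyper-V PowerShell module, and the VM name, paths, sizes and switch name are placeholders.

```powershell
# Added example, not from the original post: create a Windows 11 Hyper-V VM that
# already satisfies the three checks (Generation 2, enough vCPUs, vTPM enabled).
# Assumes the Hyper-V module on the host; names, paths and sizes are placeholders.
$vmName  = 'Win11-Lab'
$vhdPath = 'D:\Hyper-V\Win11-Lab\Win11-Lab.vhdx'
$isoPath = 'D:\ISO\Win11.iso'

# Generation 2 gives UEFI firmware, which Secure Boot and a virtual TPM require
New-VM -Name $vmName -Generation 2 -MemoryStartupBytes 4GB `
       -NewVHDPath $vhdPath -NewVHDSizeBytes 64GB -SwitchName 'Default Switch' | Out-Null

# Windows 11 needs at least two virtual processors; four leaves headroom
Set-VMProcessor -VMName $vmName -Count 4

# Secure Boot with the Windows template (the Gen 2 default, made explicit here)
Set-VMFirmware -VMName $vmName -EnableSecureBoot On -SecureBootTemplate 'MicrosoftWindows'

# The virtual TPM is off by default and needs a key protector before it can be enabled
Set-VMKeyProtector -VMName $vmName -NewLocalKeyProtector
Enable-VMTPM -VMName $vmName

# Attach the installation media and boot from it first
Add-VMDvdDrive -VMName $vmName -Path $isoPath
$dvd = Get-VMDvdDrive -VMName $vmName
Set-VMFirmware -VMName $vmName -FirstBootDevice $dvd

# Verify all three requirements before starting the VM
[pscustomobject]@{
    Generation = (Get-VM -Name $vmName).Generation
    vCPUs      = (Get-VMProcessor -VMName $vmName).Count
    SecureBoot = (Get-VMFirmware -VMName $vmName).SecureBoot
    TPM        = (Get-VMSecurity -VMName $vmName).TpmEnabled
} | Format-List

Start-VM -Name $vmName
```

If the verification object shows `TPM : False`, the installer will still raise the error in the post title; `Set-VMKeyProtector` must run before `Enable-VMTPM`, and the VM must be powered off while these settings are changed.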


Friday, April 28, 2023

MD-100 & MD-101 Exams will be Renamed to Microsoft 365 Certified: Endpoint Administrator Associate (MD-102)

Microsoft has announced that it will be renaming its popular certification program for desktop administrators, the Microsoft 365 Certified: Modern Desktop Administrator Associate, to the Microsoft 365 Certified: Endpoint Administrator Associate. The new certification program will come into effect on July 1, 2023, and is aimed at addressing the evolving needs of modern workplaces, where endpoint management has become a critical aspect of IT administration.

The Microsoft 365 Certified: Endpoint Administrator Associate certification is designed to equip IT professionals with the skills and knowledge they need to manage and secure endpoints across a range of devices and platforms, including Windows, macOS, iOS, and Android. It will cover topics such as device management, application management, security, and compliance, among others.

To earn the new certification, IT professionals will need to pass the MD-102 exam, which will be available from May 2, 2023. The exam will test candidates on their ability to configure, manage, and secure endpoint devices and applications, as well as their knowledge of Microsoft 365 security and compliance solutions.

The renaming of the certification program reflects Microsoft's commitment to keeping pace with the changing technology landscape and ensuring that its certification programs remain relevant and up-to-date. By aligning its certification programs with the evolving needs of modern workplaces, Microsoft is helping to ensure that IT professionals have the skills and knowledge they need to succeed in their roles and contribute to the success of their organizations.


In conclusion, the renaming of the Microsoft 365 Certified: Modern Desktop Administrator Associate certification to the Microsoft 365 Certified: Endpoint Administrator Associate certification reflects the changing needs of modern workplaces and underscores Microsoft's commitment to providing IT professionals with the skills and knowledge they need to succeed in their roles. The MD-102 exam, which will be available from May 2, 2023, will test candidates on their ability to manage and secure endpoints across a range of devices and platforms, and is a crucial step for IT professionals looking to enhance their skills and advance their careers.

https://learn.microsoft.com/en-us/certifications/exams/md-102?wt.mc_id=certsustainedmkt_portfolioupdate_blog_wwl

A New Unified Domain for Microsoft 365 apps and services

Microsoft introduced the cloud.microsoft unified domain for Microsoft 365 apps and services!


Microsoft has always been known for its wide range of products and services, from the popular Windows operating system to its productivity suite, Microsoft Office. However, with the rapid growth of cloud computing and the increasing number of services and applications that Microsoft offers, it can be challenging for end-users to keep track of all the different domains and names associated with these products.

To address this fragmentation, Microsoft recently announced the introduction of a new unified domain for Microsoft 365 apps and services - cloud.microsoft. This move is aimed at providing users with a more consistent and cohesive experience across all Microsoft 365 services, regardless of the specific product or service they are using.

One of the key benefits of this unified domain is the ability to simplify authentication and sign-in processes for users. Previously, users may have had to navigate multiple domains and sign-in pages when accessing different Microsoft 365 apps and services. However, with the introduction of cloud.microsoft, users can sign in once and access all Microsoft 365 apps and services from a single, unified domain.

Furthermore, this move towards a unified domain is part of Microsoft's broader strategy of simplifying its product and service offerings. By consolidating its products and services under a single domain, Microsoft aims to provide a more seamless experience for users and increase overall efficiency across its product lines.

Overall, the introduction of cloud.microsoft is a positive step towards a more streamlined and cohesive experience for Microsoft 365 users. By reducing fragmentation and providing a unified domain for all Microsoft 365 apps and services, users can more easily access the tools they need to be productive, while IT administrators can more effectively manage and secure their organization's Microsoft 365 environment. As Microsoft continues to evolve and expand its product offerings, this move towards a more unified experience is sure to benefit both end-users and administrators alike.

More details on cloud.microsoft: https://techcommunity.microsoft.com/t5/microsoft-365-blog/introducing-cloud-microsoft-a-unified-domain-for-microsoft-365/ba-p/3804961


Thursday, April 27, 2023

Which method suits you to deploy BitLocker?

BitLocker is a built-in encryption feature of Microsoft Windows operating systems. Here are three ways you can deploy BitLocker:

  1. Enable by User
  2. GPO Deployment
  3. 3rd Party Application or Intune/MECM

Enable By User

A user can enable BitLocker by following the steps below:
  1. Click on the "Start" button and select "Settings" (the gear icon).
  2. Click on "Update & Security".
  3. Click on "Device encryption" or "BitLocker".
  4. If your device doesn't support device encryption, you will see a message indicating that BitLocker isn't available for your device. Otherwise, you will see the BitLocker settings page.
  5. Click on "Turn on BitLocker".
  6. Select the drive you want to encrypt.
  7. Choose how you want to unlock the drive (password, smart card, etc.) and follow the on-screen instructions to set up the unlock method.
  8. Choose where you want to save your recovery key in case you forget your password or lose your unlock method.
  9. Click on "Encrypt" to start the encryption process.

Note: Depending on the size of the drive and the speed of your computer, the encryption process may take some time to complete.

Pros

  • Easy to enable
  • No vendor support needed to roll out
  • Settings can be selected by the user

Cons

  • Recovery key can be lost if not stored securely.
Note: it is good practice to store it in the Microsoft account; the recovery key can then be accessed at https://account.microsoft.com/devices/recoverykey


GPO Deployment

Enabling BitLocker by GPO (Group Policy Object) is a good way to ensure that all computers in your organization have BitLocker enabled and that they comply with your company's security policies. Here are the steps to enable BitLocker by GPO:

  1. Open the Group Policy Management Console (gpmc.msc) on a domain-joined computer.
  2. Expand the domain and select the Organizational Unit (OU) that contains the computers you want to enable BitLocker on.
  3. Right-click the OU and select "Create a GPO in this domain, and Link it here".
  4. Name the GPO and click "OK".
  5. Right-click the new GPO and select "Edit".
  6. Navigate to "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption".
  7. Double-click "Operating System Drives" to open the policy settings.
  8. Enable the "Require additional authentication at startup" policy and set it to "Enabled".
  9. Enable the "Choose how BitLocker-protected operating system drives can be recovered" policy and set it to "Enabled".
  10. Configure the remaining policies based on your organization's security policies.
  11. Click "OK" to save the changes.
  12. Close the Group Policy Management Editor window.

The next time the computers in the selected OU update their group policies, BitLocker will be enabled on the operating system drives, and the policies you configured will be applied.

There are two places we can store the recovery key:

  • Store in a shared file location
Navigate to "Computer Configuration\Administrative Templates\Windows Components\Choose Default Folder for Recovery Password"
  • Store in Active Directory Domain Services
Navigate to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption and set "Store BitLocker recovery information in Active Directory Domain Services" to Enabled

Pros

  • Easy to roll out at scale
  • Automated
  • Keys are stored in a secure location

Cons

  • Reporting not available
Note: only a 3rd party application or Intune/MECM provides reporting features.
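The reporting gap can be narrowed with a small script run on each domain-joined client. The following is an added example, not from the original post: it reads the BitLocker state of the operating system drive, escrows every recovery password protector to the computer object in AD DS (the same destination the GPO setting above configures), and returns one report row; the function name and the compliance rule at the end are this example's own. It assumes the BitLocker PowerShell module on Windows 10/11 and an elevated session.

```powershell
# Added example, not from the original post: verify the GPO-driven BitLocker state,
# back up the recovery password to AD DS, and emit a row for a simple report.
# Assumes the BitLocker module (Windows 10/11) and an elevated session.
function Get-BitLockerReportRow {
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

    # Escrow every recovery password protector to the computer object in AD DS
    foreach ($p in $rp) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        MountPoint        = $vol.MountPoint
        VolumeStatus      = $vol.VolumeStatus        # FullyEncrypted, EncryptionInProgress, FullyDecrypted, ...
        ProtectionStatus  = $vol.ProtectionStatus    # On or Off (Off also covers a suspended protector)
        EncryptionMethod  = $vol.EncryptionMethod    # e.g. XtsAes256
        Protectors        = ($vol.KeyProtector.KeyProtectorType | Sort-Object -Unique) -join ','
        RecoveryPasswords = $rp.Count
        Checked           = (Get-Date).ToString('s')
    }
}

$row = Get-BitLockerReportRow
$row | Format-List

# Example compliance rule: encrypted with protection on, and at least one recovery password escrowed
if ($row.ProtectionStatus -ne 'On' -or $row.RecoveryPasswords -eq 0) {
    Write-Warning "$($row.ComputerName): BitLocker not compliant on $($row.MountPoint)"
}

# Collected centrally, the rows form the report the GPO method lacks, e.g.:
# $row | Export-Csv -Path '\\fileserver\reports\bitlocker.csv' -Append -NoTypeInformation
```

Running this as a scheduled task or logon script keeps AD DS populated even for devices that were encrypted by the user before the GPO existed, since `Backup-BitLockerKeyProtector` re-escrows protectors that were never written to the directory.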

Conclusion

In summary, there are three ways to deploy BitLocker encryption on your organization's devices: by enabling it by the user, by using GPO deployment, or by using a third-party application or Intune/MECM. Each method has its own advantages and disadvantages, and the best method for your organization will depend on your specific needs and security policies. By enabling BitLocker encryption on your organization's devices, you can help protect your sensitive data from unauthorized access and mitigate the risk of data breaches.

How to shorten a Teams Meeting URL?

Sharing Teams URLs via email or social media can be a bit of a hassle. The lengthy URLs can take up a lot of space and may not fit properly on certain platforms. Fortunately, there is a solution to this problem: URL shortening. By shortening the URL, you can make it easier to share the link with others, without taking up too much space.

One of the easiest ways to shorten a Teams URL is to use the Microsoft Teams URL Shortener. This tool is designed specifically for Teams links and can be accessed at https://en.msteams.link/. All you need to do is copy and paste the long Teams URL into the input box, and the tool will generate a shorter, more manageable URL.

For example, let's take this Teams URL:

https://teams.microsoft.com/l/meetup-join/19%3ameeting_Y2UzMzhjZTMtNDljMi00MTg4LTg5ZjgtYmJhM2RhZGI0MDU5%40thread.v2/0?context=%7b%22Tid%22%3a%2248f5eb81-f396-4273-836d-10b63b081eb5%22%2c%22Oid%22%3a%22b8b4094c-ccc9-4100-9f37-24b2624dcccc%22%7d

This URL is quite long and may not fit properly on certain platforms. However, by using the Microsoft Teams URL Shortener, we can generate a shorter URL like this:


As you can see, the new URL is much shorter and easier to share with others. Additionally, the Microsoft Teams URL Shortener also provides a QR code, which can be scanned by others to quickly access the Teams link.

In conclusion, sharing Teams URLs via email or social media doesn't have to be a hassle. By using a URL shortener like the Microsoft Teams URL Shortener, you can generate shorter, more manageable URLs that are easier to share with others. So next time you need to share a Teams link, give it a try!


Wednesday, April 26, 2023

Windows LAPS management via Microsoft Intune available in preview

Microsoft has recently announced the preview availability of Local Administrator Password Solution (LAPS) management via Microsoft Intune. This new feature enables IT administrators to manage LAPS settings for on-premises Windows devices from the cloud-based Intune console.

LAPS is a Microsoft solution that provides a random and unique password for the local administrator account on each Windows device, helping to enhance security by preventing the spread of credentials between devices. With this new Intune integration, administrators can now easily manage LAPS settings for on-premises Windows devices without the need for additional infrastructure or tools.

To get started with LAPS management via Intune, administrators need to enable the feature in their Intune tenant and configure the settings they want to use. They can then deploy the LAPS client to their on-premises Windows devices using Intune, and configure the LAPS settings as needed.

Once the LAPS client is deployed, Intune will automatically rotate the local administrator password according to the configured policy. The new password will be stored securely in Active Directory, where it can be retrieved if needed.

This new feature is particularly useful for organizations with a large number of on-premises Windows devices that want to improve their security posture without additional complexity. By leveraging Microsoft Intune for LAPS management, administrators can easily manage this critical security feature for their on-premises devices from a single, cloud-based console.

Overall, the availability of LAPS management via Microsoft Intune is a welcome addition to the already robust security management capabilities of the platform. As more organizations adopt cloud-based management solutions, this feature will provide an easier and more streamlined way to manage LAPS settings for on-premises Windows devices.