Author: Adam Fowler

Take Your First Microsoft Exam!

The idea of taking a Microsoft exam can be quite daunting. Self doubt creeps in, and it’s easy to talk yourself out of putting yourself through a stressful situation that you could just avoid. But, taking a Microsoft exam and passing is a great feeling, and qualifies your understanding of the topic.

I’m hoping I can convince you – the ones out there who have wondered if they should try working towards a Microsoft Certification – to give it a shot.

Let’s work through the fundamentals. There’s Microsoft Exams, and Microsoft Certifications. Often there’s a 1 to 1 relationship – pass an exam, get a certification. Some certifications have prerequisites that you’re already holding other Microsoft Certifications. Exams normally have a code such as AZ-104 where the certification doesn’t. For a nice 1 pager of all the Credentials and exams, have a look at the Certifications Poster.

Screenshot of the Certifications poster, please use the link for the latest version!

For your first exam and certification, focus on choosing one that’s at the fundamentals level. These exams all end in 9xx, such as MS-900 for Microsoft 365 Fundamentals. A full list of these fundamentals I have listed on MSPortals.io with a few handy links on each.

Which exam should you take first? Pick the one you’ve got the most experience or knowledge on. If you aren’t sure, start by checking the study guide. For MS-900 here’s the link: https://learn.microsoft.com/en-gb/credentials/certifications/resources/study-guides/ms-900 and you’ll see a list of the aimed audience, skills measured etc.

You’ll also see a section called ‘Study resources‘. This will contain links such as the ‘Get trained‘ area, which jumps to the certification itself and lists ways to prepare and practise for the exam.

Preparing for the exam is usually an online self-paced course, and this is worth going through to understand the topics and areas that will be covered in the exam. Practice for the exam will take you to a set of multiple choice questions, which is a good test of your knowledge to see if you’re ready to book.

Microsoft exams need a 700/1000 score to pass – which is the equivalent of 70%. For 50 questions, you should be getting at least 35 right, but that’s still cutting it a bit close. You have the luxury of time, being able to look things up and check your answer as you go so I’d be aiming more for getting >45 out of the 50 right.

You can also run an Exam Sandbox, which is just running the actual exam software with unrelated questions just to get a feel of how it’ll be when you actually sit your exam.

Fundamental exams are shorter than the more in-depth exams, and last for roughly 65 minutes with 35-50 questions. Of that hour and a bit, there’s still 15-20 minutes expected of set up and wind down.

There is a cost associated with taking a Microsoft Exam, and on the 1st November 2024 these prices have just changed. The cost is region dependant, but ranges from $44USD to $99USD for the fundamentals.

The certification page will have an area to let you ‘Take the exam‘ which is where you schedule it. Sometimes you might be able to book it for the same day, other times you may need to look a few days or weeks forward to book in an available slot. You’ll have the option of testing the software and making sure everything works as a part of this. Exams used to be in-person only, but now you can do them remote.

On the day of the exam, log in ~15 minutes early and follow the instructions you were emailed – go through the tests again, and there’s a bit of an onboarding and verification process to go through. You may need to take photos of your identity and your work area to show you’re the right person taking the exam and don’t have access to any items that would be considered cheating. You’ll be on camera and open microphone the entire exam, and have a host in the background monitoring you.

Fundamental exams are NOT open book, but other exams are (for those, you can access content on learn.microsoft.com during the exam).

Once you’re in the exam, take your time. You’ll see how long you have to go, and mostly can go back to previous questions or skip questions to answer later (when this isn’t possible, you’ll be prompted – read all screens carefully!).

If you happen to fail, don’t be disheartened. You’ll see your score, how well you did in each area, and you can take the exam again. The first time you can take it again after waiting 24 hours. Further retake policies are available here. Plenty of people fail (including me!) and just treat it as more practise – taking the exam a second time is less stressful than the first as you’ve got a much better idea on what you’re in for. The questions the second time and beyond may not be exactly the same, normally you get a random subset from a larger pool of questions – but you’ll probably see a few that aren’t new.

If you pass well done! The panic of taking the exam should be over, you’ll get a congratulations email and can take the satisfaction of posting about your achievement on LinkedIn.

If you want to check your exam/certification status, log into your Learn Profile https://aka.ms/LearnProfile but don’t expect this to fully update immediately after the exam, some of the information can take a day or two to update.

Here’s a detailed video from Microsoft covering the entire exam experience:
https://learn.microsoft.com/en-us/shows/exam-readiness-zone/what-to-expect-on-your-microsoft-fundamentals-exam
and here’s Microsoft’s documentation on the Exam duration and exam experience:
https://learn.microsoft.com/en-us/credentials/support/exam-duration-exam-experience

I’ve also collected a lot of Microsoft exam and certification related links and created a ‘Training’ section on MSPortals.io:
https://msportals.io/training?search=

If you have any questions or want any advice, drop a comment below. If you pass an exam, post it on LinkedIn and tell me about it so I can congratulate you! https://www.linkedin.com/in/adamfowlerit/

5 Things To Check In Your Microsoft 365 Apps (Office 365) Configuration

Word, Excel, PowerPoint, Outlook, OneNote, and Teams (unless you’re in the EU) are some of the apps that make up the Microsoft 365 Apps suite. We don’t call it Office 365 anymore, and they’ve been around for a very long time. Despite the name change, ‘Office’ is used across Microsoft documentation, the Essential Eight, Windows Registry settings etc so I will use also use it for the rest of this article.

Unsurprisingly, there’s both a lot of flexibility in configuration options for these apps, as well as many settings that have security considerations. As with my other blog posts of late, I wanted to have a look at the Center for Internet Security’s (CIS) Microsoft Intune for Office Benchmark 1.0 and pick my favourite 5 recommendations; ones that I think have a high impact, aren’t on by default, and/or ones you may not have considered.

As with other Intune benchmarks, you don’t have to use Microsoft Intune (you can use Group Policy/registry) but these options are natively supported via Intune. To create these policies via Intune from the Microsoft Intune admin center go to Apps > Policy > Policies for Office apps.

I’m not going to pick the obvious settings either – everyone should be following the Essential Eight guidance on blocking Office Macros which is:

Microsoft Office macros are disabled for users that do not have a demonstrated business requirement.
Microsoft Office macros in files originating from the internet are blocked.
Microsoft Office macro antivirus scanning is enabled.
Microsoft Office macro security settings cannot be changed by users.

and also should have in place all Attack Surface Reduction settings related to Microsoft 365 Apps such as these:

Block all Office applications from creating child processes
Block Office applications from creating executable content
Block Office applications from injecting code into other processes

…so if you aren’t doing the above (or if you’re not sure) – go sort that out first before you worry about these extra ones!

Alright, let’s get on with my 5 picks:

#1 – 2.3.23.2 Ensure ‘Block signing into Office’ is set to ‘Enabled: Org ID only’

Official description of the setting:
This policy setting controls whether users can provide credentials to Office using either their Microsoft Account or the user ID assigned by your organization for accessing Office 365.
If you enable this policy setting, you can specify one of the following options:

– If you select “Both IDs allowed”, users can sign in and access Office content by using either ID
– If you select “Microsoft Account only”, users can sign in only by using their Microsoft Account.
– If you select “Organization only”, users can sign in only by using the user ID assigned by your organization for accessing Office 365.
– If you select “None allowed”, users cannot sign in by using either ID.

If you disable or do not configure this policy setting, users can sign in by using either ID.

Note: This policy does not apply to licensing. A user can license their product using any applicable ID if they have a valid license associated with that account. Providing credentials for licensing purposes when that ID type has been disabled, however, will not affect the signed in state of Office.

This setting controls whether a consumer Microsoft Account can be used to sign into the Office suite. By default, both a work account and a Microsoft Account can be signed in, so changing it to Org ID only prevents that. This prevents a user either accidentally or wilfully saving and opening files from their personal OneDrive and anywhere else the Microsoft Account may have access to. You can imagine a user not realising they’ve been saving their last year of work on their personal unprotected OneDrive, or doing so because it made it easier to continue working on documents via their home computer. There should be no legitimate business need for this setting to be allowed, so change it.

In Intune, it’s under the ‘Block signing into Office’ setting, as is the Group Policy setting Block signing into Office (admx.help)

#2 – 2.3.38.1.1 Ensure ‘Improve Proofing Tools’ is set to ‘Disabled’

This setting controls whether data learnt from Office Proofing Tools (such as spell check) is sent back to Microsoft. This option is enabled by default. It will include information such as additions to the dictionary (maybe you keep writing Project Phoenixx but that’s actually the ‘correct’ spelling’) or maybe your drivers license combination of letters and numbers, or credit card. Here’s the actual description of the setting:

This policy setting controls whether the Help Improve Proofing Tools feature sends usage data to Microsoft. The Help Improve Proofing Tools feature collects data about use of the Proofing Tools, such as additions to the custom dictionary, and sends it to Microsoft. After about six months, the feature stops sending data to Microsoft and deletes the data collection file from the user’s computer.
If you enable this policy setting, this feature is enabled if users choose to participate in the Customer Experience Improvement Program (CEIP). If your organization has policies that govern the use of external resources such as the CEIP, allowing the use of the Help Improve Proofing Tools feature might cause them to violate these policies.
If you disable this policy setting, the Help Improve Proofing Tools feature does not collect proofing tool usage information and transmit it to Microsoft.
If you do not configure this policy setting, the behavior is the equivalent of setting the policy to “Enabled”.

Beyond this data going back to Microsoft, it’s also saving it on your computer in a secondary data collection file. Quite simply, it’s introducing extra risk in both a second location of data + sending off to Microsoft, with no direct immediate user benefit, and no obvious method of showing what data it’s transmitting so should be disabled. On this point, this isn’t questioning how much you trust Microsoft or not – you’re probably using their operating system, software, cloud storage, search results and AI – risk is risk and you reduce it wherever you can that makes sense, and this is one of those scenarios.

This setting can be found under ‘Improve Proofing Tools’ in Intune, or Group Policy/Registry here.

#3. Modern Office File Formats:
2.11.8.6.1 Ensure ‘Default file format’ is set to ‘Enabled: Word Document (.docx)’
2.2.4.6.1 Ensure ‘Default file format’ is set to ‘Enabled: Excel Workbook (*.xlsx)’
2.6.6.5.1 Ensure ‘Default file format’ is set to ‘Enabled: PowerPoint Presentation (*pptx)’

These are all the same but each application needs it’s own setting enabled. Worth noting is the same setting exists for Access – ideally you don’t have that anywhere, but if you do, change that setting too. It’s also actually two settings – enabling it, then setting the ‘Save x files as’ and choosing the above listed options, e.g. PowerPoint Presentation (*pptx).

Although this setting doesn’t block the older default Office document types (.doc, .xls, .ppt), it makes sure the default format for saving is the newer .docx, .xlsx, pptx. The older formats were the default up to Office 2003, and in Office 2007 onward is where the ‘x’ version (which is based on XML and if you rename any of these documents to .ZIP, you can check out what’s inside!) was introduced. Although I can’t find much officially around the differences, the general takes are that the newer format is less prone to corruption, more secure, better organised internally, and more open for other programs to be able to read the data inside.

Most companies will have the older file formats floating around still, but this setting works towards encouraging the new (and 16 years since release, it’s hard to still call it ‘new’!) file format.

Setting description from Word:
This policy setting determines the default file format for saving files in Word.

If you enable this policy setting, you can set the default file format from among the following options:

– Word Document (*.docx): This option is the default configuration in Word.
– Single Files Web Page (*.mht)
– Web Page (*.htm; *.html)
– Web Page, Filtered (*.htm, *.html)
– Rich Text Format (*.rtf)
– Plain Text (*.txt)
– Word 6.0/95 (*.doc)
– Word 6.0/95 – Chinese (Simplified) (*.doc)
– Word 6.0/95 – Chinese (Traditional) (*.doc)
– Word 6.0/95 – Japanese (*.doc)
– Word 6.0/95 – Korean (*.doc)
– Word 97-2002 and 6.0/95 – RTF
– Word 5.1 for Macintosh (*.mcw)
– Word 5.0 for Macintosh (*.mcw)
– Word 2.x for Windows (*.doc)
– Works 4.0 for Windows (*.wps)
– WordPerfect 5.x for Windows (*.doc)
– WordPerfect 5.1 for DOS (*.doc)
– Word Macro-Enabled Document (*.docm)
– Word Template (*.dotx)
– Word Macro-Enabled Template (*.dotm)
– Word 97 – 2003 Document (*.doc)
– Word 97 – 2003 Template (*.dot)
– Word XML Document (*.xml)
– Strict Open XML Document (*.docx)
– OpenDocument Text (*.odt)

Users can choose to save presentations or documents in a different file format than the default.

If you disable or do not configure this policy setting, Word saves new files in the Office Open XML format: Word files have a .docx extension. For users who run recent versions of Word, Microsoft offers the Microsoft Office Compatibility Pack, which enables them to open and save Office Open XML files. If some users in your organization cannot install the Compatibility Pack, or are running versions of Word older than Microsoft Office 2000 with Service Pack 3, they might not be able to access Office Open XML files.

This policy setting is often set in combination with the “Save As Open XML in Compatibility Mode” policy setting.

The 4 settings in Intune are below, and the Group Policy/Registry settings are here: Word Access Excel PowerPoint

#4. 2.3.23.3 Ensure ‘Control Blogging’ is set to ‘Enabled: All Blogging Disabled’

I partly like this one because not many people know this is even a thing. Description:

This policy setting controls whether users can compose and post blog entries from Word.

If you enable this policy setting, you can choose from three options for controlling blogging:

* Enabled – Users may compose and post blog entries from Word to any available blog provider. This is the default configuration in Word.

* Only SharePoint blogs allowed – Users can only post blog entries to SharePoint sites.

* Disabled – The blogging feature in Word is disabled entirely.

If you disable or do not configure this policy setting, the behavior is the equivalent of setting the policy to Enabled-Enabled.

Word can send off contents of documents to certain blogging platforms via a direct connection from inside the application, and is enabled by default. Although the amount of your user base that would even consider this is quite low, all it takes is for one person to decide to do it, then publish the wrong document to a public site.

As usual, there’s usually no great reason to allow this at all, so disable it – even restricting to SharePoint sites doesn’t mean it’s restricted to the SharePoint sites you control.

Intune setting is Control Blogging, which you need to Enable and set to All blogging disabled, or Group Policy/Registry settings here.

5. 2.5.14.3.4 Ensure ‘Outlook Security Mode’ is set to ‘Enabled’

There’s an Outlook Security Mode? Sounds like something that should be enabled! Description:
This policy setting controls which set of security settings are enforced in Outlook.

If you enable this policy setting, you can choose from four options for enforcing Outlook security settings:

* Outlook Default Security – This option is the default configuration in Outlook. Users can configure security themselves, and Outlook ignores any security-related settings configured in Group Policy.

* Use Security Form from ‘Outlook Security Settings’ Public Folder – Outlook uses the settings from the security form published in the designated public folder.

* Use Security Form from ‘Outlook 10 Security Settings’ Public Folder – Outlook uses the settings from the security form published in the designated public folder.

* Use Outlook Security Group Policy – Outlook uses security settings from Group Policy.

Important – You must enable this policy setting if you want to apply the other Outlook security policy settings mentioned in this guide.

If you disable or do not configure this policy setting, Outlook users can configure security for themselves, and Outlook ignores any security-related settings that are configured in Group Policy.

Note – In previous versions of Outlook, when security settings were published in a form in Exchange Server public folders, users who needed these settings required the HKEY_CURRENT_USER\Software\Policies\Microsoft\Security\CheckAdminSettings registry key to be set on their computers for the settings to apply. In Outlook, the CheckAdminSettings registry key is no longer used to determine users’ security settings. Instead, the Outlook Security Mode setting can be used to determine whether Outlook security should be controlled directly by Group Policy, by the security form from the Outlook Security Settings Public Folder, or by the settings on users’ own computers.

Intune has the option ‘Microsoft recommended baseline’ under ‘Outlook Security Mode’ in Intune, which is documented here on all the settings it controls: https://learn.microsoft.com/en-us/mem/intune/protect/security-baseline-v2-office-settings?pivots=v2306#microsoft-outlook-2016

If you need to change any of those related settings from the default, you instead need to change this from ‘Microsoft recommended baseline’ to Manually configured, and ‘Use Outlook Security Group Policy’ – and then ensure all related policies are configured the way you want.

The CIS benchmark documentation also mentions:
Note: This setting is essential for ensuring that the other Outlook security settings mentioned in this baseline are applied as suggested.

So, what all this means is the CIS benchmark overall has different configuration recommendations compared to the Microsoft recommended baseline, but in doing this option it’s worth assessing all the settings that the baseline would do!

Intune setting is ‘Outlook Security Mode’ and Group Policy/Registry settings here

I hope you found the above options interesting, and as always this is designed to grow awareness of what you need to consider in managing an environment, and always have that security mindset. These options are not set and forget either – you need frequent checks to make sure no gaps have been created either by reconfiguration or new settings coming in.

5 Things To Check In Your Microsoft Intune for Apple iOS 17 and iPadOS 17 Configuration

Welcome to another ‘5 Things To Check’ security blog post. This time we’re looking at iPhones and iPads. Do you let people BYOD their own mobile device and just let them consume email on it? Are you controlling which application(s) can connect to your tenant on unmanaged devices, and are you applying application management to prevent data going out of those controlled applications?

iOS/iPadOS hardening has a lot of similarity to SOE/Windows Client hardening these days. Although when iPhones first launched there were next to no controls or management, the platform has eventually progressed into one that can be tightly controlled and hardened. Just like Windows though, this doesn’t mean that the out of the box is the most secure, and you’ll have to review a bunch of settings. You’ll also notice the settings are a bit more ‘basic’ compared to Windows, but that doesn’t mean they’re any less important.

Unsurprisingly, there’s a large amount of configuration than can be applied to harden the mobile user’s experience in dealing with company data, as well as protecting the users themselves. Again, I’m basing my 5 picks off the Center for Internet Security’s (CIS) benchmark’s list of ‘CIS Apple iOS 17 and iPadOS 17 Intune Benchmark’ items (freely available for non-commercial use), and I’m picking 5 that I think are important and not configured by default. This doesn’t mean you should only implement these 5, but it’s a good start for awareness on how much consideration needs to go into hardening an environment and why you need to put the effort in.

The CIS benchmark is broken up into two sections: BYOD and Supervised (i.e. company owned) devices, so my picks will be items that are recommended in both scenarios.

1. Ensure “Block Siri while device is locked” is set to “Yes” (and the lock screen in general)

Some may argue that Siri should be blocked altogether, because you’re sending data that could be sensitive back to Apple, and it may occur without you knowing. In reality, many people working from home probably have an Apple, Google, or Amazon device listening to everything they’re doing on their Teams or Zoom call anyway. However, those devices should at least not be connected to corporate data – unlike their Apple phone or tablet. This is more about someone gaining access to the physical device, and potentially being able to find out information about the data the iPhone has saved on it, or has access to. There have also been past bypasses on using Siri on the lock screen to unlock the phone or access certain other areas without needing the phone properly unlocked, so it’s seen as an unnecessary risk to leave this on.

This also extends to other data that could be viewable while the phone is locked, such as ‘Ensure “Block Today view in lock screen” is set to “Yes”‘ as this can show items like meetings, and ‘Ensure “Block voice dialing while device is locked” is set to “Yes”‘ as voice dialling is a function unrelated to Siri (there’s several more settings around lock screen information too!). You don’t want someone that finds your phone being able to access these and several other areas. One thing I’d potentially disagree with on the CIS benchmark is configuring the ‘Ensure a “Lock Screen Message” has been set’ message. Their advice is to have a helpdesk phone number or email address. The problem with this is, it shows someone who finds the phone what company the phone belongs to, and might incentivise them to keep or sell the phone somehow. If someone finds a phone from either a big company, or a company they don’t like, or a competitor to their own company, that’s a risky scenario. I’d suggest it’s better to use Apple’s guide on how to deal with a lost phone https://support.apple.com/en-au/101593 and also use Intune to destroy anything company managed – it should all be synced anyway and easily replaceable.

In Intune, this configuration is called ‘Allow Assistant White Locked’

2. Ensure “Maximum minutes after screen lock before password is required” is set to “Immediately”

This one is a straight forward setting. When the device’s screen is locked, how long should it wait before letting you just unlock it without a passcode or Face Unlock. It appears that the default for this is ‘Immediately’ but this demonstrates the importance of locking down configuration using a MDM such as Intune. The maximum time configurable is 4 hours, which is a long time someone could put their device down somewhere or completely lose it, and have no protection from being unlocked. The minimum time beyond immediate is 1 minute, which doesn’t seem like much – but someone locking their phone and putting it down leaving a whole minute for someone to obtain the phone is a fair amount of time. This is one I’d like to see a 5 second option just so users who accidently lock their device have a tiny window to unlock it again without having to verify – especially for BYOD. Extra layers of protection can be put on work related apps anyway requiring another Passcode or biometrics unlock.

To look at this option on iOS, Tap ‘Settings’ > ‘Touch ID & Passcode’ or ‘Face ID & Passcode’ depending on the device > Require Passcode. This needs to be set to ‘Immediately’, but as mentioned above a user can just change this.

In Intune, iOS Configuration Settings, the Maximum Grace Period can be set to ‘0’ which means ‘immediately’.

3. Ensure “Block viewing corporate documents in unmanaged apps” is set to “Yes”

As per Microsoft Learn documentation iOS/iPadOS device settings in Microsoft Intune | Microsoft Learn , this setting prevents documents being viewed/opened/saved to non-managed apps. Although some users might find this frustrating that they can’t use their favorite personal program, it prevents data leakage. Many apps will have their own data storage solutions and it’s quite easy for a user to accidently save a document in the wrong place, potentially another cloud provider and to a different country. On top of that, the app itself may not have the same protections as the managed apps you provide. Does the company scrape the data of what the user is doing – document names, metadata, or do they even try to use their own AI solution to read and help the user edit the document, provide a summary, or other hot AI topics? All this needs to be controlled by keeping the data where you manage it as much as possible, and not letting users have an easy path of getting data out. Without something like Purview, there’s always ways of extracting data, but you need to both provide good native ways of working with the data, as well as preventing or slowing down other methods.

As noted on the documentation, this setting does block third party keyboards, but for the same reasons as above, this is a good thing. Keyboard apps may track what you’re typing in different ways and keep a dynamic suggested list of shortcut words you commonly use – maybe you want to keep that project codenamed ‘Order 66’ under wraps as much as possible.

In Intune, Device Restrictions configuration has the ‘Yes’ option for ‘Block viewing corporate documents in unmanaged apps:

4. Ensure “Block trusting new enterprise app authors” is set to “Yes”

As the little (i) next to this configuration states – “Removes the Trust Enterprise Developer button in Settings->General->Profiles & Device Management.”

This setting actually blocks users from being able to trust apps that aren’t downloaded from the app store. Maybe good for a developer trying to quickly test their own app, but for normal users this shouldn’t be necessary. You can probably imagine plenty of scenarios where a user may get tricked into installing an app through non-standard means (such as being emailed a PDF that says to unlock the PDF, please install this software) and giving an attacker an easy path of getting malicious code onto a device.

The title of this setting is a bit misleading, because it sounds like new app authors to the Apple App Store would be blocked, but that’s not the case. Apple have a stringent App approval process and arguably it may not be perfect, it’s still a much larger barrier than just a file downloaded anywhere from the internet.

The approach of ‘only install approved apps’ may work for Corporate Owned devices, but not BYOD.

This is configured in Intune under Device restrictions > General > Block trusting new enterprise app authors:

5. Ensure “Block screenshots and screen recording” is set to “Yes”

I don’t really like the user impact of blocking screenshots and screen recording, but it’s a Level 1 CIS profile item which is their lowest baseline security recommendations. To quote CIS:

Be practical and prudent.
Provide a clear security benefit.
Not inhibit the utility of the technology beyond acceptable means.

Based on this, what is the big issue with screenshots, where’s the security benefit? If you think about most users (including yourself) there’s probably a mess of screenshots somewhere. People rarely clean these up. Worse, they get treated as images/photos and will sync to potentially multiple cloud solutions – Apple’s native photo sync, OneDrive, Google, and many other apps/companies that monitor newly created images and sync them off somewhere. Although you can protect Outlook from being able to take screenshots from within Intune via application configuration, you can’t stop someone screenshotting in many other apps, and therefore can’t protect the data in that screenshot.

If someone wants to take a photo of their computer screen or phone screen you can’t stop them, but blocking screenshots makes the process more difficult and means it should only happen when really needed (or someone’s stealing data on purpose!) and you severely reduce the risk of confidential screenshots floating around many unprotected consumer cloud solutions.

I hope this list has been useful, and I’m sure iOS/iPadOS 18 and beyond will come out soon, but the above should be relevant for quite some time!

5 Things To Check In Your Microsoft Edge Configuration

In what has now become a ‘5 Things To Check’ series, this time we’re looking at Microsoft Edge. The Center for Internet Security’s (CIS) Microsoft Edge benchmark is up to v2.0.0, so again I’ll pick my favourite 5 things listed, along with giving my own explanation of why they matter and other considerations.

By the way, did you know there’s now a whole ‘Policies for Microsoft Edge’ area of the Microsoft 365 admin center? More details on the Microsoft Edge management service here.

OK let’s jump into the top 5!

1. Ensure ‘Configure extension management settings’ is set to ‘Enabled: *’

Browser extensions can do a bunch of useful things, including potentially reading everything you do and sending it off to a third party. Even if it’s not for malicious purposes, your users certainly aren’t looking into what an extension does permission wise, and thinking about data sovereignty (I know there will be exceptions to this!). Just like any other app, extensions should be controlled and go through an approval process before they’re allowed on a work device. Moreso, the tie-in with using Microsoft Edge with a work profile to both be required to access certain resources, as well as pulling down policies automatically to configure the profile in a secure state goes a long way to providing a full secure experience.

By default, all users can install whatever extensions they like.

Microsoft have full documentation on how to manage Microsoft Edge extensions here Detailed guide to the ExtensionSettings policy | Microsoft Learn but this setting is the start of enabling it, and blocking all by default unless there’s an exception – which is why it’s being set to a wildcard *. Exceptions to the global block can be granted with the setting ‘Allow specific extensions to be installed.’. There’s several ways to manage and deploy this:

Group Policy – https://learn.microsoft.com/en-us/deployedge/microsoft-edge-manage-extensions-policies#allow-or-block-extensions-in-group-policy

Intune – https://support.imperosoftware.com/hc/en-au/articles/10590384691347-Managing-Edge-extensions-in-Microsoft-InTune

Microsoft Edge management service (the new way!) https://learn.microsoft.com/en-us/deployedge/microsoft-edge-management-service#manage-settings-for-all-extensions

Yes there is management overhead in blocking all extensions and looking at each case on what you should allow, and yes you need to consider other browsers like Google Chrome – you can’t just lock down Microsoft Edge and leave Google Chrome to be a free for all, or users will go there instead.

2. Ensure ‘Enable profile creation from the Identity flyout menu or the Settings page’ is set to ‘Disabled’

I called out profiles in the first tip – Edge profiles are a core component of Microsoft Edge security. A work or school account signed into Microsoft Edge can pull down Microsoft 365 tenant settings, including the new Microsoft Edge Management Service which to quote the start of the learn.microsoft.com article:

The Microsoft Edge management service is a platform in the Microsoft 365 admin center that enables admins to easily configure Microsoft Edge browser settings for their organization. These configurations are stored in the cloud and the settings can be applied to a user’s browser through group assignment or group policy. Users must be logged into Microsoft Edge to retrieve these settings.

https://learn.microsoft.com/en-us/deployedge/microsoft-edge-management-service

Either Single Sign-on should enforce Edge to automatically sign in with the same account as the PC is logged in as, or on BYOD the requirement to create a profile with the work account can allow for application management – things like stopping data exiting the browser session, screenshots, the blocking of extensions etc.

On the flip side, letting users create profiles throws all that security and control out the window. If someone can create a new profile even as a guest, a lot of the controls drop off – as well as potentially treating the browser session as a consumer one, and things like Microsoft Rewards turn up. You also have history, bookmarks, password managers etc potentially being saved against a Microsoft account (rather than a work/school one). That Microsoft account may not even have MFA on it – so a compromised Microsoft account used to sync browser information could grab a lot of company related data if it’s being used for the wrong purposes.

The setting can be set by Group Policy if you download the Microsoft Edge for Business pack (worth doing if you’re living in Group Policy land still) – Download Edge for Business (microsoft.com), or the registry setting:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge]
“BrowserAddProfileEnabled”=0

You can also set this via Microsoft Edge management service https://admin.cloud.microsoft/#/Edge/PolicyConfiguration/

3. Ensure ‘Enable AutoFill for addresses’ is set to ‘Disabled’

Ever walked up to an iPad at a business that you need to register your details on, and as you click on the first part of the form it shows you a bunch of other people’s data? That’s AutoFill enabled by default, when it definitely should not be.

This is a tough one, because AutoFill is so handy. You go to a website and need to fill in a form, but instead you get a dropdown, pick your name and the form is mostly filled out! In a work environment though, this can be a big catch. Are you ever putting in personally identifiable information for someone else? It could be as simple as an email address. That data gets saved in a manner that isn’t that much different to having a text file in your profile that contains the same data – so it shouldn’t be allowed.

You’d probably get user pushback on this, but a decent password manager should also have AutoFill functionality, but where it prompts you before it saves the data, and it’s easily readable against a profile rather than the more obfuscated method that Edge (and other browsers) generally use.

The AutofillAddressEnabled is easy to disable via registry, Group Policy with Download Edge for Business (microsoft.com) or via Microsoft Edge management service (and untick that ‘Allow users to override’ option which is ticked by default!).

4. Ensure ‘Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads’ is set to ‘Enabled’

Microsoft Defender SmartScreen

Microsoft’s support site explains to users about Defender SmartScreen, including the Screening downloads part. Seems like a pretty good idea, if a user downloads something and it matches a file that Microsoft has already found unsafe, it’ll warn you:

Screening downloads: SmartScreen checks your downloads against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, SmartScreen warns you that the download has been blocked for your safety. SmartScreen also checks your downloaded files against a list of well-known and popular downloads by Microsoft Edge users and warns you if your download is not on this list. 

https://support.microsoft.com/en-au/microsoft-edge/how-can-smartscreen-help-protect-me-in-microsoft-edge-1c9a874a-6826-be5e-45b1-67fa445a74c8#:~:text=Screening%20downloads%3A%20SmartScreen%20checks%20your,been%20blocked%20for%20your%20safety.

You can just bypass this warning and download the file anyway. A home user may want this experience to make the decision themselves, but this probably isn’t the decision you want an end user to make in a corporate environment and on a work device. Arguably, several other layers should protect you anyway including Defender for Endpoint or whatever EDR solution is in place, but this is a pretty safe extra layer to have in place.

Preventing user bypass of a SmartScreen detected suspicious download seems like an obvious one. Again, PreventSmartScreenPromptOverrideForFiles is a single setting via registry, Group Policy, or Microsoft Edge management service:

5. Ensure ‘Enhance the security state in Microsoft Edge’ is set to ‘Enabled: Balanced mode’

This is disabled by default. Clicking the ? next to ‘Enhance your security on the web’ will tell you:

What is enhanced security mode?
This runs your unfamiliar sites without the just in time (JIT) compilation to provide added protection. Running JIT-less reduces attack surface, making it difficult for malicious sites to exploit.
The additional protection includes Windows operating system mitigations such as Hardware Enforced Stack Protection, Arbitrary Code Guard (ACG), and Control Flow Guard (CFG).

Although there is a caveat ‘Most sites work as expected’, it’s an adaptive setting that learns behavour and what’s common the more it gets used. Admins can also add exceptions or forced enhanced security to certain sites: Browse more safely with Microsoft Edge | Microsoft Learn

I’ve been running this setting on at home for several months and haven’t noticed any issues, but I’m sure there are some sites that would be affected by this. You can decide if you let users toggle the option off on a per-website basis too.

The ‘Balanced mode option under ‘EnhanceSecurityMode’ setting can be set via registry, Group Policy with Download Edge for Business (microsoft.com) or via Microsoft Edge management service:

Bonus because I couldn’t pick between this and #5!
6. Ensure ‘Allow personalization of ads, Microsoft Edge, search, news and other Microsoft services by sending browsing history, favorites and collections, usage and other browsing data to Microsoft’ is set to ‘Disabled’

This is enabled by default. Regardless of trust in Microsoft or not, unnecessarily sending information such as browser history, favorites/collections etc is worth blocking. At the cost of ad personalisation, which should be irrelevant in a corporate setting. Enable this one!

The PersonalizationReportingEnabled setting is easy to disable via registry, Group Policy with Download Edge for Business (microsoft.com) or via Microsoft Edge management service:

It’s also worth calling out that Microsoft have their own Security Baseline for Microsoft Edge included in this: Download Microsoft Security Compliance Toolkit 1.0 from Official Microsoft Download Center which lists out all the policies with recommended settings, along with a bunch of other products. You should be keeping track of the Security Baseline for Microsoft Edge and following the guidance where possible on each release.

5 Things To Check In Your Intune for Windows 11 Configuration

After receiving a lot of great feedback on my post 5 Things To Check In Your Microsoft 365 Tenant, I thought I’d do another post, picking my top 5 items from the Center for Internet Security’s (CIS) benchmark Microsoft Intune for Windows 11 Benchmark v3.0.1

This is a really big list to pick from, much bigger than the Microsoft 365 one – the document is over 1000 pages! Also you may look at this list and say ‘What has this got to do with Intune, I can apply these settings to any Windows 11 PC?’ – This is true, but the options CIS has laid out are ones that are natively available in Intune and therefore easily deployable. I’m also going to spend more time explaining the meaning behind the setting rather than telling you how to do it, as the CIS documentation (again freely avaialable for non-commerical use) clearly explains the setting and how to configure it.

Again these 5 things are important and I’ve tried to pick items that aren’t in the secure state by default, so I hope you find something new (or at least reassured!).

1. Ensure ‘Turn off access to the Store’ is set to ‘Enabled’

By default, any Windows 11 PC has the Microsoft Store enabled, the app installed, and a user can use it to obtain any software available in the store. I’ll avoid the whole ‘are Microsoft Store apps safe’ as I’m not privy to Microsoft’s application monitoring regime, just like Google’s Google Play or Apple’s App Store – but just like blocking users from installing software from other sources and methods, the Microsoft Store should be controlled in a corporate environment. There’s an entire history behind the Microsoft Store for Business and Microsoft Store for Education which is being replaced by packaging the apps in Intune for Microsoft Store which is still a work in progress with original retirement planned for 2023 being postponed.

All this leads to this one setting, which is just preventing the user being prompted the Windows Store as an option to find a program to open a file or protocol that currently has no association (for example, a user found a data.db file and tries to open it). They’ll see this dialog:

Either enable the confusingly named Intune setting ‘Turn off access to the Store’ (due to it only doing the below, which it describes in the details of the setting) or use this registry setting to remove the Microsoft Store option for any ‘open with’ dialog – Turn off access to the Store (admx.help)

Simple, but it ticks the box of a user complaining that they just followed what the computer told them to do when they end up with some wacky or weird solution obtained from the Microsoft Store that they start entering company data into. It also ties into a bigger piece around how you handle the Microsoft Store as a whole. I also found this blog post which goes into great detail about the Microsoft Store and how to control it, including the above setting: Restricting or blocking access to the Microsoft Store (call4cloud.nl)

2. Ensure ‘Backup Directory’ is set to ‘Backup the password to Azure AD only’

LAPS (Local Administrator Password Solution) is an incredibly important solution to prevent lateral movement between devices. At the high level, it is designed to automatically manage the local administrator password on each device, and make it unique. This means if someone was able to obtain the password on a single device, they can’t then use that same account against every other device in an organisation. More details: https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview (and back in 2017 I was going on about it too https://www.adamfowlerit.com/2017/02/havent-deployed-laps-yet/)

Up until October 2023, this was only an on-premises natively supported solution; but now Intune supports it too. If you haven’t looked into LAPS or didn’t realise you could now do it in a cloud only environment, then put it at the top of your list.

Assuming you are now living with LAPS, the option Backup Directory controls where the LAPS password for each device goes. Apart from the default disabled option, this can either be ‘Backup the password to Active Directory only’ or ‘Backup the password to Azure AD only’ (yes I know it’s now Entra ID, nobody’s updated this name yet).

If you’re cloud only (Entra ID Joined) or cloud first, then this option should be ‘Backup the password to Azure AD only’ – your Entra ID should be more secure than your Active Directory, and this decision should really be a part of whatever system you’re putting first. It’s also a bit neater to view/report on events where any account is looking at the LAPS password value of a device in Entra ID, compared to on-premises Active Directory where you may have many different AD domain controllers and hopefully good monitoring/reporting of events across the entire environment – but more room for error there.

Creating a policy for this is quite a simple process from the Microsoft Intune Admin Center:

3. Ensure ‘Allow Cross Device Clipboard’ is set to ‘Block’

I am a huge fan of Clipboard in Windows and use it many times every single day. If you aren’t aware of this feature, press Winkey + V on your keyboard and it’ll pop up, asking if you want to enable it. It keeps a history of your clipboard contents – whatever you Ctrl + X or right click > copy. This is really handy when you’re copying all the time, but want to paste/recall anything beyond the absolute last thing you copied. It supports both text and pictures. Of course, this means it will copy things like passwords and other data you probably don’t want floating around. One feature of Clipboard in Windows is the ability to enable ‘Clipboard history across your devices’ which sounds somewhat handy, but drastically increases the risk of data leakage when you’re syncing that information to your account (if a work account, then should sit securely in your M365 tenant/Entra ID) or Microsoft consumer account. It’s just an unnecessary risk for little benefit – the clipboard history should stay local and be cleared on logoff/reboot. It will purely sit in memory and be lost afterwards when Clipboard sync is disabled.

Please start or keep using Clipboard in Windows but turn off Clipboard sync. It’s enabled by default.

Here’s the registry setting: Allow Clipboard synchronization across devices (admx.help)

4. Ensure ‘Notify Unsafe App’ is set to ‘Enabled’

Another setting disabled by default. Instead of explaining, I’ll just quote directly from the Group Policy setting:

This policy setting determines whether Enhanced Phishing Protection in Microsoft Defender SmartScreen warns your users if they type their work or school passwords in Notepad, Winword, or M365 Office apps like OneNote, Word, Excel, etc.

If you enable this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen warns your users if they store their password in text editor apps.

If you disable or don’t configure this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen will not warn users if they store their password in text editor apps.

This one sounds pretty reasonable right? If a user types their password into a program being monitored by Enhanced Phishing Protection, it’ll pop up and tell you:

Note that with my testing, this doesn’t apply to Microsoft Edge, nor does it apply if you paste your password, it has to be typed – but still a pretty good user reminder on something they shouldn’t be doing!

Interestingly I couldn’t find the registry value on GetADMX but the ‘Notify Unsafe App’ setting is available in Group Policy, and in Intune – create a Settings catalog policy, and use the settings listed under the category SmartScreen > Enhanced Phishing Protection: Notify Unsafe App. Further information here: https://learn.microsoft.com/en-us/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection?tabs=intune

Also worth calling out checking out the other Enhanced Phishing Protection settings at the same time: Automatic Data Collection, Service Enabled, Notify Malicious. Notify Password Reuse.

5. Ensure ‘Turn off toast notifications on the lock screen (User)’ is set to ‘Enabled’

This final one is pretty obvious. When a PC is locked, you don’t want notifications popping up that may contain sensitive information and be visible by anyone that can see the screen. This is a feature that I don’t think should even exist… but it does and it’s on by default. You want to enable the setting to disable the feature (yes this is a dig at the inconsistent state of settings and enabling/disabling!).

Easily done via Turn off toast notifications on the lock screen (admx.help) or enable the Turn off toast notifications on the lock screen via Intune via a Configuration Profile. A full guide is available here: Disable Toast Notifications From Lock Screen Using Intune HTMD Blog (anoopcnair.com)


That’s it for the list – as always I hope you found it interesting and love hearing any feedback (including constructive criticism), and hope it helps people out there to always be thinking security.