I wanted to play with the Attack Simulator in the Office 365 Security & Compliance Admin Portal – but with the enabling MFA warning, none of the ‘Launch Attack’ buttons were available to use. I’ve already set up MFA via Conditional Access though, so why am I seeing this?
At a guess, I wondered if it was actually detecting if MFA was used to log in. It wasn’t because the request was coming from a trusted IP address, which I’d configured in my test tenant to make it a bit less painful.
My hunch was right, I signed in elsewhere, went through MFA and look, the buttons now work:
Bit of a misleading warning – your MFA rules might be completely fine, so try signing in with MFA first before going to the Simulate Attacks page.
Microsoft by default, are enabling a bunch of shopping options in Edge. As per the article above, there’ll be coupons that’ll pop up, detections when there might be the same item you’re looking at cheaper elsewhere, and tab page enhancements to add extra shopping info about items.
I can already hear some of you saying you don’t want this in your place of business, so to disable it you’ll need to find the ‘Shopping in Microsoft Edge Enabled‘ GPO, located under User Configuration > Policies > Administrative Templates > Microsoft Edge default settings (users can override) / Microsoft Edge:
If you’re missing this setting, make sure you update your ADMX files by downloading from here and updating your central repository.
It’s good that this is under both force disable, as well as disable but let a user turn it on if they want. It’s not good that it’s on by default.
If you’re on Edge, you may have noticed this already. Copying a URL link from Edge, then pasting it somewhere that supports HTML code results in this:
It’s another ‘on by default’ and although I can see certain use cases where this would be preferable, I’m fairly against changing the default copy/paste behavior that has been in place for decades.
If you copy a link and want to paste it as the link itself, you can use Ctrl + Shift + V instead of Ctrl + V … except right now, this doesn’t work in Office apps like Outlook or Word, and I’ve tested in both 2016 and 365.
Edge itself also has a new right click menu for pasting showing the options, but right click > mouse to menu, mouse to submenu, choose ‘Plain text’ is a bit clunky.
You can turn this off in the Edge settings, but again businesses and enterprises may not want this new feature in place, since some would more frequently be copying a link because they want the link itself, rather than a nice way to share it.
Again, Group Policy has a setting for this but this time it’s just a forced setting, rather than user changeable. If you want that, you’d need to deploy the registry setting as per the above article with a ‘apply once and don’t reapply’ option ticked.
The GPO is under User Configuration > Policies > Administrative Templates > Microsoft Edge > Configure the default paste format of URLs copied from Microsoft Edge, and determine if additional formats will be available to users
That’s a doozy of a name, and a doozy of a long dropdown menu with a ‘coming soon’ dropdown – none of these dropdowns actually match the description given.
I am a big fan of Edge, but it’s pretty obvious that the normal care that goes into updates just hasn’t happened in this instance. There’s already a fair bit of noise about this change, so who knows, maybe they’ll at least change the default behavior and not have it on?
This one actually sounds really useful and lets both users and admins modify and present different sets of data arounds news and the organisation.
It has to be enabled in the Microsoft 365 admin center, which it was already on for me:
But, I’m missing some of the options selected in my Australian tenant. I checked my U.S. tenant and I see different things:
I’m not actually seeing the My Feed in my Australian tenant’s accounts, so I’d be guessing it’s either a US only thing at this stage, or it’s still rolling out. A bit annoying that this isn’t mentioned in the ‘My Feed‘ article or the original article mentioning the features that are now out, so hopefully the rest of us get it soon!
Previously I’d already covered Synology’s Microsoft 365 Backup software which I was a big fan of, for simplicity of use and an incredibly cheap price point for a small to medium business as a Microsoft 365 data backup solution.
The support goes a long way back years wise, which is great to see. They have a comprehensive overview of this application and it’s abilities, but I’ll cover it all more briefly here while sharing my experience setting each type of backup up.
Installing the software on a Synology DiskStation is easily done via Package Center and a very quick activation process that requires a free Synology account:
After activating, you’ll immediately see the overview screen. At a glance, it gives a good idea on the sorts of things you can back up:
PC and Physical Server backups
Backing up a physical PC or Server is pretty easy, and the wizard takes you through the steps. Windows 7 SP1 and above is supported, as is Windows Server 2008 R2 and above, and needs the ‘Synology Active Backup for Business Agent’ installed. After a next, next finish, install, you’ll need to specify the IP/name of your DiskStation, and username/password:
After connecting and confirming the details, the PC is registered against Active Backup for Business, and the agent continues to run in the tray:
The agent will show when you last backed up, and if a backup is currently running:
No backups will run yet though, because we need to create a backup task back on Active Backup for Business. Again, a wizard will take you through this and let you choose what options you’d like for backup. I’m going to just back up everything, with the data compression and encryption options (which are default)
You then define when you want your backup to run – manually, or on a schedule:
I do quite like some of the options here – backup by event of screen locked or signing out is a nice way of making sure it doesn’t interrupt someone using the PC and slow things down while they’re actually working. Also having backup windows, so you can block out the working day if needed.
Next is the retention policy, a good way of reducing space taken – is there a difference between a backup 5 months ago vs 5 months and 1 day? Probably not, and very unlikely that you had something worth restoring on your PC only for 1 day.
At the end of the wizard and a summary screen, you have the option to back up now. I kicked this off, and the agent immediately showed the progress and events related to backing up.
This was a really easy and painless setup to back up a PC, but what about restoring? You can either create recovery media for a full restore, or you can use the Restore Portal to navigate through backups and pick what you’d like to restore:
The bottom time line lets you pick from what point in time you’d like to restore, with a dot showing each available time point.
Then, you can navigate through the disk you need, and go through the folders which match the file structure at the time of backup. Once you’re on the single file, multiple files or folder you want to restore, you can choose the “Restore” option to put the files back in their original location, or somewhere else, and decide if you want to automatically overwrite existing files or not.
Download however, will just download the file you selected like any other browser based download, or multiple files will come through as a single ZIP file.
File Server Backups
If you don’t want, or can’t have an agent on a file share, you can instead remotely back up via SMB or rsync:
After entering the remote server details:
It will verify they work, then let you set up a task:
The options are Multi-versioned, Mirroring and Incremental. They cover the different scenarios you might want to use – Multi-versions will take up the most space, where mirroring can only ever be as big as the source files, and incremental is half way between the two, without the versioning component:
You can then choose what to back up in the file share:
And then finish creating your task by giving it a name, telling where to backup the files to locally, and set a schedule.
The restore process is pretty much the same as PC / Physical Server, so I won’t go into detail on that part.
Both VMWare Hypervisor and Microsoft Hyper-V are supported Virtual Machine platforms. As I haven’t touched VMware for years, we’ll look at Hyper-V only. It’s worth noting that cross platform restores are supported – you can restore a Hyper-V VM to VMware vSphere too.
Creating a Hyper-V backup is again an easy process:
First, you’ll need to put in the Hyper-V Host details. If you’re trying to back up VMs on a Windows 10 laptop you have, there’s a few small requirements:
Set up WinRM by running ‘WinRM QuickConfig’ in an elevated command prompt. You’ll need to make sure none of your network connections are set to ‘Public’.
The Hyper-V Backup Task wizard will give you hints as to where you might be stuck, and at the end you’ll have your host listed:
The Hyper-V Virtual Machines will then be automatically detected and listed, but they’re not configured for backup yet – we need another task. Clicking ‘Create Task’ will start by asking you where you want your backups:
Then you can choose the Hyper-V VMs to back up:
One selecting, we have several settings we can configure:
The default options are shown.
Maximum quantity of concurrent backup device(s) can be up to 10.
Enable Changed Block Tracking – Only transfer blocks that have changed since the last backup, rather than all blocks to reduce backup times drastically.
Enable application-aware backup – Use Volume Shadow Copy to ensure consistency with backups
Enable data transfer compression – Suggested for slow networks to improve transfer rates
Enable data transfer encryption – Self explanatory :)
Enable source datastore usage detection – to prevent running out of space
Enable backup verification – Checks the backup when complete
Once you’ve selected the options you want, you’ll see the familiar Schedule Backup Task window, retention policies etc:
I always prefer an agentless backup where possible, so it was good to see no agent was required to backup Hyper-V VMs.
Backing up a Windows Server 2019 VM was rather quick – especially since the laptop hosting the VM was connected via Wifi.
Restoring is again pretty simple, you can navigate to the location of the backups and see a copy of the vhdx for each VM, with other files I expect keep other incremental change data:
The Restore Wizard starts by letting you pick witch platform you’re restoring to- Synolgoy Virtual Machine Manager gives extended options for management and recovery and is recommended for flexibility in production environments. For a lab, you should be able to get away without it:
Restore Type – Instant Restore and Full Virtual Machine Restore are the two choices:
You can then pick which VMs you want to restore and which restore points:
Restore Mode lets you choose if you’re replacing the current live VM, or restoring to a different location as a copy:
Finally, the summary screen with the option of automatically powering on the VM when complete.
Phew! That’s the runthrough of the backup types and restore options Active Backup for Business supports.
The dashboard gives a great ‘at a glance’ overview of everything going on, and we even have de-duplication of data! This is what it looks like with some real data in it, compared to the first screenshot of this post:
There’s a bunch of other first party Synology apps available too:
Plus third party apps:
And with solutions like Docker, you can use your Synolgoy to host many other solutions available in containers, and run them off this little black box.
I’ll say the same thing about Synology Active Backup for Business I did in my Synology Microsoft 365 Backup Review – this is pretty impressive for ‘free’. Yes, you have to buy the Synology DiskStation itself, and you’ll need disks, but that’s it. Even if you use it as a single nightly backup for having a local and quickly accessible restore point to provide as much business continuity as possible, it’s an entire solution at an incredibly cheap price point.
Because you can do both Microsoft 365 data AND Hyper-V VMs on this single device, it should be an option that any small to medium business should investigate. The interface is easy to use, the logs show detailed information about what’s going on – and even for a home business setup, it’s very much a set and forget event.
Earlier this year, Microsoft changed how voicemail worked for Skype for Business on-premises customers. There was little difference to end users when Unified Messaging changed to Cloud Voicemail, but it did break a few Auto Attendant options for those not in the cloud.
At the time I remember it being rather difficult to find out information on, and the good contacts I had at vendors also struggled to gather intel on how the change would go.
The Call Answer Rules section (Choose how you want your calls to be handled when they reach the voicemail service) lets you pick what happens when someone hears your voicemail, including the last option ‘Play greeting, then allow the caller to recording a message or transfer to the target user’. If you set this, you can then enter the number you want calls to go to if someone does press ‘0’ – such as Reception, or your mobile phone. The default setting is ‘Play greeting, then allow the caller to record a message’.
The Prompt Language section (Changing this setting will change the greeting prompt language) will change the language and accent of the greeting – so if you’d like them to sound Australian, you can choose that.
The Configure Out of Office greeting section (Customize an Out of Office greeting message, and choose to play it to callers all the time, based on your Outlook auto-reply status, or calendar OOF status) was the one I liked the most. It can sync with your mailbox to know when you’re Out of Office via your current Outlook status (either with an autoreply, or just in a meeting with the status ‘Out of Office’), and when true, give a different message to the caller saying you’re out of the office.
There’s also another option Text-to-Speech Customized Greeting Option (Customize your Text-to-speech greeting message) that lets you customise the generic Out of Office greeting to whatever you like. Although you can only type your greeting message, the text-to-speech works really well and sounds natural.
To me, this is great. I can set a generic ‘I’m out of the office, please call X on this number’ which only plays when I’m actually out of the office. If I’m not, then a caller will hear my standard greeting and can leave a message, instead of hassling co-workers. I don’t have to remember to set it or change it, it just applies if I do the right thing in my Outlook calendar.
If you’ve got Cloud Voicemail; which you should if you’re on Skype for Business, Skype for Business Online, or Microsoft Teams as your phone system, check it out and save yourself some time from changing your voicemail when you go on leave, or just have a meeting when you’re not around.
After upgrading to Windows 10 2004, I noticed an alert in Windows Defender. It was alerting that something needed to be turned on, and I wondered what as I needed to do this in Group Policy for the entire organisation.
Clicking the area around the ‘turn on’ button takes you to the App & browser control – containing another ‘Turn on’.
Go into the ‘Reputation-based protection settings’ link and there’s more info:
Aha! an option that’s not on – Block downloads. This is actually a Microsoft Edge setting which you can toggle, and will at the same time tick ‘Block downloads’:
I couldn’t find where this was set in Group Policy, so used Procmon to work out what was changing with that toggle. I ended up working out it was in the registery: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\SmartScreenPuaEnabled and setting the default value to 1:
Great, now I knew what was changing, I could work backwards. Using GPSearch I looked for “SmartScreenPuaEnabled” and came back with
Configure Microsoft Defender SmartScreen to block potentially unwanted apps – User Configuration\Administrative Templates\Microsoft Edge\SmartScreen settings\
I didn’t have this Group Policy setting, so checked I had the latest ADMX files loaded for Windows 10 2004 – which I did, and they include templates for the Chromium based Microsoft Edge.
What I then discovered (or remembered!) was that there were separate ADMX files to get for Microsoft Edge, updated with each release. Downloading and loading these into my central repository brought in the “Configure Microsoft Defender SmartScreen to block potentially unwanted apps” setting I wanted. Enabling that, running a gpupdate set the value to what I wanted, and cleared the Microsoft Defender alert.
Long story short – if you’re still using Group Policy like me, you may want to get into the habit of updating your ADMX files for Microsoft Edge more frequently than your Windows 10 builds – Microsoft releases major versions of Edge every 6 weeks.