Starting with Windows 365

Welcome to the blog series around Windows 365. During the series I want to provide you with the necessary information and installation steps to build and configure Windows 365 services. This first post is meant to provide you with some basic information around the Windows 365 services.

What is Windows 365?

Stating the Microsoft documentation:
Windows 365 is a cloud-based service that automatically creates a new type of Windows virtual machine (Cloud PCs) for your end users. Each Cloud PC is assigned to an individual user and is their dedicated Windows device. Windows 365 provides the productivity, security, and collaboration benefits of Microsoft 365.

Windows 365 provides user with a single dedicated virtual machine that users can remotely sign in to.

Windows 365 comes in two flavors: Enterprise and Business. Windows 365 Enterprise is aimed to companies who are already invested in Microsoft’s Endpoint Manager and using Endpoint Manager to deploy and manage their Windows 10/11 devices. This means that if you want to start using Windows 365 Enterprise you will also need a license that includes Intune.

Windows 365 Business is aimed to small companies (up to 300 seats) who just need a pc to work from. This means that a user just gets a cloud pc. You do not need an Intune license. But if you want to manage the device an Intune license is required. Windows 365 Business also does not support joining to a custom (Azure) Vnet. So, if you would like to connect your cloud pcs to your network so they can access a file server for example you won’t be able to do so.

Basically, it comes down to this. If you want to have a quick lightly managed device for your end users, you should go with Windows 365 Business. If you want to have more control, you should go with Windows 365 Enterprise. To see a full comparison, check out the docs from Microsoft Compare Windows 365 Business and Enterprise | Microsoft Learn

Azure virtual Desktop

But then there is also Azure Virtual Desktop, where does this fit in? Because you can also deliver one to one desktop using the AVD technology. AVD is the next step from Windows 365 Enterprise, and it would provide you with maximum flexibility when deploying desktop for your users. Both Windows 365 and AVD make use of some overlapping technology, so they may seem similar but there are major differences. One big difference is that Windows 365 does not support multi session and the billing of AVD is based on usage. Where Windows 365 is a single subscription per user.

Nerdio has created a nice overview

Windows 365 vs. Azure (Windows) Virtual Desktop | Nerdio (getnerdio.com)

Upcoming features

As Im writing these blog series, Microsoft Ignite is happening. This events always leads to new announcements and product updates. Also for Windows 365. Here are my favorite developments:

  • Windows 365 app – Microsoft Store on Windows. With Windows 365 app, you can access your Windows 365 Cloud PC from the taskbar or the Start menu, enjoying a full Windows 11 experience while moving between your local and Cloud PCs. Supported by all Windows 11 devices, the app delivers high-performing and reliable experiences optimized for Microsoft Teams and your other Microsoft 365 apps.
  • Single Sign on – To provide a seamless user experience while also reducing the risk of credential theft in your environment, we will soon be releasing single sign-on features as part of Windows 365. 

Read all the announcements here: What’s new in Windows 365: Microsoft Ignite 2022 edition – Microsoft Community Hub

Deploy Dropbox as a Win32 App with Intune

Package Dropbox as a Win32 app to deploy it using Microsoft’s Intune

Dropbox is a widely adopted platform to save and share your documents. Although Microsoft’s OneDrive may be the most logical choose when using Microsoft products there still are companies actively using Dropbox as their cloud file storage solution. In this blog I will share how to deploy the Dropbox client in your organization by using Intune. This is what you need:

On your PC create a new folder. The folder will contain three files: The Dropbox installer you downloaded and you create 2 additional files, an install.cmd and an uninstall.cmd file.

For the install.cmd you use the following lines:

@ECHO OFF
PUSHD "%~dp0"
"Dropbox 139.4.4896 Offline Installer.exe" /NOLAUNCH

You can validate the command by running the install.cmd as an admin.

For the uninstall.cmd file you use the following lines:

@ECHO OFF
"%PROGRAMFILES(x86)%\Dropbox\Client\DropboxUninstaller.exe" /S

Also on your machine take a look in the registry which version is installed. Apparently the version that the installer states is different than what is found in the registry. You can check the version in Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Dropbox\Client

Now that you have prepared the files its time to wrap them into a intunewin file.

  • Source folder: specify the files which contains your installation files
  • Setup file: is the Dropbox offline installer files
  • Output folder: a folder where you want to save the intunewin file. Choose a different location than your source folder
  • For catalog folder choose no

Now that you have prepared Dropbox its time to deploy it via Intune. Follow this link to get to Windows Applications  https://endpoint.microsoft.com/#blade/Microsoft_Intune_DeviceSettings/AppsWindowsMenu/windowsApps

Choose Add and for App type Windows app (Win32). For package file select your Dropbox intunewin file. Fill out the required app information and choose next.

At the second step for the install command enter install.cmd and for the uninstall command choose uninstall.cmd. The install behavior should be set to System.

At the requirements choose the system architecture and a minimal operating system version. The fourth step is the detection rules. For Rules format choose Manually configure detection rules:

  • Rule type: Registry
  • Key path: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Dropbox\Client
  • Value name: Version
  • Detection method: Version comparison
  • Operator: Equals
  • Value: 139.4.4896 ( or whatever value you installed)

Finally assign the application to a user or computer group, and wait for the installation to take place.

Hope this blog was helpful, if you have any questions feel free to post them in the comments.

Endpoint Manager and Windows Defender Application Control

HOW TO: Deploy Windows Defender Application Control with Microsoft Endpoint Manager

Windows 10 has a variety of security features build in. These features are not enabled by default, but if configured correctly they can significantly increase the security of the devices. The main advantage of Windows 10 Enterprise are the security features. These security features ‘harden’ the operating system. By hardening your OS, you protect yourself and the Enterprise against viruses, ransomware, and possible hackers. This blog series explains the different “Defender” functionalities that are available in Windows 10 Enterprise and how to configure them by using Microsofts Endpoint Manager (Intune).  

Microsoft always likes to rebrand their functionalities, and the name defender is now used generally for all the security features, not only covering Windows 10. You can think of Defender for Endpoint, Defender for Azure etc. This is also true for the functionalities of this blog series. Windows Defender Application Control is the new name for services which were once called Application Control Guard, or even Configurable Code Integrity (CCI).

This series touches upon the following subjects:

  1. Windows Defender Application Control
  2. Windows Defender Application Guard
  3. Windows Defender Credential Guard
  4. Windows Defender Device Guard

Prerequisites

  1. A physical test client with Windows 10
  2. Microsoft subscription with Endpoint Manager

Windows Defender Application Control

Simply stated: Windows Defender Application Control (WDAC) controls whether an application may or may not run on a Windows 10 device. If the application is trusted the application can run, otherwise the application is blocked. There is a lot more to it of course but in essence this is what is does. Some may remember AppLocker which was introduced in Windows 7 and it allowed organization to control which applications could run on a device. If stated like this the functionalities of AppLocker and WDAC are very alike, but WDAC takes it a lot further. Not only does WDAC now has the capability to also control drivers, it can also make use of Microsoft’s Intelligent Security Graph. By using the Intelligent Security Graph, you do not have to whitelist applications individually, but you automatically trust the application is Microsoft trusts the application. This will save you a lot of time maintaining the WDAC policies. Furthermore, you have the option to automatically approve applications that have been deployed by using software distribution solutions, such as Microsoft Endpoint Manger.

Securing your environment by building and maintaining WDAC policies or any other security solution will take time. The policies you create will change over time since applications and other software change. You should understand that this is not a one-time configuration, and this should be evaluated on a regular basis. Before you start implementing WDAC I would recommend to start by reading and understanding the documentation of Microsoft. Make sure that the requirements of your business needs are clear.

There are so many variables that go into designing this solution that it is impossible to cover all the steps. This series of articles should give you a basic understanding on how to use these security features to your advantage. What are the high level steps in this article:

  1. Create a baseline policy
  2. Update baseline policy
  3. Test a WDAC policy
  4. Deploy a WDAC Policy
  5. Monitor your WDAC Policy
  6. Enforcing WDAC policy

In this article we create a policy for a fully managed device. You can also create policies for lightly managed devices. The difference between the two is that with fully managed devices all the software installed on the device is managed by IT and users cannot install any applications. On lightly managed devices users can install applications. If you are planning to start with WDAC it is recommended to start by treating your devices as if they are lightly managed. After that slowly build up the security around the device until they are “fully managed”.

1.      Create a baseline policy

You start with a baseline. Creating a baseline policy depends on what type of device you are using. Each type of device has its own drivers and specifications, depending on the manufacturer of the device. So, it is important to capture baseline policies for each type of device. If you have multiple types of devices you can use each baseline for the specific device type, or you can merge the baseline into one baseline policy which you can then use for all of them. Microsoft has provided some example policies in C:\Windows\schemas\CodeIntegrity\ExamplePolicies. For this article we start from scratch.

Take a Windows 10 device which is as clean as possible to start the inventorying phase. To start use the following PowerShell command. This command will scan the entire device and creates a baseline XML. This will take some time to complete.

$CIPolicyXML = "C:\temp\WDAC_Policy_DellLatitude5500.xml" 
New-CIPolicy -MultiplePolicyFormat -filePath $CIPolicyXML -ScanPath C: -level FilePublisher -UserPEs -Fallback Hash 

Powershell Explained:

-MultiplePolicyFormatYou can add the -MultiplePolicyFormat parameter when creating policies which will be deployed to computers which are running Windows build 1903+.
-filePathWhere to save the xml
-ScanPath C:What directory do you want to scan
-level FilePublisherSpecifies the primary level of detail for generated rules
-UserPEsCommand scans for user-mode executables (applications) along with kernel-mode binaries such as drivers and creates rules at the Publisher level.
-Fallback HashTo catch any applications not discovered using the primary file rule level specified by the -Level parameter

2. Update baseline policy

Scanning your device will take a considerable time. When the scanning is complete you can add extra rules to the XML file. Understand WDAC policy rules and file rules (Windows 10) – Windows security | Microsoft Docs

  • Option 13 is used so that applications installed by a software distribution solution are automatically allowed.
  • Option 14 enables the use of the Microsoft Intelligent Security Graph so that well known applications are automatically approved.
  • Option 16, so no reboot is required when applying WDAC policies.
  • Option 17, so you can combine policies.
  • Activating Hardware Virtualized Code Integrity and set it to enabled. To be used with care, some applications and drivers are incompatible with HVCI and can cause software malfunction and blue screens.
Set-RuleOption -FilePath $CIPolicyfileXML -Option 13
Set-RuleOption -FilePath $CIPolicyfileXML -Option 14
Set-RuleOption -FilePath $CIPolicyfileXML -Option 16
Set-RuleOption -FilePath $CIPolicyfileXML -Option 17
Set-HVCIOptions -Enabled -FilePath $ CIPolicyXML

3. Test a WDAC policy

When your XML has finished building you can convert the XML to a CIP file. First open the XML file and copy the <PolicyID> , this can be found at the bottom of the XML file and looks something like {DF4B2E6F-F05F-4D3C-AE70-000F6CCD445C}. The name of the CIP file must match the Policy GUID. To create a CIP file run:

ConvertFrom-CIPolicy -XmlFilePath $CIPolicyXML -BinaryFilePath “C:\temp\{DF4B2E6F-F05F-4D3C-AE70-000F6CCD445C}.cip”

The CIP file is now ready to be tested. Copy the CIP file to C:\Windows\System32\CodeIntegrity\CIPolicies\Active and reboot the machine.

The WDAC policy was created  in audit mode, meaning that no applications will be blocked. However, the event log will show if an application would have been blocked if the policy were being enforced. In the Event Viewer under Applications and Services Logs > Microsoft > Windows > Code Integrity > Operational you will see all the warnings. Make sure to run different application and check the event viewer for warnings and errors.

4. Deploy WDAC policy – pilot

Before this section explains how to deploy WDAC policies with Endpoint Manager, a little side step. I was preparing this blog by reading documentation and trying to the deploy the WDAC policy in my lab. I’ve followed the documentation from Microsoft Deploy Windows Defender Application Control (WDAC) policies by using Microsoft Intune (Windows 10) – Windows security | Microsoft Docs. Everything went fine until I was not able to upload the bin file that was created. Every time I tried to create the policy I received the error: Unable to save due to invalid data. Update your data then try again: Exception has been thrown by the target of an invocation. After a while I found this article stating that OMA-URI policies with payload over 350k bytes were no longer supported Support Tip: Custom OMA-URI’s not always applying to Windows 10 Devices – Microsoft Tech Community . Well the payload for a WDAC policy is way bigger then 350k bytes so that would explain why I wasn’t able to add the policy. Even by stripping a WDAC policy to its bear minimum it would still be bigger than 350k bytes… I’m hoping this will be resolved in the future, so I will leave the original procedure in place, but also provide an alternative method to deploy the WDAC policy.

Original method

You have created a baseline policy and tested the policy on a device. Ideally you want to test the policy on multiple devices which are being used by multiple people within your organization. Running a pilot will better determine if your baseline policy fits the business needs. So, its time to deploy the policy to several devices by using Configuration Manager.

To deploy the policy with Endpoint manager the policy first must be converted to a bin file.

ConvertFrom-CIPolicy -XmlFilePath $CIPolicyXML -BinaryFilePath “C:\temp\{DF4B2E6F-F05F-4D3C-AE70-000F6CCD445C}.bin”
  • In Endpoint Manager go to Configuration Profiles and add a new policy. For platform select Windows 10 and later for profile select Custom.
  • Give your policy a name, and go to the next step
  • In configuration settings Add a new OMA-URI setting
    • Provide a clear name
    • OMA-URI is ./Vendor/MSFT/ApplicationControl/Policies/<POLICYID> /Policy. Here you replace <POLICYID> with the value of the policy ID without the brackets
    • For Data type select Base64 (file) and upload the bin file
  • Assign the deployment to a group with test devices / users

Alternative Method

For the alternative distribution method, we are going to use the IntuneWinAppUtil.exe utility from Microsoft. The goal is to copy the CIP file to C:\Windows\System32\CodeIntegrity\CIPolicies\Active folder. However this brings on a new problem, because in order to copy something in that directory you need administrative permissions. Even though the account installing the application should have this permissions, it is not permitted to copy files to that location. Or I haven’t found a good way of doing this, if you know the solution please let me know because I haven’t found a better way. I did however found one way of completing this and it seems a little bit devious, but if it works it works. It involves creating a scheduled task which then copies the files to the right location.. In order to make it work all the necessary information is wrapped into a Win32 Intune package to deploy it to the device. The tool for doing this will also be used for the monitoring agent later on in this blog. To learn and read more about this packaging method check out my previous blog.

To start create a folder containing the following:

-Your CIP file
– A Powershell script to Deploy the CIPolicy  (Deploy-CIP.ps1 Adjust the script to match your CIPolicy id.)


#Create CIP directory
New-Item -Path "c:\" -Name "CIP" -ItemType "directory"

#Start logging
$logfile = 'c:\CIP\CopyCIPolicy.txt'
Start-Transcript $logfile -force

#Copy items to CIP directory
Copy-Item -Path ".\{DF4B2E6F-F05F-4C3D-AE70-000F6CCD445C}.cip" -Destination "C:\CIP" -Force
Copy-Item -Path ".\Copy-CIP.ps1" -Destination "C:\CIP" -Force

#Create scheduled task
$Time = New-ScheduledTaskTrigger -Once -At 12:00
$User = "SYSTEM"
$Action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-ExecutionPolicy Bypass -file `"C:\CIP\Copy-CIP.ps1`""
Register-ScheduledTask -TaskName "CopyCIPolicy" -Trigger $Time -User $User -Action $Action -Force
Start-ScheduledTask -TaskName "CopyCIPolicy"

Stop-Transcript

#Exit code
Return 0

– A Powershell script to Copy the CIPolicy  (Copy-CIP.ps1 Adjust the script to match your CIPolicy id.)

Copy-Item -Path "C:\CIP\{DF4B2E6F-F05F-4C3D-AE70-000F6CCD445C}.cip" -Destination "C:\Windows\System32\CodeIntegrity\CiPolicies\Active" -Force

– A Powershell script to remove the CIPolicy (Remove-CIP.ps1 Adjust the script to match your CIPolicy id

#Cleaning up resources

Stop-ScheduledTask -TaskName "CopyCIPolicy"
Unregister-ScheduledTask -TaskName "CopyCIPolicy" -Confirm:$false
Remove-Item -Path "c:\CIP" -Recurse -Force 

#remove policy from C:\Windows\System32\CodeIntegrity\CiPolicies\Active

Remove-Item -Path "C:\Windows\System32\CodeIntegrity\CiPolicies\Active\{DF4B2E6F-F05F-4C3D-AE70-000F6CCD445C}.cip" -Force


#Exit code
Return 0
  • Run the IntuneWinAppUtil.exe and specify:
    • The source folder location
    • The setup file, which is Deploy-CiPolicy.ps1
    • Output folder
    • You do not need a catalog folder

To deploy the application use endpoint.microsoft.com:

  • Add and new Windows app (Win32)
  • Fill in the app information
  • For the install command use powershell.exe -ExecutionPolicy Bypass .\Deploy-CIP.ps1
  • For the uninstall use powershell.exe -ExecutionPolicy Bypass .\Remove-CIP.ps1
  • Run as system
  • Specify your requirements
  • For Detection rules make use of a File manually detection rule. Here you can use C:\Windows\system32\CodeIntegrity\CiPolicies\Active and for File use {DF4B2E6F-F05F-4C3D-AE70-000F6CCD445C}.cip (change the name to your CIP policy), detection method File or folder exists

5. Monitor your WDAC Policy

As mentioned previously in this blog you can view the Event Viewer to check if applications are blocked. In larger deployments this is not really practical to check each individually device for events.  Ideally you want to have a central location for all the Event logs. For this you can use a Log Analytics Workspace.

To create a Log Analytics Workspace follow these steps Create a Log Analytics workspace in the Azure portal – Azure Monitor | Microsoft Docs. Then open the workspace and select Advanced Settings and Data. Search for Microsoft-Windows-CodeIntegrity and add both, also add Operations Manager. Do not forget to save the configuration.

After you have a Workspace enable logging in endpoint.microsoft.com by going to Reports and selecting Diagnostics settings. Select Add diagnostic setting. Select all the different log types and for destination details select Send to Log Analytics Workspace and select your subscription and Workspace.

Enable logging Endpoint Manager

Go back to the Analytics Workspace and now go to Agents Management. Here you can download the log agent and make sure to note the Workspace ID and the Primary key.

The downloaded Analytics agents needs to be repackaged using the IntuneWinAppUtil.exe. Check out my previous blog for more in-depth information.  The first step is to extract the contents of the AnalyticsAgent.exe.

  • Place the downloaded MMASetup-AMD64.exe into a folder
  • Run .\ MMASetup-AMD64.exe /c and specify a folder location on where to put the extracted data.
  • Run the IntuneWinAppUtil.exe and specify:
    • The source folder location
    • The setup file, which is setup.exe
    • Output folder
    • You do not need a catalog folder
  • You now have the monitoring app packaged into the Intune format

To deploy the application use endpoint.microsoft.com:

  • Add and new Windows app (Win32)
  • Fill in the app information
  • For the install command use setup.exe /qn NOAPM=0 ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_ID=”<WORKSPACEID>” OPINSIGHTS_WORKSPACE_KEY=”<PRIMARYKEY>” OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0   AcceptEndUserLicenseAgreement=1″
    You need the Workspace ID and the Primary key from your workspace. View the reference in the docs Install Log Analytics agent on Windows computers – Azure Monitor | Microsoft Docs
  • SPecify your requirements
  • For Detection rules make use of a Registry manually detection rule. Here you can use Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HealthService\Parameters\Management Groups\AOI-<WORKSPACEID> where you change WORKSPACEID to your Workspace ID
  • Assign your application to a group

After the deployment is finished the Monitor Agent starts uploading Event logs to the Workspace. To view the Event Logs open the Workspace and select Logs. Here you can enter Query based on Kusto Query Language to search the Event Viewer logs. For example you can use the following query to display all the logs with a Warning or Error in the Code Integrity Events category.

Event
| where Source == "Microsoft-Windows-CodeIntegrity"
| where EventLevelName == "Warning" or EventLevelName == "Error"
| project TimeGenerated, Computer, RenderedDescription
| sort by TimeGenerated desc 

6. No more testing, time for enforced mode

When your done with testing and you have validated everything to work as expected it is time to turn on the enforced mode. To enforce the policy option 3 is removed from the XML which is the configuration for audit mode.

$CIPolicyXML = "C:\temp\WDAC_Policy_DellLatitude5500.xml"
Set-RuleOption -FilePath $CIPolicyXML -Delete -Option 3

After the audit mode is removed repackage the XML to a CIP for local testing or to a bin file if you deploy the policy with Endpoint Manager.  

Windows Virtual Desktop Management Tools

Windows Virtual Desktop is probably one of the most anticipated new products of Microsoft. If you haven’t heard from it, I would suggest that you start catching up ;). With the announcement of Scott Manchester GA (General Availability) just became a little bit closer.

There are plenty of blogs about how to set up a WVD tenant and sessions hosts, so I don’ want to go into detail on how to set it up. But if you have set up a WVD tenant you must have noted the lack of management tools. Or actually the absents of management tools, you can’t even find WVD in the Azure portal. Everything is managed with PowerShell, which can be a bit challenging. Microsoft did provide some management options for you but you will have to deploy them manually. They also require you to have an App service plan, which of course will cost you money, but you won’t have to use PowerShell for you management. Nevertheless I hope Microsoft will include these managements functionalities in the Azure Portal, but for now this is your best option.

WVD Management UX

The first management tool I would like to share is the WVD Management UX. The Managment UX helps you to preform basic management tasks. In here you can:

  • Create a New Host Pool
  • Add New Hosts to a Host Pool
  • Allow or block new connections to a host.(If you would like to drain the server for maintenance)
  • Create App groups. You can create App groups for Desktops or you can create App groups for RemoteApp
  • Assign permissions to App groups

Even though this may seem somewhat limited there are some extra functions you can use. However, these basic management tasks will help you a lot in doing day to day management for WVD.

WVD Management UX

If you want to use the WVD Management UX you can deploy it via the Github repository from Microsoft. The deployment will create an App service plan S1-Standard which will cost you around 70 euro/dollar each month.

WVD Diagnostics Tool

The second tool Microsoft has provided is the Diagnostics tool and it has just been released. With the introduction of WVD Microsoft also introduced some new RDS roles. We all know the Connections broker, Gateway, Session Hosts and we all know it was very hard to troubleshoot failing connections. Therefore Microsoft introduced the new Diagnotics role, which is also fully managed by Microsoft.

New Diagnostics role in WVD

Starting with the preview it was only possible to view the diagnostics using PowerShell, luckily Microsoft has made an App so you can troubleshoot using your browser. With the new Diagnostics app you can do the following:

  • Look up diagnostic activities (management, connection, or feed) for a single user over a period of one week.
  • Gather session host information for connection activities from your Log Analytics workspace.
  • Review virtual machine (VM) performance details for a particular host.
  • See which users are signed in to the session host.
  • Send message to active users on a specific session host.
  • Sign users out of a session host.

Unfortunately these functions aren’t available in the Management UX, you’ll have to deploy another application with an new app service plan. Which will cost you 70 euro/dollar extra each month, plus the additional storage for the log files. The deployment is pretty straightforward, Microsoft will guide you through the steps.

Example of diagnostics logging
Example of VM diagnostics
Here you can log off users and send them messages.