One of my favorite Microsoft Security Global Black Belts, Andrea Fisher, wrote a great post explaining what should be ingested into Microsoft Sentinel & why.

She’s got a table and some advice in the post below. Andrea has done 70+ Microsoft Sentinel engagements & you should probably heed her advice.

What is Microsoft Defender for Endpoint?

  • Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
  • Defender for Endpoint uses the following combination of technology built into Windows 10 and Microsoft’s robust cloud service:
    • Endpoint behavioral sensors
    • Cloud security analytics
    • Threat intelligence
    • Core Defender Vulnerability Management
    • Attack surface reduction
    • Next-generation protection
    • Endpoint detection and response
    • Automated investigation and remediation
    • Microsoft Secure Score for Devices
    • Microsoft Threat Experts
    • Centralized configuration and administration, APIs

More details:

Is there a solution for non-Microsoft platforms?

  • Microsoft Defender for Endpoint on macOS
  • Microsoft Defender for Endpoint on Linux
  • Microsoft Defender for Endpoint on Android
  • Microsoft Defender for Endpoint on iOS

More details: Microsoft Defender for Endpoint on other platforms:
Microsoft 365 Defender

With Microsoft 365 Defender, Defender for Endpoint and various other Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate, and automatically respond to sophisticated attacks.

Did you know? Azure AD Identity Protection has risk detections for both premium-licensed and non-premium-licensed users.

Azure AD Identity Protection identifies and reports suspicious actions related to user accounts in the directory, which contribute to the overall user risk score in the Risky Users report. The feature enables organizations to quickly see and respond to these suspicious actions.

The detection of risk can be classified into two levels, User and Sign-in, and can be calculated in Real-time or Offline mode. While certain risk types are exclusive to Azure AD Premium P2 customers, others are accessible to Free and Azure AD Premium P1 customers.

Sign-in risk refers to the likelihood that an authentication request was not authorized by the identity owner. User risk, by contrast, covers suspicious activity that is not associated with a specific malicious sign-in but with the user account as a whole.

You can review which risk detections are for the Free, Azure AD Premium P1 and Azure AD Premium P2 licensed users here:

Microsoft is a first-class leader in IaaS platform-native security, with Microsoft Defender cloud security solutions for virtually all IaaS workloads, such as:

  • Comprehensive Cloud Security Posture Management & Cloud Infrastructure Entitlement Management
  • World-class DDoS protection, and malware detection for blob storage, VMs, containers, etc.

Other lower-tier cloud providers lack most of these native IaaS security solutions for protecting assets in their clouds and generally rely on customers purchasing separately licensed 3rd-party security solutions; their positions on the Forrester Wave highlight this lack of attention to a critical area.

To download the Forrester Wave report on “Infrastructure-as-a-service Platform Native Security” (licensed for distribution):

We’ve published a request form for the Early Access Program for “Microsoft 365 Copilot”:

In March, we introduced the world to Microsoft 365 Copilot – your copilot for work. We’re excited to share the next step in our journey as we bring Copilot to more customers and introduce new capabilities. We’re also releasing new data and insights from our 2023 Work Trend Index on how work is changing in the era of AI.

Microsoft 365 Copilot Early Access Program
Since March, we’ve been testing Copilot with 20 enterprise customers, learning alongside companies like Chevron, Goodyear, General Motors and Dow. Their overwhelming feedback is that Copilot has the potential to revolutionize work. They point to how it is a game changer for meetings and is beginning to transform the way they create. And, they’ve identified areas where we can do more to help people adapt to this new way of working, like the need for more conversational, multi-turn interactions. As we bring Copilot to more customers, we’ll continue to rely on this kind of feedback to refine Copilot and help guide users as they adapt to this new way of working.

In addition to Microsoft 365 Copilot features previously announced, including Copilot for Word, Copilot for Excel, Copilot for PowerPoint, and others, we’re also announcing the following NEW capabilities:

Introducing new Microsoft 365 Copilot capabilities
When we introduced Copilot in March, we unveiled capabilities across the Microsoft 365 suite of apps that millions use every day to get work done. We’re not stopping there – we’re continuing to add new Copilot capabilities to bring AI to every part of the suite, enabling employees and organizations to unleash creativity, unlock productivity and uplevel skills.

· Copilot in Whiteboard will make Microsoft Teams meetings and brainstorms more creative and effective. Using natural language, you can ask Copilot to generate ideas, organize ideas into themes, create designs that bring ideas to life and summarize whiteboard content.

· By integrating DALL-E, OpenAI’s image generator, into PowerPoint, users will be able to ask Copilot to create custom images to support their content.

· Copilot in Outlook will offer coaching tips and suggestions on clarity, sentiment and tone to help users write more effective emails and communicate more confidently.

· Copilot in OneNote will use prompts to draft plans, generate ideas, create lists and organize information to help customers find what they need easily.

· Copilot in Loop helps your team stay in sync by quickly summarizing all the content on your Loop page to keep everyone aligned and able to collaborate effectively.

· Copilot in Viva Learning will use a natural language chat interface to help users create a personalized learning journey including designing upskilling paths, discovering relevant learning resources and scheduling time for assigned trainings.

Read more about how to request access here:


A few more announcements regarding integration support for the new Windows Local Administrator Password Solution (WLAPS):


One of Microsoft’s MVPs documented steps on how to create Data Collection Rules (DCRs) for Microsoft Sentinel that will collect LAPS events from your environment.


We’ve also announced Microsoft Intune support for the ability to manage and support Windows LAPS, bringing Microsoft’s admin password management solution to the cloud.

Posted by: kurtsh | May 7, 2023

BETA: Windows 365 Frontline

Does your organization have:

  • field workers
  • call centers
  • factory floor workers

…or folks who otherwise work on “rotation schedules”?

Wouldn’t it be cool if you could provide Cloud PC access for any 3 employees per license – like shift-workers & 3rd party contractors?

Windows 365 Frontline is a version of Windows 365 that helps organizations save costs by providing a single license to provision three Cloud PC virtual machines. For each Windows 365 Frontline license that you buy, you can provision three different Cloud PCs that can’t be used concurrently. Instead, each user receives a unique Cloud PC that they can use when the other two users on the same license aren’t signed into their Cloud PCs.

Windows 365 Frontline is designed specifically for workers who share computing resources and don’t require 24/7 dedicated Cloud PCs. It better supports organizations whose workforce is elastic and distributed, working across various devices. Frontline Cloud PCs can be helpful for users who are:

  • On a rotation schedule.
  • Working across time zones and regions.
  • Part-time workers.
  • Contingent staff.

The maximum number of active Windows 365 Frontline Cloud PCs in your organization is equal to the number of Windows 365 Frontline licenses that you’ve purchased. For example, if you purchase 10 licenses, 30 Cloud PCs will be provisioned. Ten of those Cloud PCs can be active at a given time. The licenses are managed automatically based on active sessions. When a user ends their session, the license is released for another user to start using their Cloud PC.

Windows 365 Frontline is in public preview.

Read more about Windows 365 Frontline here:

Are you supporting Windows 10 or 11 desktops?

Wouldn’t it be great to receive an email when a significant known issue in Windows comes up?  There’s a new way to get those notices proactively!

Today, we’re announcing the availability of a much-requested feature for IT administrators planning and deploying Windows feature and quality updates—email alerts! Starting today, you can get notified about Windows known issues documented in the Windows release health section of the Microsoft 365 admin center. This enables you to easily and quickly learn about issues related to Windows updates and make informed decisions about rolling out an update across your environment.

When you sign up, you’ll receive emails about new issues for the versions of the Windows operating system you support, as well as updates to known issues such as:

  • Changes in issue status
  • New workarounds
  • Issue resolution

This new feature is available to IT admins with a Windows or Microsoft 365 tenant, a subscription that provides access to Windows release health in the Microsoft 365 admin center, and an eligible admin role.

Read about how to sign up for these alerts here:

To get the most value from your Security solutions, you need to understand the business value of the different features they include to decide if, when, and how to go about turning them on. And when you’re ready to enable new features, you need clear guidance to make it happen.

This is why we recently published new Microsoft Security solution feature guides on Microsoft Defender for Office 365 and Defender for Endpoint. Each guide briefly highlights five key product features and the value they provide, then points directly to step-by-step enablement instructions. 

  • Microsoft Security solution feature guide:
    Microsoft Defender for Office 365

    Defender for Office 365 provides integrated threat protection for your email and collaboration tools. With this guide, you can learn about and enable:
      1. Incident and alert management
      2. Attack simulations and training campaigns
      3. Automated investigation and response triggers
      4. Scanning with Safe Links
      5. Attachment checks with Safe Attachments
  • Microsoft Security solution feature guide:
    Microsoft Defender for Endpoint

    Defender for Endpoint helps you rapidly stop attacks, scale security resources, and evolve defenses across your operating systems and network devices. The guide covers the following features and links to instructions so you can: 

      1. Define manual response actions
      2. Explore automated investigations
      3. Enable endpoint reporting and policy settings
      4. Engage in advanced threat hunting
      5. Choose either active or passive mode for antivirus

Check out the Microsoft Defender for Office 365 and Microsoft Defender for Endpoint solution feature guides to learn how you can get more value from Microsoft Security and take your first steps toward enabling more features today.   

Organizations are securing their workstations & servers by randomizing their Local Administrator account passwords & storing them in Azure AD using the new public preview of Microsoft’s “Windows Local Administrator Password Solution”.

Kaido Järvemets, a Microsoft MVP has written a blog about using Microsoft Sentinel to collect events from the new “Windows Local Administrator Password Solution”.

Windows Local Administrator Password Solution (LAPS) is a crucial security feature that helps organizations manage local administrator passwords for their domain-joined computers. In this blog post, we will explore how to create Data Collection Rules (DCRs) for Sentinel that will collect LAPS events from your environment.

Before you continue, read my previous blog posts:

Read the entire blog post here:
