Latest Event Updates

M365 Endpoint Insights – February 2023 edition


Hello community! I’m excited to announce the release of my #microsoft365 Endpoint Insights, February 2023 edition. This month’s release is packed with some pretty outstanding information, including an incredible 30-plus items about deployment, management, and virtualization!

Nick’s top 9 things to know include details about the new AI-powered #bing, big updates to #windows11, cloud-based LAPS for Windows, #microsoftintune troubleshooting, and more! Get your copy of the newsletter today at: M365 Endpoint Insights, February 2023


M365 Endpoint Insights – January 2023 edition


Are you tired and weary of that long, cold winter month of January? [That is, if you live in the northern hemisphere.] Well, I’ve got the cure for you… the latest digest of Microsoft 365 Endpoint Insights! How is this a cure, you may ask? OK, it probably isn’t, but go grab your copy and read it anyway!

Nick’s top 9 things to know for the month include highlights such as how Microsoft (internally) achieved a speedy upgrade to Win11 and uses Zero Trust, new episodes of Unpacking Endpoint Management, how to improve your identity management/security strategy, and more. Plus, lots of new upcoming learning opportunities that you will want to check out and get on the calendar.

M365 Endpoint Insights, January 2023

Presentations for MEMUG in 2022


Below are 3 of the 4 sessions that I presented at MEMUG in 2022!

Endpoint Protection Against Ransomware

January 2022

In this session, we’ll reflect on our 2021 sessions and then Nick Moseley will pick up where he left off, doing part two on how Microsoft solutions in endpoint protection can help in ransomware defense. As part of this demo-heavy presentation, you’ll get to experience:

  1. Feature comparison of Microsoft Defender for Endpoint (MDE) Plan 1 (P1) vs. Plan 2 (P2).
  2. Integration between Microsoft Endpoint Manager (MEM) and MDE for device security compliance.
  3. Using conditional access policies in Azure AD to allow or deny access to company resources based on the device state.

Replay at

Identity Protection and Zero Trust

February 2022

Continuing on the topic of zero trust of devices (as requested by others during the January 2022 session), Nick Moseley will showcase identity protection features in Azure AD and demo zero trust of risky users.

Replay at

Ask Nick Almost Anything!

September 2022

Have some guidance you want to share? Something you want to discuss but you’ve been too afraid to ask? Are you uncertain what this “new” Microsoft Entra is? Or how to configure endpoint security policies in Intune? Or what the difference is between Windows 365 and Azure Virtual Desktop, and how to choose between the two? Or how they’re all integrated and related to each other? Then come to a session to ask Nick Moseley any questions about Microsoft Entra (Azure AD), Intune, Defender endpoint security, Windows 365, and more! Just be prepared, he may ask you questions in return! Nick will also provide an overview of what’s new in Windows 11 2022 (aka 22H2).

Replay at:

M365 Endpoint Insights – December 2022


Announcing my final M365 Endpoint Insights digest for 2022! There are some good articles this month on topics such as building a strong identity foundation (and yes, endpoints have an identity too 😉), the top 5 endpoint management predictions for 2023, what’s new in AVD, Intune, and ConfigMgr, and Microsoft’s latest Cyber Signals report. And so. Much. More…

Get your copy today!

Adding users in bulk to Microsoft DLP and retention policies for Microsoft Teams


It is possible to perform a bulk addition of users to Microsoft DLP and retention policies for Microsoft Teams with PowerShell cmdlets. It’s actually pretty simple and straightforward, as you will see below.

A few tips:

  • This uses the Exchange Online Management V2 module – install the module before importing it. Install the EXO V2 module | Microsoft Docs
  • To install and connect to EXO, follow the top 2 commands outlined at Connect to Security & Compliance Center PowerShell using the EXO V2 module | Microsoft Docs.
  • My observation is that the cmdlets insert new records rather than overwriting the existing ones. Test this on a sample retention policy first! I recommend adding a second test user account immediately afterwards, so that you can confirm that the users are truly added to the existing list (i.e. the list is not overwritten with just that single user).
  • Remember to first connect using the Connect-IPPSSession cmdlet.

Two example commands to get you started:
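The following is an added example (not the post’s own commands) of the bulk addition described above, using the Security & Compliance cmdlets Set-RetentionCompliancePolicy and Set-DlpCompliancePolicy. It assumes the ExchangeOnlineManagement module is installed and Connect-IPPSSession has already been run; the policy names, the CSV path and the batch size are placeholders.

```powershell
# Added example (not the original post's commands).
# Assumes: ExchangeOnlineManagement module installed, Connect-IPPSSession already run
# with an account that can edit compliance policies.
# Placeholders: the two policy names, the CSV path and the batch size.

$RetentionPolicyName = 'Teams Chat Retention'            # placeholder: existing Teams retention policy
$DlpPolicyName       = 'Teams DLP'                       # placeholder: existing DLP policy with a Teams location
$UserListCsv         = 'C:\Temp\TeamsPolicyUsers.csv'    # placeholder: CSV with a 'UserPrincipalName' column
$BatchSize           = 100                               # placeholder: users per cmdlet call

# Load the user list, dropping blanks and duplicates before touching any policy.
$Users = @(Import-Csv -Path $UserListCsv |
    ForEach-Object { $_.UserPrincipalName.Trim() } |
    Where-Object { $_ } |
    Sort-Object -Unique)

# Record what the policies look like before the change, so the result can be compared.
$Before = Get-RetentionCompliancePolicy -Identity $RetentionPolicyName -DistributionDetail
Write-Host ("Teams chat locations before: {0}" -f @($Before.TeamsChatLocation).Count)

# Process the list in batches: a failure then affects one small batch, which is easy to retry.
for ($i = 0; $i -lt $Users.Count; $i += $BatchSize) {
    $Last  = [Math]::Min($i + $BatchSize, $Users.Count) - 1
    $Batch = $Users[$i..$Last]

    # Retention: Teams chats and Teams channel messages are separate locations.
    # The -Add* parameters append to the existing location list rather than replacing it.
    Set-RetentionCompliancePolicy -Identity $RetentionPolicyName -AddTeamsChatLocation $Batch

    # DLP: the Teams location on a DLP policy behaves the same way.
    Set-DlpCompliancePolicy -Identity $DlpPolicyName -AddTeamsLocation $Batch

    Write-Host ("Added {0} users (batch starting at index {1})" -f $Batch.Count, $i)
}

# Verify: -DistributionDetail returns the policy with its resolved locations.
$After = Get-RetentionCompliancePolicy -Identity $RetentionPolicyName -DistributionDetail
Write-Host ("Teams chat locations after: {0}" -f @($After.TeamsChatLocation).Count)
$After.TeamsChatLocation
```

Per the tip above, run this first with a CSV containing one test user, then again with a second test user, and check that the "after" count grows by one each time rather than resetting to one.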

Scoping Office 365 ATP Policies


Policies within Office 365 ATP can be applied (or scoped) in several ways, as in the screenshot below. By far the simplest method, and the most secure, is to protect the entire domain. But what if your organization doesn’t own the licensing to cover everyone in the domain? This post will walk through an example of how to set up and configure the policies to be scoped to a specific group, along with a couple of configuration best practices.

Aside from applying O365 ATP policies to all users of a domain, applying them to groups requires using an Exchange Online (EXO) distribution list (DL) or a Microsoft 365 group. The challenge with using either of these, as you might suspect, is that users can send/receive messages and/or collaborate in that shared DL/group. So we need to further limit and restrict the actions that users can take. My examples/process below will focus on using an M365 group.

  1. In Azure AD > Groups, create a new Microsoft 365 group. Create this group without any members, since we’ll need to make other changes and test before adding production users.

Second, we need to configure this group to limit interactions/notifications with users. Before running these commands, there are a couple of notes of great importance.

  • The latest preview version of the EXO module needs to be used.
  • To get these commands to function, it may be necessary to update [Windows 10] with the latest PackageManagement and PowerShellGet modules in order to have the latest Install-Module cmdlet, which supports newer parameters such as “AllowPrerelease”.
  • After updating PowerShellGet, restart the PowerShell/ISE app.

Install-Module -Name PackageManagement -Repository PSGallery -Force
Install-Module -Name PowerShellGet -Repository PSGallery -Force

  1. Install and import the Exchange Online PowerShell v2 module (if not already done). The abbreviated version of these instructions is as follows.

Install-Module -Name ExchangeOnlineManagement -RequiredVersion 2.0.3-Preview -AllowPrerelease
Import-Module -Name ExchangeOnlineManagement

  2. Connect to the Exchange Online instance (with an admin user).

  3. Configure the group to be hidden in Office clients and in the GAL.

Set-UnifiedGroup -Identity "Group Name" -HiddenFromExchangeClientsEnabled:$true

  4. Disable notifications to users about being added to the group (the parameter is UnifiedGroupWelcomeMessageEnabled).

Set-UnifiedGroup -Identity "Group Name" -UnifiedGroupWelcomeMessageEnabled:$false

Next, the group needs to be restricted so that it accepts messages only from a specific list of users.

  1. Update group settings in Exchange Online Admin Center > Recipients > Groups.

Finally, update the M365 group as follows:

  1. Update the group to use dynamic membership, with a single user, to test and confirm that the settings behave as desired.
  2. Update the group to use dynamic membership based on users assigned O365 ATP licenses.
  3. Scope the O365 ATP policies (Safe Links, Safe Attachments, etc.) to the new M365 group.
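The steps above, carried through end to end as an added example (not the post’s own commands): locking the group down so that it is only a scoping container, switching it to a dynamic membership rule, and binding Safe Links and Safe Attachments rules to it. It assumes the ExchangeOnlineManagement module and Connect-ExchangeOnline for the Exchange parts, the AzureAD module and Connect-AzureAD for the membership rule, and that the Safe Links and Safe Attachments policies already exist. The group name, sender address, policy names, test UPN and service plan ID are placeholders.

```powershell
# Added example (not the original post's commands).
# Assumes: Connect-ExchangeOnline already run (ExchangeOnlineManagement module) and
# Connect-AzureAD already run (AzureAD module) with suitable admin roles.
# Placeholders: every value in the block below.

$GroupName                = 'ATP-Protected-Users'            # placeholder: the M365 group created in Azure AD
$AllowedSender            = 'secops-admin@contoso.example'   # placeholder: the only mailbox allowed to post
$SafeLinksPolicyName      = 'Standard Safe Links'            # placeholder: existing Safe Links policy
$SafeAttachmentPolicyName = 'Standard Safe Attachments'      # placeholder: existing Safe Attachments policy
$TestUserUpn              = 'test.user@contoso.example'      # placeholder: single user for the first rule test
$AtpServicePlanId         = '00000000-0000-0000-0000-000000000000'  # placeholder: service plan ID of the ATP license

# --- Second: limit interactions and notifications ---------------------------------
# Splatting keeps the call readable and lets each setting carry its own comment.
$GroupSettings = @{
    Identity                               = $GroupName
    HiddenFromExchangeClientsEnabled       = $true          # hide from Outlook/Teams group lists
    HiddenFromAddressListsEnabled          = $true          # hide from the GAL
    UnifiedGroupWelcomeMessageEnabled      = $false         # no "you were added" mail to members
    RequireSenderAuthenticationEnabled     = $true          # reject mail from outside the organisation
    AcceptMessagesOnlyFromSendersOrMembers = $AllowedSender # reject everyone except the admin mailbox
}
Set-UnifiedGroup @GroupSettings

# --- Finally (1): dynamic membership with a single test user -----------------------
$Group = Get-AzureADMSGroup -SearchString $GroupName | Select-Object -First 1
Set-AzureADMSGroup -Id $Group.Id `
    -GroupTypes 'Unified', 'DynamicMembership' `
    -MembershipRule "(user.userPrincipalName -eq `"$TestUserUpn`")" `
    -MembershipRuleProcessingState 'On'

# --- Finally (2): once verified, switch the rule to "users holding the ATP service plan" ---
$LicenseRule = "(user.assignedPlans -any (assignedPlan.servicePlanId -eq `"$AtpServicePlanId`" " +
               "-and assignedPlan.capabilityStatus -eq `"Enabled`"))"
Set-AzureADMSGroup -Id $Group.Id -MembershipRule $LicenseRule -MembershipRuleProcessingState 'On'

# --- Finally (3): scope the ATP policies to the group ------------------------------
# A rule binds a policy to recipients; -SentToMemberOf takes the group's SMTP address.
$GroupAddress = (Get-UnifiedGroup -Identity $GroupName).PrimarySmtpAddress

New-SafeLinksRule -Name 'ATP-Group-SafeLinks' -SafeLinksPolicy $SafeLinksPolicyName `
    -SentToMemberOf $GroupAddress -Priority 0
New-SafeAttachmentRule -Name 'ATP-Group-SafeAttachments' -SafeAttachmentPolicy $SafeAttachmentPolicyName `
    -SentToMemberOf $GroupAddress -Priority 0

# --- Check: the group is locked down and the rules point at it ---------------------
Get-UnifiedGroup -Identity $GroupName |
    Format-List HiddenFromExchangeClientsEnabled, HiddenFromAddressListsEnabled,
                RequireSenderAuthenticationEnabled, AcceptMessagesOnlyFromSendersOrMembers
Get-SafeLinksRule      -Identity 'ATP-Group-SafeLinks'       | Format-List Name, SentToMemberOf, State
Get-SafeAttachmentRule -Identity 'ATP-Group-SafeAttachments' | Format-List Name, SentToMemberOf, State
```

Run the single-user rule first and confirm, with Get-AzureADMSGroupMember, that only the test user appears before switching to the license-based rule; membership evaluation is asynchronous, so allow a few minutes between steps.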

List guest users of Microsoft Teams


Imagine for a moment that your organization deployed Microsoft Teams throughout the business to advance user productivity, but the organization wasn’t quite ready to address the governance, security, or potential data exfiltration of Teams. That decision to postpone security and compliance may have occurred simply for lack of awareness of the risk, of the desire or resources to plan and implement, of knowledge of the technology to use, of the ability to use the technology (i.e. licenses), or even of the capability to reinforce the organizational stance.

Now imagine that your Teams deployment has reached thousands of users and their productivity is on the rise, which is great… but now you have found that there are also thousands of “guest” users in your Azure AD users list, who have likely been invited into Teams from within your company. Even guest users from the likes of Gmail, Yahoo, and the various Microsoft consumer domains.

The risk to data (exfiltration) and even to device and user identity security is much higher, and now you really need to address it. What can be done? Assuming that you have already identified that there are guest users in your organization via the Azure AD users list, you may want to further refine which of those guest users are part of a team within Microsoft Teams. To do that, use the following PowerShell script to grab this information. Note that this script relies on having installed the PS module for MicrosoftTeams (Install-Module MicrosoftTeams) and having logged in to Azure AD (Connect-MicrosoftTeams).

# Log in to Azure AD / Teams manually first (Connect-MicrosoftTeams)

# Define log file
$OutFile = "C:\TeamsGuestUsers.txt"

# Get a collection / array of all Teams
$AllTeams = Get-Team

# Process each Team
ForEach ($Team in $AllTeams) {
    # Do not process $Team if its GroupID is null
    If ($null -ne $Team.GroupID) {
        # Get all the Guest users of the Team
        $GuestUsers = Get-TeamUser -Role Guest -GroupID $Team.GroupID

        # If no guest users exist in the Team, skip logging
        If ($null -ne $GuestUsers) {
            # Log the Team and GroupID
            Write-Output ("Team: " + $Team.DisplayName + ", GroupID: " + $Team.GroupID) | Out-File $OutFile -Append
            # Log each guest user in the Team
            ForEach ($User in $GuestUsers) {
                Write-Output (" => Guest user: " + $User.User) | Out-File $OutFile -Append
            }
        }
    }
}

With this information, you can next develop your plan for guest access, including which domains to restrict or allow with Azure AD B2B controls. A good place to get started with your planning is:
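Because the B2B allow/deny decision is made per source domain, it helps to tally the guests by the domain they came from rather than by team. The following is an added example (not the post’s script) that goes one step beyond the listing above: it derives each guest’s source domain from the B2B user principal name, flags the consumer domains the post mentions, and produces a per-domain summary. It assumes the MicrosoftTeams module is installed and Connect-MicrosoftTeams has been run; the consumer-domain list and the output path are constructed placeholders.

```powershell
# Added example (not the original post's script).
# Assumes: MicrosoftTeams module installed and Connect-MicrosoftTeams already run.
# Placeholders: the consumer-domain list and the report path.

$ConsumerDomains = @('gmail.com', 'yahoo.com', 'outlook.com', 'hotmail.com', 'live.com')  # constructed list
$ReportCsv       = 'C:\TeamsGuestDomains.csv'                                             # placeholder path

# A B2B guest UPN looks like  jane.doe_gmail.com#EXT#@contoso.onmicrosoft.com ;
# the source domain sits between the last underscore and "#EXT#".
function Get-GuestSourceDomain {
    param([string]$UserPrincipalName)
    if ($UserPrincipalName -match '_([^_#]+)#EXT#@') {
        return $Matches[1].ToLower()
    }
    # Fallback for non-B2B formats: take whatever follows the "@".
    return ($UserPrincipalName -split '@')[-1].ToLower()
}

# One record per (team, guest) pair, mirroring the post's listing but as objects.
$GuestRecords = foreach ($Team in Get-Team) {
    if ($null -eq $Team.GroupId) { continue }
    foreach ($Guest in Get-TeamUser -GroupId $Team.GroupId -Role Guest) {
        $Domain = Get-GuestSourceDomain -UserPrincipalName $Guest.User
        [pscustomobject]@{
            Team     = $Team.DisplayName
            GroupId  = $Team.GroupId
            Guest    = $Guest.User
            Domain   = $Domain
            Consumer = ($ConsumerDomains -contains $Domain)
        }
    }
}

# Per-domain summary: distinct guests, how many teams they reach, and whether it is a consumer domain.
$Summary = $GuestRecords | Group-Object Domain | ForEach-Object {
    [pscustomobject]@{
        Domain   = $_.Name
        Guests   = @($_.Group.Guest | Sort-Object -Unique).Count
        Teams    = @($_.Group.Team  | Sort-Object -Unique).Count
        Consumer = ($ConsumerDomains -contains $_.Name)
    }
} | Sort-Object Guests -Descending

$Summary | Format-Table -AutoSize
$GuestRecords | Export-Csv -Path $ReportCsv -NoTypeInformation
```

The summary is what feeds the B2B collaboration allow/deny list: partner domains with many guests across many teams are candidates for an allow entry, while consumer domains that show up are the ones to weigh for a deny entry; the CSV keeps the team-level detail for follow-up with the teams’ owners.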

Windows 10 Endpoint Security Matrix


Microsoft has a good matrix and comparison chart of the security product features built in to Windows 10 Professional and Enterprise. Along with that matrix is a downloadable full comparison chart. What I really like about that full chart is that it compares Pro vs. Enterprise as a security function and capability, not just as a product name. Recently, I was asked if I could map the capability to the product name. As best as I could, below is the table I created which marries those two by mapping the functionality to the product. Minus the licensing portion (Pro vs. Enterprise E3 vs. Enterprise E5), that is.


Product feature(s) by capability (capability | product feature)

Attack Surface Reduction controls
Capability | Product feature(s)
Integrity enforcement of operating system boot-up process | System Guard
Integrity enforcement of sensitive operating system components | System Guard
Advanced vulnerability and zero-day exploit mitigations | Exploit Guard + WDAV
Reputation-based network protection for Microsoft Edge, Internet Explorer and Chrome | SmartScreen
Host-based firewall | Firewall
Ransomware mitigations | Exploit Guard + WDAV (with controlled folder access)
Hardware-based isolation for Microsoft Edge | Application Guard
Application control powered by the Intelligent Security Graph | Application Control
Device control (e.g. USB) | Exploit Guard (hypervisor code integrity), MDATP (additional security)
Network protection for web-based threats | Exploit Guard
Enterprise management of hardware-based isolation for Microsoft Edge | Application Guard (enterprise controls defined for internal/external sites)
Host intrusion prevention rules | Exploit Guard (HIPS)
Customizable allow/deny lists (e.g. IP/URL, files, certificates) | Exploit Guard (network protection) using MDATP
Device-based conditional access | MDATP integration with Intune device management
Centrally manageable tamper protection of operating system | MDATP

Next Generation Protection
Capability | Product feature(s)
Pre-execution emulation of executables and scripts | WDAV
Runtime behavior monitoring | WDAV
In-memory anomaly and behavior monitoring | WDAV + Exploit Guard
Machine learning and AI based protection from viruses and malware threats | WDAV
Cloud protection for fastest responses to new/unknown web-based threats | WDAV (block at first sight)
Protection from fileless attacks | WDAV + Exploit Guard
Advanced machine learning and AI based protection for apex-level viruses and malware threats | WDAV + MDATP
Advanced cloud protection that includes deep inspection and detonation | MDATP
Emergency outbreak protection from the Intelligent Security Graph | WDAV + MDATP
Monitoring, analytics and reporting for Next Generation Protection capabilities | WDAV + MDATP

Endpoint Detection and Response
Capability | Product feature(s)
Behavioral-based detection for advanced and targeted attacks (post-breach) | MDATP
Centralized security operations management with Windows Defender Security Center | MDATP
Rich investigation tools | MDATP
Forensic collection | MDATP
Response actions | MDATP
Advanced detonation service with deep file analysis | MDATP
Upload of Indicators of Compromise (IOC) for custom alerts | MDATP
Flexible hunting queries over historical data | MDATP
Custom alerts via powerful advanced hunting queries | MDATP
Discover and report SaaS app usage to MCAS | MDATP
Machine risk level to trigger conditional access | MDATP
Monitoring, analytics and reporting | MDATP

Automatic Investigation and Remediation
Capability | Product feature(s)
Automated alert investigations using Artificial Intelligence | MDATP
Automated remediation of advanced threats | MDATP
Monitoring, analytics and reporting | MDATP

Security Score
Capability | Product feature(s)
Assess and improve your organization’s security posture using Microsoft Secure Score for Windows | MDATP
Threat Analytics shows your organization’s exposure to threats | MDATP

Security Management
Capability | Product feature(s)
Monitoring, analytics and reporting | MDATP
Rich Power BI dashboards and reports | MDATP

Enterprise-grade Extensibility and Compliance
Capability | Product feature(s)
Integrated endpoint protection for 3rd party platforms (macOS, Linux, iOS, Android) | MDATP (note that Microsoft now has a client for macOS)
Open Graph APIs to integrate with your solutions | MDATP
Integration with Microsoft Advanced Threat Protection (ATP) products | MDATP
ISO 27001 compliance | MDATP
Geolocation and sovereignty of sample data | MDATP
Sample data retention policy | MDATP

Multi-Factor and Passwordless Authentication
Capability | Product feature(s)
Industry-standards-based multifactor authentication | Windows Hello for Business
Support for biometrics (facial and fingerprint) | Windows Hello for Business
Support for Microsoft Authenticator | Windows Hello for Business
Support for Microsoft-compatible security keys | Windows Hello for Business
Support for Active Directory and Azure Active Directory | Windows Hello for Business

Credential Protection
Capability | Product feature(s)
Hardware isolation of single sign-on tokens | Credential Guard
Centralized management, analytics, reporting, and operations | Credential Guard + MDATP

Full Volume Encryption
Capability | Product feature(s)
Automatic encryption on capable devices | Win10
Advanced encryption configuration options | BitLocker
Removable storage protection | BitLocker to Go
DirectAccess & Always On VPN device tunnel | Win10
Centralized configuration mgmt, analytics, reporting, and security operations | MBAM (standalone, SCCM, Intune, MEM) + MDATP

Data Loss Prevention
Capability | Product feature(s)
Personal and business data separation | Windows Information Protection
Application access control | Windows Information Protection
Copy and paste protection | Windows Information Protection
Removable storage protection | Windows Information Protection
Integration with Microsoft Information Protection | Windows Information Protection

Getting Help and Support for the Microsoft Store for Business


Are you looking to get some help and support with the Microsoft Store for Business? One route that you can go through is directly in the business store portal, just as seen in the image below.


Windows 10 News You Can Use – August 2019


Windows 10 news you can use, August 2019 edition
Insights into Windows 10 deployment & management, security & compliance, and productivity & accessibility.
Also see other news related to Windows 10.


Deployment & Management
  1. Evolving Windows 10 servicing and quality: the next steps. As part of our commitment to transparency, we are providing an overview of how we plan to further optimize the delivery of our next feature update. The next feature update for Windows 10 (known in the Windows Insider Program as 19H2) will be a scoped set of features for select performance improvements, enterprise features and quality enhancements.
  2. The next feature update for Windows 10 (internal code name: 19H2) will have a new update option that will be available to devices running Windows 10, version 1903. 19H2 will be a scoped release with a smaller set of enhancements focused primarily on select performance improvements, enterprise features, and quality enhancements. For commercial customers, read the article to understand the impacts.
  3. Windows Autopilot for existing devices now supports Hybrid Azure AD Join.
  4. Improving the Office app experience in virtual environments, including Windows 10 VDI and Windows Virtual Desktop.
  5. Use Desktop Analytics and machine learning to get current and stay current, now available in public preview. With Desktop Analytics, it’s easier to deploy with confidence and keep your PCs up to date with the latest Windows 10 capabilities your employees need.
  6. The blog for Windows Analytics has been retired. Visit the new Tech Community site for Desktop Analytics!
  7. Guide to try out Windows Autopilot white glove pre-provisioning with Windows 10, version 1903.
  8. MSIX Packaging Tool update – the July 2019 release includes popular customer asks, such as (1) support for apps that require restarts, (2) signing certification information as a global setting, and (3) setting the minimum version for converted apps to 1709 when you turn off enforce store versioning requirements.
  9. Getting started with FSLogix profile containers on Azure Files in Windows Virtual Desktop.
  10. Tactical considerations for creating Windows 10 deployment rings.
  11. Microsoft Intune is excited to announce the general availability of administrative templates support for Windows 10 device configuration profiles. This feature received wide adoption during the public preview because it helps Windows administrators use the settings they are familiar with in group policy editor when they transition to cloud-attached management.
  12. The Microsoft Mechanics team has published a series of video tutorials to show you how to prepare, deploy, and optimize Windows Virtual Desktop.
  13. Administrative Templates (.admx) for Windows 10 May 2019 Update (1903) now available.
  14. MSIX Labs and Training Videos – Now Available! The MSIX Training Labs contain a series of hands-on exercises geared at enabling people to become more familiar with different aspects of MSIX. From the MSIX packaging tool, to adding a package support framework, or just becoming familiar with some of the command line tools, the labs are a great place to get started for folks looking to learn more about MSIX.
  15. Upgrading Windows 10 devices with installation media different than the original OS install language. In this post, we will look at a scenario where a hypothetical multilingual organization wants to deploy Windows 10 to devices across multiple geographies in multiple languages. We’ll then outline the options that can be used to work around device install language issues and successfully deploy a Windows 10 feature update.
  16. Improvements for enterprises signing MSIX packages (Insider Preview). MSIX requires packages to be signed in order to be deployed. This helps us to offer integrity on the package being deployed and to ensure the contents being deployed are what was packaged by the developer or IT Pro. While this is great, some customers found it problematic acquiring certificates within their enterprise. An upcoming Windows release will improve the tooling to enable signing of MSIX packages from your Azure Active Directory tenant.
Security & Compliance
  1. Microsoft Defender ATP alert categories are now aligned with MITRE ATT&CK framework tactics.
  2. Delivering major enhancements in Windows Defender Application Control with the Windows 10 v1903.
  3. Dismantling a fileless campaign: Microsoft Defender ATP next-gen protection exposes Astaroth attack.
  4. Microsoft Intune is excited to announce general availability of Windows MDM Security Baselines. A new version of security baselines is also being released at the same time, identified as MDM Security Baseline for Spring 2019 Update (19H1). This is a new template that includes several new settings and some other updates.
  5. Upgrading Windows 10 devices with installation media different than the original OS install language. In this post, we will look at a scenario where a hypothetical multilingual organization wants to deploy Windows 10 to devices across multiple geographies in multiple languages. We’ll then outline the options that you can use to work around device install language issues and successfully deploy a Windows 10 feature update.
  6. Microsoft Defender ATP (MDATP) supports network connection monitoring from different levels of the operating system network stack. A challenging case is when the network uses a forward proxy as a gateway to the internet. The proxy acts as if it were the target endpoint. In these cases, simple network connection monitors will audit the connections with the proxy, which is correct but has lower investigation value. MDATP supports an advanced HTTP-level sensor. By enabling this sensor, MDATP will expose a new type of event that surfaces the real target domain names.
  7. Comprehensive protection for your credentials with Credential Guard and HVCI. The goal of Windows Defender Credential Guard is to make it incredibly difficult for malware to move laterally in an enterprise network and gain higher privileges. The theory is simple: prevent malware from stealing passwords, hopping boxes, and elevating privileges. An attacker is dead in the water if they can’t get credentials in the first place.
  8. Yet another step in building a world without passwords. Now announcing that you can go passwordless with the Public Preview of FIDO2 security keys support in Azure Active Directory. It means that you can now try out passwordless capabilities that allow you to roll out, at scale, FIDO2 security keys that will authenticate a user on a Windows 10 Azure AD joined device.
  9. Oftentimes, organizations require better control over their raw data. To answer this need, Microsoft Defender Advanced Threat Protection (MDATP) allows you to stream Advanced hunting events to Azure Event Hubs or to an Azure storage account. In this blog, I am going to demonstrate how to stream your Advanced hunting events to Azure storage account and set an Azure blob storage lifecycle rule to move old data to low-cost storage.
  10. Microsoft Defender ATP (MDATP) Evaluation lab is now available in public preview! The evaluation lab allows you to create up to three machines with a click of a button. Each machine is provisioned for you by Microsoft Defender ATP and is available for all your testing needs for three days. They’ll come with the latest and greatest Windows 10 installed, they’ll be onboarded to your environment, and configured with all the Microsoft security baseline settings in place in audit mode.
  11. Most machine learning models are trained on a mix of malicious and clean features. Attackers routinely try to throw these models off balance by stuffing clean features into malware. Monotonic models are resistant against adversarial attacks because they are trained differently: they only look for malicious features. The magic is this: Attackers can’t evade a monotonic model by adding clean features. To evade a monotonic model, an attacker would have to remove malicious features. One of the latest innovations in our protection technology is the addition of a class of hardened malware detection machine learning models called monotonic models to Microsoft Defender ATP‘s Antivirus.
  12. Protect your device from malware with Windows Sandbox. Have you ever downloaded a program from a website or opened an email attachment thinking it was from someone you know, only to find out it was infected with a virus? Such actions can wreak serious havoc. Windows Sandbox allows you to run a program or open a file while keeping it apart from your device—almost as if it were on a totally separate computer.
  13. Modern security teams need to proactively, efficiently, and effectively hunt for threats across multiple attack vectors. To address this need, we’re giving a glimpse of new capabilities coming soon to threat hunting technology currently available in Microsoft Defender Advanced Threat Protection (MDATP).
  14. How Windows Defender Antivirus integrates hardware-based system integrity for informed, extensive endpoint protection. Recently, the Microsoft Defender ATP (MDATP) research team found a malicious system driver enabling a token swap attack that could lead to privilege escalation. In this blog, we’ll share our analysis of the said attack and discuss how Windows Defender Antivirus uses its unique visibility into system behaviors to detect dangerous kernel threats.
  15. Microsoft Defender ATP (MDATP) includes a sandbox in each customer tenant to detonate files in a safe environment, and provides a rich and readable report of what the file can do – gain persistence, communicate with IP addresses, change the registry, etc. But in some cases you want to run such analyses in your own sandbox or do reverse engineering work; with MDATP you can now download and inspect any file found on your network.
Productivity & Accessibility
  1. Video (0:58) – It’s easy to forget what we were working on, especially when it was days or weeks ago. Timeline for Windows 10 PCs helps you jump back into something you were doing – like working on a document or browsing a website.
  2. Sync your settings in Windows 10 allows some of the common personalization preferences to be synced to the cloud and applied to any PC you sign in to with your Microsoft account. By letting Windows 10 sync your settings, you can have a more consistent experience no matter which device you happen to be using.
  3. Windows 10 Tip: Your Phone app gives you more to do with messages and photos.
  4. Video (1:52) – Microsoft is moving past old ideas of sound design and designing sound with all senses in mind. Recognizing the way sound moves us, emotionally and physically, we are taking a different path to designing for sound holistically.
  5. Thanks to the Windows 10 May 2019 Update, you’ll be able to take full advantage of the newest version of the Sticky Notes app. With this most recent version, you can sync and backup notes across your phone, laptop and desktop — all your devices.
  6. Video (2:17) – Windows 101: Four simple ways to switch between Windows apps.
  7. Video (0:43) – Introduction to Dictation in Windows 10. Use dictation to convert spoken words into text anywhere on your PC. Dictation uses speech recognition, which is built into Windows 10, so there’s nothing you need to download or install to use it.
  8. Video (2:04) – Making the mouse pointers easier to see. These new settings aren’t just for users with low vision, learn the different ways you can use these settings.
  9. Windows 10 Tip: The release of Emoji version 12.0 aims to better represent people with disabilities. You’ll now see mechanical limbs, sign language and hearing aids; as well as manual and motorized wheelchairs and two different versions of service animals.
  10. Capture and share videos with Game bar. Did you know that you could do more than just gaming? Videos are everywhere. We watch them for instruction and entertainment. With Windows 10, it has become super easy to take screenshots of your screen using the Snip & Sketch tool. But what if you want to record live video action? Game bar can do that too.
In other news related to Windows 10…