Hi, we all have hybrid joined Windows devices. We always have problems with devices that need to transfer to a new user. What is the best practice to transfer a Windows laptop to a new user?
Thanks Chris. My company has several new laptops and I am actually following the steps you showed to do the Device Join. But these new laptops, they do not have the option to log in with company or school account, it only shows the personal account log in option. What should I do now?
Hi John and whoever is in the know, I will refrain from claiming expertise in Microsoft security technologies but do have some (20y+) security experience. I attended to a company which just moved many reasonably complex systems to Azure and deployed Defender and Sentinel. They engaged a Microsoft partner company which had done everything ‘rather quickly’… I looked at findings and proved that 80% of what Microsoft calls ‘incidents’ (while everyone else uses the term ‘security events’) were false positives. Nobody investigated anything at all. I failed to figure out what the remaining 20% was all about. The ‘partner company’ pointed me to the Microsoft website. Microsoft promised to send somebody in a month or so.. I don’t want to blame anybody except myself. So, what went wrong there? Is it possible to get it to work? If yes, then how?
It sounds like a combination of several issues might have contributed to the situation:

Rushed Deployment: Moving complex systems to Azure and deploying Defender and Sentinel quickly may have caused configuration issues. Security technologies like Microsoft Defender and Sentinel require careful tuning to match the specific environment, which takes time.

Lack of Tuning and Customization: Microsoft Sentinel and Defender come with default settings, which can often generate a high number of alerts. These "incidents" are typically based on predefined rules and might not account for the nuances of your environment. If the deployment was rushed, it’s likely that the security rules weren't properly tuned, leading to a high number of false positives.

No Incident Triage Process: Not having a process in place to investigate and triage alerts might have led to those incidents being neglected. Even if the tools work, human oversight is crucial to filtering out false positives and focusing on real threats.

Lack of Expertise in Investigation: If the partner company didn't have enough expertise or resources for detailed investigations, that might explain why they pointed you to general Microsoft documentation instead of offering tailored assistance.

Steps to Improve

Tuning Sentinel and Defender: You can significantly reduce false positives by tuning Sentinel’s analytics rules and creating custom detection rules that align with your environment. This involves:
    Reviewing Default Rules: Disable or modify rules that generate too many false positives.
    Threshold Adjustments: Adjust thresholds or conditions for specific detection rules.
    Adding Whitelists: Set up exclusions for known and trusted traffic or behaviors to avoid redundant alerts.
    Machine Learning & User Behavior Analytics: Use more advanced features in Defender and Sentinel to adapt to typical behaviors and detect true anomalies.

Incident Response Playbooks: Implement automatic playbooks for handling certain types of incidents. For example, if a certain pattern of behavior is always a false positive, you can automate a response to mark it as such and focus on higher-priority alerts.

Train or Involve Your Security Team: A well-trained internal security team should manage the investigation of the remaining 20% of alerts. They will need access to detailed log data and will need to know how to use the tools.

Leverage Microsoft’s Security Experts: Since Microsoft has promised assistance, work with them to conduct a proper assessment of your configuration and guide you through improving the alerting system. Their experience in tuning Sentinel for specific environments can be valuable.

Engage a Better-Qualified Partner: If you feel the current partner didn't provide adequate support, it might be worth engaging another partner with proven expertise in Sentinel/Defender and Azure security best practices.

The key to success is ongoing tuning, automation, and having a dedicated team to analyze incidents. With proper configuration, both Defender and Sentinel can become effective tools in identifying and responding to real threats.
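The reply above says to start tuning with the rules that generate the most false positives. The script below is an added example, not John's code or anything from Microsoft: it takes an incident export and ranks each analytics rule by the share of its closed incidents that analysts classified as FalsePositive, and separately counts incidents nobody has triaged yet (the "nobody investigated anything" problem). The JSON sample is constructed, and its field names (RuleName, Status, Classification) are an assumption; a real Sentinel export will need the property names mapped. The classification values themselves (TruePositive, BenignPositive, FalsePositive) are the ones Sentinel uses when an incident is closed.

```powershell
# Added example (not from the reply above): rank Sentinel analytics rules by false-positive
# rate so tuning effort goes to the noisiest rules first, and surface the untriaged backlog.
# The incident list below is constructed; field names are an assumption about the export format.
$sampleIncidentJson = @'
[
  { "IncidentNumber": 101, "RuleName": "Mass download by a single user", "Status": "Closed", "Classification": "FalsePositive" },
  { "IncidentNumber": 102, "RuleName": "Mass download by a single user", "Status": "Closed", "Classification": "FalsePositive" },
  { "IncidentNumber": 103, "RuleName": "Mass download by a single user", "Status": "Closed", "Classification": "BenignPositive" },
  { "IncidentNumber": 104, "RuleName": "Mass download by a single user", "Status": "New",    "Classification": "" },
  { "IncidentNumber": 105, "RuleName": "Password spray attempt",         "Status": "Closed", "Classification": "TruePositive" },
  { "IncidentNumber": 106, "RuleName": "Password spray attempt",         "Status": "Closed", "Classification": "FalsePositive" },
  { "IncidentNumber": 107, "RuleName": "Password spray attempt",         "Status": "New",    "Classification": "" },
  { "IncidentNumber": 108, "RuleName": "Rare RDP connection",            "Status": "New",    "Classification": "" },
  { "IncidentNumber": 109, "RuleName": "Rare RDP connection",            "Status": "New",    "Classification": "" }
]
'@

function Get-RuleTuningReport {
    param(
        [Parameter(Mandatory)] [object[]] $Incidents,
        # Rules whose closed incidents are at least this often FalsePositive get flagged for tuning.
        [double] $FalsePositiveThreshold = 0.5
    )
    foreach ($group in ($Incidents | Group-Object -Property RuleName)) {
        $closed = @($group.Group | Where-Object { $_.Status -eq 'Closed' })
        $fp     = @($closed | Where-Object { $_.Classification -eq 'FalsePositive' })
        $open   = @($group.Group | Where-Object { $_.Status -ne 'Closed' })

        # Only closed incidents carry a classification, so the rate is computed over those.
        $fpRate = if ($closed.Count -gt 0) { [math]::Round($fp.Count / $closed.Count, 2) } else { $null }

        if ($null -eq $fpRate) {
            $recommendation = 'Triage first: nothing from this rule has been classified yet'
        } elseif ($fpRate -ge $FalsePositiveThreshold) {
            $recommendation = 'Tune: raise the threshold or add an exclusion for the benign pattern'
        } else {
            $recommendation = 'Keep: rule is producing real findings'
        }

        [pscustomobject]@{
            RuleName          = $group.Name
            Incidents         = $group.Count
            Untriaged         = $open.Count
            FalsePositiveRate = $fpRate
            Recommendation    = $recommendation
        }
    }
}

$incidents = $sampleIncidentJson | ConvertFrom-Json
Get-RuleTuningReport -Incidents $incidents |
    Sort-Object -Property FalsePositiveRate -Descending |
    Format-Table -AutoSize
```

On the constructed sample, the mass-download rule comes out at a 0.67 false-positive rate and is flagged for tuning, the password-spray rule at 0.5 sits on the threshold, and the RDP rule has no classified incidents at all, which is the "triage first" case: a rule with an empty classification history cannot be tuned or retired on evidence, so the backlog has to be worked before the rule set is judged.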
@examlabpractice Thanks a lot John.. I am sure it is a pleasure working with you. I agree with you 100%. My approach was quite similar.. I wanted to start from scratch and do everything properly or alternatively use battle-proven Palo Alto. The second option was purely theoretical. As for the first one, I honestly didn’t know how long it could take and whether it would deliver any value at the end of the day. Your message kind of indicates that it is possible and my good friends from Palo, CRWD and Thales just had to be ‘loyal to their flags’. So, is there a reference site where ‘things just work’?? (I am seeking YES or NO to that.).. I mean two months of password spray investigation cannot be considered a reference site, particularly when it was done by folks who thought that executive email accounts could be protected by ordinary passwords and environment segregation was an unnecessary luxury.. (I assume it is a well-known story)
What can a company control on a joined device that is not managed by Intune? I can't find a simple comparison breakdown of registered vs joined in terms of data and app restriction, access control, and compliance as it pertains to unmanaged devices.
@examlabpractice I have this course and I'm almost finished with the AZ-800 one. Any chance of getting some practice exams? Or can you point us to some if you aren't going to do any?
Sure, unenroll it from Intune MDM management if it's in there, same with Autopilot. Then unjoin the device from Entra ID and then join it to the local domain.
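The reply above gives the order (unenroll from Intune, leave Entra ID, join the domain), and the easy mistake is to run the steps out of order or assume one completed when it did not. The script below is an added example, not John's or Microsoft's code: it parses the `dsregcmd /status` report into a small state object and tells you which step is next. The report text embedded here is constructed; the field names (AzureAdJoined, DomainJoined, MdmUrl) match what dsregcmd prints, while the helper names are made up for this example.

```powershell
# Added example (not from the reply above): read dsregcmd /status and determine the next
# step in the unenroll -> leave Entra ID -> join domain sequence. Sample output is constructed.
$sampleStatus = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+
                TenantName : Contoso
                    MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
'@

function ConvertFrom-DsregStatus {
    # Defaults to the live report; pass -Lines to parse saved output instead.
    param([string[]] $Lines = (dsregcmd /status))
    $fields = @{}
    foreach ($line in $Lines) {
        # Key/value rows look like "  AzureAdJoined : YES"; the box-drawing rows do not match.
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$') { $fields[$Matches[1]] = $Matches[2] }
    }
    [pscustomobject]@{
        AzureAdJoined = ($fields['AzureAdJoined'] -eq 'YES')
        DomainJoined  = ($fields['DomainJoined']  -eq 'YES')
        # A populated MdmUrl means the device still has an MDM (Intune) enrollment.
        MdmEnrolled   = -not [string]::IsNullOrEmpty($fields['MdmUrl'])
        TenantName    = $fields['TenantName']
    }
}

function Get-NextUnjoinStep {
    param([Parameter(Mandatory)] $State)
    if ($State.MdmEnrolled) {
        return 'Step 1: unenroll from Intune (and remove the Autopilot registration) before leaving Entra ID.'
    }
    if ($State.AzureAdJoined) {
        return 'Step 2: run "dsregcmd /leave" from an elevated prompt, then re-check dsregcmd /status.'
    }
    if (-not $State.DomainJoined) {
        return 'Step 3: join the local domain (Add-Computer -DomainName <your domain>) and reboot.'
    }
    return 'Done: device is domain-joined and no longer Entra-joined or MDM-enrolled.'
}

$state = ConvertFrom-DsregStatus -Lines ($sampleStatus -split "`r?`n")
$state
Get-NextUnjoinStep -State $state
```

Run it with no `-Lines` argument on the laptop itself to read the live report. With the constructed sample the MdmUrl is still populated, so the script reports step 1 even though the device is already Entra-joined, which is exactly the case where someone tends to jump straight to leaving Entra ID and leaves an orphaned Intune record behind.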
I took this test recently and failed by 2 questions. It was a very strange test. It didn't seem to test your knowledge of the material, but interpreting abstract questions and answers. There were several questions that were not complete and you had to fill in the blank first of the question, then try to answer with strange abstract answers. This test was listed as beginner but it is not; it is a test that you have to use ESP on. Until MS corrects the testing material, best to skip this one and take a test that you can pass based on knowing the material.
@cjthelegend1997 They asked about the material but the questions were cryptic; it was like you had to fill in the blank on about a third of the questions. It was like the questions were harder to understand than the answers. Also I had 45 mins to answer 37 questions, and most of the questions were select more than 1 answer, so each question took more than a minute to answer having to go through all the possibilities. Very strange test it was; it only partially tested me on the material.
I would have loved to have found this video 18 months ago when I did not know anything about domains. These first 43 minutes are the simplest yet fullest way I have seen domains explained.
That was exactly the plan. Important for people to be able to test performing a backup. The video shows what you can do to test this in your own environment, as a lot of my videos do. Thanks for the feedback though.
-ExecutionPolicy
Specifies the execution policy. If there are no Group Policies and each scope's execution policy is set to Undefined, then Restricted becomes the effective policy for all users. The acceptable execution policy values are as follows:

AllSigned. Requires that all scripts and configuration files are signed by a trusted publisher, including scripts written on the local computer.

Bypass. Nothing is blocked and there are no warnings or prompts.

Default. Sets the default execution policy: Restricted for Windows clients or RemoteSigned for Windows servers.

RemoteSigned. Requires that all scripts and configuration files downloaded from the Internet are signed by a trusted publisher. The default execution policy for Windows server computers.

Restricted. Doesn't load configuration files or run scripts. The default execution policy for Windows client computers.

Undefined. No execution policy is set for the scope. Removes an assigned execution policy from a scope that is not set by a Group Policy. If the execution policy in all scopes is Undefined, the effective execution policy is Restricted.

Unrestricted. Beginning in PowerShell 6.0, this is the default execution policy for non-Windows computers and can't be changed. Loads all configuration files and runs all scripts. If you run an unsigned script that was downloaded from the internet, you're prompted for permission before it runs.
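The parameter description above explains how the per-scope values combine into one effective policy. The script below is an added example, not part of the pasted documentation or of Microsoft's code: it lists every scope, marks the one that is actually in effect (the highest-precedence scope that is not Undefined), flags a persistent scope left at Bypass or Unrestricted, and checks a script's Authenticode signature, which is what AllSigned and RemoteSigned rely on. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the function names are made up for this example. Note that Microsoft documents the execution policy as a safety feature that prevents accidental script execution, not as a security boundary against a determined user, so treat the report as hygiene, not as a control.

```powershell
# Added example (not from the documentation above): show per-scope execution policies,
# which one is effective, and whether a persistent scope has been weakened.
function Get-ExecutionPolicyReport {
    [CmdletBinding()]
    param()

    # -List returns scopes in precedence order:
    # MachinePolicy, UserPolicy (Group Policy), Process, CurrentUser, LocalMachine.
    $scopes = Get-ExecutionPolicy -List

    # The effective policy is the first scope in that order that is not Undefined.
    # If every scope is Undefined, a Windows client falls back to Restricted.
    $effectiveScope = ($scopes |
        Where-Object { $_.ExecutionPolicy -ne 'Undefined' } |
        Select-Object -First 1).Scope

    foreach ($s in $scopes) {
        [pscustomobject]@{
            Scope           = $s.Scope
            ExecutionPolicy = $s.ExecutionPolicy
            IsEffective     = ($s.Scope -eq $effectiveScope)
            # Bypass/Unrestricted in CurrentUser or LocalMachine survives reboots,
            # unlike the Process scope, so it deserves a second look.
            Weak            = (($s.Scope -in 'CurrentUser', 'LocalMachine') -and
                               ($s.ExecutionPolicy -in 'Bypass', 'Unrestricted'))
        }
    }
}

function Test-ScriptSignature {
    # Reports whether a script would satisfy AllSigned/RemoteSigned before you run it.
    param([Parameter(Mandatory)] [string] $Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status            # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

Get-ExecutionPolicyReport | Format-Table -AutoSize
"Effective policy reported by Get-ExecutionPolicy: $(Get-ExecutionPolicy)"

# Tighten only the per-user scope (no admin rights needed; machine-wide scopes untouched):
# Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -Force

# Example check of a downloaded script (path is a placeholder):
# Test-ScriptSignature -Path 'C:\Downloads\install.ps1'
```

If Group Policy sets MachinePolicy or UserPolicy, the report shows that scope as effective and any Set-ExecutionPolicy call on a lower scope will have no effect on what actually runs, which is the case the parameter description refers to with "not set by a Group Policy".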
Getting 'The coupon code entered is not valid for this course.' when using LABORDAY for the Windows 365 course. I'd really love this course. Thanks for your videos!
Unfortunately that coupon code won't work with that course. It's actually the only course it won't work with, and it's because I had used another coupon code with it earlier in the month. I do have a $12.99 coupon for you though. It will be valid for just a couple more days. Here it is: JCDISCOUNT11
In Microsoft Purview, there are specific roles that are unique to its governance and compliance capabilities and are not necessarily represented directly within Microsoft Entra ID (formerly Azure AD). These roles are designed to manage various aspects of data governance, such as data access, catalog management, and compliance settings. Here's how you handle roles specific to Microsoft Purview:

1. Understanding Purview-Specific Roles
Microsoft Purview includes several specific roles that help manage and secure data across your environment. These roles include:
    Purview Data Curator: Responsible for managing and curating data sources within Purview.
    Purview Data Reader: Can read data maps and insights but cannot make changes.
    Purview Data Source Administrator: Can manage data sources, including adding and removing them.

2. Assigning Purview-Specific Roles
These roles are managed through the Purview management portal, not directly through Entra ID. To assign these roles:
    Go to the Microsoft Purview portal.
    Navigate to the Data permissions or a similar section where you can manage access.
    Assign roles to users or groups as needed to ensure they have appropriate access to perform their tasks.

3. Integrating with Privileged Identity Management (PIM)
While these roles are managed within Purview, the principles of least privilege and just-in-time access can still be applied by using a combination of Purview’s own access policies and broader PIM strategies:
    Conditional Access: Use Microsoft Entra conditional access policies to control when and how users can access the Microsoft Purview portal based on their current role status, location, device compliance, etc.
    Access Reviews: Regularly review who has access to these roles through Purview’s administrative controls and audit logs.

4. Monitoring and Compliance
Even if PIM is not directly integrated:
    Audit Logs: Purview provides detailed audit logs that can be reviewed to understand who accessed what data and when.
    Activity Monitoring: Use activity monitoring tools within Purview to keep an eye on how data is accessed and managed, integrating these insights with broader security and compliance monitoring tools.

5. Best Practices
    Role Minimization: Regularly review roles and permissions to ensure that only necessary privileges are granted.
    Security Training: Train users on the importance of data governance and the specific responsibilities associated with their roles in Purview.

By taking these steps, you can effectively manage Purview-specific roles and integrate them into your organization's broader security and governance framework.
@examlabpractice OK, so you're saying you can't control Purview admin roles through PIM (except those already available in Entra), so just use conditional access. Thanks!!!
Because AZ-500 gives you a solid Azure resource security foundation before moving more into Microsoft 365 SC-300. SC-300 does include some Azure security but is more Microsoft 365 oriented.
Today I passed the MS-900 exam. For the associate level, some exams are not valid anymore. Which exams are still available and valid so far for the associate level? Please advise me, John @John Christopher. Additionally, your Udemy course for MS-900 is really knowledgeable.
Hi John / Everyone, I have been in IT support for 4-5 years now with MS-900 and AZ-900 in the bag (both this year). Starting this year, I wanted to grow out of support and am leaning towards Cloud: AZ-900 > AZ-104 > AZ-305. Would you say MD-102 might be a good idea to focus on right now? I've heard that MD-102 has a lot of Intune, or should I just go for AZ-104? Also, please note that I'm from support level (helpdesk); could it be that I would be missing some important/relevant information to know before going into Cloud Engineering? (Do you need some system engineering experience first?) Thanks and Regards, Robin :)
Kind of depends on what you really would rather focus on. There is the Azure resources focused path (AZ-900 > AZ-104 > AZ-305) and there is the Microsoft 365 focused path (MS-900 > MD-102 > MS-102). In a perfect world, you should do both paths. But you'll need to choose which to go after first.