My Experience at the MVP Summit 2024

How I traveled from Switzerland to Seattle, learned about security, and had fun with fellow MVPs

Hello everyone, first: I’m not a travel blogger. However, I’m excited to share with you my experience at the MVP Summit 2024, which took place in Seattle from March 11th to March 14th. It was an amazing opportunity to learn from Microsoft Product Group members, network with other MVPs and have some fun in the beautiful city of Seattle and its surroundings. In this blog post, I’ll tell you how I traveled from Switzerland to Seattle, what I learned throughout the event, and how I enjoyed the fun part of the summit, with some pictures.

Traveling from Switzerland to Seattle

I started my journey on Saturday, March 9th, from Zurich, where I boarded a flight to London. After a couple of hours hanging around Terminal 5 at London Heathrow, I boarded a direct flight to Seattle. The flight was about 11 hours long, but I managed to get some sleep and watch some movies on the plane. I arrived in Seattle around 5pm, took a shuttle to the rental car area and drove to Bellevue to the hotel, where I checked in and met some of the other MVPs who had arrived earlier. We decided to go for a drink and some dinner at Joe’s, the very famous MVP bar down there.

Security Pre-Day

On Monday, March 11th, I attended the security pre-day at the Redmond campus, which was a full-day event dedicated to security topics, upcoming news and roadmap information. I learned a lot from the discussions with the Product Groups, which covered topics such as cloud security with Defender XDR, identity and access management, threat protection, and compliance. I also had the chance to interact with some of the Microsoft security experts and ask them questions about the latest security trends and challenges. I found the pre-day very informative and useful, as security is one of my main areas of interest and expertise as an MVP.

Summit Sessions

The summit sessions from Tuesday to Thursday were the highlight of the event for me, as they covered some of the most relevant and exciting topics for security professionals. I was especially interested in the sessions on Microsoft Defender XDR, Entra ID, Copilot for Security and Purview, which are some of the new and innovative solutions that Microsoft is offering to help customers protect their data and identities across different platforms and environments.

I also attended the keynote session, where I heard from some of the Microsoft leaders, such as Scott Guthrie, about the vision and direction of the company, and the latest innovations and trends in the industry, with a focus on AI. I also enjoyed the session from Mark Russinovich, who shared what was top of mind for him.

One of the highlights of the summit for me was meeting Alex Simons, the Corporate Vice President of Identity at Microsoft. He is one of the people that I admire and respect in the security field, and I was thrilled to have the opportunity to chat with him and ask him some questions. He also shared some of the upcoming features and improvements of Entra ID as well as Active Directory, which I was very excited to hear about.

Another highlight of the summit for me was meeting Rob Lefferts, the Corporate Vice President of Threat Protection. He is another leader that I look up to and admire in the security field, and I was honored to have the chance to talk with him and other MVPs. He shared some of the challenges and opportunities that he faces in his role, and how he leads his team to deliver innovative and customer-centric solutions. He also gave us some sneak peeks of the upcoming features and enhancements of Defender XDR and Copilot for Security, which are some of the most advanced and comprehensive tools for threat detection and response.

Fun part

The fun part of the summit started already on Saturday when I met my fellow MVPs! I learned a lot from the speakers, who shared their insights and experiences on the latest technologies and solutions. I also had the opportunity to network with other MVPs from different regions and backgrounds, and exchange ideas and feedback. I made some new friends and contacts, and also met some of the MVPs that I had been following online for a long time.

The fun part included some social events and activities, such as the security welcome reception, the Adaptiva party and the Patch-my party. These were great occasions to relax, have fun, and enjoy some food and drinks with the MVP community. I also took some time to explore Seattle and visit some of the attractions. I took some pictures of these places, which you can see below.

I hope you enjoyed reading about my experience at the MVP Summit 2024. It was a memorable and rewarding experience, and I’m very grateful to Microsoft and the MVP program for making it possible. I learned a lot, met some amazing people, and had a lot of fun. I’m looking forward to the next summit, and I hope to see you there.

MICROSOFT SENTINEL: Error while performing Azure DevOps repository fetch.

Microsoft Sentinel can currently be integrated with two different source control platforms (still in Preview) – Azure DevOps and GitHub. This allows you to manage Microsoft Sentinel resources such as analytic rules, hunting queries, playbooks and more as code. A very useful option, especially if you have multiple customers to manage, for example as an MSSP or as a large organization. There is also a great playbook available for designing Microsoft Sentinel as an MSSP. Follow this link to get the playbook as a PDF file (latest version from November 2022).

However, if you want to integrate Azure DevOps into Microsoft Sentinel, you need to configure some prerequisites. In general, it is straightforward. Make sure you have the following configured before you start the “create a new connection” wizard under Repositories (Preview) in Sentinel:
– Your Azure DevOps organization
– At least one Azure DevOps project with a logical name
– A repository where you can store your code
– An initialized repo with, for example, a main branch

During the connection setup I was facing some errors in some tenants. The error was:

Error while creating connection.

Error: Error while performing Azure DevOps repository fetch. Details: [TF400813: The user is not authorized to access this resource. ], Correlation ID: 826b7a23-dcbe-xyzy-8f9c-d1f2a4f327e3

Microsoft Sentinel uses OAuth for authenticating with Azure DevOps. By default, Azure DevOps no longer allows third-party apps to connect to new organizations, and from the DevOps perspective Sentinel is a third-party app. This means you need to allow third-party apps via OAuth in Azure DevOps.

An extract from Microsoft Learn:
“Third-party application via OAuth – Enable third-party applications to access resources in your organization through OAuth. This policy is defaulted to off for all new organizations. If you want access to third-party applications, enable this policy to make sure these apps can gain access to resources in your organization.”

When you deny access to an authentication method, no application can access your organization through this method. Any application that previously had access will get authentication errors and no longer have access to your organization.

FIX
To fix the error “Error while creating connection”, log in as an organization admin to your DevOps organization, then select Security, select Policies, look for Application connection policies and toggle Third-party application via OAuth to On. Then retry configuring the connection from Microsoft Sentinel to Azure DevOps.

More content on that topic:
Change application connection & security policies for your organization

CALL FOR SPEAKERS: MICROSOFT CLOUD SECURITY & MODERN WORK #16

For the upcoming Microsoft Cloud Security & Modern Work Meetup #16 on March 30, 2023 we are still looking for speakers! You can now reach us via Sessionize and submit your session(s). We are looking for speakers with or without experience, Microsoft MVPs or people with an affinity for Microsoft. If it does not work out in Bern in March, then maybe at the next event. Submit your session via Sessionize:
 https://sessionize.com/microsoft-cloud-security16/

New name, proven format
Over the last three years we have held a total of 15 Cloud Workplace Meetups. Since then, not only the technology has changed, but also the thematic focus of our format. We reflect this in the new name “Microsoft Cloud Security & Modern Work”. As before, we will offer a mix of online meetings and on-site events, and from this year on increasingly hybrid as well.
You can find current events and information about the Microsoft Cloud Security & Modern Work Meetup here.

The following events are planned this year:
30.03.2023 on site in Bern & hybrid
08.06.2023 on site in Bern or Zurich & hybrid
22.08. Venue to be announced
12.10. Venue to be announced
21.11. Venue to be announced (special edition for Microsoft Ignite)

Register now!

SPEAKING AT WORKPLACE NINJA USER GROUP SWITZERLAND EDITION 2204

I’m excited to speak at the in-person event Workplace Ninja User Group Switzerland | Edition 2204 | #WPNinjaCH. The User Group event will be held this Friday, April 1st, in Zürich (Switzerland) at Digicomp. We have been running the User Group for a while with the main focus on Endpoint Management, Microsoft Security, Identity and PowerShell. Check out the event website.

Delivering a session in front of “real” people changes a lot again. The nervousness rises a few days earlier than at a virtual event. You want to do it especially well and be well prepared. Not that you don’t do the same for a virtual session, but it’s different. Because of the pandemic, the event could no longer take place in person. Now we are of course super happy that this has changed (at least for this event).

MY SESSION

I will speak about Microsoft Information Protection and some more topics. Make sure to bring your use cases for MIP.

TITLE

Microsoft Information Protection – Getting started and keep an eye on your data! Session 1, 8:15 AM – yes, 8:15 AM

DESCRIPTION

“You started with Microsoft 365, great! A lot of your data has now moved to the cloud, so what’s next? This session will show you how to get a good start on data protection using Microsoft Information Protection (MIP). Get the full overview of what Microsoft Information Protection is and how it can help protect your data at rest. Covering everything you need to know to get started with data classification and how to use Sensitivity Labels on file and group level to protect your data. And one of the most important things: know where your data is stored, even when data is travelling!”

MORE INFO

We will cover those topics:

Hope to see you at the event!

EASY DETECT AND REMOVE AN APP USING PROACTIVE REMEDIATION IN ENDPOINT MANAGER

Often an app needs to be checked and/or uninstalled, sometimes quickly and sometimes less so. This can be the case when a built-in app installs a component that is actually not wanted. I have made an example script here, which uses Proactive Remediation in Endpoint Manager (MEM). I will not go into detail about what MEM or Proactive Remediation is. In short: use Proactive Remediation :-)!

No matter if you use MEM or MEMCM, you will surely know the uninstall string of an app in the registry. I use this to query the details of the app. This has the advantage that the removal still works if the version changes or the parameters are not 100% identical.

So first I query the registry and search for the app in the uninstall keys. In this case I know that it was registered under the WOW6432Node. In this example it is about the “Intel Driver & Support Assistant”. As this software uses a new GUID for every new version, it makes sense not to use the GUID as a parameter; only if you want to uninstall a specific version would that make sense.

DETECTION

Getting the app details. For sure you could use any property of $appdetails to query. In my case I use the “InstallLocation” and the “DisplayName”:

# Enumerate the 32-bit uninstall keys and keep the one that matches both the install path and the display name
$appdetails = (Get-ItemProperty Registry::HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*) |
    Where-Object {$_.InstallLocation -eq "C:\Program Files (x86)\Intel\Driver and Support Assistant\" -and $_.DisplayName -eq "Intel Driver && Support Assistant"}

In a second detection step you can check if the app is present or not. If not, exit 0 is used. If it is present, exit 1 is used. Exit 1 forces the remediation.

try {
    if ($appdetails.DisplayName -eq "Intel Driver && Support Assistant") {
        Write-Output "Intel Driver & Support Assistant is installed and will now be removed"
        exit 1   # non-zero exit code tells Proactive Remediation to run the remediation script
    }
    else {
        Write-Output "Intel Driver & Support Assistant is not installed. No action required"
        exit 0   # compliant, nothing to do
    }
}
catch {
    # Report the error text back to Endpoint Analytics
    $errMsg = $_.Exception.Message
    Write-Output $errMsg
}

REMEDIATION

Now let’s go to the remediation. As soon as the detection script terminates with exit 1, the remediation script is started.

First I start with a few parameters such as the argument list. These details can also be found in the registry key or in our variable $appdetails. Again, I check the app details:

param (
    # File name of the installer MSI, used to build the uninstall source path
    [string]$msiname = "Intel Driver and Support Assistant Installer.msi"
)

# Query the uninstall key first: param defaults are evaluated before the script body runs,
# so $appdetails cannot be referenced inside the param block
$appdetails = (Get-ItemProperty Registry::HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*) |
    Where-Object {$_.InstallLocation -eq "C:\Program Files (x86)\Intel\Driver and Support Assistant\" -and $_.DisplayName -eq "Intel Driver && Support Assistant"}

$pathsw = $appdetails.InstallLocation
# PSChildName of an MSI uninstall key is the product code GUID; /qn is silent, /norestart suppresses the reboot
$argumentlist = "/X" + $appdetails.PSChildName + " /qn" + " /norestart"
$uninstallsource = $appdetails.InstallSource + $msiname

Then I create a new region block with the remediation to uninstall the app. This is done with the Start-Process command.

#region Uninstalling Intel Driver & Support Assistant
try {
    if ($appdetails.DisplayName -eq "Intel Driver && Support Assistant") {
        # Run msiexec with the product code built above and wait for it to finish
        Start-Process "msiexec.exe" -ArgumentList $argumentlist -Wait -NoNewWindow
        Write-Output "Intel Driver & Support Assistant removed"
        exit 0
    }
    else {
        Write-Output "Intel Driver & Support Assistant is not installed. No action required"
        exit 0
    }
}
catch {
    $errMsg = $_.Exception.Message
    Write-Output $errMsg
}
#endregion
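The detection and remediation above are hard-wired to one path and one display name under WOW6432Node. As an added example (my own code, not from the original post), here is the same idea generalized: look the app up by display name in both the native and the WOW6432Node uninstall keys, read the product code from the key name, and build the silent msiexec command from it, falling back to the registered QuietUninstallString for non-MSI installers. The function names and the -WhatIf dry-run switch are my own assumptions.

```powershell
# Added example, not part of the original post.
function Get-InstalledApp {
    param([Parameter(Mandatory)][string]$DisplayName)   # wildcards allowed, e.g. 'Intel Driver*'
    $keys = @(
        'Registry::HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'Registry::HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $DisplayName } |
        ForEach-Object {
            # PSChildName is the subkey name; for MSI installs that is the product code GUID,
            # which changes per version, so we read it at runtime instead of hard-coding it
            $isMsi = $_.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$'
            [pscustomobject]@{
                DisplayName          = $_.DisplayName
                DisplayVersion       = $_.DisplayVersion
                ProductCode          = $(if ($isMsi) { $_.PSChildName })
                QuietUninstallString = $_.QuietUninstallString
                Is64BitHive          = $_.PSPath -notmatch 'WOW6432Node'
            }
        }
}

function Invoke-SilentUninstall {
    param([Parameter(Mandatory)]$App, [switch]$WhatIf)
    if ($App.ProductCode) {
        # MSI: uninstall by product code; /qn = silent, /norestart = do not reboot the device
        $exe = 'msiexec.exe'; $argList = "/X$($App.ProductCode) /qn /norestart"
    } elseif ($App.QuietUninstallString) {
        # Non-MSI installer that registered its own silent uninstall command line
        $exe = 'cmd.exe'; $argList = "/c `"$($App.QuietUninstallString)`""
    } else {
        throw "No silent uninstall command known for '$($App.DisplayName)'"
    }
    if ($WhatIf) { return "$exe $argList" }   # dry run: show what would be executed
    $proc = Start-Process -FilePath $exe -ArgumentList $argList -Wait -NoNewWindow -PassThru
    return $proc.ExitCode   # 0 = success, 3010 = success but a reboot is pending
}

# Dry run against the app used in the post (matches "Intel Driver && Support Assistant")
Get-InstalledApp -DisplayName 'Intel Driver*Support Assistant' |
    ForEach-Object { Invoke-SilentUninstall -App $_ -WhatIf }
```

In a remediation script, drop -WhatIf and map the returned exit code to exit 0 (0 or 3010) or exit 1 (anything else) so Endpoint Analytics reports the real outcome.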

PUTTING ALL TOGETHER

Save both scripts so that they can be imported into MEM. Under endpoint.microsoft.com > Reports > Proactive Remediation, create a new script package and use the following properties:

Name: Detect and remediate Intel Driver & Support Assistant (or similar)
Settings: Detection script – select your saved detection script
Settings: Remediation script – select your saved remediation script
Run script in 64-bit PowerShell: Yes
Assignments: Select a group, all devices and/or filters (I love filters)
Schedule: I use “Hourly”, Repeats every hour

Deploy the package to your devices. As soon as the client has checked in via the Intune Management Extension (IME), the script package will be executed and report back to Endpoint Analytics.

To get more insights, use the “Columns” View. This will show you the Write-Output messages we have defined in the script earlier.

For example the Pre-remediation output message:

Let me know if this was helpful or leave a comment if you have any questions.