Office ATP Safe Documents.
February 24, 2020.
This is a new feature in Office 365 Advanced Threat Protection Plan 2 in addition to Safe Attachments.
Safe Documents at the time of writing is only available in US based Office 365 tenants and only used by Office 365 ProPlus 2002 Monthly Channel (Targeted) builds (build 12527.20092) and later.
When a user receives an Office document from an external source the document is marked as such and can only be opened in “protected mode”.
This stops editing and printing, but also (more importantly) stops macros and the like running as well.
This reduction in functionality of editing and printing is enough for the user to often just take the document out of protected mode and impact your network.
When the document is emailed to the user, Office 365 ATP Safe Attachments (a Plan 1 feature) will process the document, but if the document is obtained another way, such as via a download link or copied onto a local file share, but is an externally sourced document, then the Safe Attachments vector of protection over email no longer applies.
This is where this new feature of Safe Documents comes into play.
The entire document is uploaded to Microsoft’s datacentre and processed as if it were an attachment in email being processed via Safe Attachments.
An EU/UK datacentre version of this feature will come in due course.
What now happens is that the document is scanned in the cloud for “maliciousness” and the user is allowed to open the file and turn off “protected mode” only if the document is considered safe.
If the document is considered malicious then the user is not allowed to take the document out of “protected mode”.
This functionality was announced at Microsoft Ignite in November 2019 and is now in early preview at the time of writing this article.
Future updates to this functionality will include the ability to open “protected mode” documents in a virtual machine automatically so that if the document does go rogue then closing the document results in closing the virtual machine and the removal of the impact, as all the changes were confined to the virtual machine.
This feature is due Summer 2020 and is known as Application Guard for Office ProPlus.
Application Guard will be included in subscriptions that include Windows 10 E5 (Windows 10 + Microsoft Defender Advanced Threat Protection).
More info: https://techcommunity.microsoft.com/t5/office-365-blog/new-functionality-to-make-it-easier-to-customize-manage-and/ba-p/1003047 and https://www.microsoft.com/security/blog/2020/02/12/building-on-secure-productivity/ and the documentation at https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-docs
Save Time. Have All Your Meetings End Early.
April 3, 2019.
I am sure you have been in a meeting, where the meeting end time rolls around and there is a knock at the door from the people who want the meeting room now, as their meeting time has started and yours has finished.
What if you could recover five, eight, ten or more minutes per meeting so that the next meeting party can get into the room on time, and you have time to get out and get to your next meeting, and be on time.
Well since the beginning of 2019, Microsoft have come to your rescue.
The above is the new calendar “End appointments and meetings early” option.
It is available in Outlook for Windows that is part of Office 365 ProPlus and you need to have a version of the software released new in 2019 for the feature to be available – more on the version and what to do in the technical section below.
The above option is found from File > Options > Calendar and then looking under Calendar Options as shown.
Check the option “End appointments and meetings early” and then choose the time that a meeting under 1 hour will end early (you can choose 5, 8 or 10 minutes), and then a second option for meetings over 1 hour – these can end 5, 10 or 15 minutes early.
You can also enter your own preferred end early time.
Click OK and go create a new meeting.
It should not matter how you create the meeting.
As you can see from my options above, my default meeting is 30 minutes – so on creating a new meeting I see the following. I’ve highlighted the new end time – it's 25 minutes after the meeting starts.
The adjustment applies to the default meeting length and shortens it for me.
If for this meeting I want it to be the full 30 minutes, I can just write in the new time – all Outlook is doing is setting a new adjustable default for me.
For meetings where you drag out a custom duration in your calendar – it works here as well: As you can see I have dragged out 1pm to 4pm on Thursday.
Look what happens when I enter some text for the meeting subject: The meeting is created with an end time ten minutes early (my preferred time saving duration for meetings over one hour).
As with the above, I can adjust the time of this meeting to the full hour if I want to very easily – just drag the meeting block to the full hour and it is kept.
It's just the default time when I first create the meeting that is adjusted.
Note that existing meetings are not changed – but if you go into an existing meeting and look at the end time drop down, you will see suggestions for the duration that take the early end time into consideration.
So, that’s how you can save time on your meetings (or at least one way; being prepared for them is another and technology cannot help there – yet!).
Changing The Defaults For Everyone.
But what if you are the HR department or the representative of the department for digital change – what if you want to try and improve company culture and change these defaults across the board? Well, this is a job for IT, but they can easily roll out a setting to all your computers that sets an end early time for both short and longer meeting durations.
They need to deploy a group policy setting that changes the registry at HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Options\Calendar and updates both EndEarlyShort and EndEarlyLong values as well as the EndEventsEarly key.
EndEarlyShort is of course the value that affects meetings under one hour – and you do not need to accept the Microsoft suggested durations of 5, 8 and 10 minutes.
For example if I edit this DWORD registry key and set the value to 3, upon restarting Outlook my new meetings under one hour end three minutes early: The EndEventsEarly value is the setting that turns the feature on.
So as well as setting the end early times, you need to set this value to 1 as well.
If you want to roll out this change centrally and ensure that the end user cannot set their own custom end early time then you can change the registry key policy settings via HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Outlook\Options\Calendar.
Changes in this registry location mean the user cannot adjust the end early times.
You can disable this option centrally as well by setting EndEventsEarly DWORD value to 0 – this has the effect of disabling the check box and so users cannot turn the option on.
All these three settings are included in the latest update to the Office365 Administrative Templates, available on Microsoft Download Center: https://www.microsoft.com/en-us/download/details.aspx?id=49030 as well.
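As an added example (not from the original post or from Microsoft), the following PowerShell writes the three values described above, either to the user's own Outlook key or, with -Enforce, to the Policies key so the user cannot change them, and then reports what is in place. The value names and registry paths are those given in the post; the minute values are the post's example of 3 for short meetings and 10 for long ones.

```powershell
# Added example: set the Outlook "End appointments and meetings early" defaults
# through the registry, as a GPO preference or logon script would.
param(
    [int]$ShortMinutes = 3,    # meetings under one hour (post's example: 3)
    [int]$LongMinutes  = 10,   # meetings over one hour
    [switch]$Enforce           # write to the Policies hive so users cannot change it
)

$userKey   = 'HKCU:\Software\Microsoft\Office\16.0\Outlook\Options\Calendar'
$policyKey = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Outlook\Options\Calendar'

function Set-OutlookEndEarly {
    param([string]$Key, [int]$Short, [int]$Long, [bool]$Enabled = $true)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    # EndEventsEarly turns the feature on (1) or off (0); the other two are minutes
    New-ItemProperty -Path $Key -Name EndEventsEarly -PropertyType DWord -Value ([int]$Enabled) -Force | Out-Null
    New-ItemProperty -Path $Key -Name EndEarlyShort  -PropertyType DWord -Value $Short -Force | Out-Null
    New-ItemProperty -Path $Key -Name EndEarlyLong   -PropertyType DWord -Value $Long  -Force | Out-Null
}

function Get-OutlookEndEarly {
    # Report both locations: a value under Policies locks the setting for the user
    foreach ($k in $policyKey, $userKey) {
        if (Test-Path $k) {
            $p = Get-ItemProperty -Path $k
            [pscustomobject]@{
                Source  = if ($k -eq $policyKey) { 'Policy (locked)' } else { 'User' }
                Enabled = $p.EndEventsEarly
                Short   = $p.EndEarlyShort
                Long    = $p.EndEarlyLong
            }
        }
    }
}

$target = if ($Enforce) { $policyKey } else { $userKey }
Set-OutlookEndEarly -Key $target -Short $ShortMinutes -Long $LongMinutes
Get-OutlookEndEarly | Format-Table -AutoSize
# Restart Outlook for the new defaults to apply.
```

To disable the feature centrally as the post describes, call Set-OutlookEndEarly against the Policies key with -Enabled $false, which writes EndEventsEarly as 0 and greys out the check box.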
Checking Your Outlook Version.
Version 1812 or later in use on the Monthly Channel is required before you can use this feature.
In most businesses you are probably using the Semi-Annual channel, and this has features deferred by at least six months.
So to check, click File > Office Account in any Office application (shown below).
To the right hand side you will see the below.
You need to check you are running the Subscription Product and that under About Outlook (or whatever Office app you are checking), it reads Version 1812 or later and Monthly Channel.
The Semi-Annual Channel is released in January and July each year and is deferred by at least six months, so as this feature was released in Dec 2018, this feature will not appear in the Semi-Annual Channel until at least July 2019 – build 1812 of the Semi-Annual Channel (and possibly not until build 1907).
More on this release cycle can be found at https://docs.microsoft.com/en-us/deployoffice/overview-of-update-channels-for-office-365-proplus
Enable Report Message Add-In For Office 365.
December 19, 2017.
There is a new add-in available for Outlook and OWA in Office 365 that can simplify spam and phishing reporting to Microsoft for content in your mailbox.
I recommend rolling this add-in out to everyone in your Office 365 tenant and for Office 365 consultants to add this as part of the default steps in deploying a new tenant.
This can be done with the following steps: In the Exchange Control Panel at https://outlook.office365.com/ecp/ go to the Organization > Add-Ins section. Click the + icon and choose “Add From Office Store”.
In the new tab that appears, search for “Report Message” via the search bar top right. I’ve noticed that a set of search results appears, then the website notices I am logged in, logs me in and presents a second smaller list of results.
It is in this small list that you should see Report Message by Microsoft Corporation. I’ve noticed that clicking “Get it now” does not seem to work all the time (the popup has a Continue button that does nothing).
So if that happens, cancel the popup, click the card for the app and install the add-in from the Get it now button rather than the Get it now link on the card.
The Report Message app page is shown below with a “Get It Now” button to the left. Either the link or the button should work, and you should get this popup. Click Continue.
You are taken to Office 365 to continue.
This is the step I alluded to above that sometimes does not work. You are asked to confirm the installation of the App into Office 365. Click Yes and wait a while.
I’ve noticed also that sometimes you need to refresh this page manually for the process to continue, though waiting (with no indication that anything is happening) for one or two minutes is usually enough as well. The message above says that the add-in is now visible in the gray bar above your messages.
For this add-in this is not correct as this add-in extends the menu in Outlook (2013 and later, as add-ins are not supported in Outlook 2010) and also the app is disabled by default.
Close this tab in your browser and return to the add-in page in Exchange Control Panel that is open in a previous tab.
Refresh the list of apps to see the new app: From here you can enable the app, select a pilot audience, though this app is quite silent in the users view of Outlook and OWA so a pilot is not needed for determining impact to users, but can be useful for putting together quick documentation or informing the help desk of changes.
Select the app and click the edit button. I recommend choosing “Mandatory, always enabled. Users can’t disable this add-in” and deploying to all users.
Unchecking the option to make it available for all users makes it available for none.
For a pilot choose “Optional, disabled by default”.
You are now done installing the add-in.
Users will now see the add-in in Outlook near the Store icon when a message is selected or open. Clicking the icon allows you to mark a message as “junk”, “phishing” or “not junk”, and offers Options and Help.
Options gives the following, where the default is to ask before sending info to Microsoft.
Selecting Junk or Phishing will result in the message being moved to Junk Email folder in Outlook, and if in the Junk Email folder, marking a message “Not Junk” will return it to the inbox.
All options will send info on the message, headers and other criteria to Microsoft to help adjust their machine learning algorithms for spam and phishing detection.
This add-in replaces the need to email the message as an attachment to Microsoft.
For a pilot, users need to add the add-in themselves to Outlook.
Mandatory deployment means it is rolled out to users (usually within a few days).
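The same two deployment choices (mandatory for everyone, or optional and disabled for a pilot group) can be applied from Exchange Online PowerShell once the add-in is in the organization list. This is an added example, not from the original post or from Microsoft; it assumes the Report Message add-in has already been added from the Office Store via the Exchange Control Panel as described above, that the ExchangeOnlineManagement module is installed, and that the pilot addresses are constructed samples.

```powershell
# Added example: set the Report Message add-in to the same states the ECP edit
# dialog offers. Assumes ExchangeOnlineManagement is installed and the add-in
# was already added from the Office Store.
Connect-ExchangeOnline

$app = Get-App -OrganizationApp | Where-Object { $_.DisplayName -eq 'Report Message' }
if (-not $app) {
    Write-Warning 'Report Message is not in the organization add-in list yet; add it from the Office Store first.'
    return
}

$pilot      = $false                                             # $true for a pilot rollout
$pilotUsers = @('pilot1@contoso.com', 'pilot2@contoso.com')       # constructed sample addresses

if ($pilot) {
    # "Optional, disabled by default" for a pilot group only
    Set-App -OrganizationApp -Identity $app.AppId -ProvidedTo SpecificUsers -UserList $pilotUsers `
        -DefaultStateForUser Disabled -Enabled $true
} else {
    # "Mandatory, always enabled. Users can't disable this add-in" for everyone
    Set-App -OrganizationApp -Identity $app.AppId -ProvidedTo Everyone `
        -DefaultStateForUser AlwaysEnabled -Enabled $true
}

# Confirm the state; as the post notes, clients can take a few days to pick it up
Get-App -OrganizationApp -Identity $app.AppId |
    Select-Object DisplayName, Enabled, DefaultStateForUser, ProvidedTo
```

Unchecking "available for all users" in the ECP corresponds to -ProvidedTo SpecificUsers with an empty user list, which is why the post observes it makes the add-in available to no one.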
To enable the add-in in OWA, click the options cog to the top right of the OWA interface. Then click Manage Add-Ins and scroll down until you find the Report Message add-in (or search for it), and turn the add-in on to view it in OWA as shown. It will also appear automatically in Outlook for iOS, Outlook for Android and Outlook (desktop, classic).
Once the app is enabled for all users, and recall the above where it takes a while to appear for all users, then your spam and phish reporting in Office 365 is very simple and easy to do and easy to remove from a helpdesk call and on to the end user directly to report and move messages.
How To Run an Advanced Threat Protection Proof of Concept.
August 14, 2017.
I put the following post together as I was asked this question from Microsoft themselves.
This post covers what you need to put in place, and how you can test some of it (as testing the blocking of malware involves sending malware first!).
First, let's take a look at the Advanced Threat Protection steps for a proof of concept (PoC), and then later we will look at the new Office Smart Links feature.
You need to put the following in place: Exchange Online Protection managed tenant.
That is MX to EOP is required for simple PoC.
Hybrid with MX on-premises and then mail flow to cloud is possible for an advanced PoC, but here it depends upon what the customer has in-front of on-premises.
If this is the case, then a simple PoC with a new email namespace and MX to EOP is recommended before transitioning to protecting their actual mailbox.
Create ATP rules in wizard in Exchange Control Panel for both Safe Attachments and Safe Links.
PowerShell is pointless for this, as there is not a lot to do, and there are more steps if you do it via PowerShell.
Enable ATP for a selected mailbox(es) and not an entire domain.
Mailboxes can be cloud or on-premises.
Enable Smart Links for same mailboxes.
Mailboxes can be cloud or on-premises.
Do not enable Smart Links for Office documents (as this is a global setting) (see later).
Check if org has rules to block .exe attachments.
If they do then exe files will be blocked by this rule and not processed by ATP.
I have sent the .NET Framework installer .exe in email before to test this.
But at any given day or time the rules could change as to what is blocked or not.
I used to have a “fake macro virus” document (see below), but OneDrive’s built in AV started detecting it and now I do not have the file anymore.
The doc I used to test with had an autorun macro that set a regkey that included the words “I download stuff and drop files” or something like that.
It might be possible to create your own document, but watch out for AV software and the like blocking it and/or deleting it, or it being filtered out before it arrives at the target mailbox.
I did say above this PoC is quite hard to do when trying to send malware for detection!
For SafeLinks, send an email from external that contains a URL with www.spamlink.contoso.com in it.
The link will be rewritten.
Some common links are never rewritten (I think www.google.com falls into this category) and you can whitelist URLs as well company wide.
So if you whitelist a URL, send an email from the internet containing that link.
That is a useful addition to the PoC as well.
ATP now quarantines (or at least it's coming soon) the failed attachments, so include that in a demo.
I have found that forwarding failed attachments to another mailbox (like a shared mailbox) is a bit temperamental – it hasn't worked for at least a year in one of my tenants but does in another tenant.
If users are on-premises (EOP before an on-premises mailbox) then do not enable dynamic delivery.
If PoC mailboxes are both on-premises and cloud then create two ATP rule sets, one rule for each type of mailbox, and enable dynamic delivery for cloud mailboxes only.
Dynamic delivery sends the message without attachment to the cloud mailbox and later writes the attachment into the message body.
This works in the cloud as Microsoft manage ATP and Mailbox.
It cannot work on-premises as Office 365 cannot write the modified message into Exchange Server at a later time.
Dynamic delivers the body but not the attachment instantly.
Attachment, if safe, follows later (7 or so minutes I tend to find).
I understand an option to view the content of the attachment in a web browser (but not the attachment itself) is coming, but I have not seen that yet – I suspect the link to this will be inside the “pending attachment notification” in the dynamic email, but am guessing at this.
Do not dynamic deliver to on-premises mailboxes.
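The post rightly says the ECP wizard is the quickest way to create the rules, but the split rule set just described (Dynamic Delivery for cloud mailboxes only, no Dynamic Delivery for on-premises mailboxes, both scoped to named pilot mailboxes rather than a domain) is easier to show precisely in script form. The following is an added example, not from the original post or from Microsoft; it assumes the ExchangeOnlineManagement module and the current Safe Attachments / Safe Links cmdlet parameter names, and the mailbox addresses and failed-attachment mailbox are constructed samples.

```powershell
# Added example: the two Safe Attachments rule sets plus a Safe Links rule for a
# PoC, scoped to pilot mailboxes. Addresses are constructed samples.
Connect-ExchangeOnline

$cloudPilot       = @('cloud.user1@contoso.com', 'cloud.user2@contoso.com')  # mailboxes in Exchange Online
$onPremPilot      = @('onprem.user1@contoso.com')                            # mailboxes still on-premises
$failedCopyTo     = 'atp-failed@contoso.com'                                 # shared mailbox for failed attachments

# Cloud mailboxes: Dynamic Delivery (body now, attachment follows once scanned)
New-SafeAttachmentPolicy -Name 'PoC-SafeAttach-Cloud' -Enable $true -Action DynamicDelivery `
    -Redirect $true -RedirectAddress $failedCopyTo
New-SafeAttachmentRule -Name 'PoC-SafeAttach-Cloud' -SafeAttachmentPolicy 'PoC-SafeAttach-Cloud' `
    -SentTo $cloudPilot -Priority 0

# On-premises mailboxes: never Dynamic Delivery, because Office 365 cannot write
# the scanned attachment back into an on-premises Exchange Server later
New-SafeAttachmentPolicy -Name 'PoC-SafeAttach-OnPrem' -Enable $true -Action Block `
    -Redirect $true -RedirectAddress $failedCopyTo
New-SafeAttachmentRule -Name 'PoC-SafeAttach-OnPrem' -SafeAttachmentPolicy 'PoC-SafeAttach-OnPrem' `
    -SentTo $onPremPilot -Priority 1

# Safe Links for the same mailboxes. Internal senders stay off so the
# "internal mail is not rewritten" part of the demo behaves as described.
New-SafeLinksPolicy -Name 'PoC-SafeLinks' -IsEnabled $true -TrackClicks $true `
    -AllowClickThrough $false -EnableForInternalSenders $false
New-SafeLinksRule -Name 'PoC-SafeLinks' -SafeLinksPolicy 'PoC-SafeLinks' `
    -SentTo ($cloudPilot + $onPremPilot)

# Safe Links for Office is a tenant-wide setting, not per mailbox: review it
# here rather than switch it on as part of the mailbox-scoped PoC
Get-AtpPolicyForO365 | Format-List
```

Because the rules use -SentTo with explicit addresses, nothing outside the pilot is affected, which matches the post's advice to enable ATP for selected mailboxes and not an entire domain.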
Demo that internal emails do not SafeLink rewrite and attachments are not processed.
That is, send an email between two internal mailboxes and show that it is not processed.
In hybrid mode, if the connectors to the cloud are set up correctly then internal email from on-premises to cloud should not rewrite links.
External emails are marked as such when they arrive on the first Exchange Server, and so an external email to on-premises and then via the hybrid connectors to Exchange Online should be processed, as Exchange Online knows it is external!
Attachments are always scanned when sent between senders, even in hybrid mode (on-premises to cloud) or between two mailboxes in the cloud.
Enable ATP for direct attachment links (i.e. a link directly to an exe, pdf etc.).
Then email and click that link.
ATP with a yellow background will popup saying the file needs to be scanned.
After a while (7 minutes or so) click the link again and you will get to the file directly.
Safelink URLs are geo based.
So EMEA tenant (or UK tenant) will get emea01.safelinks.protection.outlook.com rewritten URLs.
UK tenants have EOP in EMEA, so the links for UK tenants are the same as EMEA tenants (at this time, not sure if this is changing).
Send emails that are both HTML based and Text based, and use the range of clients that the end customer users to see experiences.
Rewriting text formatted emails appears different than html formatted emails.
SafeLinks for Office.
Once you or the client are happy, enable the SafeLinks for Office option.
This is a global setting.
Though this only works if you have Office Click-to-Run June 2017 Current Branch and later in use.
For this create a new document that was never emailed: On a Win10 AAD joined machine, save the file anywhere or just create a new Word doc and do not save it.
On a Win10 not AAD or legacy Windows client then save the file to OneDrive for Business sync folders or SharePoint sync folders.
It needs to be saved to these folders to know that it is a cloud document.
Get a demo machine that syncs to multiple tenants and later save a copy of the file to the OneDrive sync folders for the unprotected tenant.
In this scenario you will see a protected document become unprotected (or vice versa) as you change the folder where it is saved to.
Once you have the file start creating content in it (typing “=Rand(20)” without quotes is a good way to do this in Word) and then start adding some links to the document.
Use the above mentioned test link as well.
Click each link.
If it is safe, then the webpage will open.
If it is not, then the alert page will open, or a dialog will popup saying it's not safe (I have seen both behaviours).
Note that links are not rewritten (unlike in the email client, where you cannot be sure what client is in use, so the link needs rewriting).
In Office documents the link is checked at time of click, and only if the document is saved to a cloud location (sync folders included).
Installing Office 365 ProPlus Click To Run Via Group Policy.
October 30, 2015.
Note: Article updated October 2018 to remove references to “Office 2016” and replace it with “Office 365 ProPlus”, as the rollover to the 2019 release is seamless and does not change this product's name.
Note: Article updated April 2018 to support the new Channel names and XML updates.
Office 365 ProPlus Click To Run (which comes with Office 365 subscriptions) can be deployed via Group Policy, but there are a few things that you need to know and do first.
These are: You cannot use the “Software Installation” features of GPOs to deploy the Office 2016 click to run software, as this is an exe file and “Software Installation” runs MSI files.
You cannot run software with elevated installation rights, as the setup.exe shells out to other processes to run the installation (the officeclick2run.exe service).
You cannot just drop the latest versions of the files in an existing 2013 deployment folder and expect the clients to update automatically – you must install 2016 to upgrade it and install it for the first time.
This is not the case with the “2019” release.
An existing installation installed before the “2019” release in October 2018 will seamlessly move to this version at the next applicable update.
Therefore you need to deploy the software via a computer startup script.
But this is not simple either as startup scripts run each time the computer starts up (obviously!) but will run regardless of whether the software is already installed.
Therefore you need to run the installation by way of a startup script that first checks if Office 365 ProPlus click to run has already been installed or not.
To do this you need the following:
1. A read only file share containing the Office 2016 click to run files. Note: this folder should not be the folder that already contains the Office 2013 files if you have them on your network.
2. A read/write file share to store log files on (the deployment script logs the start and completion of the installation in a central location).
3. An XML file to install Office 365 ProPlus click to run, customised to your environment and the fact that you are using GPO deployment.
4. A batch file to detect an existing Office 365 ProPlus click to run deployment and, if not present, to install Office 365 ProPlus click to run from your file share.
5. And finally the Office Deployment Tool setup program. This software has been updated a few times over the years, so ensure you download the current version before starting.
Steps 1 and 4 are part of a standard Office 365 ProPlus click to run deployment process and so not covered in this blog post.
But once you have downloaded the Office Deployment Tool and created the XML using the creator tool at https://config.office.com you have your configuration.xml file.
In step 3 you can run the deployment tool with setup.exe /download configuration.xml to download the Office binaries to the file share mentioned in step 1.
If you have Office 2013 already deployed via this method (see http://c7solutions.com/2014/09/installing-office-365-proplus-click-to-run-via-gpo-deployment for these steps) then make sure that this folder for the binaries is not the same folder as contains 2013 files.
The Office installer for Office 2013 Click To Run creates a subfolder called Office then another subfolder called Data.
Into this it places v32.cab (or v64.cab) and other files.
This cab file contains info relating to the version number of the software in this folder and if you download the current version to the same folder it will replace this file, but 2013 installed machines will still try and upgrade from this folder and fail.
Therefore create another folder.
This is shown in the example scripts below.
So here are the steps and details for doing all this for GPO deployment:
Creating Deployment File Shares.
Create a software deployment file share that you have read/write access to and everyone else read only and create a folder called Office365ProPlus inside this to store the binaries.
Create a second file share that everyone has read/write access to (or CREATOR OWNER has write so that only the creator of the file can write it to the share and others can read or not see it at all).
Create a sub folder in InstallLogs called Office365ProPlus.
In my demo these two shares and subfolders are called \\server\Software\Office365ProPlus and \\server\InstallLogs\Office365ProPlus.
Create an XML File for Office 2016 Click to Run Deployment
This XML file is as follows and is saved to \\server\Software\Office365ProPlus root folder.
Call this file config.xml.
You can create this XML file using the wizard at https://config.office.com
Also see http://technet.microsoft.com/en-us/library/jj219426(v=office.15).aspx for the XML reference for other settings you can include here, such as updates from the Internet (UpdatePath="") or no updates (Updates Enabled="FALSE"), the Channel value names and multiple languages (add more
Download the Office ProPlus Click to Run Binaries.
Download the Office Deployment Tool from http://www.microsoft.com/en-us/download/details.aspx?id=49117 and if you downloaded this a few months ago, download it again as it changes frequently and improves the setup process.
Install this software to get setup.exe and some example XML files.
Copy setup.exe to \\server\Software\Office365ProPlus.
Run \\server\Software\Office365ProPlus\setup.exe /download \\server\Software\Office365ProPlus\config.xml to download the latest version (or a specific version if you have added a Version attribute to config.xml set to the build number you want to install).
This will create the Office\Data folder in the \\server\Software\Office365ProPlus share and download the binaries and any languages specified in the XML to that location – do not modify the folder structure, as the Office Deployment Tool will expect this structure to find the files during installation.
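The XML creation and /download steps above can be done in one scripted pass from an admin workstation, which also lets you guard against the "same folder as 2013" mistake the post warns about. The following is an added example, not the post's own config.xml (which is not reproduced on this page) and not Microsoft's code; it uses the share paths from the post, the Channel and optional Version attributes mentioned in the XML reference, and the standard Office Deployment Tool elements (Add, Product, Language, Updates, Display). The edition, language and channel values are assumptions to adjust for your environment.

```powershell
# Added example: write config.xml for the /download step and run the Office
# Deployment Tool against it. Paths follow the post's share layout.
$share   = '\\server\Software\Office365ProPlus'
$setup   = Join-Path $share 'setup.exe'   # copied here from the Office Deployment Tool
$config  = Join-Path $share 'config.xml'
$channel = 'Monthly'                      # assumed; use the Channel names from the XML reference
$version = ''                             # a specific build number, or empty for latest

$versionAttr = if ($version) { " Version=`"$version`"" } else { '' }

# Minimal ODT configuration: binaries are downloaded to, and later installed from, $share
@"
<Configuration>
  <Add OfficeClientEdition="32" Channel="$channel" SourcePath="$share"$versionAttr>
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
    </Product>
  </Add>
  <Updates Enabled="TRUE" />
  <Display Level="None" AcceptEULA="TRUE" />
</Configuration>
"@ | Set-Content -Path $config -Encoding ASCII

# Guard against reusing a folder that already holds an older Click-to-Run download:
# replacing the files under Office\Data breaks clients still updating from it.
$data = Join-Path $share 'Office\Data'
if (Test-Path $data) {
    Write-Warning "$data already exists; use a separate folder per major release (see the 2013 note above)."
}

& $setup /download $config
if ($LASTEXITCODE -ne 0) { throw "setup.exe /download failed with exit code $LASTEXITCODE" }

# Each downloaded build lands in its own version-named subfolder of Office\Data
Get-ChildItem -Path $data -Directory | Select-Object Name, LastWriteTime
```

Run this from an account with write access to the software share; the clients that later install from it only need read access, as the post's share design describes.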
Create A CMD File To Script The Install.