Microsoft : “What needs your attention” displays during a Windows Upgrade
I'm experiencing an issue during a Windows upgrade where a message from Microsoft appears stating "What needs your attention." This notification seems to interrupt the upgrade process, and I'm unsure what specific actions are required to resolve it. It’s causing delays and uncertainty about whether the upgrade will complete successfully or if there are underlying problems that need addressing.Support tip: Upcoming Microsoft Intune network changes
We know many customers don’t always check their service change messages in the Microsoft 365 admin center or the corresponding Message Center content in the Microsoft Intune admin center, so in this blog post we’re highlighting an important upcoming change to Intune network service endpoints. Starting on or shortly after December 2, 2025, Intune will also use Azure Front Door IP addresses to improve security and simplify firewall management. If your organization uses outbound traffic policies based on IP addresses or service tags, you’ll want to review and update your firewall rules to avoid service disruptions. We’ll keep you updated if the timeline shifts. In the meantime, here’s the service change communication that posted to all Intune customers: MC1147982 - Action Required: Update firewall configurations to include new Intune network endpoints As part of Microsoft’s ongoing Secure Future Initiative (SFI), starting on or shortly after December 2, 2025, the network service endpoints for Microsoft Intune will also use Azure Front Door IP addresses. This improvement supports better alignment with modern security practices and over time will make it easier for organizations using multiple Microsoft products to manage and maintain their firewall configurations. As a result, customers may be required to add these network (firewall) configurations in third-party applications to enable proper function of Intune device and app management. This change will affect customers using a firewall allowlist that allows outbound traffic based on IP addresses or Azure service tags. Do not remove any existing network endpoints required for Microsoft Intune. Additional network endpoints are documented as part of the Azure Front Door and service tags information referenced in the files linked below: Public clouds: Download Azure IP Ranges and Service Tags – Public Cloud from Official Microsoft Download Center Government clouds: Download Azure IP Ranges and Service Tags – US Government Cloud from Official Microsoft Download Center The additional ranges are those listed in the JSON files linked above and can be found by searching for “AzureFrontDoor.MicrosoftSecurity”. How this will affect your organization If you have configured an outbound traffic policy for Intune IP address ranges or Azure service tags for your firewalls, routers, proxy servers, client-based firewalls, VPN or network security groups, you will need to update them to include the new Azure Front Door ranges with the “AzureFrontDoor.MicrosoftSecurity” tag. Intune requires internet access for devices under Intune management, whether for mobile device management or mobile application management. If your outbound traffic policy doesn’t include the new Azure Front Door IP address ranges, users may face login issues, devices might lose connectivity with Intune, and access to apps like the Intune Company Portal or those protected by app protection policies could be disrupted. What you need to do to prepare Ensure that your firewall rules are updated and added to your firewall’s allowlist with the additional IP addresses documented under Azure Front Door by December 2, 2025. Alternatively, you may add the service tag “AzureFrontDoor.MicrosoftSecurity” to your firewall rules to allow outbound traffic on port 443 for the addresses in the tag. If you are not the IT admin who can make this change, notify your networking team. If you are responsible for configuring internet traffic, refer to the following documentation for more details: Azure Front Door Azure service tags Intune network endpoints US government network endpoints for Intune If you have a helpdesk, inform them about this upcoming change. If you need additional assistance, contact Microsoft Intune Support and refer to this Message Center post. Note: The above post went to all customers in our public cloud. Customers in Microsoft Intune for US Government GCC High and DoD received the following post (the only difference is the focus on US government network endpoints): MC1147978 - Action Required: Update firewall configurations to include additional Intune network endpoints If you have any questions, leave a comment below or reach out to us on X @IntuneSuppTeam or @MSIntune. You can also connect with us on LinkedIn.
Advice for setting up a new windows computer
Hell0 – I’m sure this topic has been covered before but I’d appreciate a pointer to the right spot. I am primarily a Mac user but am about to purchase a new Windows desktop computer to run some apps that are only available on Windows. I don’t want to mess with a dual boot type solution, and won’t do much if any important work on this computer, so advanced security measures or cloud integration, etc. aren’t that important. Assuming this computer comes preloaded with Windows 11, what is the recommended procedure for configuring the new system – such as removing Microsoft (or other) bloatware, disabling Copilot, etc.
Microsoft Entra: Building Trust in a Borderless Digital World
As nonprofits embrace hybrid work, multi-cloud environments, and digital transformation to better serve their missions, the need for secure, intelligent access has never been greater. Traditional identity solutions often fall short in protecting diverse user groups like staff, volunteers, donors, and partners. Microsoft Entra offers a unified family of identity and network access products designed to verify every identity, validate every access request, and secure every connection—helping nonprofits stay resilient, compliant, and mission-focused. What Is Microsoft Entra? Microsoft Entra offers a unified family of identity and network access products designed to verify every identity, validate every access request, and secure every connection—helping nonprofits stay resilient, compliant, and mission-focused. The suite includes: Microsoft Entra ID (formerly Azure Active Directory): A cloud-based identity and access management service that supports Single Sign-On (SSO), Multifactor Authentication (MFA), and Conditional Access policies to protect users, apps, and resources. Microsoft Entra ID Governance: Automates identity lifecycle management, ensuring users have the right access at the right time—and nothing more. It supports access reviews, role-based access control, and policy enforcement. Microsoft Entra External ID: Manages secure access for external users like customers, partners, and vendors. It enables personalized, secure experiences without compromising internal systems. Microsoft Entra Private Access: Provides secure, VPN-less access to private apps and resources across hybrid and multi-cloud environments. It’s ideal for remote work scenarios and legacy app support. Microsoft Entra Internet Access: Offers secure web access with identity-aware controls, helping protect users from malicious sites and enforcing compliance policies. Why Microsoft Entra Matters for Nonprofits Unified Identity Protection: Secures access for any identity—human or workload—to any resource, from anywhere. Zero Trust Enablement: Verifies every access request based on identity, device health, location, and risk level. Multi-cloud and Hybrid Ready: Works across Microsoft 365, Azure, AWS, Google Cloud, and on-premises environments. Compliance and Governance: Supports nonprofit regulatory needs with automated access reviews, audit trails, and policy enforcement. Getting Started with Microsoft Entra Assess your security posture through Microsoft Secure Score – Helps nonprofits monitor and improve identity, device, and app security posture. Building Conditional Access policies in Microsoft Entra – Create policies to protect users and data based on risk, location, and device health. Create a lifecycle workflow – Automate onboarding, role changes, and offboarding for staff, volunteers, and contractors. Microsoft Entra External ID documentation – Manage secure access for donors, partners, and community members. Real-World Impact A global nonprofit recently used Microsoft Entra to streamline access for volunteers, staff, and external partners. By automating identity governance and enabling secure access to cloud apps, they reduced administrative overhead and improved security posture—without sacrificing user experience. Conclusion Microsoft Entra empowers nonprofits to modernize identity and access management with a unified, secure, and intelligent approach. Whether you're enabling remote work, collaborating with external partners, or safeguarding sensitive donor data, Entra provides the tools to build trust, enforce least privilege, and stay compliant. By adopting Entra, nonprofits can focus more on their mission and less on managing risk—ensuring that every connection is secure, every identity is verified, and every access is governed.Comprehensive Identity Protection—Across Cloud and On-Premises
Hybrid IT environments, identity is the new perimeter—and protecting it requires visibility across both cloud and on-premises systems. While Microsoft Entra secures cloud identities with intelligent access controls, Microsoft Defender for Identity brings deep insight into your on-premises Active Directory. Together, they form a powerful duo for comprehensive identity protection. Why Hybrid Identity Protection Matters Most organizations haven’t fully moved to the cloud. Legacy systems, on-prem applications, and hybrid user scenarios are still common, and attackers know it. They exploit these gaps using techniques like: Pass-the-Hash and Pass-the-Ticket attacks Credential stuffing and brute-force logins Privilege escalation and lateral movement Without visibility into on-prem identity activity, these threats can go undetected. That’s where Defender for Identity steps in. What Is Microsoft Defender for Identity? Defender for Identity is part of Microsoft Defender XDR—a cloud-based solution that monitors on-premises Active Directory for suspicious behavior. It uses behavioral analytics and threat intelligence to detect identity-based attacks in real time. Key capabilities: Detects compromised accounts and insider threats Monitors lateral movement and privilege escalation Surfaces risky users and abnormal access patterns Integrates with Microsoft 365 Defender and Sentinel for unified response Why It Pairs Perfectly with Microsoft Entra Microsoft Entra (formerly Azure AD) protects cloud identities with features like Conditional Access, Multifactor Authentication, and Identity Governance. But Entra alone can’t see what’s happening in your on-prem AD. By combining Entra and Defender for Identity, you get: End-to-end visibility across cloud and on-prem environments Real-time threat detection for suspicious activities like lateral movement, privilege escalation, and domain dominance Behavioral analytics to identify compromised accounts and insider threats Integrated response capabilities to contain threats quickly and minimize impact Actionable insights that help strengthen your identity posture and reduce risk Together, they deliver comprehensive identity protection—giving you the clarity, control, and confidence to defend against modern threats. Real-World Impact Imagine a scenario where an attacker gains access to a legacy on-prem account and begins moving laterally across systems. Defender for Identity detects the unusual behavior and flags the account as risky. Entra then blocks cloud access based on Conditional Access policies tied to that risk signal—stopping the attack before it spreads. Getting Started Deploy Defender for Identity sensors on your domain controllers Install a sensor - step-by-step instructions to install Defender for Identity sensors on your domain controllers to begin monitoring on-premises identity activity. Activate the sensor on a domain controller - Guidance on activating the installed sensor to ensure it starts collecting and analyzing data. Deployment overview - A high-level walkthrough of the Defender for Identity deployment process, including prerequisites and architecture. Connect Defender for Identity to Microsoft 365 Defender Integration in the Microsoft Defender portal - Learn how to connect Defender for Identity to Microsoft 365 Defender for centralized threat detection and response. Pilot and deploy Defender for Identity - Best practices for piloting Defender for Identity in your environment before full-scale deployment. Enable risk-based Conditional Access in Entra Configure risk policies in Entra ID Protection - Instructions for setting up risk-based policies that respond to identity threats in real time. Risk-based access policies overview - An overview of how Conditional Access uses risk signals to enforce adaptive access controls. Use Entra ID Governance to enforce least privilege Understanding least privilege with Entra ID Governance - Explains how to apply least privilege principles using Entra’s governance tools. Best practices for secure deployment - Recommendations for securely deploying Entra ID Governance to minimize identity-related risks. Integrate both with Microsoft Sentinel for advanced hunting Microsoft Defender XDR integration with Sentinel - How to connect Defender for Identity and other Defender components to Microsoft Sentinel for unified security operations. Send Entra ID data to Sentinel - Instructions for streaming Entra ID logs and signals into Sentinel for deeper analysis. Microsoft Sentinel data connectors - A catalog of available data connectors, including those for Entra and Defender for Identity, to expand your threat detection capabilities. Final Thoughts It's the perfect time to evaluate your identity protection strategy. By pairing Microsoft Entra with Defender for Identity, you gain full visibility across your hybrid environment—so you can detect threats early, respond quickly, and protect every identity with confidence. Ready to strengthen your identity perimeter? Start by deploying Defender for Identity and configuring Entra policies today.Security Review for Microsoft Edge version 142
We have reviewed the new settings in Microsoft Edge version 142 and determined that there are no additional security settings that require enforcement. The Microsoft Edge version 139 security baseline continues to be our recommended configuration which can be downloaded from the Microsoft Security Compliance Toolkit. Microsoft Edge version 142 introduced 5 new Computer and User settings; we have included a spreadsheet listing the new settings to make it easier for you to find. As a friendly reminder, all available settings for Microsoft Edge are documented here, and all available settings for Microsoft Edge Update are documented here. Please continue to give us feedback through the Security Baselines Discussion site or this post.Windows update active hours constraint
I’m trying to avoid my machine rebooting while I am not around to exercise a modicum of control. In my Windows Update settings I have disabled “get the latest updates as soon as they’re available” and I have “pause updates” set to 1 week. In the advanced settings I have disabled “get me up to date”, and I have enabled “Notify me when a restart is required”. Today I sat down to my PC to discover that it had terminated all my running programs and rebooted. Without any kind of prompt or warning. Which brings me to “Active Hours”. Active hours can be set automatically or manually and I thought I could set them to 00:00 to 23:59 to prevent updates running without me being around. But no, Microsoft absolutely prevents the active hours from covering a period longer than 18 hours. Why??? So far as I can tell, I have done everything available in the settings to prevent what nevertheless happened at some point in the last 24 hours. I am not aware of an urgent zero-day security problem that demanded an instant patch. Why did my machine do a forced restart when so far as I can tell I have clearly insisted that it not do so? I must be missing something! Any suggestions?
