Part 1: Improve your endpoint security /w Windows Defender ATP & Microsoft Intune: Windows Defender Antivirus & Application Guard
Remark: Some information relates to pre-released product (Windows 10 Insiders Preview build) which may be substantially modified before it’s commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
In my previous blog I highlighted some of the new (preview) features – Security Analytics Dashboard – of Windows Defender Advanced Threat Protection (WDATP). In this blog I’ll go into more details how you can improve your organizations endpoint security posture by translating the actionable recommendations into Microsoft Intune device restrictions profiles (aka policies).
Windows Defender Advance Threat Protection
Windows Defender ATP sheds light on configuration issues and provide insights to machines where security features are not configured or out of date. It does provide actionable recommendations to improve your endpoint security. The actual actionable improvement must be performed by your administrator. In this blog I’ll explain how to improve the security baseline of your endpoints by using Microsoft Intune.
In this blog we’ll focus on two out of five improvement area’s: Windows Defender Antivirus and Windows Defender Application Guard. By configuring the Windows Defender ATP preferences setup you can determine which topics are relevant to your organization and start to implement improvements in a phased approach.
Note: Changes according the preferences setup might take up to a few hours to reflect on the security analytics dashboard.
Windows Defender Antivirus
Windows Defender Antivirus doesn’t need any introduction, it’s Microsoft’s built-in antivirus solution part of the Windows 10 client and Windows Server 2016 OS. Taking advantage of Microsoft’s Security Graph, Windows Defender stack provides a unique and powerful solution that copes with the most sophisticated cyberattacks, organizations currently facing.
The score of Windows Defender Antivirus is measured against the improvement areas shown left, including cloud-based protection. Make sure Windows Defender Antivirus Cloud-based protection is enabled. Why? As it’s provide you real-time protection. Read this article for more background information.
Windows Defender Antivirus catagory is part of the Windows 10 Device Restrictions profile (previously known as configuration policies) in Microsoft Intune.
Note: Potentially Unwanted Application (PUA) can be configured in not configured, block or audit mode (0/1/2). By default PUA is enabled by in System Center Configuration Manager CB (1606 and higher).
Windows Defender Application Guard
What is Application Guard in a nutshell? Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet.
When browsing an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated Hyper-V-enabled container, which is separate from the host operating system.
This container isolation means that if the untrusted site turns out to be malicious, the host PC is protected, and the attacker can’t get to your enterprise data.
The score of Windows Defender Application Guard is measured against the improvement areas at the right. Further make sure you met the (hardware) prerequisites to be able using Application Guard.
Note: At time of writing there is no Windows Defender Application Guard UI available in Microsoft Intune. Expect this profile UI will become available later this year when Windows 10 Fall Creators Update is general available.
Configuration Service Provider (CSP)
The configuration of Windows Defender Application Guard is currently documented for using PowerShell and Group Policies. However there is a Configuration Service Provider (CSP) for Windows Defender Application Guard which make it’s possible to configure Application Guard using modern management (Microsoft Intune or other MDM solutions).
The WindowsDefenderApplicationGuard configuration service provider (CSP) can be used (by absence of UI) to configure the settings in the Application Guard. This CSP is added and applies from Windows 10, version 1709 and higher.
|Installs Windows Defender Application Guard. Value type is string.||Install (case sensitive)|
|AllowWindowsDefenderApplicationGuard||Turn on Windows Defender Application Guard in Enterprise Mode. Value type is integer. Supported operations are Add, Get, Replace, and Delete. Value type is integer.||0 – Stops Application Guard in Enterprise Mode.
1 – Enables Application Guard in Enterprise Mode.
|ClipboardFileType||Determines the type of content that can be copied from the host to Application Guard environment and vice versa. Value type is integer.||0 – Allow text copying.
1 – Allow text and image copying.
|ClipboardSettings||This policy setting allows you to decide how the clipboard behaves while in Application Guard. Value type is integer.||0 (default) – Completely turns Off the clipboard functionality for the Application Guard.
1 – Turns On the clipboard functionality and lets you choose whether to additionally enable copying of certain content from Application Guard into Microsoft Edge and enable copying of certain content from Microsoft Edge into Application Guard.
|PrintingSettings||This policy setting allows you to decide how the print functionality behaves while in Application Guard. Value type is integer.||0 – Disables all print functionality (default)
1 – Enables only XPS printing
2 – Enables only PDF printing
3 – Enables both PDF and XPS printing
4 – Enables only local printing
5 – Enables both local and XPS printing
6 – Enables both local and PDF printing
7 – Enables local, PDF, and XPS printing
8 – Enables only network printing
9 – Enables both network and XPS printing
10 – Enables both network and PDF printing
11 – Enables network, PDF, and XPS printing
12 – Enables both network and local printing
13 – Enables network, local, and XPS printing
14 – Enables network, local, and PDF printing
15 – Enables all printing
|BlockNonEnterpriseContent||This policy setting allows you to decide whether websites can load non-enterprise content in Microsoft Edge and Internet Explorer. Value type is integer.||0 – Non-enterprise content embedded on enterprise sites are stopped from opening in Internet Explorer or Microsoft Edge outside of Windows Defender Application Guard.
1 (default) – Non-enterprise sites can open outside of the Windows Defender Application Guard container, directly in Internet Explorer and Microsoft Edge.
|AllowPersistence||This policy setting allows you to decide whether data should persist across different sessions in Application Guard. Value type is integer.||0 – Application Guard discards user-downloaded files and other items (such as, cookies, Favorites, and so on) during machine restart or user log-off.
1 – Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.
|AuditApplicationGuard||This policy setting allows you to decide whether auditing events can be collected from Application Guard. Value type is integer.||0 (default) – Audit event logs aren’t collected for Application Guard.
1 – Application Guard inherits its auditing policies from Microsoft Edge and starts to audit system events specifically for Application Guard.
Based on the above settings we created a Windows Defender Application Guard, we created a custom profile which contains the minimal settings to use Application Guard.
Note: Microsoft Intune doesn’t support “Exec” operations using custom profiles – therefore you may consider other mechanism (PowerShell, Group Policy, Control Panel UI etc.) to install Application Guard. The full MDM scenario will be enabled when WDAG UI is integrated in Intune.
In a full managed mode Windows Defender Application Guard uses both network isolation and application-specific settings. Network Isolation, help you define and manage your company’s network boundaries (equally to WIP). Application Guard uses this information to automatically transfer any requests to access the non-corporate resources into the Application Guard container.
So make sure you’ve configured your enterprise boundaries whether by Network Isolation CSP of by using Windows Information Protection. Please check out one of my previous blog posts how to define your enterprise data boundaries here. Use App Protection Policies to configure Windows Information Protection for your organization.
Note: Windows Defender Application Guard won’t work if the pre-requisite checks and mandatory network isolation policies aren’t configured.
I’ll write up the modern management (MDM) road to get Windows Defender Application Guard end-to-end running a dedicated blog post later on.
Based on the Windows Defender Antivirus and Windows Defender Application Guard improvements area’s we configured device restriction profiles in Microsoft Intune.
The results speak for themselves, within a very short timeframe we’re able to improves the organizations security score.
The profiles which contains the settings of Windows Defender Antivirus and Windows Defender Application Guard ensures our managed endpoints complies to the new security posture. We can zoom in per improvement area and see the security score over time.
The Security Analytics dashboard provide organizations valuable insights of there endpoint security and enables to easily enhances and maximize their security potential.
Where Windows Defender Advanced Threat Protection provides organization continues valuable insides of there current security operations- and analytics performance, Microsoft Intune enables you to translate the useful insights into enforceable measures. Special thanks to Chintan Patel (MSFT) for providing valuable insights.
In the following blog – part 2 – I’ll cover the other improvement area’s Windows Defender Exploit Guard & SmartScreen.
Windows Defender Advanced Threat Protection Security analytics dashboard
Windows Defender Antivirus optimization
Configure Windows Defender Antivirus features
Detect and block Potentially Unwanted Applications
Policy – NetworkIsolation CSP
as i said in a previous comment, you should specify which licence we need to use it. For all this serie of blog post you’ve made.
what are the benefits of using windows defender antivirus policy through Intune over anti malware policy from SCCM , we are in a co managed environment and planning to configure defender AV policy from Intune but not sure what additional benefits intune will offer or what all we will loose with this move.. Appreciate your response
Hi Ravi, moving workloads to Intune give you many benefits which surpasses the scope of Microsoft Defender AV. You’re presorting to a feature proof approach whereby latest Cloud capabilities enhances your on-premise infrastructure. Concrete Intune provides Microsoft Defender AV Temper protection which is not (yet) available via SCCM. Something to consider is your alerting and reporting (response) which now in CfgMgr and limited in Intune, however this will be extended soon.