Part 8 – Configure Microsoft Intune – Windows Defender Exploit Guard

Another security feature in Windows 10 is Windows Defender Exploit Guard. This feature can also be managed with MS Intune. Windows Defender Exploit Guard (Windows Defender EG) is a new set of host intrusion prevention capabilities for Windows 10, allowing you to manage and reduce the attack surface of the apps your users work with.

There are four features in Windows Defender EG:

  • Exploit protection can apply exploit mitigation techniques to apps your organization uses, both individually and to all apps. Works with third-party antivirus solutions and Windows Defender Antivirus (Windows Defender AV).
  • Attack surface reduction rules can reduce the attack surface of your applications with intelligent rules that stop the vectors used by Office-, script- and email-based malware. Requires Windows Defender AV.
  • Network protection extends the malware and social engineering protection offered by Windows Defender SmartScreen in Microsoft Edge to cover network traffic and connectivity on your organization’s devices. Requires Windows Defender AV.
  • Controlled folder access helps protect files in key system folders from changes made by malicious and suspicious apps, including file-encrypting ransomware malware. Requires Windows Defender AV.

More information about Windows Defender EG: https://docs.microsoft.com/nl-nl/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard

You have to create a new device configuration profile in MS Intune. Go to the MS Intune portal -> Device configuration -> Profiles

Click on Create profile.

Enter a name for the profile. The platform is Windows 10 and later and the profile type is Endpoint Protection. Click on Windows Defender Exploit Guard to get more settings.

Click on Attack Surface Reduction and enable this feature. I have changed all settings to Block for testing this function. For production, you have to check which Line of Business (LOB) applications will be blocked. To check this, you can change some or all settings to Audit only. If you audit some functions in WDEG, you have to check the event log to see which LOB application or process is reported as suspicious. If a LOB application is reported, you can exclude it from WDEG.

Here you can exclude files or folders in WDEG.

Click OK and also configure the other WDEG features. After that, click OK (three times) and then the Create button to create the profile.

Click on Assignments and search for the group. Select the group and click on the Save button. Now you have to wait for a few minutes. The profile is now pending deployment to your device.

Now that the profile is applied, we have to test the settings. Everything is set to Block, so we should see some block messages. To test whether Windows Defender EG is working, Microsoft provides test files and tools. You can find them on this website: https://demo.wd.microsoft.com/

Open the website on your managed device and click on the link.

You have to log in with your Microsoft account. After that, you are on this site.

You have to download some files; these are test files for testing the functions of WDEG.

Download these files and save them in a folder like Demo on the C: drive.

If you run/open this VBS script: TestFile_PsexecAndWMICreateProcess_D1E49AAC-8F56-4280-B9BA-993A6D77406C, you will get this notification. You have to click on the popups to end the VBS script.

For more information, you can use the event log. First, download the event log custom views from this website: https://aka.ms/mp7z2w

Open the ZIP file, copy the custom view files (asr-events, cfa-events, ep-events and np-events.xml) and save them in Documents or somewhere else.

Open Event Viewer via Run in the start menu or by pressing WIN+R.

Right click on Custom Views and click on Import Custom View from the menu.

Browse to the copied custom view files in Documents, select the first one and click on the OK button. Repeat this for the others.

Click on the Attack Surface Reduction view. You see the logs generated by WDEG. You also see a warning saying that an operation was blocked by Windows Defender Antivirus. In other words, WDEG is working on the Windows 10 device.
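The audit-then-block review described above (find out which LOB application a rule hits before switching it to Block) and the event log check can be done from PowerShell on the managed device as well. This is an added example, not part of the original post or of Microsoft's demo tooling. It assumes an elevated session on a Windows 10 device with Windows Defender AV; the rule-name table is partial (unknown rule GUIDs are shown raw), and the regular expressions that pull the rule ID and process name out of the event message are an assumption about the message layout.

```powershell
# Added example: show the ASR rule state applied by the Intune profile and
# summarize the ASR events of the last 7 days per rule and process, so a LOB
# application that keeps showing up in Audit can be reviewed before Block.

# Partial map of ASR rule GUIDs to names (the first one is the rule exercised
# by the demo VBS file mentioned in the post); unknown GUIDs are shown as-is.
$RuleNames = @{
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Block process creations originating from PSExec and WMI commands'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
}
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# 1. Current rule state: Ids and Actions are parallel arrays in Get-MpPreference.
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id   = $pref.AttackSurfaceReductionRules_Ids[$i].ToUpper()
    $name = if ($RuleNames.ContainsKey($id)) { $RuleNames[$id] } else { $id }
    '{0,-8} {1}' -f $ActionNames[[int]$pref.AttackSurfaceReductionRules_Actions[$i]], $name
}

# 2. ASR events: 1121 = rule fired in Block mode, 1122 = rule fired in Audit mode.
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-7)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # Assumption: the message carries the rule GUID and a "Process Name:" line.
    $ruleId  = [regex]::Match($_.Message, '[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}').Value.ToUpper()
    $process = [regex]::Match($_.Message, 'Process Name:\s*(.+)').Groups[1].Value.Trim()
    [pscustomobject]@{
        Mode    = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
        Rule    = if ($RuleNames.ContainsKey($ruleId)) { $RuleNames[$ruleId] } else { $ruleId }
        Process = $process
    }
} | Group-Object Mode, Rule, Process | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

A process that appears repeatedly under Audit for a rule is the LOB candidate to review; if it is legitimate, add it with Add-MpPreference -AttackSurfaceReductionOnlyExclusions (or the Intune exclusion list shown above) rather than disabling the rule.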

This is how Windows Defender Exploit Guard works, one of the features of the Windows 10 security stack. Enjoy…
