Part 12 – Configure Microsoft Intune – Mobile Apps

Microsoft Intune is a Mobile Device/Application Management solution that manages not only devices but also applications on Android, iOS, macOS and Windows. One of its functions is deploying an application to a device or user. MS Intune supports almost every (mobile) platform for pushing a store app or a Win32 application, much like System Center Configuration Manager. In this blog post I will explain how to add an app to MS Intune and deploy it to a device. More information about mobile apps in MS Intune: https://docs.microsoft.com/en-us/intune/apps-add

MS Intune supports different types of apps, which are:

App type | Installation | Updates
Apps from the store (store apps) | Intune installs the app on the device. | App updates are automatic.
Apps written in-house (line-of-business) | Intune installs the app on the device (you supply the installation file). | You must update the app.
Apps that are built-in (built-in apps) | Intune installs the app on the device. | App updates are automatic.
Apps on the web (web link) | Intune creates a shortcut to the web app on the device home screen. | App updates are automatic.

The specific app types and the general type they belong to:

App type | General type
Android store apps | Store app
iOS store apps | Store app
Windows Phone 8.1 store apps | Store app
Microsoft store apps | Store app
Android for Work apps | Store app
Office 365 apps for Windows 10 | Store app (Office 365)
Office 365 apps for macOS | Store app (Office 365)
Android line-of-business (LOB) apps | LOB app
iOS LOB apps | LOB app
Windows Phone LOB apps | LOB app
Windows LOB apps | LOB app
Built-in iOS app | Built-in app
Built-in Android app | Built-in app
Web apps | Web app

An EXE installer isn't supported as a line-of-business app in MS Intune; only MSI files are. There is a workaround for deploying an EXE via MS Intune: you use a PowerShell script to deploy and install the EXE on the Windows device, because MS Intune can push a PowerShell script to a device. This workaround is not covered in this blog post.

Let's begin with importing an app into MS Intune. We have a Microsoft 365 license, so we can deploy the full Office 365 suite to a Windows 10 device.

Go to the MS Intune portal -> Mobile apps -> Apps. Click on the Add button.

App Type is Office 365 suite for Windows 10.

Click on Configure App Suite. You get more options; select the apps you want to test. I chose only OneDrive, Outlook and Word. Click on the OK button.

Click on App Suite Information. Give this deployment a name and some more information about the app. Click on the OK button.

Click on App Suite Settings and choose your settings. I also added some languages. Click on OK and on the Add button to create the Office 365 deployment.

Click on Assignments to assign this deployment to users. Click on the Add group button.

The assignment type is Required. This pushes Office to the devices without any action from the user. Search for the group and click Select. Click on the OK button (twice), then on the Save button. Now you have to wait for the deployment. Office 365 will be deployed to the users who are in the group you chose for the assignment.

This is optional >> I want to test Outlook, but the test user doesn't have a mailbox yet. For this you have to give the user an Office 365 license. Without this license the user has limited functionality and no mailbox. To give the user a license, go to https://portal.office.com and log in with your admin credentials.

Click on the Admin app.

Go to Users -> Active users. You get a list of all users in Azure AD. Search for the user who already has an enrolled device.

You get more options after clicking on the user. Click Edit next to Product licenses.

Turn on the Office 365 Enterprise E5 license and click on the Save button. You are done; go back to the MS Intune portal. <<<

Go to your Windows 10 device and check whether Office is installed. Open the Start menu and search for Word or Outlook, or just look at Recently added, like mine.

You can also check the status in the MS Intune portal. Go to your app deployment and click on Device install status. Here you can see on which computers the Office installation has completed.

Go back to your Windows 10 device. Office is installed, so we can open Outlook. Outlook is running for the first time, so you have to add the mailbox.

Enter the email address of the logged-in user and click Connect.

Outlook gets the correct settings from Exchange Online, so you don't have to enter any more information. Account setup is complete. Click on the OK button.

Click Microsoft Edge; we don't need this. Go back to Outlook.

So Outlook is configured and working. We can use this for testing the MAM policies, but that is for another blog post.

We can also test a LOB application, for example 7-Zip. Follow these steps. Download the MSI file from the 7-Zip website. Go to MS Intune -> Mobile apps -> Apps

Click on the Add button.

Choose Line-of-business app. Click on App Package file.

Browse to the MSI file and click on the Open button. Click on the Ok button.

Click on App information.

Fill in the required fields. Click on the OK button, then click on the Add button.

Click on the app; we need to assign this app to a group.

Make the assignment type Required. You can also make the assignment Available, in which case the app appears in the Company Portal for the user to install. Required pushes the application to the device without any user action. Click OK.

Click on the Save button. After a few minutes the application is installed on the device.

Check the status at Device install status.

The application is installed on the device. Now you can use the application.

In this blog post we did a deployment with MS Intune to a Windows 10 device. We installed Office and 7-Zip. So with a few clicks you can deploy an application to multiple devices.

It is also an option to use Microsoft Windows Store for Business (WSfB) for deploying UWP apps, but I will write a blog post about this feature in MS Intune later.

Part 10 – Configure Microsoft Intune – Windows Defender Advanced Threat Protection

A few months ago Microsoft announced a new feature in MS Intune: you can now use Windows Defender ATP as a compliance signal for your environment. This means you can grant a device access to your corporate resources based on its status in Windows Defender ATP, i.e. its risk score. If the device is not healthy or has too high a risk score in ATP, MS Intune blocks its access to the resources. Windows Defender ATP helps prevent security breaches and limit their impact within your organization. For more information: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection

You need a Windows Defender ATP subscription, and this subscription has to be connected to MS Intune. These are the steps to connect it. If you don't have a Windows Defender ATP subscription, you can create a trial subscription and use that one to connect to your MS Intune environment. Link: https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp

Go to MS Intune portal -> Device compliance -> Windows Defender ATP

Click on the link Connect Windows Defender ATP to Microsoft Intune in the Windows Defender Security Center.

Turn on Microsoft Intune connection and click on the Save preference button.

You get this message.

Go back to the MS Intune portal and click on the Refresh button. The connection has been made and the status is Available; it will change to Connected later.

Turn on the options Connect Windows devices version… and Block unsupported OS versions. Click on the save button.

The next step is to onboard your test device into Windows Defender ATP. Go to the Windows ATP dashboard/portal: https://securitycenter.windows.com/

Click Settings in the menu.

Click Onboarding

Change the Deployment method to Mobile Device Management / Microsoft Intune. Click on Download package and save the ZIP in Downloads.

Open the ZIP file, extract the XML file and save it in Documents or somewhere else.

Now go to the MS Intune portal. We need to create a new device configuration profile. MS Intune portal -> Device Configuration -> Profiles

Click on the button Create profile.

Name the profile. Platform is Windows 10 and later. Profile type is Windows Defender ATP (Windows 10 Desktop). You get more settings on the right side.

Click on the folder icon next to Upload a signed configuration… and browse to the XML file.

Enable the other options. Click on the OK button and then on the create button.

Click Assignments, search for the group and click on the Select button. Click the Save button. The profile is ready and will be deployed to your device in a few minutes.

Then we have to make a new compliance policy based on device health. Go back and go to Device compliance -> Policies. Click on the Create Policy button.

You have to give the policy a name. Platform is Windows 10 and later. Click on Device health.

You have a few options to choose from:

  • Secured: This level is the most secure. The device cannot have any existing threats if it is to access company resources. If any threats are found, the device is evaluated as noncompliant.
  • Low: The device is compliant if only low-level threats exist. Devices with medium or high threat levels are not compliant.
  • Medium: The device is compliant if the threats found on the device are low or medium. If high-level threats are detected, the device is determined as noncompliant.
  • High: This level is the least secure and allows all threat levels. So devices with high, medium or low threat levels are considered compliant.

Choose a level and click on the OK button (twice). Click Create to create the policy.

Click Assignments and search for the group. Select the group and click on the Save button. The policy will be applied to the devices within a few minutes.

Go back to the Windows Defender ATP portal and click Machines list in the menu. You should see your device here; if not, wait longer, because the device must appear in this list. The device is now also managed by Windows Defender ATP.
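While you wait for the device to show up in the Machines list, you can check locally whether the onboarding profile has done its work. This is an added example, not code from the blog post; it assumes the ATP sensor runs as the Sense service and writes the OnboardingState and OrgId values under the Windows Advanced Threat Protection\Status registry key.

```powershell
# Added example (not from the blog post): local check whether this Windows 10 device
# has been onboarded to Windows Defender ATP by the Intune profile created above.
# Assumptions: the sensor service is named "Sense" and the onboarding result is
# stored in the OnboardingState / OrgId registry values used below.

function Get-WdatpOnboardingStatus {
    [CmdletBinding()]
    param()

    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $result = [ordered]@{
        SenseServiceStatus = 'NotInstalled'
        SenseStartType     = $null
        OnboardingState    = 0
        OrgId              = $null
        Onboarded          = $false
    }

    # The ATP sensor runs as the "Sense" service; it only appears after onboarding.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    if ($sense) {
        $result.SenseServiceStatus = $sense.Status.ToString()
        $result.SenseStartType     = $sense.StartType.ToString()
    }

    # OnboardingState = 1 means the onboarding package (the XML you uploaded in the
    # Intune profile) was applied; OrgId identifies the ATP tenant it reports to.
    if (Test-Path $statusKey) {
        $status = Get-ItemProperty -Path $statusKey
        $result.OnboardingState = [int]$status.OnboardingState
        $result.OrgId           = $status.OrgId
    }

    $result.Onboarded = ($result.OnboardingState -eq 1) -and
                        ($result.SenseServiceStatus -eq 'Running')
    [pscustomobject]$result
}

# Usage: run in an elevated PowerShell on the test device.
$onboarding = Get-WdatpOnboardingStatus
$onboarding | Format-List

if (-not $onboarding.Onboarded) {
    Write-Warning 'Device is not (yet) onboarded to Windows Defender ATP. Check the profile status under Device Configuration in Intune and wait for the next sync.'
}
```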

It's time to test Windows Defender ATP. Go to Help in the Windows ATP dashboard and click on Simulations & tutorials.

Click on the button Copy Simulation script of Scenario 2.

Go back to your device and open Windows PowerShell with administrative privileges.

Paste the script into the PowerShell window on your device. If you are using Hyper-V, click in the menu on Clipboard -> Type clipboard text.

Hit Enter to run the script. Within a few seconds you see Notepad start and close automatically.

The simulated attack is done: injected and running.

Go back to the Windows Defender ATP dashboard and go to Alerts. You see new alerts, caused by the simulation you just ran. So this is how Windows Defender ATP works.

Click on the computer name to get an overview of the machine.

From here you can take actions to clean the machine of malware, investigate, and review the activity. I will save the details for a later blog post; it's too much for this one.

To see more information about the device health state in the All devices view, you can add a column.

Go to Devices -> All devices. Click on the Column button to add a new column to the view.

Select Device Health State and click on the apply button.

Scroll to the right and you see the new column based on the health level from Windows Defender ATP.

Check Device compliance to see whether the machine is compliant or not.

This blog post was about the integration of MS Intune with Windows Defender ATP. Now you can use a compliance policy based on the risk score or level. A machine with a high risk score is not allowed to use corporate resources. In this way your organization prevents malware from spreading to your other clients, by blocking the infected one based on the compliance policy and conditional access.

What we did is:
– integrate Windows Defender ATP with MS Intune;
– test Windows Defender ATP and check the alerts;
– create a compliance policy based on the Device health state.

The last one, the compliance policy, will be used by Conditional Access to block the device based on its compliance status. But I will write about that in another blog post.

Part 9 – Configure Microsoft Intune – Windows Defender Application Control

Windows Defender Application Control (WDAC) is one of the security features in Windows 10. WDAC can help mitigate security threats by restricting the applications that users are allowed to run and the code that runs in the kernel. WDAC policies also block unsigned scripts and MSIs. WDAC is similar to AppLocker and can be managed by MS Intune. By default, Windows components and all apps from the Windows Store are trusted to run, so if you enable this feature Windows 10 keeps running without crashing or blocking important apps/components. So it is safe to enable this. With AppLocker this is different: you had to be very careful about which files and processes you blocked. The requirement for this feature is that you must use Windows 10 Enterprise.

More information about Windows Defender Application Control: https://docs.microsoft.com/nl-nl/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control

Before deploying this profile to your test device, download and install 7-Zip on the device. We need this application to test WDAC.

Open MS Intune portal -> Device configuration -> Profiles

Click on the button Create Profile

Enter a name. Platform is Windows 10 and later. Profile type is Endpoint Protection. Click on Windows Defender Application Control. You get more settings on the right side.

Change the setting Application control code integrity policies to Enforce. You can also enable Trust apps with good reputation, but then you can't test well-known applications like 7-Zip anymore, so I left this one on Not configured. I'm going to test 7-Zip with this profile. Click OK (twice) and click on Create to create the profile.

Click on Assignments and search for the group. Select the group and click on the Save button. The policy will now be deployed to the device. You have to wait a few seconds. To check the status of the deployment, go to the MS Intune portal -> Devices -> All Devices -> name of the device -> Device Configuration.

Go to your Windows 10 device and try to start 7-Zip from the Start menu. You get this message.

WDAC is working and blocks unknown (non-Store) applications. Only the default Windows applications and Windows Store apps are trusted and are not blocked by WDAC.
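Besides the pop-up on the device, you can confirm the enforcement mode and see exactly which files WDAC blocked. This is an added example, not code from the blog post; it assumes the Win32_DeviceGuard CIM class, the Microsoft-Windows-CodeIntegrity Operational log with event ID 3077 (blocked in enforced mode) and 3076 (would have been blocked in audit mode), and the FileNameBuffer data field of those events.

```powershell
# Added example (not from the blog post): verify on the Windows 10 device that the
# WDAC profile from Intune is enforced, and list which files it blocked (e.g. 7-Zip).
# Assumptions: Win32_DeviceGuard reports the policy state, the CodeIntegrity
# Operational log holds event 3077 (blocked) / 3076 (audit), and the blocked
# file path is in the FileNameBuffer data field of those events.

function Get-WdacEnforcementStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # 0 = off, 1 = audit mode, 2 = enforced
    $map = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
    [pscustomobject]@{
        KernelModePolicy = $map[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        UserModePolicy   = $map[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
    }
}

function Get-WdacBlockedFiles {
    param([int]$Hours = 24)

    $filter = @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076, 3077
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        # Read the named EventData fields instead of relying on a fixed index.
        $data = ([xml]$e.ToXml()).Event.EventData.Data
        $file = ($data | Where-Object { $_.Name -eq 'FileNameBuffer' }).'#text'
        # Fallback: the first line of the message also names the file.
        if (-not $file) { $file = ($e.Message -split "`r?`n")[0] }
        $mode = if ($e.Id -eq 3077) { 'Blocked' } else { 'AuditOnly' }
        [pscustomobject]@{ Time = $e.TimeCreated; Mode = $mode; File = $file }
    }
}

# Usage on the test device (elevated PowerShell), after trying to start 7-Zip:
Get-WdacEnforcementStatus
Get-WdacBlockedFiles | Sort-Object Time | Format-Table -AutoSize
```

If UserModePolicy shows Audit instead of Enforced, the device has not picked up the Enforce setting yet; the 3076 events then tell you what would be blocked once it does.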

Part 8 – Configure Microsoft Intune – Windows Defender Exploit Guard

Another security feature in Windows 10 is Windows Defender Exploit Guard. This feature can also be managed by MS Intune. Windows Defender Exploit Guard (Windows Defender EG) is a new set of host intrusion prevention capabilities for Windows 10, allowing you to manage and reduce the attack surface of apps used by your users.

There are four features in Windows Defender EG:

  • Exploit protection can apply exploit mitigation techniques to apps your organization uses, both individually and to all apps. Works with third-party antivirus solutions and Windows Defender Antivirus (Windows Defender AV).
  • Attack surface reduction rules can reduce the attack surface of your applications with intelligent rules that stop the vectors used by Office-, script- and mail-based malware. Requires Windows Defender AV.
  • Network protection extends the malware and social engineering protection offered by Windows Defender SmartScreen in Microsoft Edge to cover network traffic and connectivity on your organization’s devices. Requires Windows Defender AV.
  • Controlled folder access helps protect files in key system folders from changes made by malicious and suspicious apps, including file-encrypting ransomware malware. Requires Windows Defender AV.

More information about Windows Defender EG: https://docs.microsoft.com/nl-nl/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard

You have to create a new device configuration profile in MS Intune. Go to MS Intune portal -> Device configuration -> Profiles

Click on create profile

Enter a name for the profile. Platform is Windows 10 and later and Profile type is Endpoint Protection. Click on Windows Defender Exploit Guard to get more settings.

Click on Attack Surface Reduction and enable this feature. I changed all settings to Block for testing this function. For production you have to check which line-of-business (LOB) applications would be blocked. To check this you can set some or all rules to Audit only. If you audit rules in WDEG, check the event log to see which LOB application or process is flagged as suspicious. If a LOB application is flagged, you can exclude it from WDEG.

Here you can exclude files or folders in WDEG.

Click OK and also configure the other features of WDEG. After that click OK (three times) and on the Create button to create the profile.

Click on Assignments and search for the group. Select the group and click on the Save button. Now you have to wait a few minutes; the profile is pending deployment to your device.

Now that the profile is applied, we have to test the settings. Everything is set to Block, so we should see some block messages. To test Windows Defender EG, Microsoft has test files and tools available on this website: https://demo.wd.microsoft.com/

Open the website on your managed device and click on the link.

You have to log in with your Microsoft account. After that you land on this site.

You have to download some files; these are test files for testing the WDEG functions.

Download these files and save them in a folder like Demo on the C: drive.

If you run this VBS script: TestFile_PsexecAndWMICreateProcess_D1E49AAC-8F56-4280-B9BA-993A6D77406C, you get this notification. You have to click the pop-ups away to end the VBS script.

For more information you can use the event log. First download the custom event views from this website: https://aka.ms/mp7z2w

Open the ZIP file and copy the custom view files asr-events.xml, cfa-events.xml, ep-events.xml and np-events.xml to Documents or somewhere else.

Open Event Viewer via Run in the Start menu or by pressing Win+R.

Right click on Custom Views and click on Import Custom View from the menu.

Browse to the copied view files in Documents, select the first one and click on the OK button. Repeat this for the others.

Click on the Attack Surface Reduction view. You see the events generated by WDEG, including a warning that says an operation was blocked by Windows Defender Antivirus. In other words, WDEG is working on the Windows 10 device.
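The same information the custom view shows can be pulled into a table, which is useful for the audit-first approach described above: you see which rule, process and target were flagged before deciding on an exclusion. This is an added example, not code from the blog post; it assumes the ASR events are IDs 1121 (block) and 1122 (audit) in the Microsoft-Windows-Windows Defender/Operational log with data fields named ID, Path, Process Name and User, and that Get-MpPreference exposes the rule GUIDs and actions. The one rule name in the script belongs to the GUID in the demo file name above.

```powershell
# Added example (not from the blog post): show the ASR rules and actions the Intune
# Endpoint Protection profile applied, and summarise the ASR block/audit events that
# WDEG wrote while you ran the demo files.
# Assumptions: event 1121 = blocked, 1122 = audited, with data fields
# ID / Path / Process Name / User; rule GUIDs come from Get-MpPreference.

# Rule GUID taken from the demo file name in the post; other GUIDs are listed as-is.
$knownRules = @{
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Block process creations originating from PSExec and WMI commands'
}

function Get-AsrRuleConfiguration {
    $pref = Get-MpPreference
    $actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit' }   # values Set-MpPreference uses
    $ids     = @($pref.AttackSurfaceReductionRules_Ids     | Where-Object { $_ })
    $actions = @($pref.AttackSurfaceReductionRules_Actions | Where-Object { $null -ne $_ })
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $id = "$($ids[$i])".ToUpper()
        $name = $knownRules[$id]
        if (-not $name) { $name = '(rule name for this GUID: see the WDEG docs)' }
        [pscustomobject]@{ RuleId = $id; Name = $name; Action = $actionName[[int]$actions[$i]] }
    }
    # Exclusions set in the profile's "exclude files or folders" setting
    foreach ($ex in @($pref.AttackSurfaceReductionOnlyExclusions | Where-Object { $_ })) {
        [pscustomobject]@{ RuleId = 'Exclusion'; Name = $ex; Action = 'Excluded' }
    }
}

function Get-AsrEvents {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        # Flatten the <Data Name="..."> fields so we do not depend on their order.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $id   = "$($data['ID'])".ToUpper()
        $rule = $knownRules[$id]
        if (-not $rule) { $rule = $id }
        $mode = if ($e.Id -eq 1121) { 'Blocked' } else { 'Audited' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Mode    = $mode
            Rule    = $rule
            Process = $data['Process Name']
            Target  = $data['Path']
            User    = $data['User']
        }
    }
}

# Usage on the test device (elevated PowerShell) after running the demo files:
Get-AsrRuleConfiguration | Format-Table -AutoSize
Get-AsrEvents | Sort-Object Time | Format-Table -AutoSize
```

In production, run the rules in Audit first and review the Audited rows here: a LOB process that shows up repeatedly under the same rule is the candidate for an exclusion, not the whole rule.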

This is how Windows Defender Exploit Guard works, one of the features of the Windows 10 security stack. Enjoy!

Part 7 – Configure Microsoft Intune – Windows Defender SmartScreen

Windows Defender SmartScreen can also be managed by MS Intune; with a device configuration profile you can enable SmartScreen. SmartScreen is a Windows 10 feature for browsing the Internet. It is designed to warn users when unsafe websites are accessed in the web browser, including outright malicious sites that attack the browser or the underlying system directly. More information about this feature: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview

Go to the MS Intune portal -> Device configuration -> Profiles

Click on Create profile

Give the profile a name. Platform is Windows 10 and later. Profile type is Endpoint Protection. Click on Windows Defender SmartScreen on the right to get more settings.

Enable SmartScreen and click on Ok (twice). Click on Create to create the profile.

Click Assignments and search for the group to apply this profile to. Click on the Save button and wait a few minutes. Check the status via Devices -> All Devices -> click on the device -> Device Configuration.

To verify that the profile works, go to your device and open Internet Explorer. Normally, when you run IE for the first time you get a pop-up asking whether you want to turn on SmartScreen. If you don't get this window on the first run of IE, the profile is doing its work.

Let's check: open Internet Explorer and go to the menu Tools -> Safety -> Turn on Windows Defender SmartScreen…

You see that SmartScreen is turned on by MS Intune, and also for Microsoft Edge.

OK, great. Now we have to test this feature. Open Microsoft Edge and go to this website: https://secure.eicar.org/eicar.com.txt. This downloads a txt file. Click Open. You get this message.

Or you can try this website: https://demo.smartscreen.msft.net/ and click on the links on the website.

You will get this message from SmartScreen.

This is a nice test, and as you see SmartScreen is working. It will block unsafe websites for your users.

Part 6 – Configure Microsoft Intune – Windows Defender Firewall

This blog post is all about Windows Defender Firewall. In MS Intune you can also manage the Windows Firewall on a Windows 10 device. Let's begin with enabling the firewall on a Windows 10 device.

Go to the MS Intune portal -> Device Configuration -> Profiles

Create Profile.

Enter a name for the profile. Platform is Windows 10 and later. Profile type is Endpoint Protection. You see more settings; click on Windows Defender Firewall.

Click on Domain network

Enable the firewall and change the other settings. Click OK. Do the same for the Private and Public networks. Click OK (twice) and then Create to create the profile.

Click on assignments and search for the group. Select the group and click on the save button.

After a few minutes the firewall settings are changed. Check the status on your Windows 10 device: go to Control Panel -> Windows Defender Firewall.

This configuration is simple: it turns the firewall on or off. There are no requirements for this configuration, except that you need Windows 10 1709 or later for full support of the Firewall CSP. For more information about the Firewall CSP: https://docs.microsoft.com/en-us/windows/client-management/mdm/firewall-csp
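Instead of opening Control Panel on every device, you can compare the effective settings of the three profiles with what you configured in Intune. This is an added example, not code from the blog post; the expected values (firewall on, inbound blocked, outbound allowed) are assumptions, so adjust them to your own profile settings.

```powershell
# Added example (not from the blog post): check the Domain, Private and Public
# firewall profiles on a Windows 10 device against the settings the Intune profile
# was supposed to apply. Expected values below are assumptions; edit to match your profile.

function Test-FirewallProfileCompliance {
    param(
        [hashtable]$Expected = @{
            Enabled               = 'True'
            DefaultInboundAction  = 'Block'
            DefaultOutboundAction = 'Allow'
        }
    )
    # ActiveStore shows the effective settings, including those pushed by MDM or GPO,
    # rather than only what was set locally.
    foreach ($p in Get-NetFirewallProfile -PolicyStore ActiveStore) {
        $deviations = foreach ($setting in $Expected.Keys) {
            $actual = "$($p.$setting)"
            if ($actual -ne $Expected[$setting]) {
                "$setting=$actual (expected $($Expected[$setting]))"
            }
        }
        [pscustomobject]@{
            Profile   = $p.Name
            Compliant = ($deviations.Count -eq 0)
            Deviation = ($deviations -join '; ')
        }
    }
}

# Usage: run on the device after the Intune profile has applied.
Test-FirewallProfileCompliance | Format-Table -AutoSize
```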

Part 5 – Configure Microsoft Intune – Windows Defender Application Guard


This part is all about Windows Defender Application Guard. Windows Defender Application Guard (WDAG) is a security feature in Windows 10 and Microsoft Edge/Internet Explorer. This feature can also be managed by Microsoft Intune.

This feature gives your users secure browsing on the Internet, protecting your company while your employees browse. If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated Hyper-V-enabled container, which is separate from the host operating system. More information: https://docs.microsoft.com/nl-nl/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview

Before we configure this, there are some requirements to enable this feature. The device must have at least:

  • 4 CPUs (CPU virtualization extensions enabled);
  • 8GB of memory;
  • 5GB of disk space;
  • Windows 10 Enterprise, version 1709 or higher (I use 1803), or
  • Windows 10 Professional edition, version 1803.

If you are testing this on a virtual machine, you must enable nested Hyper-V (nested virtualization). Run this PowerShell command on your Hyper-V host:

Set-VMProcessor -VMName "The name of your Virtual Machine" -ExposeVirtualizationExtensions $true

This enables Hyper-V inside the virtual machine. The VM must be turned off when you run this command.

More information: https://docs.microsoft.com/nl-nl/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard
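Before assigning the profile, you can check a device against the requirements listed above. This is an added example, not code from the blog post; the thresholds follow the list above, and the edition check (Enterprise build 16299/1709 or higher, Pro build 17134/1803 or higher) and the optional feature name Windows-Defender-ApplicationGuard are assumptions.

```powershell
# Added example (not from the blog post): check a Windows 10 device against the WDAG
# requirements listed in the post before assigning the Intune profile.
# Assumptions: build 16299 = 1709 and 17134 = 1803; the WDAG optional feature is
# named Windows-Defender-ApplicationGuard (querying it needs an elevated shell).

function Test-WdagRequirements {
    $cpu     = Get-CimInstance Win32_Processor
    $cs      = Get-CimInstance Win32_ComputerSystem
    $os      = Get-CimInstance Win32_OperatingSystem
    $sysDisk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"

    $logicalCpus = ($cpu | Measure-Object -Property NumberOfLogicalProcessors -Sum).Sum
    # Firmware virtualization flag. Inside a Hyper-V guest this can still read False
    # after Set-VMProcessor -ExposeVirtualizationExtensions, so it is informational only.
    $virtExt  = [bool]($cpu | Where-Object { $_.VirtualizationFirmwareEnabled })
    $memoryGB = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
    $freeGB   = [math]::Round($sysDisk.FreeSpace / 1GB, 1)
    $build    = [int]$os.BuildNumber
    $editionOk = ($os.Caption -match 'Enterprise' -and $build -ge 16299) -or
                 ($os.Caption -match 'Pro' -and $build -ge 17134)
    # The feature Intune installs in the background once the profile applies.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -ErrorAction SilentlyContinue

    $result = [pscustomobject][ordered]@{
        LogicalCpus       = $logicalCpus
        CpusOk            = ($logicalCpus -ge 4)
        VirtExtInFirmware = $virtExt
        MemoryGB          = $memoryGB
        MemoryOk          = ($memoryGB -ge 8)
        FreeDiskGB        = $freeGB
        DiskOk            = ($freeGB -ge 5)
        Edition           = $os.Caption
        Build             = $build
        EditionOk         = $editionOk
        WdagFeatureState  = "$($feature.State)"
    }
    $meets = $result.CpusOk -and $result.MemoryOk -and $result.DiskOk -and $result.EditionOk
    $result | Add-Member -NotePropertyName MeetsRequirements -NotePropertyValue $meets -PassThru
}

# Usage: run in an elevated PowerShell on the device you want to enrol.
Test-WdagRequirements | Format-List
```

WdagFeatureState stays empty until the profile has applied and the device has rebooted; MeetsRequirements only covers the four hard requirements from the list.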

Let’s give this a try. Go to the Microsoft Intune portal and go to Device configuration -> Profiles

Create Profile

Give the profile a name. Platform is Windows 10 and later. Profile type is Endpoint protection. You get more settings; go to Windows Defender Application Guard.

Enable the settings you want and click on OK (twice). Then create the profile by clicking the Create button.

Go to assignments and search for the group. Select the group and click on the save button.

After a few minutes this profile is deployed to the device. In the background, Intune installs Hyper-V and Windows Defender Application Guard.

Let's look at the device. You have to restart the machine first, otherwise it won't work.

Open Microsoft Edge and click on the dots to expand the menu. Click New Application Guard window.

You have now opened a new Microsoft Edge window in an isolated Hyper-V container. This is secure browsing.