Part 11 – Configure Microsoft Intune – Mobile Application Management Without Enrollment

Time for something different. I want to write about the MAM functionality for a Windows 10 bring-your-own device (BYOD). The device itself is not enrolled into MS Intune; instead the applications receive their protection policy from MS Intune without enrollment.

To protect corporate data and keep it separate from personal data, Windows 10 uses Windows Information Protection (WIP). WIP is supported by MS Intune, so based on WIP you can protect and manage corporate data on a Windows 10 BYOD device.

More information on: https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip

You need an unmanaged Windows 10 device for this exercise.

Let's begin with MAM without enrollment, also called MAM-WE (Mobile Application Management Without Enrollment). To test WIP we first download Office from portal.office.com onto the unmanaged Windows 10 device.

Download Office from https://portal.office.com

Click on the Run button to start the download and installation.

Office is installing.

The installation is done. Click Close to close the setup. Microsoft Edge is still open; close that as well.

We now have an unmanaged Windows 10 device with Office 2016 installed, so we can test the MAM-WE functionality in MS Intune. Continue in the MS Intune portal and go to Mobile Apps – App protection policies.

Click Add a policy.

Enter a name for the policy. Platform is Windows 10 and Enrollment state is Without enrollment. Click Protected apps.

Click on the button Add apps.

Select these apps (the recommended Store apps). They will be allowed to work with corporate data. Click OK, then click Add apps again.

Change the option from Recommended apps to Desktop apps.

Enter the Office apps here, for example Outlook and Word. For PUBLISHER you need "O=Microsoft Corporation, L=Redmond, S=Washington, C=US". WIP matches desktop apps on the subject of the code-signing certificate of the binary, so this string has to match exactly. Click OK. Now do the same for Outlook.


These apps are protected by MS Intune based on the protection policy. Click OK. We skip Exempt apps; they are not needed here.
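The Desktop apps entry above needs the exact publisher string and product name of the signed binary, and the Store app entries need the package name and publisher. The following is an added example, not code from the original post, that reads those values from the installed binaries and Store packages on the test device so you do not have to type them by hand. The Office install path and the Edge package name are assumptions; adjust them to your device.

```powershell
# Added example (not part of the original post): collect the values the WIP
# protection policy asks for from the installed apps themselves.
# Assumption: Office Click-to-Run is installed under the default path below.
$OfficeRoot = 'C:\Program Files\Microsoft Office\root\Office16'   # assumed path

function Get-WipDesktopAppInfo {
    # Publisher (certificate subject) and product name of signed desktop binaries
    param([Parameter(Mandatory)][string[]]$Path)

    foreach ($exe in $Path) {
        if (-not (Test-Path $exe)) {
            Write-Warning "Not found: $exe"
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $exe
        $ver = (Get-Item $exe).VersionInfo

        [pscustomobject]@{
            Binary      = [IO.Path]::GetFileName($exe)
            Publisher   = $sig.SignerCertificate.Subject
            ProductName = $ver.ProductName
            FileVersion = $ver.FileVersion
            SignatureOK = ($sig.Status -eq 'Valid')
        }
    }
}

function ConvertTo-WipPublisher {
    # The certificate subject reads "CN=..., O=..., L=..., S=..., C=...";
    # the policy editor wants only the O=/L=/S=/C= part, so drop CN=.
    param([Parameter(Mandatory)][string]$Subject)
    ($Subject -split ',\s*' | Where-Object { $_ -notmatch '^CN=' }) -join ', '
}

function Get-WipStoreAppInfo {
    # Name and publisher of Store (AppX) packages, for the Recommended/Store apps entries
    param([string]$NameLike = 'Microsoft.MicrosoftEdge*')   # assumed package name
    Get-AppxPackage -Name $NameLike | Select-Object Name, Publisher, PackageFamilyName
}

$apps = Get-WipDesktopAppInfo -Path @(
    (Join-Path $OfficeRoot 'OUTLOOK.EXE')
    (Join-Path $OfficeRoot 'WINWORD.EXE')
)

foreach ($app in $apps) {
    if (-not $app.SignatureOK) {
        # An invalid or missing signature means the publisher string cannot be trusted
        Write-Warning "$($app.Binary): signature status is not Valid"
    }
    '{0,-12} PUBLISHER: {1}   PRODUCT: {2}' -f $app.Binary, (ConvertTo-WipPublisher $app.Publisher), $app.ProductName
}

Get-WipStoreAppInfo | Format-Table -AutoSize
```

Run it on the device where Office was just installed; the PUBLISHER column is what goes into the Desktop apps entry, and the Name/Publisher pair is what the Store app entries expect. Only trust the output for binaries whose signature status is Valid.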


Go to Required settings and click Block. This prevents enterprise/corporate data from leaving the protected apps: you cannot copy text from a protected app into an unprotected app such as Notepad. The other modes are Allow overrides (the user is warned and can override, which is logged), Silent (only logged) and Off. Click OK.


Go to Advanced settings and click Cloud resources. We have to edit this property: it is a pipe-separated list of enterprise domains, so append a | followed by outlook.office365.com. Click OK (twice) and then Create to create the policy.


Click the policy you just created. Click Assignments to assign the group.

It’s time to test this policy on an unmanaged Windows 10 Device.


Go to your device and open Outlook. This is the first run of Outlook, so you see this window. Enter an email address here.


Click on Office 365.


Enter here the password. Click on Sign in.

The user may have to verify the sign-in. Click Next.

Click Yes.

Click Create PIN.

Enter a PIN here; don't use a simple PIN like 1234 or 8888.

Click Next.

Enter the password of the logged-in user here and click OK. You can also check MS Intune -> Devices -> Azure AD devices: the machine is now Azure AD registered.

Deselect Set up Outlook Mobile and click OK.

Outlook is configured and ready to use. Click Accept and start Outlook.

Open Word, type some text and go to the menu to save the document.

Save the document on corporate storage, such as OneDrive or SharePoint.

Your document is now protected by Windows Information Protection. Let's try to copy the text and paste it into Notepad. We did not add Notepad to the policy, so that app is unprotected.

You see that Notepad is not a protected app and the paste is not allowed. Now try Outlook: copy the text in Word again and paste it into Outlook.

This action is allowed by WIP, and it also works the other way round. Create a new mail, type some text, copy it and paste it into Notepad. You get the same message as before with Word.

You can do the same with Microsoft Edge and Internet Explorer; they are also protected by WIP.

If you go to a corporate (web)site such as SharePoint, you see the briefcase icon in the address bar. That site is protected by WIP, and losing corporate data is now prevented by the policy.

This is how WIP looks in Internet Explorer.

If you remove the work/school account from the BYOD device and try to open a work-related document, you get this:

This also works on Windows 10 Home edition (1803). I think most BYOD Windows 10 devices run Windows 10 Home edition, so I wanted to be sure that WIP also works on a Home edition device.

So, this is what we did. We created a protection policy to protect corporate data inside an app and tested it on an unmanaged Windows 10 device with Office 2016. First we saved the document on corporate storage, then we copied text from the document and pasted it into an unprotected application like Notepad. We did the same for Outlook, Microsoft Edge and Internet Explorer.


Part 10 – Configure Microsoft Intune – Windows Defender Advanced Threat Protection

A few months ago Microsoft announced a new feature in MS Intune: you can now use Windows Defender ATP as a compliance signal for your environment. This means you can grant a device access to corporate resources depending on its Windows Defender ATP status, based on its risk score. If the device is not healthy or has too high a risk score in ATP, MS Intune marks it noncompliant and access to the resources can be blocked. Windows Defender ATP helps prevent security breaches and helps limit their impact within your organization. For more information: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection

You need a Windows Defender ATP subscription, and it has to be connected to MS Intune. These are the steps to connect Windows Defender ATP. If you don't have a Windows Defender ATP subscription, you can create a trial subscription and use that to connect to your MS Intune environment. Link: https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp

Go to MS Intune portal -> Device compliance -> Windows Defender ATP

Click the link Connect Windows Defender ATP to Microsoft Intune in the Windows Defender Security Center.

Turn on Microsoft Intune connection and click on the Save preference button.

You get this message.

Go back to the MS Intune portal and click Refresh. The connection has been made and the status is Available; it changes to Connected later.

Turn on the options Connect Windows devices version… and Block unsupported OS versions. Click Save.

The next step is to onboard your test device into Windows Defender ATP. Go to the Windows ATP dashboard/portal: https://securitycenter.windows.com/

Click Settings in the menu.

Click Onboarding

Change Deployment method to Mobile Device Management/Microsoft Intune. Click Download package and save the ZIP in Downloads.

Open the ZIP file, extract the XML file and save it in Documents or somewhere else.

Now go to the MS Intune portal. We need to create a new device configuration profile: MS Intune portal -> Device configuration -> Profiles

Click on the button Create profile.

Name the profile. Platform is Windows 10 and later, profile type is Windows Defender ATP (Windows 10 Desktop). More settings appear on the right.

Click the folder icon next to Upload a signed configuration… and browse to the XML file.

Enable the other options. Click OK and then Create.

Click Assignments, search for the group and click Select. Click Save. The profile is ready and will be deployed to your device within a few minutes.

Then we create a new compliance policy based on device health. Go back to Device compliance -> Policies and click Create Policy.

Give the policy a name. Platform is Windows 10 and later. Click Device health.

You have a few options to choose from:

  • Secured: This level is the most secure. The device cannot have any existing threats and still access company resources. If any threats are found, the device is evaluated as noncompliant.
  • Low: The device is compliant if only low-level threats exist. Devices with medium or high threat levels are not compliant.
  • Medium: The device is compliant if the threats found on the device are low or medium. If high-level threats are detected, the device is determined as noncompliant.
  • High: This level is the least secure and allows all threat levels. Devices with high, medium or low threat levels are considered compliant.

Choose a level and click OK (twice). Click Create to create the policy.

Click Assignments and search for the group. Select the group and click Save. The policy is applied to the devices within a few minutes.

Go back to the Windows Defender ATP portal and click Machines list in the menu. Your device should appear here; if not, wait longer. The device must be in this list before its risk level can feed the compliance policy. The device is now also monitored by Windows Defender ATP.
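While waiting for the device to show up in the machine list, you can check on the device itself whether the Intune-delivered onboarding profile took effect. The following is an added example, not code from the original post or from Microsoft: it checks the Sense service, the documented OnboardingState registry value (1 = onboarded) and the SENSE operational event log for recent errors. Run it from an elevated PowerShell on the test device; the other registry values it reads are listed for reference only and are an assumption on my side.

```powershell
# Added example (not part of the original post): verify Windows Defender ATP
# onboarding locally on the test device.

function Test-WdatpOnboarding {
    [CmdletBinding()]
    param()

    # Documented status location; OnboardingState 1 means onboarded, 0 means not
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

    $result = [ordered]@{
        SenseServiceState = 'missing'
        SenseStartType    = $null
        OnboardingState   = $null
        OrgId             = $null      # tenant org id; assumption: present once onboarded
        Onboarded         = $false
    }

    # The Sense service is the ATP sensor; it only exists after onboarding
    $svc = Get-Service -Name Sense -ErrorAction SilentlyContinue
    if ($svc) {
        $result.SenseServiceState = $svc.Status.ToString()
        $result.SenseStartType    = $svc.StartType.ToString()
    }

    if (Test-Path $statusKey) {
        $st = Get-ItemProperty -Path $statusKey
        $result.OnboardingState = $st.OnboardingState
        $result.OrgId           = $st.OrgId
    }

    $result.Onboarded = ($result.OnboardingState -eq 1) -and ($result.SenseServiceState -eq 'Running')
    [pscustomobject]$result
}

function Get-WdatpSensorProblems {
    # Recent errors/warnings from the sensor's own log; useful when Onboarded is $false
    param([int]$MaxEvents = 10)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SENSE/Operational'; Level = 2, 3 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
}

$status = Test-WdatpOnboarding
$status | Format-List
if (-not $status.Onboarded) {
    Write-Warning 'Device is not onboarded yet; recent sensor events:'
    Get-WdatpSensorProblems | Format-Table -AutoSize
}
```

If Onboarded is $true but the machine is still missing from the portal, it is usually a matter of waiting or of outbound connectivity to the ATP service URLs; the SENSE log entries point at which of the two.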

It's time to test Windows Defender ATP. In the Windows Defender ATP dashboard go to Help and click Simulations & tutorials.

Click Copy simulation script for Scenario 2.

Go back to your device and open Windows PowerShell with administrative privileges.

Paste the script into the PowerShell window on your device. If you are using Hyper-V, click Clipboard -> Type clipboard text in the VM connection menu.

Press Enter to run the script. After a few seconds you see Notepad start and close automatically.

The simulated attack is done: the script has run and injected into the process.

Go back to the Windows Defender ATP dashboard and open Alerts. You see new alerts; these were caused by your action. This is how Windows Defender ATP works.

Click on the computer name to get an overview of the machine.

From here you can take response actions to remediate the machine, investigate, and review its activity. Going deeper into the details I save for a later blog post; it's too much for this one.

To see more information about the device health state in the All devices view, you can add a column.

Go to Devices -> All Devices. Click Columns to add a new column to the view.

Select Device Health State and click on the apply button.


Scroll to the right and you see the new column based on the health level from Windows Defender ATP.

Check your compliance policy to see whether the machine is compliant or not.

This post was about the integration of MS Intune with Windows Defender ATP. You can now use a compliance policy based on the risk score/level. A machine with a high risk score is not allowed to use corporate resources, and so your organization is protected from the infected client spreading malware to other clients, by blocking it through the compliance policy and conditional access.

What we did is:
– integrate Windows Defender ATP with MS Intune;
– test Windows Defender ATP and check the alerts;
– make a compliance policy based on Device health state.

The last one, the compliance policy, will be used by Conditional Access to block devices based on their compliance status. I will write about that in another blog post.

Part 9 – Configure Microsoft Intune – Windows Defender Application Control

Windows Defender Application Control (WDAC) is one of the security features in Windows 10. WDAC helps mitigate security threats by restricting the applications that users are allowed to run and the code that runs in the kernel. WDAC policies also block unsigned scripts and MSIs, and Windows PowerShell runs in Constrained Language Mode. WDAC is similar to AppLocker and can be managed by MS Intune. With the Intune setting, Windows components and all apps from the Microsoft Store are trusted by default, so Windows 10 keeps running without crashing or blocking important components. So it's safe to enable as far as Windows itself is concerned; anything else, including your line-of-business desktop applications, is blocked unless you add it or turn on Trust apps with good reputation. With AppLocker this is different: you had to be very careful about which files and processes you block. The requirement for this feature is Windows 10 Enterprise.

More information about Windows Defender Application Control: https://docs.microsoft.com/nl-nl/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control

Before deploying this profile to your test device, download and install 7-Zip on the device. We need this application to test WDAC.

Open MS Intune portal -> Device configuration -> Profiles

Click on the button Create Profile

Enter a name. Platform is Windows 10 and later, profile type is Endpoint protection. Click Windows Defender Application Control; more settings appear on the right.

Change the setting Application control code integrity policies to Enforce (for production, start with Audit only and review the code integrity events first). You can also enable Trust apps with good reputation, which trusts apps via the Intelligent Security Graph, but then you can't test with well-known applications such as 7-Zip anymore, so I leave it Not configured. I am going to test 7-Zip with this profile. Click OK (twice) and click Create to create the profile.

Click Assignments and search for the group. Select the group and click Save. The policy is now deployed to the device; wait a few minutes, and restart the device, since code integrity policies are loaded at boot. To check the status of the deployment go to MS Intune portal -> Devices -> All Devices -> name of the device -> Device configuration.

Go to your Windows 10 device and try to start 7zip from the start menu. You get this message.

WDAC is working and blocks unknown applications. Only Windows components and Microsoft Store apps are trusted and are not blocked by WDAC.
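The pop-up is the user-facing side; the device also records which policy mode is active and which binaries were blocked. The following is an added example, not code from the original post, that reads the enforcement status from the Win32_DeviceGuard class and lists the code integrity events for the application under test (3077 = blocked by an enforced policy, 3076 = would have been blocked in audit mode). Run it elevated on the device; the 7z process name filter is this example's assumption.

```powershell
# Added example (not part of the original post): confirm WDAC enforcement on
# the device and show the block/audit events for the tested application.

function Get-WdacEnforcementStatus {
    # Win32_DeviceGuard exposes the current code integrity policy state
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $levels = @{ 0 = 'Off'; 1 = 'Audit mode'; 2 = 'Enforced' }
    [pscustomobject]@{
        KernelModePolicy = $levels[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        UserModePolicy   = $levels[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
    }
}

function Get-WdacBlockEvents {
    param(
        [string]$ProcessNameLike = '7z',   # assumption: 7-Zip binaries are 7z*.exe
        [int]$MaxEvents = 20
    )
    # 3077 = blocked (enforced policy), 3076 = audit-only hit
    $filter = @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076, 3077 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents 500 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$ProcessNameLike*" } |
        Select-Object -First $MaxEvents TimeCreated, Id,
            @{ n = 'Mode';    e = { if ($_.Id -eq 3077) { 'Blocked' } else { 'Audit' } } },
            @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
}

Get-WdacEnforcementStatus
Get-WdacBlockEvents -ProcessNameLike '7z' | Format-Table -AutoSize
```

If UserModePolicy reads Off after the profile reports success in Intune, the device has not been restarted yet. In audit mode the same query, without the process filter, gives you the list of line-of-business binaries you would have to allow before switching the profile to Enforce.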

Part 8 – Configure Microsoft Intune – Windows Defender Exploit Guard

Another security feature in Windows 10 is Windows Defender Exploit Guard, and it can also be managed by MS Intune. Windows Defender Exploit Guard (Windows Defender EG) is a set of host intrusion prevention capabilities for Windows 10 that lets you manage and reduce the attack surface of the apps your users use.

Windows Defender EG has four features:

  • Exploit protection can apply exploit mitigation techniques to apps your organization uses, both individually and to all apps. Works with third-party antivirus solutions and Windows Defender Antivirus (Windows Defender AV).
  • Attack surface reduction rules can reduce the attack surface of your applications with intelligent rules that stop the vectors used by Office-, script- and mail-based malware. Requires Windows Defender AV.
  • Network protection extends the malware and social engineering protection offered by Windows Defender SmartScreen in Microsoft Edge to cover network traffic and connectivity on your organization’s devices. Requires Windows Defender AV.
  • Controlled folder access helps protect files in key system folders from changes made by malicious and suspicious apps, including file-encrypting ransomware malware. Requires Windows Defender AV.

More information about Windows Defender EG: https://docs.microsoft.com/nl-nl/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard

You have to create a new device configuration profile in MS Intune. Go to MS Intune portal -> Device configuration -> Profiles

Click Create profile.

Enter a name for the profile. Platform is Windows 10 and later, profile type is Endpoint protection. Click Windows Defender Exploit Guard to get more settings.

Click Attack Surface Reduction and enable the rules. I set every rule to Block for testing. For production you have to find out which line-of-business (LOB) applications would be blocked; to do that, set some or all rules to Audit only first. In audit mode you check the event log to see which LOB application or process triggered a rule, and then exclude that application from the rule (or keep the rule in audit) before switching it to Block.

Here you can exclude files or folders from the WDEG rules.

Click OK and configure the other WDEG features as well. After that click OK (three times) and then Create to create the profile.

Click Assignments and search for the group. Select the group and click Save. Now wait a few minutes; the profile is pending deployment to your device.

Once the profile is applied, we test the settings. Everything is set to Block, so we should see some block messages. To test Windows Defender EG, Microsoft provides test files and tools on this website: https://demo.wd.microsoft.com/

Open the website on your managed device and click the link.

You have to sign in with your Microsoft account. After that you land on this site.

You have to download some files; these are test files for exercising the WDEG functions.

Download the files and save them in a folder such as C:\Demo.

If you run this VBS script, TestFile_PsexecAndWMICreateProcess_D1E49AAC-8F56-4280-B9BA-993A6D77406C, you get this notification. The GUID in the file name is the ID of the ASR rule it exercises (Block process creations originating from PsExec and WMI commands). You have to click the pop-ups to end the script.

For more information you can use the event log. First download the custom event views from this website: https://aka.ms/mp7z2w

Open the ZIP file, copy the custom views asr-events, cfa-events, ep-events and np-events.xml, and save them in Documents or somewhere else.

Open Event Viewer via Run in the Start menu or by pressing WIN+R and typing eventvwr.

Right-click Custom Views and click Import Custom View in the menu.

Browse to the copied views in Documents, select the first one and click OK. Repeat this for the others.

Click the Attack Surface Reduction view. You see the events generated by WDEG, including a warning that an operation was blocked by Windows Defender Antivirus (event ID 1121 is a block, 1122 an audit hit). In other words, WDEG is working on the Windows 10 device.
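The custom view shows the raw events; when you tune the rules for LOB applications it is easier to read the rule configuration back from the device and to see which rule fired on which process. The following is an added example, not code from the original post: it reads the ASR rule IDs and actions that the Intune profile set (via Get-MpPreference), maps the documented rule GUIDs to their names, and parses the 1121/1122 events. The event data field names used for process and path are what these events carry in my experience and are an assumption; unknown fields simply show empty.

```powershell
# Added example (not part of the original post): read back ASR rule state and
# the block/audit events written by Windows Defender Antivirus.

$AsrRuleNames = @{   # documented ASR rule GUIDs
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Block process creations originating from PsExec and WMI commands'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
    '01443614-CD74-433A-B99E-2ECDC07BFC25' = 'Block executable files unless they meet a prevalence, age, or trusted list criterion'
    'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4' = 'Block untrusted and unsigned processes that run from USB'
}
$AsrActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit' }

function Get-AsrRuleState {
    # Rules and actions as currently applied (Intune writes them into Defender preferences)
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)      # @() guards the single-rule case
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $id     = ([string]$ids[$i]).Trim('{}').ToUpper()
        $action = [int]$actions[$i]
        [pscustomobject]@{
            RuleId = $id
            Rule   = if ($AsrRuleNames.ContainsKey($id))        { $AsrRuleNames[$id] }      else { '(unknown rule id)' }
            Action = if ($AsrActionNames.ContainsKey($action))  { $AsrActionNames[$action] } else { $action }
        }
    }
}

function Get-AsrEvents {
    param([int]$MaxEvents = 25)
    # 1121 = rule fired in block mode, 1122 = rule fired in audit mode
    $filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $x.Event.EventData.Data) { $data[[string]$d.Name] = [string]$d.'#text' }
            $ruleId = if ($data['ID']) { $data['ID'].Trim('{}').ToUpper() } else { '' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Mode    = if ($_.Id -eq 1121) { 'Blocked' } else { 'Audit' }
                Rule    = if ($AsrRuleNames.ContainsKey($ruleId)) { $AsrRuleNames[$ruleId] } else { $ruleId }
                Process = $data['Process Name']   # assumed field name
                Target  = $data['Path']           # assumed field name
            }
        }
}

Get-AsrRuleState | Format-Table -AutoSize
Get-AsrEvents    | Format-Table -AutoSize
```

On an Intune-managed device, changing a rule locally with Set-MpPreference only lasts until the policy is reapplied, so use the output to decide which rules to move to Audit only or which folders to exclude in the profile, and change it there.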

This is how Windows Defender Exploit Guard works, one of the features in the Windows 10 security stack. Enjoy.

Part 7 – Configure Microsoft Intune – Windows Defender SmartScreen

Windows Defender SmartScreen can also be managed by MS Intune: with a device configuration profile you can enable SmartScreen. SmartScreen is a Windows 10 feature for browsing the Internet. It is designed to warn users when they access unsafe websites in the browser, covering outright malicious sites that attack the browser or the underlying system directly, and it also checks downloaded files and apps before they run. More information about this feature: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview

Go to the MS Intune portal -> Device configuration -> Profiles

Click Create profile.

Give the profile a name. Platform is Windows 10 and later, profile type is Endpoint protection. Click Windows Defender SmartScreen on the right to get more settings.

Enable SmartScreen and click OK (twice). Click Create to create the profile.

Click Assignments and search for the group to which this profile applies. Click Save. Wait a few minutes, then check the status via Devices -> All Devices -> click the device -> Device configuration.

To verify that the profile works, go to your device and open Internet Explorer. Normally, when you run IE for the first time, you get a pop-up asking whether you want to turn on SmartScreen. If you don't get that window on first run, the profile is doing its work.

Let's check: open Internet Explorer and go to Tools -> Safety -> Turn on Windows Defender SmartScreen…

You see that SmartScreen is turned on by MS Intune, and also in Microsoft Edge.
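The greyed-out menu entry tells you policy is in control, but not which policy values landed. The following is an added example, not code from the original post, that reads the SmartScreen policy values from the registry locations the Windows, Microsoft Edge (legacy) and Internet Explorer policies use, and compares them with the expected hardened values. Which of the three locations your profile populates depends on where you configured SmartScreen in Intune (the Endpoint protection settings write the Windows shell values); the expected values are this example's assumption.

```powershell
# Added example (not part of the original post): show which SmartScreen
# settings are enforced by policy on the device and whether they match the
# intended baseline.

function Get-SmartScreenPolicyState {
    param(
        [string]$ExpectedShellLevel = 'Block'   # assumption: Block, not Warn
    )
    $checks = @(
        @{ Scope = 'Windows shell (apps and files)'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System';                 Name = 'EnableSmartScreen';      Expect = 1 }
        @{ Scope = 'Windows shell override level';   Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System';                 Name = 'ShellSmartScreenLevel';  Expect = $ExpectedShellLevel }
        @{ Scope = 'Microsoft Edge (legacy)';        Key = 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter';   Name = 'EnabledV9';              Expect = 1 }
        @{ Scope = 'Internet Explorer';              Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter'; Name = 'EnabledV9';            Expect = 1 }
    )
    foreach ($c in $checks) {
        $value = $null
        if (Test-Path $c.Key) {
            # Missing value: not managed by policy (user/default setting applies)
            $value = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        }
        [pscustomobject]@{
            Scope     = $c.Scope
            Value     = if ($null -eq $value) { '(not set by policy)' } else { $value }
            Compliant = ($null -ne $value) -and ("$value" -eq "$($c.Expect)")
        }
    }
}

Get-SmartScreenPolicyState | Format-Table -AutoSize
```

A row that reads "(not set by policy)" means the user can still turn SmartScreen off for that scope; that is the gap to close in the profile rather than on the device.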

Ok, great… Now we have to test this feature. Open Microsoft Edge and go to https://secure.eicar.org/eicar.com.txt. This downloads a text file containing the EICAR test string; click Open and you get this message. Note that EICAR is detected by Windows Defender Antivirus scanning the download, so this confirms that downloads are scanned rather than SmartScreen's URL reputation check.

To exercise SmartScreen itself, go to https://demo.smartscreen.msft.net/ and click the links on that website.

You will get this message from SmartScreen.

This is a nice test, and as you see SmartScreen is working. It blocks unsafe websites and downloads for the users.

Part 6 – Configure Microsoft Intune – Windows Defender Firewall

This post is all about Windows Defender Firewall. MS Intune can also manage the Windows Firewall on a Windows 10 device. Let's begin by enabling the firewall on a Windows 10 device.

Go to the MS Intune portal -> Device Configuration -> Profiles

Click Create profile.

Enter a name for the profile. Platform is Windows 10 and later, profile type is Endpoint protection. More settings appear; click Windows Defender Firewall.

Click Domain network.

Enable the firewall and change the other settings, such as blocking inbound connections by default. Click OK. Do the same for Private and Public network. Click OK (twice) and then Create to create the profile.

Click on assignments and search for the group. Select the group and click on the save button.

After a few minutes the firewall settings have changed. Check the status on your Windows 10 device via Control Panel -> Windows Defender Firewall.
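The Control Panel page shows whether each profile is on; what matters for a baseline is also the default inbound and outbound action per profile. The following is an added example, not code from the original post, that reads the effective firewall state (the merge of local settings and MDM/Group Policy, which is what -PolicyStore ActiveStore returns) and flags any profile that is off or that lets inbound traffic through by default. The expected actions are this example's assumption; adjust them to what you set in the profile.

```powershell
# Added example (not part of the original post): check the effective Windows
# Defender Firewall state per network profile against a simple baseline.

function Test-FirewallBaseline {
    param(
        [ValidateSet('Block', 'Allow')][string]$ExpectedInbound  = 'Block',   # assumption
        [ValidateSet('Block', 'Allow')][string]$ExpectedOutbound = 'Allow'    # assumption
    )
    # ActiveStore = resulting configuration after policy (MDM/GPO) is applied
    Get-NetFirewallProfile -PolicyStore ActiveStore | ForEach-Object {
        $problems = @()

        # NotConfigured falls back to the Windows defaults: inbound Block, outbound Allow
        $inbound  = if ("$($_.DefaultInboundAction)"  -eq 'NotConfigured') { 'Block' } else { "$($_.DefaultInboundAction)" }
        $outbound = if ("$($_.DefaultOutboundAction)" -eq 'NotConfigured') { 'Allow' } else { "$($_.DefaultOutboundAction)" }

        if ("$($_.Enabled)" -ne 'True')       { $problems += 'firewall disabled' }
        if ($inbound  -ne $ExpectedInbound)   { $problems += "default inbound is $inbound" }
        if ($outbound -ne $ExpectedOutbound)  { $problems += "default outbound is $outbound" }

        [pscustomobject]@{
            Profile   = $_.Name
            Enabled   = "$($_.Enabled)"
            Inbound   = $inbound
            Outbound  = $outbound
            LogFile   = $_.LogFileName
            Compliant = ($problems.Count -eq 0)
            Problems  = ($problems -join '; ')
        }
    }
}

$report = Test-FirewallBaseline
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Compliant }) {
    Write-Warning 'One or more firewall profiles deviate from the baseline'
}
```

Run it once before the Intune profile is assigned and once after; the difference in the Enabled and Inbound columns is exactly what the Firewall CSP changed.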

This configuration is simple: it turns the firewall on or off per network profile. There are no requirements other than Windows 10 1709 or later for full support of the Firewall CSP. For more information about the Firewall CSP: https://docs.microsoft.com/en-us/windows/client-management/mdm/firewall-csp

Part 5 – Configure Microsoft Intune – Windows Defender Application Guard

This part is all about Windows Defender Application Guard. Windows Defender Application Guard (WDAG) is a security feature in Windows 10 for Microsoft Edge and Internet Explorer. This feature can also be managed by Microsoft Intune.

This feature lets your users browse the Internet securely and protects your company while employees browse. If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated, Hyper-V enabled container that is separate from the host operating system. More information: https://docs.microsoft.com/nl-nl/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview

Before we configure this, there are some requirements for enabling the feature. The device must have at least:

  • 4 CPUs (with CPU virtualization extensions enabled),
  • 8 GB of memory,
  • 5 GB of free disk space,
  • Windows 10 Enterprise, version 1709 or higher (I use 1803), or
  • Windows 10 Pro, version 1803.

If you are testing this on a virtual machine you must enable nested virtualization. Shut the VM down and run this PowerShell command on the Hyper-V host:

Set-VMProcessor -VMName "The name of your Virtual Machine" -ExposeVirtualizationExtensions $true

This exposes the virtualization extensions to the VM, so that Hyper-V (and with it Application Guard) can run inside the virtual machine.

More information: https://docs.microsoft.com/nl-nl/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard
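Before assigning the profile it is worth checking the prerequisites above on the target device instead of finding out from a failed deployment. The following is an added example, not code from the original post: it compares the device against the thresholds listed above (4 CPUs, 8 GB RAM, 5 GB free, virtualization extensions, supported edition/version) and reports the state of the Application Guard optional feature. Run it from an elevated PowerShell; the build-number-to-version mapping and the edition check are this example's own.

```powershell
# Added example (not part of the original post): check Windows Defender
# Application Guard prerequisites on the device.

function Test-WdagPrerequisites {
    $cs  = Get-CimInstance Win32_ComputerSystem
    $os  = Get-CimInstance Win32_OperatingSystem
    $cpu = Get-CimInstance Win32_Processor | Select-Object -First 1
    $sys = Get-PSDrive -Name (($env:SystemDrive).TrimEnd(':'))

    # Virtualization extensions: either still exposed by firmware, or already
    # in use by a running hypervisor (which is what Application Guard relies on)
    $virt = [bool]($cpu.VirtualizationFirmwareEnabled -or $cs.HypervisorPresent)

    $edition = $os.Caption
    $build   = [int]$os.BuildNumber            # 16299 = 1709, 17134 = 1803
    $editionOk = ($edition -match 'Enterprise' -and $build -ge 16299) -or
                 ($edition -match 'Pro'        -and $build -ge 17134)

    $cpuOk  = $cs.NumberOfLogicalProcessors -ge 4
    $memOk  = $cs.TotalPhysicalMemory -ge 8GB
    $diskOk = $sys.Free -ge 5GB

    # Optional feature state (Enabled/Disabled); requires elevation to query
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Edition           = "$edition (build $build)"
        EditionSupported  = $editionOk
        LogicalProcessors = $cs.NumberOfLogicalProcessors
        CpuOk             = $cpuOk
        MemoryGB          = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
        MemoryOk          = $memOk
        FreeDiskGB        = [math]::Round($sys.Free / 1GB, 1)
        DiskOk            = $diskOk
        VirtualizationOk  = $virt
        ApplicationGuard  = if ($feature) { "$($feature.State)" } else { '(feature not available or not elevated)' }
        ReadyForProfile   = $editionOk -and $cpuOk -and $memOk -and $diskOk -and $virt
    }
}

Test-WdagPrerequisites | Format-List
```

If VirtualizationOk is $false on a Hyper-V guest, the Set-VMProcessor step above has not been applied on the host yet; if everything else passes but ApplicationGuard stays Disabled after the profile is assigned, the device simply has not been restarted.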

Let’s give this a try. Go to the Microsoft Intune portal and go to Device configuration -> Profiles

Create Profile

Give the profile a name. Platform is Windows 10 and later. Profile type is Endpoint protection. You will get more settings and go to Windows Defender Application Guard.

Enable some settings and click on Ok (twice). Then you have to create the profile by clicking the create button.

Go to assignments and search for the group. Select the group and click on the save button.

After a few minutes the profile is deployed to the device. In the background the Windows Defender Application Guard feature is installed, together with the Hyper-V components it needs.

Let's look at the device. You have to restart the machine first, otherwise it won't work.

Open Microsoft Edge and click the three dots to expand the menu. Click New Application Guard window.

You now have a new Microsoft Edge window open in an isolated Hyper-V container. This is secure browsing.