Add a Microsoft Store app – Manage applications

To add a Microsoft Store app, use the following procedure:

  1. Open the Microsoft Intune admin center and select Apps in the navigation pane.
  2. Select All apps, and then select Add.
  3. On the Select add type blade displayed in Figure 4-2, in the App Type list, under the Store app heading, select Microsoft Store app (new) and click Select.
  4. On the Add App blade, select Search the Microsoft Store app (new).

  5. On the Search the Microsoft Store app (new) blade, search for an app and then choose Select, as displayed in Figure 4-3.

FIGURE 4-3 Adding a Microsoft Store app

To obtain the URL, visit the App Store using a web browser, locate the app you want, and then copy the URL for the app’s page.

  6. Select Next, and on the Assignments tab select the appropriate groups for assignment, or select Add all users as displayed in Figure 4-4. Then select Next.

FIGURE 4-4 Assigning a Microsoft Store app

    7. On the Review + create tab, select Create.

    After you create the app, you can use the Device install status and User install status options in the Monitor section to monitor the installation of the selected app.

    Note Installing iOS and Android Store Apps

    Installing store apps for iOS and Android is fairly similar to this process.

    Note ARM64 Apps

    Microsoft Store apps do not support any app with an ARM64 installer.

    Configure Microsoft 365 Apps deployment by using the Microsoft Office Deployment Tool or Office Customization Tool (OCT)

    You can configure Microsoft 365 Apps by using specialist tools that allow you to customize and configure the Office installation for your company’s needs. Two tools are available:

    • Office Deployment Tool (ODT)
    • Office Customization Tool (OCT)

    Using the Microsoft Office Deployment Tool

    The ODT is a command-line utility that can deploy Microsoft 365 Apps to client devices. The ODT provides granular control over the Office installation. For example, you can configure the following:

    • Which products are installed
    • Language options
    • Office updates
    • Whether the install experience is displayed to users

    Note ODT Download

    You can download the ODT at www.microsoft.com/download/details.aspx?id=49117.

    The installer file will create the setup.exe and the following sample configuration files:

    • configuration-Office365-x64.xml
    • configuration-Office365-x86.xml
    • configuration-Office2019Enterprise.xml
    • configuration-Office2021Enterprise.xml

    The configuration-Office365-x64.xml sample configuration file looks like this:

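    The book's listing of the sample file is not reproduced here. The following is an added example, not the book's file or Microsoft's sample: a PowerShell script that writes a configuration file covering the four items listed above (products, language, updates, and display) and then runs the ODT download and configure phases. The ODT folder C:\ODT, the cache folder, the channel, and the excluded apps are assumptions.

```powershell
# Added example: build an ODT configuration file and run setup.exe with it.
# Assumptions: the ODT installer has been extracted to C:\ODT (so C:\ODT\setup.exe
# exists) and C:\ODT\Office is where the installation source will be cached.
$OdtRoot    = 'C:\ODT'                     # assumed extraction folder
$ConfigPath = Join-Path $OdtRoot 'configuration-M365-x64-example.xml'
$SourcePath = Join-Path $OdtRoot 'Office'  # assumed local download cache

# The four things the text says the ODT lets you control:
#   <Add>/<Product>  which products are installed (and which apps are excluded)
#   <Language>       language options
#   <Updates>        whether and how Office updates itself
#   <Display>        whether the install experience is shown to users
$configXml = @"
<Configuration>
  <Add OfficeClientEdition="64" Channel="MonthlyEnterprise" SourcePath="$SourcePath">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
      <ExcludeApp ID="Groove" />
      <ExcludeApp ID="Lync" />
    </Product>
  </Add>
  <Updates Enabled="TRUE" />
  <RemoveMSI />
  <Display Level="None" AcceptEULA="TRUE" />
  <Property Name="FORCEAPPSHUTDOWN" Value="TRUE" />
  <Logging Level="Standard" Path="%temp%" />
</Configuration>
"@

# Write the file and fail early if it is not well-formed XML.
Set-Content -Path $ConfigPath -Value $configXml -Encoding UTF8
try   { [xml](Get-Content -Path $ConfigPath -Raw) | Out-Null }
catch { throw "Configuration file is not valid XML: $($_.Exception.Message)" }

$setup = Join-Path $OdtRoot 'setup.exe'
if (-not (Test-Path $setup)) { throw "setup.exe not found in $OdtRoot; extract the ODT first." }

# Phase 1: download the installation files to SourcePath (needs Internet access).
& $setup /download $ConfigPath
if ($LASTEXITCODE -ne 0) { throw "ODT download failed with exit code $LASTEXITCODE" }

# Phase 2: install silently from the cached source using the same file.
& $setup /configure $ConfigPath
if ($LASTEXITCODE -ne 0) { throw "ODT configure failed with exit code $LASTEXITCODE" }
```

Because Display Level is None, users see no installer UI; set it to Full when you want them to watch progress.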

    Manage Microsoft 365 Apps by using the Microsoft 365 Apps admin center – Manage applications

    Microsoft 365 includes Microsoft 365 Apps. Microsoft 365 Apps includes the following apps: Access, Excel, OneNote, Outlook, PowerPoint, Publisher, Skype for Business, and Word. Microsoft 365 Apps installs as a single package, although you have some control over the details.

    Users who have an Office 365 license associated with their accounts can download and install Microsoft 365 Apps, depending on the subscription. To do this, they must sign in to www.office.com using their Microsoft 365 accounts. Then on the Microsoft 365 homepage, they can select the Install apps link, as shown in Figure 4-6.

    FIGURE 4-6 Installing Microsoft 365 Apps manually from the Microsoft 365 portal

    Users can select from these two options:

    • Microsoft 365 apps Installs the default apps. The defaults are configurable by the Microsoft 365 administrator.
    • Other install options Enables users to choose additional options, as shown in Figure 4-7.

    FIGURE 4-7 Choosing the Office 365 components for installation

    Users can choose to install Office in either 32-bit or 64-bit versions. Skype for Business can install the Basic (for Office 365) or 2015 versions. Optionally, users can also install Office on their iOS, Android, or Windows mobile devices and tablets. (As of June 11, 2019, Windows 10 Mobile is no longer supported.) Users can install Office on up to five PCs or Macs, five tablets, and five smartphones.

    Administrative control over deployment options

    As an administrator, you can control what users can install. Open the Microsoft 365 admin center by navigating to https://admin.microsoft.com and signing in using your Global Administrator account. On the Home page, search for and select Microsoft 365 installation options.

    On the Microsoft 365 app installation options blade shown in Figure 4-8, select the update interval for Microsoft 365 app updates. When you have finished configuring the options, select Save.

    FIGURE 4-8 Configuring Microsoft 365 App update interval settings

    Note After Installing Office

    After installation, if users open Control Panel and review the Programs and Features installed on their computer, Office is listed as Microsoft 365 Apps for Enterprise.

    Configure Microsoft Defender Application Guard – Manage, maintain, and protect devices

    You can configure Microsoft Defender Application Guard in one of two modes:

    • Standalone Mode In standalone mode, users can manage their own device settings.
    • Enterprise-Managed Mode With Enterprise mode, an administrator configures appropriate device settings using GPOs, MDM, or Windows PowerShell.

    You can enable and configure Microsoft Defender Application Guard from Windows Security. However, to configure the relevant settings in Intune, use the following procedure:

    1. Open Microsoft Intune admin center.
    2. Navigate to Devices and then select Windows.
    3. Click Configuration profiles.
    4. Click Create profile.
    5. On the Create a profile page, select Windows 10 and later and then select Templates.
    6. In the list of templates, select Endpoint protection and click Create.
    7. Enter a Name and Description on the Basics tab, and then, on the Configuration settings page, expand Microsoft Defender Application Guard.
    8. As shown in Figure 3-58, select Enabled for Edge in the Application Guard list, and then configure supplemental settings, such as clipboard behavior and printing. Click Next.

    FIGURE 3-58 Enabling and configuring Application Guard

    9. Configure scope tags and assignments as necessary, and then choose Create to create the profile.

    To use Microsoft Defender Application Guard in standalone mode, select the ellipsis button in Microsoft Edge and then select New Application Guard window, as shown in Figure 3-59. The Microsoft Defender Application Guard service starts, and then a new instance of Microsoft Edge opens.

    FIGURE 3-59 Opening a new Application Guard window

    Need More Review? Configure Microsoft Defender Application Guard Policy Settings

    To learn how to configure Microsoft Defender Application Guard policies, refer to the Microsoft website at https://learn.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.

    Implement Microsoft Defender Application Control

    Microsoft Defender Application Control enables you to determine precisely which apps your users are allowed to run by blocking any unsigned apps and scripts. You configure Microsoft Defender Application Control with policies that specify whether code, including kernel-mode code such as device drivers as well as apps, can run.

    A policy typically includes rules that

    • Control options such as whether audit mode is enabled
    • Determine whether user mode code integrity (UMCI) is enabled
    • Specify the level at which apps are to be identified and/or trusted

    Each Windows 11 device has a single Microsoft Defender Application Control policy defined for it. Typically, you configure this using GPOs in an AD DS environment or Intune for enrolled devices. Either way, the policy is stored as a local file called SIPolicy.p7b that resides in the C:\Windows\System32\CodeIntegrity folder; on UEFI-based computers, the file resides in <EFI System Partition>\Microsoft\Boot.

    Implement endpoint protection for all supported device platforms – Manage, maintain, and protect devices

    Windows 11 contains a number of built-in features that are part of the Microsoft Defender suite of security apps. It’s important that you are familiar with each of these features: what they do, how they can help secure your organization’s devices, and how to enable and configure them. You must also understand how to implement, configure, and manage these security features by using Microsoft Intune.

    This skill covers how to:

    • Create and manage configuration policies for Endpoint security

    In this section, you’ll learn how to secure your Windows 11 devices. You’ll also learn about the various security features in Windows 11.

    Implement enterprise-level disk encryption

    It’s important to be able to protect your computers against data loss and data leakage. One way in which you can do this is to enable disk encryption. Windows 11 supports BitLocker.

    BitLocker enables you to encrypt an entire hard disk, including the operating system drive. BitLocker is available in Windows 11 Pro, Enterprise, and Education editions.

    With BitLocker enabled, the drive is no longer susceptible to data theft. On a system that is not encrypted, simply removing the drive from the PC and attaching it as a secondary drive to another PC allows the data to be read, bypassing all NTFS security.

    Trusted Platform Modules

    Most modern computers contain a security component known as a Trusted Platform Module (TPM). This component securely stores cryptographic information, such as BitLocker’s encryption keys.

    BitLocker supports versions 1.2 and 2.0 of the TPM specification, and information contained on the TPM is more secure from external software attacks and physical theft.

    If a device has been tampered with, such as removing the hard drive from the original computer, BitLocker prevents the drive from being unlocked. BitLocker will seek remediation from the user by entering BitLocker recovery mode and requiring the user to enter a 48-digit recovery key.

    While a TPM is the most secure option, BitLocker can also be used on devices without a TPM. To enable this capability, you must configure the appropriate settings in Intune, and we’ll discuss those shortly.
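    As an added example that is not from the book, the following PowerShell function, run from an elevated prompt on the device, reports the facts discussed above: whether a TPM is present and which specification version it exposes, the encryption and protection state of the operating system drive, which key protectors exist, and whether a 48-digit recovery password protector is in place; with -EscrowToEntra it also backs that password up to Microsoft Entra ID. The function name and report fields are my own.

```powershell
# Added example: report TPM and BitLocker readiness for the OS drive.
# Requires an elevated Windows PowerShell session on Windows 11 (BitLocker module).
function Get-BitLockerReadiness {
    param(
        [string]$MountPoint = $env:SystemDrive,   # usually C:
        [switch]$EscrowToEntra                    # also back up the recovery password
    )

    # TPM presence/readiness from Get-Tpm; the spec version (1.2 or 2.0) comes from
    # Win32_Tpm.SpecVersion, a string such as "2.0, 0, 1.38" whose first field is the version.
    $tpm    = Get-Tpm
    $tpmCim = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $specVersion = if ($tpmCim) { ($tpmCim.SpecVersion -split ',')[0].Trim() } else { 'unknown' }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $protectorTypes = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # A RecoveryPassword protector holds the 48-digit key the text describes
    # (eight groups of six digits separated by hyphens).
    $recovery = $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } | Select-Object -First 1
    $has48DigitKey = ($null -ne $recovery) -and ($recovery.RecoveryPassword -match '^(\d{6}-){7}\d{6}$')

    $report = [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        TpmPresent       = $tpm.TpmPresent
        TpmReady         = $tpm.TpmReady
        TpmSpecVersion   = $specVersion
        VolumeStatus     = $vol.VolumeStatus.ToString()     # FullyEncrypted, FullyDecrypted, ...
        ProtectionStatus = $vol.ProtectionStatus.ToString() # On or Off
        EncryptionMethod = $vol.EncryptionMethod.ToString()
        KeyProtectors    = $protectorTypes -join ', '
        HasTpmProtector  = @($protectorTypes | Where-Object { $_ -like 'Tpm*' }).Count -gt 0
        Has48DigitKey    = $has48DigitKey
        Findings         = @()
    }

    # Findings an administrator would want to act on.
    if (-not $tpm.TpmPresent) {
        $report.Findings += 'No TPM: BitLocker needs the non-TPM policy setting (startup key or password).'
    }
    if ($vol.ProtectionStatus -ne 'On') {
        $report.Findings += 'Protection is Off: the drive is readable if moved to another PC.'
    }
    if (-not $has48DigitKey) {
        $report.Findings += 'No recovery password protector: users cannot recover after a tamper event.'
    }

    if ($EscrowToEntra -and $has48DigitKey) {
        # Escrow the recovery password so it can be retrieved from Entra ID / Intune.
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $recovery.KeyProtectorId | Out-Null
        $report.Findings += 'Recovery password backed up to Microsoft Entra ID.'
    }
    return $report
}

Get-BitLockerReadiness | Format-List
```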

    Troubleshoot updates in Intune – Manage, maintain, and protect devices

    Updates are necessary to maintain the security and reliability of Windows 11. You should ensure that devices are receiving updates, know how to review installed updates, and find more information regarding an update.

    After you have created your Windows 11 Update Rings, you can manage them with Intune. Select the appropriate update ring, and on the Overview page, you can view the assignment status, showing that the ring has been successfully assigned to one group, and take the following actions to manage the ring:

    • Delete Stops enforcing the settings of the Update Ring and removes its configuration from Intune. The settings on devices that were assigned to the Update Ring remain in place.
    • Pause Prevents assigned devices from receiving either Feature Updates or Quality Updates for up to 35 days from the time you pause the ring. Pause functionality automatically expires after 35 days.
    • Resume Used to restore an Update Ring that was paused.
    • Extend When an Update Ring is paused, you can select Extend to reset the pause period.
    • Uninstall Use Uninstall to uninstall (roll back) the latest Feature Update or Quality Update on a device running Windows 11.

    You can also modify the settings contained within an Update Ring by selecting Properties under the Manage heading and then amending the settings.

    View update history

    You can also review and remove any specific updates on an individual computer. Follow these steps to view your update history and see which Windows updates failed or were successfully installed on your Windows 11 device:

    1. Open the Settings app and click Windows Update.
    2. In Windows Update, click Update History.
    3. On the Update History page, as shown in Figure 3-52, you can see a list of your installed Windows updates.

    FIGURE 3-52 View Update History

    4. Click one of the successfully installed updates to see more details about it.
    5. In the bottom part of the screen, you can view Definition Updates, which relate to Microsoft Defender Antivirus and threat protection, and Other Updates.

    Each update contains a summary of the payload. If you click the Update link, you are directed to the detailed Knowledge Base description on the Microsoft support pages relating to the update, which allows you to review the details about the update. You can also remove any updates you want. Click Uninstall updates, and then review the returned list. Choose Uninstall for any updates you want to remove.

    Need More Review? Windows 11 Update History

    Microsoft publishes the contents of each Windows 11 update for you to review and understand what is contained in each periodic software update. View this list at https://support.microsoft.com/en-us/topic/windows-11-version-22h2-update-history-ec4229c3-9c5f-4e75-9d6d-9025ab70fcce.

    Sign apps – Manage, maintain, and protect devices

    To enable Microsoft Defender Application Control in your organization, you must digitally sign all the trusted apps that you want to allow to run on your devices. You can do this in a number of ways, as listed below:

    • Publish your apps by using the Microsoft Store All apps in the Microsoft Store are automatically signed with signatures from a trusted certificate authority (CA).
    • Use your own digital certificate or public key infrastructure (PKI) You can sign the apps by using a certificate issued by a CA in your own PKI.
    • Use a non-Microsoft CA You can use a trusted non-Microsoft CA to sign your own desktop Windows apps.
    • Use the Microsoft Defender Application Control signing portal In Microsoft Store for Business, you can use a Microsoft web service to sign your desktop Windows apps.

    Create a Default Microsoft Defender Application Control Policy

    To create a default policy, create a virus- and malware-free reference computer that contains the set of apps your users require to run. You might need to create several reference computers, each representing a typical device configuration within your organization. For example, you create a standard device for the research department, and perhaps you create a kiosk-type device for use in the library.

    Having created the reference computer, sign in and then complete the following procedure:

    1. Open an elevated Windows PowerShell command prompt.
    2. Create the required variables for the process by running the following three commands:
      $CIPolicyPath=$env:userprofile+"\Desktop\"
      $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"
      $CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"
    3. Scan the system for installed apps using the New-CIPolicy cmdlet (the 3> redirection writes the cmdlet’s warning stream to a log file):
      New-CIPolicy -Level PcaCertificate -FilePath $InitialCIPolicy -UserPEs 3> CIPolicyLog.txt
    4. Convert the WDAC policy to a binary format (for import) using the ConvertFrom-CIPolicy cmdlet:
      ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin

    Enable Microsoft Defender Application Control

    After creating the default WDAC policy, you can configure the settings with GPOs or Microsoft Intune. To use Intune, use the following procedure:

    1. Open Microsoft Intune admin center.
    2. Navigate to Devices and then select Windows.
    3. Click Configuration profiles.
    4. Click Create profile.
    5. On the Create a profile page, select Windows 10 and later and then select Templates.
    6. In the list of templates, select Endpoint protection and click Create.
    7. Enter a Name and Description on the Basics tab, and then, on the Configuration settings page, expand Microsoft Defender Application Control.
    8. In the Application control code integrity policies list, select Enforce or Audit only as appropriate.
    9. Then in the Trust apps with good reputation list, select Enable. Click Next.
    10. Configure scope tags and assignments as necessary, and then select Create to create the profile.
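    As an added example that is not from the book, the following PowerShell (elevated session) confirms what the deployed policy is doing on a device: whether code integrity is Off, in Audit mode, or Enforced for kernel and user mode, whether the SIPolicy.p7b file mentioned earlier is present, and which files the policy logged as blocked or would-be-blocked, which is what you review before changing the Intune setting from Audit only to Enforce. The function names are my own.

```powershell
# Added example: confirm the WDAC enforcement state on a device and list what it logged.
# Run in an elevated PowerShell session on Windows 11.
function Get-WdacStatus {
    # Win32_DeviceGuard reports the enforcement state of the active code integrity
    # policy: 0 = Off (no policy), 1 = Audit mode, 2 = Enforced.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $state = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }

    # Where the text says the policy lives on disk (single-policy format) ...
    $legacyPolicy = Join-Path $env:SystemRoot 'System32\CodeIntegrity\SIPolicy.p7b'
    # ... and the folder newer builds use when several policies are active.
    $policyFolder = Join-Path $env:SystemRoot 'System32\CodeIntegrity\CiPolicies\Active'

    [pscustomobject]@{
        KernelModePolicy  = $state[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        UserModePolicy    = $state[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
        LegacyPolicyFile  = if (Test-Path $legacyPolicy) { $legacyPolicy } else { 'not present' }
        ActivePolicyFiles = @(Get-ChildItem -Path $policyFolder -Filter '*.cip' -ErrorAction SilentlyContinue).Count
    }
}

# Event 3076 = audit mode, "would have been blocked"; 3077 = enforced block.
# Reviewing these in Audit only is how you find out what Enforce will break.
function Get-WdacBlockEvents {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076, 3077
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Outcome = if ($_.Id -eq 3076) { 'Audit: would be blocked' } else { 'Blocked' }
            # The first line of the message names the file that failed the policy.
            Detail  = ($_.Message -split "`n")[0].Trim()
        }
    }
}

Get-WdacStatus | Format-List
Get-WdacBlockEvents | Select-Object -First 20 | Format-Table -AutoSize -Wrap
```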

    Need More Review? Planning and Getting Started on the Microsoft Defender Application Control Deployment Process

    To review further details about deploying Microsoft Defender Application Control, refer to the Microsoft website at https://learn.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.

    Implement Microsoft Defender Exploit Guard – Manage, maintain, and protect devices

    You can use Microsoft Defender Exploit Guard to help to reduce the attack surface of your users’ apps. Microsoft Defender Exploit Guard consists of four components:

    • Exploit protection Uses Microsoft Defender Antivirus or, if installed, third-party antivirus software to help mitigate exploit techniques used against your organization’s apps.
    • Attack surface reduction rules Uses rules to help prevent attack vectors implemented by scripts, email, and Office-based malware. Based on Microsoft Defender Antivirus.
    • Network protection Extends Microsoft Defender SmartScreen protection in Microsoft Edge to other applications to prevent access to Internet domains that might host phishing scams, exploits, and other malicious content. Requires Microsoft Defender Antivirus and cloud-delivered protection enabled.
    • Controlled folder access Helps protect against ransomware and malware by preventing changes to files in protected folders if the app attempting to make changes is malicious or exhibits suspicious behavior. It also requires Microsoft Defender Antivirus.

    Note that different features are available in different Windows 11 editions, as shown in Table 3-15.

    TABLE 3-15 Windows Defender Exploit Guard features

    Edition of Windows 11                               Features supported
    Windows 11 Home                                     Exploit protection; Controlled folder access
    Windows 11 Pro                                      Exploit protection; Controlled folder access
    Windows 11 Enterprise E3, Windows 11 Education E3   Exploit protection; Controlled folder access; Network protection
    Windows 11 Enterprise E5, Windows 11 Education E5   Exploit protection; Controlled folder access; Network protection; Attack surface reduction rules

    Exploit Protection

    Exploit Protection helps to protect your users’ devices against malware that uses exploits to spread through your organization. Exploit Protection consists of a number of specific mitigations that you must enable and configure separately.

    By default, Exploit Protection already enables several mitigations that apply to the operating system and specific apps. However, if you want to configure these and other mitigations, use the following procedure:

    1. Open the Windows Security app.
    2. Select the App & browser control tab.
    3. Scroll down and select the Exploit protection settings link.
    4. Configure the required settings on the Exploit protection page, shown in Figure 3-56. You can configure System settings and also specific Program settings. Review Table 3-16 for an overview of available settings.

    FIGURE 3-56 Configuring exploit protection settings

    TABLE 3-16 Exploit protection mitigations

    Mitigation                                        Explanation
    Control Flow Guard (CFG)                          Control Flow Guard combats memory corruption vulnerabilities.
    Data Execution Prevention (DEP)                   Helps to prevent executable code from being run from pages that contain data.
    Force Randomization For Images (Mandatory ASLR)   Helps prevent attacks by putting processes into memory at random locations.
    Randomize Memory Allocations (Bottom-Up ASLR)     Helps prevent attacks by putting processes into memory at random locations.
    High-Entropy ASLR                                 Helps prevent attacks by increasing variability when using Randomize memory allocations.
    Validate Exception Chains (SEHOP)                 Helps prevent the use of a structured exception-handler attack.
    Validate Heap Integrity                           Helps to prevent attacks that seek to use memory corruption.
    Arbitrary code guard (ACG)                        Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Optionally, it can allow thread opt-out and remote downgrade (configurable only with PowerShell).
    Block low integrity images                        Prevents the loading of images marked with Low Integrity.
    Block remote images                               Prevents loading of images from remote devices.
    Block untrusted fonts                             Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web.
    Code integrity guard                              Restricts loading of images signed by Microsoft, WHQL, or higher. Can optionally allow Microsoft Store signed images.
    Disable extension points                          Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers.
    Disable Win32k system calls                       Prevents an app from using the Win32k system call table.
    Do not allow child processes                      Prevents an app from creating child processes.
    Export address filtering (EAF)                    Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits.
    Import address filtering (IAF)                    Detects dangerous operations being resolved by malicious code.
    Simulate execution (SimExec)                      Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG.
    Validate API invocation (CallerCheck)             Ensures that legitimate callers invoke sensitive APIs. Only configurable for 32-bit (x86) applications. Not compatible with ACG.
    Validate handle usage                             Causes an exception to be raised on any invalid handle references.
    Validate image dependency integrity               Enforces code signing for Windows image dependency loading.
    Validate stack integrity (StackPivot)             Ensures that the stack has not been redirected for sensitive APIs. Not compatible with ACG.

    5. Select the Export settings link to export the settings to an XML file.
    6. Distribute the XML file to other devices by using Microsoft Intune.

    You can also enable mitigations in audit mode; this allows you to determine the effect of enabling a specific mitigation without affecting the user’s device usage.
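    As an added example that is not from the book, the following PowerShell applies mitigations from Table 3-16 to one app in audit mode first, shows how to switch them to enforcement once the audit events have been reviewed, and exports the XML file that the Export settings step describes for distribution with Intune. The process name, export path, and function names are placeholders of my own.

```powershell
# Added example: configure Exploit Protection for one app with PowerShell,
# audit first, then export the XML that Intune distributes to other devices.
# Run in an elevated PowerShell session. The app name is a hypothetical placeholder.
$AppName    = 'ExampleLineOfBusinessApp.exe'
$ExportPath = Join-Path $env:USERPROFILE 'Desktop\ExploitProtectionSettings.xml'

# Step 1: audit mode. The Audit* switches log what ACG, child-process blocking and
# remote-image blocking would have done without enforcing them, so the app can be
# observed before users are affected (this is the audit mode the text mentions).
Set-ProcessMitigation -Name $AppName -Enable AuditDynamicCode, AuditChildProcess, AuditRemoteImageLoads

# Step 2: mitigations that most apps tolerate, matching the DEP, ASLR and SEHOP rows
# of Table 3-16. ForceRelocateImages (Mandatory ASLR) can break apps not built with
# /DYNAMICBASE, so keep it in the pilot group first.
Set-ProcessMitigation -Name $AppName -Enable DEP, SEHOP, ForceRelocateImages, BottomUp, HighEntropy

# Step 3: after reviewing the audit events, enable the real mitigation and turn off
# its audit counterpart for the same app.
function Enable-EnforcedMitigations {
    param([string]$Name)
    Set-ProcessMitigation -Name $Name `
        -Enable  BlockDynamicCode, DisallowChildProcessCreation, BlockRemoteImageLoads `
        -Disable AuditDynamicCode, AuditChildProcess, AuditRemoteImageLoads
}

# Audit and enforcement events are written to the Security-Mitigations logs
# (kernel-mode and user-mode channels); filter them to the app under review.
function Get-ExploitProtectionEvents {
    param([string]$ProcessName, [int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Security-Mitigations/KernelMode',
                    'Microsoft-Windows-Security-Mitigations/UserMode'
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$ProcessName*" } |
    Select-Object TimeCreated, Id, ProviderName, Message
}

# Step 4: export the full configuration (system settings plus per-app settings).
# This is the same XML the Export settings link in Windows Security produces; deploy
# it with Intune or import it elsewhere with Set-ProcessMitigation -PolicyFilePath.
Get-ProcessMitigation -RegistryConfigFilePath $ExportPath

# Show the resulting per-app configuration and any events from the last day.
Get-ProcessMitigation -Name $AppName
Get-ExploitProtectionEvents -ProcessName $AppName | Format-Table -AutoSize -Wrap
```

Call Enable-EnforcedMitigations -Name $AppName only after the audit events show no legitimate behaviour would be blocked.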

    Need More Review? Enable Exploit Protection

    To review further details about enabling and configuring Exploit Protection, refer to the Microsoft website at https://learn.microsoft.com/en-gb/microsoft-365/security/defender-endpoint/customize-exploit-protection?view=o365-worldwide.