Troubleshoot updates in Intune – Manage, maintain, and protect devices

Updates are necessary to maintain the security and reliability of Windows 11. You should ensure that devices are receiving updates, know how to review installed updates, and find more information regarding an update.

After you have created your Windows 11 Update Rings, you can manage them with Intune. Select the appropriate update ring. On its Overview page, you can view the assignment status (for example, that the ring has been successfully assigned to one group) and take the following actions to manage the ring:

  • Delete: Stops enforcing the settings of the Update Ring and removes its configuration from Intune. The settings on devices that were assigned to the Update Ring remain in place.
  • Pause: Prevents assigned devices from receiving either Feature Updates or Quality Updates for up to 35 days from the time you pause the ring. Pause functionality automatically expires after 35 days.
  • Resume: Used to restore an Update Ring that was paused.
  • Extend: When an Update Ring is paused, you can select Extend to reset the pause period.
  • Uninstall: Use Uninstall to uninstall (roll back) the latest Feature Update or Quality Update on a device running Windows 11.

You can also modify the settings contained within an Update Ring by selecting Properties under the Manage heading and then amending the settings.

View update history

You can also review and remove any specific updates on an individual computer. Follow these steps to view your update history and see which Windows updates failed or were successfully installed on your Windows 11 device:

  1. Open the Settings app and click Windows Update.
  2. In Windows Update, click Update History.
  3. On the Update History page, as shown in Figure 3-52, you can see a list of your installed Windows updates.

FIGURE 3-52 View Update History

  4. Click one of the successfully installed updates to see more details about it.
  5. In the bottom part of the screen, you can view Definition Updates, which relate to Microsoft Defender Antivirus and threat protection, and Other Updates.

Each update contains a summary of the payload. If you click the update's link, you are directed to the detailed Knowledge Base description of that update on the Microsoft support pages, where you can review its details. You can also remove any updates you want. Click Uninstall updates, and then review the returned list. Choose Uninstall for any updates you want to remove.

Need More Review? Windows 11 Update History
Microsoft publishes the contents of each Windows 11 update for you to review and understand what is contained in each periodic software update. View this list at https://support.microsoft.com/en-us/topic/windows-11-version-22h2-update-history-ec4229c3-9c5f-4e75-9d6d-9025ab70fcce.
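The same update history that the Settings app shows can be read from PowerShell with the Windows Update Agent COM API, which is useful when you need to check many devices without stepping through the UI on each one. This is an added example, not code from the book; the result-code names come from the Windows Update Agent's OperationResultCode values.

```powershell
# Added example (not from the book): list the Windows Update history shown under
# Settings > Windows Update > Update History and split failed installs from successful ones.
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$total    = $searcher.GetTotalHistoryCount()

# ResultCode values defined by the Windows Update Agent (OperationResultCode).
$resultNames = @{
    0 = 'NotStarted'; 1 = 'InProgress'; 2 = 'Succeeded'
    3 = 'SucceededWithErrors'; 4 = 'Failed'; 5 = 'Aborted'
}

$history = @()
if ($total -gt 0) {
    $history = $searcher.QueryHistory(0, $total) |
        Where-Object { $_.Operation -eq 1 } |      # 1 = installation, 2 = uninstallation
        ForEach-Object {
            [pscustomobject]@{
                Date    = $_.Date
                # KB number pulled from the title (empty string when the title has none)
                KB      = [regex]::Match($_.Title, 'KB\d+').Value
                Title   = $_.Title
                Result  = $resultNames[[int]$_.ResultCode]
                # HResult is the error code the Update History page shows on a failed entry
                HResult = ('0x{0:X8}' -f $_.HResult)
            }
        }
}

Write-Host 'Successfully installed:'
$history | Where-Object Result -eq 'Succeeded' | Sort-Object Date -Descending |
    Format-Table Date, KB, Title -AutoSize

Write-Host 'Failed, aborted or partially installed (check these before treating the device as patched):'
$history | Where-Object { $_.Result -in 'Failed', 'Aborted', 'SucceededWithErrors' } |
    Sort-Object Date -Descending | Format-Table Date, KB, HResult, Title -AutoSize
```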

Implement Windows Defender Firewall – Manage, maintain, and protect devices

You can implement Windows Defender Firewall rules and settings in Intune as follows:

  1. Open Microsoft Intune admin center.
  2. Navigate to Endpoint security and select Firewall.
  3. In the details pane, select Create Policy.
  4. On the Create a profile page, in Platform, select Windows 10, Windows 11, and Windows Server.
  5. In the Profile, select Microsoft Defender Firewall, and then select Create.
  6. In the Create a profile wizard, on the Basics tab, enter a Name and Description and click Next.
  7. On the Configuration settings tab, configure the following settings, and click Next:
    • Firewall, which determines the fundamental state of the firewall for domain, private, and public network location profiles.
    • Auditing settings.
    • Network List Manager, which defines TLS endpoint settings.
  8. Configure scope tags and assignments as needed, and then choose Create to create the profile.

You will also need to define firewall rules, as shown in Figure 3-60. Use the following procedure:

  1. Open Microsoft Intune admin center.
  2. Navigate to Endpoint security and select Firewall.
  3. In the details pane, select Create Policy.
  4. On the Create a profile page, in Platform, select Windows 10, Windows 11, and Windows Server.
  5. In the Profile, select Microsoft Defender Firewall rules, and then select Create.
  6. In the Create a profile wizard, on the Basics tab, enter a Name and Description and click Next.
  7. On the Configuration settings tab, click Add to create and configure specific firewall rules. When you are done, click Next. When adding a rule, you must set numerous settings, including
    • State (enabled or disabled)
    • Name
    • Interface Types
    • Remote Port Ranges
    • Action (Allow or Block)
    • Protocol
  8. Configure scope tags and assignments as needed, and then Create the profile.

FIGURE 3-60 Defining firewall rules

You can also create an endpoint protection configuration profile in Devices and configure the required firewall settings in the Microsoft Defender Firewall section.

Sign APPS – Manage, maintain, and protect devices

To enable Microsoft Defender Application Control in your organization, you must digitally sign all the trusted apps that you want to allow to run on your devices. You can do this in a number of ways, as listed below:

  • Publish your apps by using the Microsoft Store: All apps in the Microsoft Store are automatically signed with signatures from a trusted certificate authority (CA).
  • Use your own digital certificate or public key infrastructure (PKI): You can sign the apps by using a certificate issued by a CA in your own PKI.
  • Use a non-Microsoft CA: You can use a trusted non-Microsoft CA to sign your own desktop Windows apps.
  • Use the Microsoft Defender Application Control signing portal: In Microsoft Store for Business, you can use a Microsoft web service to sign your desktop Windows apps.

Create a Default Microsoft Defender Application Control Policy

To create a default policy, create a virus- and malware-free reference computer that contains the set of apps your users require to run. You might need to create several reference computers, each representing a typical device configuration within your organization. For example, you might create a standard device for the research department and a kiosk-type device for use in the library.

Having created the reference computer, sign in and then complete the following procedure:

  1. Open an elevated Windows PowerShell command prompt.
  2. Create the required variables for the process by running the following three commands:
    $CIPolicyPath=$env:userprofile+"\Desktop\"
    $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"
    $CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"
  3. Scan the system for installed apps using the New-CIPolicy cmdlet (the 3> redirection sends the cmdlet's warning stream to a log file for later review):
    New-CIPolicy -Level PcaCertificate -FilePath $InitialCIPolicy -UserPEs 3> CIPolicyLog.txt
  4. Convert the WDAC policy to a binary format (for import) using the ConvertFrom-CIPolicy cmdlet:
    ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin
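The following added example (not the book's code) runs the same three steps as one script and, in addition, puts the policy into audit mode before conversion so that a first deployment only logs what would have been blocked instead of blocking it. The -Fallback Hash option, the audit-mode rule option and the sanity checks at the end are additions; the file names match the book's variables.

```powershell
# Added example (not from the book). Requires an elevated prompt on the reference computer
# and the built-in ConfigCI module that provides the *-CIPolicy cmdlets.
$CIPolicyPath    = Join-Path $env:USERPROFILE 'Desktop'
$InitialCIPolicy = Join-Path $CIPolicyPath 'InitialScan.xml'
$CIPolicyBin     = Join-Path $CIPolicyPath 'DeviceGuardPolicy.bin'
$ScanLog         = Join-Path $CIPolicyPath 'CIPolicyLog.txt'

# 1. Scan. Files whose signer cannot be resolved fall back to a hash rule instead of being
#    silently left out of the policy; warnings (stream 3) go to the log for review.
New-CIPolicy -Level PcaCertificate -Fallback Hash -FilePath $InitialCIPolicy -UserPEs 3> $ScanLog

# 2. Rule option 3 = "Enabled:Audit Mode": violations are written to the
#    Microsoft-Windows-CodeIntegrity/Operational log (event ID 3076) rather than enforced.
#    Remove it (Set-RuleOption -FilePath $InitialCIPolicy -Option 3 -Delete) only after the
#    audit events show no legitimate application being flagged.
Set-RuleOption -FilePath $InitialCIPolicy -Option 3

# 3. Convert to the binary form that Intune or a GPO deploys.
ConvertFrom-CIPolicy -XmlFilePath $InitialCIPolicy -BinaryFilePath $CIPolicyBin

# Sanity checks before the policy leaves the reference computer.
[xml]$policy = Get-Content $InitialCIPolicy
$signerCount = @($policy.SiPolicy.Signers.Signer).Count
$auditOn     = @($policy.SiPolicy.Rules.Rule.Option) -contains 'Enabled:Audit Mode'
Write-Host ('Signer rules: {0}  Audit mode: {1}  Binary size: {2} bytes' -f
    $signerCount, $auditOn, (Get-Item $CIPolicyBin).Length)
if (-not $auditOn) { Write-Warning 'Policy is in enforce mode; deploy to a pilot group first.' }
```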

Enable Microsoft Defender Application Control

After creating the default WDAC policy, you can configure the settings with GPOs or Microsoft Intune. To use Intune, use the following procedure:

  1. Open Microsoft Intune admin center.
  2. Navigate to Devices and then select Windows.
  3. Click Configuration profiles.
  4. Click Create profile.
  5. On the Create a profile page, select Windows 10 and later and then select Templates.
  6. In the list of templates, select Endpoint protection and click Create.
  7. Enter a Name and Description on the Basics tab, and then, on the Configuration settings page, expand Microsoft Defender Application Control.
  8. In the Application control code integrity policies list, select Enforce or Audit only as appropriate.
  9. Then in the Trust apps with good reputation list, select Enable. Click Next.
  10. Configure scope tags and assignments as necessary, and then Create the profile.

Need More Review? Planning and Getting Started on the Microsoft Defender Application Control Deployment Process

To review further details about deploying Microsoft Defender Application Control, refer to the Microsoft website at https://learn.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.

Implementing Microsoft Defender Exploit Guard – Manage, maintain, and protect devices

Having learned about each of the elements of Exploit Guard, it’s important that you know how to enable and configure these settings in Intune. Use the following procedure:

  1. Open Microsoft Intune admin center.
  2. Navigate to Devices and then select Windows.
  3. Click Configuration profiles.
  4. Click Create profile.
  5. On the Create a profile page, select Windows 10 and later and then select Templates.
  6. In the list of templates, select Endpoint protection and click Create.
  7. Enter a Name and Description on the Basics tab, and then, on the Configuration settings page, expand Microsoft Defender Exploit Guard.
  8. As shown in Figure 3-57, configure the required settings in the following folders:
    • Attack Surface Reduction: Select the desired protections.
    • Controlled folder access: Enable the setting and define apps and folders.
    • Network filtering: Enable the setting or enable in Audit mode.
    • Exploit protection: Browse and locate a previously created XML file that contains exploit settings you exported from the Windows Security app on a properly configured device.

FIGURE 3-57 Configuring Exploit Guard settings

  9. Click Next, configure scope tags and assignments as necessary, and then Create the profile.
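The exploit protection XML that step 8 asks for can also be produced and inspected from PowerShell, which makes it easier to confirm the reference device was configured as intended before the file is uploaded. This is an added example, not from the book; it uses the built-in Get-ProcessMitigation cmdlet, and the output file name is an assumption.

```powershell
# Added example (not from the book): export the current exploit protection settings to the
# XML format Intune expects, then summarize the per-program overrides it contains.
$exportPath = Join-Path $env:USERPROFILE 'Desktop\ExploitProtectionSettings.xml'

# Writes every system-wide and per-program mitigation currently set in the registry.
Get-ProcessMitigation -RegistryConfigFilePath $exportPath

[xml]$settings = Get-Content $exportPath
$root = $settings.DocumentElement

# Per-program entries are <AppConfig Executable="..."> elements with one child element per
# mitigation family (DEP, ASLR, ControlFlowGuard, ...) whose attributes carry the settings.
$summary = foreach ($app in @($root.AppConfig)) {
    foreach ($mitigation in ($app.ChildNodes | Where-Object NodeType -eq 'Element')) {
        foreach ($attr in $mitigation.Attributes) {
            [pscustomobject]@{
                Executable = $app.Executable
                Mitigation = $mitigation.LocalName
                Setting    = $attr.Name
                Value      = $attr.Value
            }
        }
    }
}

# System-wide defaults (applied to every process unless overridden) sit under <SystemConfig>.
$systemDefaults = @($root.SystemConfig.ChildNodes | Where-Object NodeType -eq 'Element')

Write-Host ('{0} system-wide mitigation families, {1} programs with overrides' -f
    $systemDefaults.Count, @($root.AppConfig).Count)
$summary | Sort-Object Executable, Mitigation | Format-Table -AutoSize
```

The same file can be applied to a test machine with Set-ProcessMitigation -PolicyFilePath before it is attached to the Intune profile.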

Implement Microsoft Defender Application Guard

Microsoft Defender Application Guard isolates browser sessions from the local device by running those sessions in a virtual machine environment; this helps prevent malicious apps or content from accessing the local device.

Requirements

The requirements for Microsoft Defender Application Guard are as follows:

  • 64-bit version of Windows 11 Enterprise, Education, or Professional.
  • 8 GB of physical memory is recommended.
  • Support for Virtualization-based security.
  • Secure Boot.
  • Virtualization features: Intel VT-x, AMD-V, and SLAT must be enabled.
  • An Intel VT-d or AMD-Vi input-output memory management unit.

Manage Android updates by using configuration profiles – Manage, maintain, and protect devices

You can also use Intune to exert a degree of control over Android Enterprise updates. This applies only to Android Enterprise devices enrolled as fully managed, dedicated, or corporate-owned work profile. Rather than using specific update rings as you would with Windows, iOS, and macOS, Android updates are managed through a device configuration profile.

To create a profile that includes the update settings, use the following procedure:

  1. Open Microsoft Intune admin center.
  2. Select Devices and then select Android.
  3. On the Android | Overview page, click Configuration profiles.
  4. Click Create profile.
  5. On the Create a profile page, select Android Enterprise and then select Device restrictions under the Fully managed, Dedicated, and Corporate-Owned Work Profile heading.
  6. Click Create.
  7. On the Basics tab, enter a Name and Description and click Next.
  8. On the Configuration settings page, shown in Figure 3-51, expand General and then click System update. This setting ensures that when over-the-air updates are available for targeted devices, those updates are installed based on this policy. Choose between Device Default, Automatic, Postponed, and Maintenance window.

FIGURE 3-51 Using a device restrictions profile to configure Android updates

  9. The option you select determines which other settings must be configured. For example, selecting Automatic requires no other settings.
  10. Complete the wizard by configuring Scope tags and Assignments, and then create the profile.

It’s important to realize that the application of updates depends on the hardware vendor of your users’ Android devices releasing those updates.

Monitor updates

Using the Intune admin center, you can review the current status of updates and monitor the application of those updates using the configured update rings. For Windows, use the following procedure:

  1. Open Microsoft Intune admin center.
  2. Navigate to Devices | Windows and then choose Update rings for Windows 10 and later.
  3. Select the appropriate update ring. You can now review the application of updates on the Overview tab. Select the Device status tab for details about specific device updates.

You can also use the Intune reporting node:

  1. In the Microsoft Intune admin center, select Reports and then select Windows updates.
  2. Click Refresh to generate reports.

From this page, you can review the following:

  • Windows Feature updates:
    • In progress
    • Success
    • Error
    • Rollback initiated
    • Canceled
    • On hold
    • Total
  • Windows Expedited Quality updates:
    • In progress
    • Success
    • Error
    • Canceled
    • Total

Understand BitLocker Authentication Options – Manage, maintain, and protect devices

It’s important to consider the available authentication options. You can use the following methods:

  • TPM + startup PIN + startup key: This is the most secure combination. The encryption key is stored on the TPM chip. The user might find this option cumbersome because it requires multiple authentication tasks.
  • TPM + startup key: The encryption key is stored on the TPM chip. The user must insert a USB flash drive containing a startup key.
  • TPM + startup PIN: The encryption key is stored on the TPM chip. The user needs to enter a PIN to unlock the device.
  • Startup key only: The user needs to insert a USB flash drive with the startup key on it. The device doesn't need to have a TPM chip. The BIOS must support access to the USB flash drive before the operating system loads.
  • TPM only: The encryption key is stored on the TPM chip, and no user action is required.

With every BitLocker authentication method, the drive stays locked (its contents encrypted and inaccessible) until it is unlocked. When the BitLocker-encrypted drive is in recovery mode, you can also unlock the drive by using either the recovery password or the recovery key:

  • Recovery password: This is a 48-digit number typed on a regular keyboard or by using the function keys (F1-F10) to input the numbers.
  • Recovery key: This is an encryption key created when BitLocker is first employed and is used for recovering data encrypted on a BitLocker volume. Often the encryption key is stored on removable media.

Because the TPM chip and BitLocker together protect the hard drive, administrators can also configure BitLocker to operate without additional unlock steps: as long as the device (and its TPM) recognizes the drive, the drive is unlocked automatically.
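Which of the options above a device actually uses is visible in its BitLocker key protectors. The following added example (not from the book) reads them with the built-in BitLocker module and maps the KeyProtectorType values to the option names used above; the mapping and the "Finding" column are assumptions of this example.

```powershell
# Added example (not from the book): report the startup authentication and recovery
# protectors of each BitLocker volume. Needs Windows 11 Pro/Enterprise/Education and an
# elevated prompt.

# KeyProtectorType values returned by Get-BitLockerVolume, mapped to the option names above.
$startupOptions = @{
    'TpmPinStartupKey' = 'TPM + startup PIN + startup key'
    'TpmStartupKey'    = 'TPM + startup key'
    'TpmPin'           = 'TPM + startup PIN'
    'Tpm'              = 'TPM only'
}

function Get-BitLockerAuthSummary {
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })

        # Pre-boot unlock method: only meaningful for the operating system drive.
        $startup = ''
        if ($vol.VolumeType -eq 'OperatingSystem') {
            $startup = ($startupOptions.Keys | Where-Object { $types -contains $_ } |
                        ForEach-Object { $startupOptions[$_] }) -join '; '
            # A key file with no TPM-based protector at all is the "Startup key only" option.
            if (-not $startup -and $types -contains 'ExternalKey') { $startup = 'Startup key only' }
        }

        # NumericalPassword = the 48-digit recovery password; ExternalKey = a .bek key file,
        # that is, a startup key or recovery key kept on removable media.
        $hasRecoveryPassword = $types -contains 'NumericalPassword'
        $finding = if ($hasRecoveryPassword) { '' } else { 'No recovery password protector' }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            ProtectionStatus = $vol.ProtectionStatus
            StartupAuth      = $startup
            RecoveryPassword = $hasRecoveryPassword
            RecoveryKeyFile  = $types -contains 'ExternalKey'
            Finding          = $finding
        }
    }
}

Get-BitLockerAuthSummary | Format-Table -AutoSize
```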

Configure BitLocker with Intune

If you have many devices on which you want to enable and manage BitLocker, you can use Microsoft Intune. To configure BitLocker, use the following procedure:

  1. Open Microsoft Intune admin center.
  2. Navigate to Endpoint security and select Disk encryption.
  3. In the details pane, select Create Policy.
  4. On the Create a profile page, displayed in Figure 3-53, in Platform, select Windows 10 and later.

FIGURE 3-53 Creating a BitLocker profile in Intune

  5. In the Profile, select BitLocker, and then select Create.
  6. On the Create profile page, on the Basics tab, enter a Name and Description, and then select Next.
  7. On the Configuration settings tab, shown in Figure 3-54, configure the following settings, and then select Next:
    • BitLocker – Base Settings: Including whether to enable full disk encryption for OS and fixed data drives.
    • BitLocker – Fixed Drive Settings: Including drive recovery settings and encryption methods for fixed data drives.
    • BitLocker – OS Drive Settings: Including whether startup authentication is required, such as the TPM startup options discussed earlier. You can also define the system drive recovery options.
    • BitLocker – Removable Drive Settings: Including blocking write access to removable data drives not protected by BitLocker.

FIGURE 3-54 Configuring BitLocker – OS Drive Settings in an Intune profile

  8. Optionally, configure scope tags, and then, in the Assignments tab, assign the profile to the required groups.
  9. Finally, on the Review + create tab, select Create.

You can also configure BitLocker settings in Intune by using Configuration Profiles in the Devices node. Use the following procedure:

  1. Select Devices, select Windows, and then select Configuration profiles.
  2. Select Create profile, and in the Platform list, select Windows 10 and later.
  3. In the Profile type list, select Templates. You can now choose either:
    • Administrative templates: Choose this option to use an interface that's broadly similar to the one used when configuring GPO settings. Create the profile as usual, and on the Configuration Settings tab, expand Computer Configuration > Windows Components > BitLocker Drive Encryption > Operating System Drives and configure the required values. Then complete the process of configuring and assigning the profile. The advantage of configuring BitLocker this way is that you can combine these settings with others that are also configurable in the Administrative Templates profile.
    • Endpoint protection: You can use Endpoint protection profiles to configure a range of security settings, including those for BitLocker. Create the profile in the usual way, and on the Configuration settings tab, in addition to any other settings, make sure to expand Windows Encryption. You can then require BitLocker encryption and go on to configure BitLocker base settings, OS drive settings, and fixed data-drive settings. Complete the process of configuring and assigning the profile.