Implement Windows Defender Firewall – Manage, maintain, and protect devices

You can implement Windows Defender Firewall rules and settings in Intune as follows:

  1. Open Microsoft Intune admin center.
  2. Navigate to Endpoint security and select Firewall.
  3. In the details pane, select Create Policy.
  4. On the Create a profile page, in Platform, select Windows 10, Windows 11, and Windows Server.
  5. In the Profile, select Microsoft Defender Firewall, and then select Create.
  6. In the Create a profile wizard, on the Basics tab, enter a Name and Description and click Next.
  7. On the Configuration settings tab, configure the following settings, and click Next:
    • Firewall, which determines the fundamental state of the firewall for domain, private, and public network location profiles.
    • Auditing settings.
    • Network List Manager, which defines TLS endpoint settings.
  8. Configure scope tags and assignments as needed, and then choose Create to create the profile.

You will also need to define firewall rules, as shown in Figure 3-60. Use the following procedure:

  1. Open Microsoft Intune admin center.
  2. Navigate to Endpoint security and select Firewall.
  3. In the details pane, select Create Policy.
  4. On the Create a profile page, in Platform, select Windows 10, Windows 11, and Windows Server.
  5. In the Profile, select Microsoft Defender Firewall rules, and then select Create.
  6. In the Create a profile wizard, on the Basics tab, enter a Name and Description and click Next.
  7. On the Configuration settings tab, click Add to create and configure specific firewall rules. When you are done, click Next. When adding a rule, you must set numerous settings, including
    • State (enabled or disabled)
    • Name
    • Interface Types
    • Remote Port Ranges
    • Action (Allow or Block)
    • Protocol
  8. Configure scope tags and assignments as needed, and then Create the profile.

FIGURE 3-60 Defining firewall rules
You can also create an endpoint protection configuration profile in Devices and configure the required firewall settings in the Microsoft Defender Firewall section.
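The two Intune procedures above only describe the portal clicks. The following PowerShell, added here as an example and not taken from the book, shows the local equivalent of what those policies produce on a device: the per-profile firewall state from the first procedure and a rule carrying the six rule settings listed in the second, read back from the effective policy store. The rule name and port 23 are constructed sample values.

```powershell
# Added example (not from the book). Run in an elevated PowerShell session on a Windows device.

# Profile state: the "Firewall" setting in the first procedure sets this per network location.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# Create a local rule with the same six settings the Intune rule profile asks for:
#   State -> -Enabled, Name -> -DisplayName, Interface Types -> -InterfaceType,
#   Remote Port Ranges -> -RemotePort, Action -> -Action, Protocol -> -Protocol
$Display = 'Block-LegacyTelnet'   # constructed sample name
New-NetFirewallRule -DisplayName $Display `
    -Enabled True `
    -InterfaceType Any `
    -RemotePort 23, '2323-2330' `
    -Action Block `
    -Protocol TCP `
    -Direction Outbound `
    -Profile Domain, Private, Public | Out-Null

# Read the rule back from the effective (ActiveStore) policy, which is also where an
# Intune-delivered rule appears, and flatten the filter objects into one row for review.
$rule  = Get-NetFirewallRule -DisplayName $Display -PolicyStore ActiveStore
$port  = $rule | Get-NetFirewallPortFilter
$iface = $rule | Get-NetFirewallInterfaceTypeFilter
[pscustomobject]@{
    Name          = $rule.DisplayName
    State         = $rule.Enabled
    InterfaceType = $iface.InterfaceType
    RemotePort    = ($port.RemotePort -join ',')
    Action        = $rule.Action
    Protocol      = $port.Protocol
}

# Clean up the sample rule when finished.
# Remove-NetFirewallRule -DisplayName $Display
```

Running the same Get-NetFirewallRule query for a rule name you assigned in Intune is a quick way to confirm the policy has actually been applied to a test device.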

Sign Apps – Manage, maintain, and protect devices

To enable Microsoft Defender Application Control in your organization, you must digitally sign all the trusted apps that you want to allow to run on your devices. You can do this in a number of ways, as listed below:

  • Publish your apps by using the Microsoft Store: All apps in the Microsoft Store are automatically signed with signatures from a trusted certificate authority (CA).
  • Use your own digital certificate or public key infrastructure (PKI): You can sign the apps by using a certificate issued by a CA in your own PKI.
  • Use a non-Microsoft CA: You can use a trusted non-Microsoft CA to sign your own desktop Windows apps.
  • Use the Microsoft Defender Application Control signing portal: In Microsoft Store for Business, you can use a Microsoft web service to sign your desktop Windows apps.

Create a Default Microsoft Defender Application Control Policy
To create a default policy, create a virus- and malware-free reference computer that contains the set of apps your users require to run. You might need to create several reference computers, each representing a typical device configuration within your organization. For example, you create a standard device for the research department, and perhaps you create a kiosk-type device for use in the library.
Having created the reference computer, sign in and then complete the following procedure:

  1. Open an elevated Windows PowerShell command prompt.
  2. Create the required variables for the process by running the following three commands:
    $CIPolicyPath = $env:userprofile + "\Desktop\"
    $InitialCIPolicy = $CIPolicyPath + "InitialScan.xml"
    $CIPolicyBin = $CIPolicyPath + "DeviceGuardPolicy.bin"
  3. Scan the system for installed apps using the New-CIPolicy cmdlet (the 3> redirection writes the cmdlet's warning stream to a log file; keep it on the same line as the command):
    New-CIPolicy -Level PcaCertificate -FilePath $InitialCIPolicy -UserPEs 3> CIPolicyLog.txt
  4. Convert the WDAC policy to a binary format (for import) using the ConvertFrom-CIPolicy cmdlet:
    ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin
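The following script, added here as an example and not the book's own code, carries the three steps above through in one pass and goes one step further: it puts the scanned policy into audit mode before converting it, and summarises what the scan produced. It assumes an elevated session on the reference computer and the ConfigCI cmdlets that ship with Windows; the hash fallback and rule option 3 (Enabled:Audit Mode) are standard New-CIPolicy and Set-RuleOption features, not something the book's steps mention.

```powershell
# Added example (not from the book). Run elevated on the clean reference computer.
$CIPolicyPath    = Join-Path $env:USERPROFILE 'Desktop'
$InitialCIPolicy = Join-Path $CIPolicyPath 'InitialScan.xml'
$CIPolicyBin     = Join-Path $CIPolicyPath 'DeviceGuardPolicy.bin'
$ScanLog         = Join-Path $CIPolicyPath 'CIPolicyLog.txt'

# 1. Scan installed apps. PcaCertificate trusts the CA one level below the root of each
#    signing chain; -Fallback Hash adds a hash rule for unsigned binaries so they are not
#    silently left out. The scan can take a long time on a machine with many apps.
New-CIPolicy -Level PcaCertificate -Fallback Hash -FilePath $InitialCIPolicy -UserPEs 3> $ScanLog

# 2. Rule option 3 = Enabled:Audit Mode. Anything the policy would block is logged to the
#    CodeIntegrity operational event log instead of being denied, so the policy can be
#    validated on test devices before it is switched to enforcement.
Set-RuleOption -FilePath $InitialCIPolicy -Option 3

# 3. Convert to the binary form that Intune or Group Policy deploys.
ConvertFrom-CIPolicy -XmlFilePath $InitialCIPolicy -BinaryFilePath $CIPolicyBin

# 4. Summarise the policy so surprises (many hash rules, unexpected signers) are visible.
[xml]$policy = Get-Content -Path $InitialCIPolicy
function Count-Nodes($nodes) { @($nodes | Where-Object { $_ }).Count }
$signerCount = Count-Nodes $policy.SiPolicy.Signers.Signer
$hashCount   = Count-Nodes $policy.SiPolicy.FileRules.Allow
$options     = ($policy.SiPolicy.Rules.Rule | ForEach-Object { $_.Option }) -join ', '
"Signer rules: $signerCount; hash (fallback) rules: $hashCount"
"Rule options: $options"
"Warnings logged to: $ScanLog"

# When the audit results are clean, remove option 3 and convert again to enforce:
#   Set-RuleOption -FilePath $InitialCIPolicy -Option 3 -Delete
#   ConvertFrom-CIPolicy -XmlFilePath $InitialCIPolicy -BinaryFilePath $CIPolicyBin
```

A large number of hash rules usually means unsigned line-of-business software on the reference computer; each such rule breaks as soon as that binary is updated, so those apps are the first candidates for signing.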

Enable Microsoft Defender Application Control

After creating the default WDAC policy, you can configure the settings with GPOs or Microsoft Intune. To use Intune, use the following procedure:

  1. Open Microsoft Intune admin center.
  2. Navigate to Devices and then select Windows.
  3. Click Configuration profiles.
  4. Click Create profile.
  5. On the Create a profile page, select Windows 10 and later and then select Templates.
  6. In the list of templates, select Endpoint protection and click Create.
  7. Enter a Name and Description on the Basics tab, and then, on the Configuration settings page, expand Microsoft Defender Application Control.
  8. In the Application control code integrity policies list, select Enforce or Audit only as appropriate.
  9. Then in the Trust apps with good reputation list, select Enable. Click Next.
  10. Configure scope tags and assignments as necessary, and then Create the profile.

Need More Review? Planning and Getting Started on the Microsoft Defender Application Control Deployment Process

To review further details about deploying Microsoft Defender Application Control, refer to the Microsoft website at https://learn.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.

Implement Microsoft Defender Exploit Guard – Manage, maintain, and protect devices

You can use Microsoft Defender Exploit Guard to help to reduce the attack surface of your users’ apps. Microsoft Defender Exploit Guard consists of four components:

  • Exploit protection: Uses Microsoft Defender Antivirus or, if installed, third-party antivirus software to help mitigate exploit techniques used against your organization’s apps.
  • Attack surface reduction rules: Uses rules to help prevent attack vectors implemented by scripts, email, and Office-based malware. Based on Microsoft Defender Antivirus.
  • Network protection: Extends Microsoft Defender SmartScreen protection in Microsoft Edge to other applications to prevent access to Internet domains that might host phishing scams, exploits, and other malicious content. Requires Microsoft Defender Antivirus and cloud-delivered protection enabled.
  • Controlled folder access: Helps protect against ransomware and malware by preventing changes to files in protected folders if the app attempting to make changes is malicious or exhibits suspicious behavior. It also requires Microsoft Defender Antivirus.

Note that different features are available in different Windows 11 editions, as shown in Table 3-15.

TABLE 3-15 Windows Defender Exploit Guard features

Edition of Windows 11 | Features supported
Windows 11 Home | Exploit protection; Controlled folder access
Windows 11 Pro | Exploit protection; Controlled folder access
Windows 11 Enterprise E3; Windows 11 Education E3 | Exploit protection; Controlled folder access; Network protection
Windows 11 Enterprise E5; Windows 11 Education E5 | Exploit protection; Controlled folder access; Network protection; Attack surface reduction rules

Exploit Protection

Exploit Protection helps to protect your users’ devices against malware that uses exploits to spread through your organization. Exploit Protection consists of a number of specific mitigations that you must enable and configure separately.

By default, Exploit Protection already enables several mitigations that apply to the operating system and specific apps. However, if you want to configure these and other mitigations, use the following procedure:

  1. Open the Windows Security app.
  2. Select the App & browser control tab.
  3. Scroll down and select the Exploit protection settings link.
  4. Configure the required settings on the Exploit protection page, shown in Figure 3-56. You can configure System settings and also specific Program settings. Review Table 3-16 for an overview of available settings.

FIGURE 3-56 Configuring exploit protection settings

TABLE 3-16 Exploit protection mitigations

Mitigation | Explanation
Control Flow Guard (CFG) | Control Flow Guard combats memory corruption vulnerabilities.
Data Execution Prevention (DEP) | Helps to prevent executable code from being run from pages that contain data.
Force Randomization For Images (Mandatory ASLR) | Helps prevent attacks by putting processes into memory at random locations.
Randomize Memory Allocations (Bottom-Up ASLR) | Helps prevent attacks by putting processes into memory at random locations.
High-Entropy ASLR | Helps prevent attacks by increasing variability when using Randomize memory allocations.
Validate Exception Chains (SEHOP) | Helps prevent the use of a structured exception-handler attack.
Validate Heap Integrity | Helps to prevent attacks that seek to use memory corruption.
Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Optionally, it can allow thread opt-out and remote downgrade (configurable only with PowerShell).
Block low integrity images | Prevents the loading of images marked with Low Integrity.
Block remote images | Prevents loading of images from remote devices.
Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web.
Code integrity guard | Restricts image loading to images signed by Microsoft, WHQL, or higher. Can optionally allow Microsoft Store signed images.
Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers.
Disable Win32k system calls | Prevents an app from using the Win32k system call table.
Do not allow child processes | Prevents an app from creating child processes.
Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits.
Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code.
Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG.
Validate API invocation (CallerCheck) | Ensures that legitimate callers invoke sensitive APIs. Only configurable for 32-bit (x86) applications. Not compatible with ACG.
Validate handle usage | Causes an exception to be raised on any invalid handle references.
Validate image dependency integrity | Enforces code signing for Windows image dependency loading.
Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. Not compatible with ACG.
  5. Select the Export settings link to export the settings to an XML file.
  6. Distribute the XML file to other devices by using Microsoft Intune.

You can also enable mitigations in audit mode; this allows you to determine the effect of enabling a specific mitigation without affecting the user’s device usage.
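The Windows Security app exposes only part of what Table 3-16 lists, and the table itself notes that ACG's thread opt-out is PowerShell-only. The script below, added here as an example rather than taken from the book, uses the ProcessMitigations cmdlets to set the system defaults, configure an app with the ACG-compatible subset of mitigations, turn on audit mode for the two most likely to break it, and export the result to the XML file that step 6 distributes through Intune. 'LineApp.exe' is a hypothetical line-of-business executable; the mitigation names are the cmdlet's own values.

```powershell
# Added example (not from the book). Run in an elevated PowerShell session.
$App = 'LineApp.exe'   # hypothetical app name; the cmdlet keys settings by image file name

# System-wide defaults for the mitigations the app shows under System settings.
Set-ProcessMitigation -System -Enable DEP, SEHOP, BottomUp, HighEntropy, CFG

# Per-app settings. Table 3-16 says SimExec, CallerCheck and StackPivot are not compatible
# with ACG, so this app gets ACG (BlockDynamicCode) plus EAF/IAF and the process
# hardening options, and none of the three ROP mitigations.
Set-ProcessMitigation -Name $App -Enable BlockDynamicCode, EnableExportAddressFilter,
    EnableImportAddressFilter, DisableExtensionPoints, DisallowChildProcessCreation

# ACG thread opt-out is the option the table describes as configurable only with PowerShell.
# Leave it off unless the vendor documents a JIT component that needs it:
#   Set-ProcessMitigation -Name $App -Enable AllowThreadsToOptOut

# Audit mode for the two mitigations most likely to break an unknown app. In audit mode the
# violation is written to the Security-Mitigations event log instead of stopping the process,
# which is the "determine the effect" approach the text describes.
Set-ProcessMitigation -Name $App -Enable AuditDynamicCode, AuditChildProcess

# Read back the effective per-app configuration for review.
Get-ProcessMitigation -Name $App

# Export the complete configuration (system and per-app) to XML for distribution via Intune.
$Export = Join-Path $env:USERPROFILE 'Desktop\ExploitProtection.xml'
Get-ProcessMitigation -RegistryConfigFilePath $Export
"Exported to $Export"

# On a target device, the same XML is applied with:
#   Set-ProcessMitigation -PolicyFilePath $Export
```

Once the audit events stay quiet for a representative period, replace AuditDynamicCode and AuditChildProcess with the enforcing settings and re-export.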
Need More Review? Enable Exploit Protection
To review further details about enabling and configuring Exploit Protection, refer to the Microsoft website at https://learn.microsoft.com/en-gb/microsoft-365/security/defender-endpoint/customize-exploit-protection?view=o365-worldwide.