Configure Microsoft Defender Application Guard – Manage, maintain, and protect devices

You can configure Microsoft Defender Application Guard in one of two modes:

  • Standalone Mode In standalone mode, users can manage their own device settings.
  • Enterprise-Managed Mode With Enterprise mode, an administrator configures appropriate device settings using GPOs, MDM, or Windows PowerShell.

You can enable and configure Microsoft Defender Application Guard from Windows Security. However, to configure the relevant settings in Intune, use the following procedure:

  1. Open Microsoft Intune admin center.
  2. Navigate to Devices and then select Windows.
  3. Click Configuration profiles.
  4. Click Create profile.
  5. On the Create a profile page, select Windows 10 and later and then select Templates.
  6. In the list of templates, select Endpoint protection and click Create.
  7. Enter a Name and Description on the Basics tab, and then, on the Configuration settings page, expand Microsoft Defender Application Guard.
  8. As shown in Figure 3-58, select Enabled for Edge in the Application Guard list, and then configure supplemental settings, such as clipboard behavior and printing. Click Next.

FIGURE 3-58 Enabling and configuring Application Guard

  9. Configure scope tags and assignments as necessary, and then choose Create to create the profile.

To use Microsoft Defender Application Guard in standalone mode, select the ellipsis button in Microsoft Edge and then select New Application Guard window, as shown in Figure 3-59. The Microsoft Defender Application Guard service starts, and then a new instance of Microsoft Edge opens.

FIGURE 3-59 Opening a new Application Guard window
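The same enable-and-configure steps can be scripted for an enterprise-managed device. The following is an added example for this section, not code from the book: it checks the virtualization prerequisite, installs the Application Guard optional feature, and writes the registry values that back the Application Guard GPO settings (the AppHVSI.admx policy set, which Intune's Endpoint protection template also sets through MDM). The particular choices (Edge only, clipboard text from container to host only, no printing, no persistence) are assumptions for illustration; check the value meanings against the ADMX shipped with your Windows build.

```powershell
# Added example (not from the book): enable Microsoft Defender Application Guard
# and apply enterprise-managed settings locally. Run in an elevated session.

# 1. Prerequisite: hardware virtualization. Note that Win32_Processor reports
#    VirtualizationFirmwareEnabled = False once a hypervisor is already running,
#    so accept either signal.
$hvPresent = (Get-CimInstance -ClassName Win32_ComputerSystem).HypervisorPresent
$vtEnabled = (Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1).VirtualizationFirmwareEnabled
if (-not ($hvPresent -or $vtEnabled)) {
    throw 'Hardware virtualization (Intel VT-x / AMD-V) is not enabled in firmware; enable it before installing Application Guard.'
}

# 2. Install the optional feature. A restart is required before it can be used.
$feature = Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard
if ($feature.State -ne 'Enabled') {
    $result = Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -NoRestart
    if ($result.RestartNeeded) { Write-Warning 'Restart required to complete the Application Guard installation.' }
}

# 3. Enterprise-managed settings. These registry values correspond to the
#    Application Guard GPO settings (AppHVSI.admx); the chosen values are assumptions.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI'
New-Item -Path $key -Force | Out-Null
$settings = [ordered]@{
    AllowAppHVSI_ProviderSet = 1   # 1 = enable Application Guard for Microsoft Edge
    AppHVSIClipboardSettings = 1   # 1 = allow copy from the isolated browser to the host only
    AppHVSIClipboardFileType = 1   # 1 = text only (2 = images, 3 = both)
    AppHVSIPrintingSettings  = 0   # 0 = block all printing from the container
    AllowPersistence         = 0   # 0 = discard container data when the Application Guard window closes
    AuditApplicationGuard    = 1   # 1 = forward container security events to the host event log
}
foreach ($name in $settings.Keys) {
    Set-ItemProperty -Path $key -Name $name -Value $settings[$name] -Type DWord
}

# 4. Show the effective policy for review.
Get-ItemProperty -Path $key | Select-Object -Property ($settings.Keys)
```

Blocking the host-to-container clipboard direction and printing are the settings that matter most from a security point of view: they keep corporate data from being pasted into, or printed from, an untrusted site open in the container.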

Need More Review? Configure Microsoft Defender Application Guard Policy Settings

To learn how to configure Microsoft Defender Application Guard policies, refer to the Microsoft website at https://learn.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.

Implement Microsoft Defender Application Control

Microsoft Defender Application Control lets you define precisely which code is allowed to run on a device: anything a policy does not explicitly allow, such as unsigned or untrusted apps and scripts, is blocked. You configure Microsoft Defender Application Control with policies whose rules govern kernel-mode code (device drivers) and, when user mode code integrity is enabled, user-mode code (apps and scripts).

A policy typically includes rules that

  • Control options such as whether audit mode is enabled
  • Determine whether user mode code integrity (UMCI) is enabled
  • Specify the level at which apps are to be identified and/or trusted

Traditionally, each Windows device has had a single Microsoft Defender Application Control policy; Windows 10 version 1903 and later (including Windows 11) also support multiple active policies (a base policy plus supplemental policies). Typically, you configure policies using GPOs in an AD DS environment or Intune for enrolled devices. Either way, a single-policy-format policy is stored locally as a file called SIPolicy.p7b in the C:\Windows\System32\CodeIntegrity folder; on UEFI-based computers, a copy is also placed at \EFI\Microsoft\Boot\SIPolicy.p7b on the EFI System Partition. Multiple-policy-format policies are stored as {PolicyGUID}.cip files under C:\Windows\System32\CodeIntegrity\CiPolicies\Active.
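To see what such a policy looks like in practice, here is an added example (not code from the book) that builds an audit-mode policy with the ConfigCI PowerShell module: it starts from the DefaultWindows_Audit.xml template that Windows ships, adds Publisher rules for a line-of-business application folder, sets the rule options discussed above (UMCI, audit mode), compiles the XML to SIPolicy.p7b, deploys it locally and then reads the enforcement state and audit events. The folder C:\Program Files\Contoso and the working directory C:\Temp\WDAC are assumptions.

```powershell
# Added example (not from the book): build, deploy and monitor a single-format
# WDAC policy in audit mode. Run in an elevated session on a reference device.

$work     = 'C:\Temp\WDAC'                                        # assumed working folder
$template = 'C:\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Audit.xml'
$lobXml   = Join-Path $work 'LobRules.xml'
$xml      = Join-Path $work 'AuditPolicy.xml'
$bin      = Join-Path $work 'SIPolicy.p7b'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. Scan the LOB application folder (assumed path). Publisher level trusts anything
#    signed by the same publisher certificate; unsigned files fall back to a file hash.
#    -UserPEs includes user-mode binaries, so the rules cover apps and not only drivers.
New-CIPolicy -Level Publisher -Fallback Hash -ScanPath 'C:\Program Files\Contoso' -UserPEs -FilePath $lobXml

# 2. Merge the LOB rules into the Microsoft-supplied Windows base template so that
#    Windows itself is allowed; a policy built only from the LOB scan would block the OS.
Merge-CIPolicy -PolicyPaths $template, $lobXml -OutputFilePath $xml

# 3. Rule options (numbers are the ConfigCI option IDs).
Set-RuleOption -FilePath $xml -Option 0    # Enabled:UMCI - apply the policy to user-mode code too
Set-RuleOption -FilePath $xml -Option 3    # Enabled:Audit Mode - log, do not block
Set-RuleOption -FilePath $xml -Option 6    # Enabled:Unsigned System Integrity Policy - lab only; sign the policy for production
Set-RuleOption -FilePath $xml -Option 10   # Enabled:Boot Audit on Failure - fall back to audit if a boot driver is blocked
Set-RuleOption -FilePath $xml -Option 16   # Enabled:Update Policy No Reboot

# 4. Compile to the binary format Windows consumes and deploy it locally.
#    GPO or Intune delivers the same SIPolicy.p7b at scale.
ConvertFrom-CIPolicy -XmlFilePath $xml -BinaryFilePath $bin
$dest = 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'
Copy-Item -Path $bin -Destination $dest -Force
# Ask code integrity to pick up the new policy without a reboot (needs option 16).
Invoke-CimMethod -Namespace root/Microsoft/Windows/CI -ClassName PS_UpdateAndCompareCIPolicy -MethodName Update -Arguments @{ FilePath = $dest }

# 5. Verify the enforcement state: 0 = off, 1 = audit, 2 = enforced.
Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard |
    Select-Object CodeIntegrityPolicyEnforcementStatus, UsermodeCodeIntegrityPolicyEnforcementStatus

# 6. Review what the policy would have blocked. Event 3076 is logged in audit mode
#    ("would have been blocked"); 3077 is an actual block once the policy is enforced.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076, 3077 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# When the 3076 events are clean, drop option 3 to move to enforcement, then rebuild and redeploy:
#   Set-RuleOption -FilePath $xml -Option 3 -Delete
```

Leave the policy in audit mode until the 3076 events stop reporting legitimate software; every such event is an application that will break the moment you remove the audit option.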

Manage Android updates by using configuration profiles – Manage, maintain, and protect devices

You can also use Intune to exert a degree of control over Android Enterprise updates. This applies only to Android Enterprise devices enrolled as fully managed, dedicated, or corporate-owned work profile devices. Rather than using update rings as you would with Windows, iOS, and macOS, you manage Android updates through a device configuration profile.

To create a profile that includes the update settings, use the following procedure:

  1. Open Microsoft Intune admin center.
  2. Select Devices and then select Android.
  3. On the Android | Overview page, click Configuration profiles.
  4. Click Create profile.
  5. On the Create a profile page, select Android Enterprise, and then select Device restrictions under the Fully managed, Dedicated, and Corporate-Owned Work Profile heading.
  6. Click Create.
  7. On the Basics tab, enter a Name and Description and click Next.
  8. On the Configuration settings page, shown in Figure 3-51, expand General and then click System update. This setting ensures that when over-the-air updates are available for targeted devices, those updates are installed based on this policy. Choose between Device Default, Automatic, Postponed, and Maintenance window.

FIGURE 3-51 Using a device restrictions profile to configure Android updates

  9. The option you select determines which other settings you must configure. For example, Automatic requires no further settings, whereas Maintenance window requires you to specify the daily start and end times of the window in which updates can be installed.

  10. Complete the wizard by configuring Scope tags and Assignments, and then create the profile.

It’s important to realize that the application of updates depends on the hardware vendor of your users’ Android devices releasing those updates.

Monitor updates

Using the Intune admin center, you can review the current status of updates and monitor the application of those updates using the configured update rings. For Windows, use the following procedure:

  1. Open Microsoft Intune admin center.
  2. Navigate to Devices | Windows and then choose Update rings for Windows 10 and later.
  3. Select the appropriate update ring. You can now review the application of updates on the Overview tab. Select the Device status tab for details about specific device updates.

You can also use the Intune reporting node:

  1. In the Microsoft Intune admin center, select Reports and then select Windows updates.
  2. Click Refresh to generate reports.

From this page, you can review the following:

  • Windows Feature updates:
    • In progress
    • Success
    • Error
    • Rollback initiated
    • Canceled
    • On hold
    • Total
  • Windows Expedited Quality updates:
    • In progress
    • Success
    • Error
    • Canceled
    • Total

Implement Microsoft Defender Exploit Guard – Manage, maintain, and protect devices

You can use Microsoft Defender Exploit Guard to help to reduce the attack surface of your users’ apps. Microsoft Defender Exploit Guard consists of four components:

  • Exploit protection Applies mitigations such as DEP, ASLR, and CFG to the operating system and to individual apps to make the exploit techniques used against your organization’s apps harder to carry out. It does not depend on Microsoft Defender Antivirus and also works when third-party antivirus software is installed.
  • Attack surface reduction rules Uses rules to block the behaviors that script-, email-, and Office-based malware relies on, such as Office apps launching child processes. Requires Microsoft Defender Antivirus as the active antivirus product.
  • Network protection Extends Microsoft Defender SmartScreen protection in Microsoft Edge to other applications to prevent access to Internet domains that might host phishing scams, exploits, and other malicious content. Requires Microsoft Defender Antivirus and cloud-delivered protection enabled.
  • Controlled folder access Helps protect against ransomware and malware by preventing changes to files in protected folders if the app attempting to make changes is malicious or exhibits suspicious behavior. It also requires Microsoft Defender Antivirus.

Note that different features are available in different Windows 11 editions, as shown in Table 3-15.

TABLE 3-15 Windows Defender Exploit Guard features

  Edition of Windows 11                         Features supported
  Windows 11 Home                               Exploit protection; Controlled folder access
  Windows 11 Pro                                Exploit protection; Controlled folder access
  Windows 11 Enterprise E3 / Education E3       Exploit protection; Controlled folder access; Network protection
  Windows 11 Enterprise E5 / Education E5       Exploit protection; Controlled folder access; Network protection; Attack surface reduction rules

Exploit Protection

Exploit Protection helps to protect your users’ devices against malware that uses exploits to spread through your organization. Exploit Protection consists of a number of specific mitigations that you must enable and configure separately.

By default, Exploit Protection already enables several mitigations that apply to the operating system and specific apps. However, if you want to configure these and other mitigations, use the following procedure:

  1. Open the Windows Security app.
  2. Select the App & browser control tab.
  3. Scroll down and select the Exploit protection settings link.
  4. Configure the required settings on the Exploit protection page, shown in Figure 3-56. You can configure System settings and also specific Program settings. Review Table 3-16 for an overview of available settings.

FIGURE 3-56 Configuring exploit protection settings

TABLE 3-16 Exploit protection mitigations

  • Control Flow Guard (CFG) Ensures that indirect calls land only on valid targets, combating memory corruption vulnerabilities.
  • Data Execution Prevention (DEP) Helps to prevent executable code from being run from pages that contain data.
  • Force Randomization For Images (Mandatory ASLR) Forces images that were not built to be relocatable to load at random addresses.
  • Randomize Memory Allocations (Bottom-Up ASLR) Randomizes the base addresses of bottom-up allocations such as heaps and stacks.
  • High-Entropy ASLR Increases the variability of bottom-up randomization for 64-bit processes.
  • Validate Exception Chains (SEHOP) Helps prevent the use of a structured exception-handler overwrite attack.
  • Validate Heap Integrity Terminates the process when heap corruption is detected, preventing attacks that rely on memory corruption.
  • Arbitrary code guard (ACG) Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Optionally, it can allow thread opt-out and remote downgrade (configurable only with PowerShell).
  • Block low integrity images Prevents the loading of images marked with Low Integrity.
  • Block remote images Prevents loading of images from remote devices.
  • Block untrusted fonts Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web.
  • Code integrity guard Restricts image loading to images signed by Microsoft, WHQL, or higher. Can optionally allow Microsoft Store signed images.
  • Disable extension points Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers.
  • Disable Win32k system calls Prevents an app from using the Win32k system call table.
  • Do not allow child processes Prevents an app from creating child processes.
  • Export address filtering (EAF) Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits.
  • Import address filtering (IAF) Detects dangerous operations being resolved by malicious code.
  • Simulate execution (SimExec) Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG.
  • Validate API invocation (CallerCheck) Ensures that legitimate callers invoke sensitive APIs. Only configurable for 32-bit (x86) applications. Not compatible with ACG.
  • Validate handle usage Causes an exception to be raised on any invalid handle references.
  • Validate image dependency integrity Enforces code signing for Windows image dependency loading.
  • Validate stack integrity (StackPivot) Ensures that the stack has not been redirected for sensitive APIs. Not compatible with ACG.

  5. Select the Export settings link to export the settings to an XML file.
  6. Distribute the XML file to other devices by using Microsoft Intune.

You can also enable mitigations in audit mode; this allows you to determine the effect of enabling a specific mitigation without affecting the user’s device usage.
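The audit-first workflow described above is easiest to do repeatably with the ProcessMitigation cmdlets. The following is an added example for this section, not code from the book: it sets the system-wide defaults, applies mitigations to a hypothetical application (LobApp.exe is an assumption) with the app-breaking ones in audit mode, reads back the audit events, switches those mitigations to enforcement, and exports the whole configuration to the XML file that Intune distributes. The export path is also an assumption.

```powershell
# Added example (not from the book): configure exploit protection for a
# line-of-business app, audit first, then enforce. Run in an elevated session.

$app = 'LobApp.exe'   # assumed executable name; matched by name, no path, process need not be running

# 1. System-wide defaults. DEP, SEHOP, bottom-up/high-entropy ASLR and CFG are the
#    Windows defaults; setting them explicitly records them in the exported XML.
Set-ProcessMitigation -System -Enable DEP, SEHOP, BottomUp, HighEntropy, CFG

# 2. Per-app configuration. Mitigations that rarely break software are enforced
#    immediately; those that commonly do (ACG, child-process blocking, Win32k filtering)
#    are switched on in audit mode so that violations are logged but not blocked.
Set-ProcessMitigation -Name $app -Enable DEP, CFG, ForceRelocateImages, BlockRemoteImageLoads, DisableExtensionPoints, AuditDynamicCode, AuditChildProcess, AuditSystemCall

# 3. Show the effective settings for the app.
Get-ProcessMitigation -Name $app

# 4. Review audit events for the app. Exploit protection writes to the
#    Security-Mitigations channels; audit entries mean the action would have been blocked.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Security-Mitigations/UserMode', 'Microsoft-Windows-Security-Mitigations/KernelMode' } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($app) } |
    Select-Object TimeCreated, Id, Message

# 5. Once the audit log is clean for a representative usage period, move the audited
#    mitigations to enforcement: clear the audit options, then enable the blocking ones.
Set-ProcessMitigation -Name $app -Disable AuditDynamicCode, AuditChildProcess, AuditSystemCall
Set-ProcessMitigation -Name $app -Enable BlockDynamicCode, DisallowChildProcessCreation, DisableWin32kSystemCalls

# 6. Export system and per-app settings to the XML that Intune (Endpoint protection
#    profile, Exploit Guard > Exploit protection) or Set-ProcessMitigation -PolicyFilePath
#    can apply on other devices. Path is an assumption.
Get-ProcessMitigation -RegistryConfigFilePath 'C:\Temp\ExploitProtection.xml'
```

Do not skip the audit step for ACG and child-process blocking: installers, plug-in hosts and anything that JIT-compiles code are the usual casualties, and the audit events tell you exactly which operation would have been blocked.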
Need More Review? Enable Exploit Protection
To review further details about enabling and configuring Exploit Protection, refer to the Microsoft website at https://learn.microsoft.com/en-gb/microsoft-365/security/defender-endpoint/customize-exploit-protection?view=o365-worldwide.

Understand BitLocker Authentication Options – Manage, maintain, and protect devices

It’s important to consider the available authentication options. You can use the following methods:

  • TPM + startup PIN + startup key This is the most secure combination. The TPM protects the volume key, and the user must both enter a PIN and insert a USB flash drive containing a startup key before the drive is unlocked. Users might find this option cumbersome because it requires multiple authentication steps.
  • TPM + startup key The TPM protects the volume key. The user must insert a USB flash drive containing a startup key.
  • TPM + startup PIN The TPM protects the volume key. The user must enter a PIN to unlock the device.
  • Startup key only The user must insert a USB flash drive with the startup key on it. The device doesn’t need a TPM. The firmware (BIOS or UEFI) must support access to the USB flash drive before the operating system loads.
  • TPM only The TPM protects the volume key, and no user action is required.

With all of these authentication methods, the data on the drive stays encrypted; the protector only controls whether Windows can obtain the key needed to unlock the drive at startup. If the normal protector is unavailable (for example, the TPM has been cleared or the boot configuration has changed), the drive enters recovery mode, and you can unlock it by using either the recovery password or the recovery key:

  • Recovery password This is a 48-digit number typed on a regular keyboard or by using the function keys (F1-F10) to input the numbers.
  • Recovery key This is a 256-bit key, created when BitLocker is first enabled, that is stored in a .BEK file and is used to recover data on the BitLocker volume. It is usually stored on removable media.

Because the TPM measures the boot environment before releasing the key, administrators can also configure BitLocker to operate without any additional unlock step (TPM only): as long as the measured boot components match what the TPM expects, the drive unlocks automatically. The trade-off is that a stolen device boots straight to the Windows sign-in screen, so protection then rests on the sign-in credentials and operating system hardening rather than on a pre-boot secret.
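The protector combinations above map directly onto the switches of Enable-BitLocker. The following is an added example for this section, not code from the book: it enables BitLocker on the OS drive with the TPM + startup PIN protector, adds a recovery password as the break-glass protector, escrows it to Microsoft Entra ID, and reports the resulting state. The PIN value is constructed for the example. TPM + PIN is accepted only if policy permits it, so the example also writes the registry equivalent of the "Require additional authentication at startup" policy; on an Intune- or GPO-managed device, leave that to the policy and omit those lines.

```powershell
# Added example (not from the book): enable BitLocker with TPM + startup PIN,
# add and escrow a recovery password, then verify. Run in an elevated session.

$os = 'C:'

# 1. A ready TPM is required for any TPM-based protector.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'A present and ready TPM is required for the TPM + PIN protector.'
}

# 2. Local equivalent of the "Require additional authentication at startup" policy.
#    Values for the Use* entries: 0 = do not allow, 1 = require, 2 = allow.
#    Unmanaged test device only; on managed devices this comes from GPO/Intune.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name UseAdvancedStartup  -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM  -Value 0 -Type DWord   # no startup-key-only fallback
Set-ItemProperty -Path $fve -Name UseTPM              -Value 2 -Type DWord
Set-ItemProperty -Path $fve -Name UseTPMPIN           -Value 2 -Type DWord

# 3. Enable BitLocker: XTS-AES-256, TPM + PIN. -UsedSpaceOnly is fast on a fresh
#    device; use full encryption on a drive that has already held data.
#    -SkipHardwareTest starts encryption now instead of after a test restart.
$pin = ConvertTo-SecureString '482913' -AsPlainText -Force   # constructed example PIN (6+ digits)
Enable-BitLocker -MountPoint $os -EncryptionMethod XtsAes256 -TpmAndPinProtector -Pin $pin -UsedSpaceOnly -SkipHardwareTest

# 4. Add the 48-digit recovery password and escrow it. Entra-joined devices back up to
#    Entra ID; for AD DS-joined devices use Backup-BitLockerKeyProtector instead.
Add-BitLockerKeyProtector -MountPoint $os -RecoveryPasswordProtector | Out-Null
$recovery = (Get-BitLockerVolume -MountPoint $os).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
BackupToAAD-BitLockerKeyProtector -MountPoint $os -KeyProtectorId $recovery.KeyProtectorId

# 5. Summarize the state. Expect Protectors = TpmPin, RecoveryPassword and
#    ProtectionStatus = On once encryption has progressed far enough to protect the volume.
function Test-BitLockerConfiguration {
    param([string]$MountPoint = 'C:')
    $v = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        Volume           = $MountPoint
        ProtectionStatus = $v.ProtectionStatus
        VolumeStatus     = $v.VolumeStatus          # EncryptionInProgress / FullyEncrypted
        EncryptionMethod = $v.EncryptionMethod
        Protectors       = ($v.KeyProtector.KeyProtectorType -join ', ')
        HasRecoveryPwd   = [bool]($v.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }
}
Test-BitLockerConfiguration -MountPoint $os
```

Never ship a device whose only protector is the TPM + PIN one: without an escrowed recovery password, a cleared TPM or a firmware update that changes the measured boot chain turns the device into a brick for the help desk.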

Configure BitLocker with Intune

If you have many devices on which you want to enable and manage BitLocker, you can use Microsoft Intune. To configure BitLocker, use the following procedure:

  1. Open Microsoft Intune admin center.
  2. Navigate to Endpoint security and select Disk encryption.
  3. In the details pane, select Create Policy.
  4. On the Create a profile page, displayed in Figure 3-53, in Platform, select Windows 10 and later.

FIGURE 3-53 Creating a BitLocker profile in Intune

  5. In the Profile list, select BitLocker, and then select Create.
  6. On the Create profile page, on the Basics tab, enter a Name and Description, and then select Next.
  7. On the Configuration settings tab, shown in Figure 3-54, configure the following settings, and then select Next:
    • BitLocker – Base Settings Including whether to enable full disk encryption for OS and fixed data drives.
    • BitLocker – Fixed Drive Settings Including drive recovery settings and encryption methods for fixed data drives.
    • BitLocker – OS Drive Settings Including whether Startup authentication is required, such as TPM startup options as discussed earlier. You can also define the system drive recovery options.
    • BitLocker – Removable Drive Settings Including blocking write access to removable data drives not protected by BitLocker.

FIGURE 3-54 Configuring BitLocker – OS Drive Settings in an Intune profile

  8. Optionally, configure scope tags, and then, in the Assignments tab, assign the profile to the required groups.
  9. Finally, on the Review + create tab, select Create.

You can also configure BitLocker settings in Intune by using Configuration Profiles in the Devices node. Use the following procedure:

  1. Select Devices, select Windows, and then select Configuration profiles.
  2. Select Create profile, and in the Platform list, select Windows 10 and later.
  3. In the Profile type list, select Templates. You can now choose either:
    • Administrative templates Choose this option to use an interface that’s broadly similar to that used when configuring GPO settings. Create the profile as usual, and on the Configuration Settings tab, expand Computer Configuration > Windows Components > BitLocker Drive Encryption > Operating System Drives and configure the required values. Then complete the process of configuring and assigning the profile. The advantage of configuring BitLocker this way is that you can combine settings with others which are also configurable in the Administrative Template profile.
    • Endpoint protection You can use Endpoint Protection profiles to configure a range of security settings, including those for BitLocker. Create the profile in the usual way, and on the Configuration settings tab, in addition to any other settings, make sure to expand Windows Encryption. You can then require BitLocker encryption and go on to configure BitLocker base settings, OS drive settings, and fixed data-drive settings. Complete the process of configuring and assigning the profile.