Implement Microsoft Defender Antivirus – Manage, maintain, and protect devices

Malicious software can do many things to your computer, such as allowing unauthorized parties remote access to your computer or collecting and transmitting information that is sensitive or confidential to unauthorized third parties.

Some types of malware include:

  • Computer viruses: Replicating malware, normally spread through email attachments or files.
  • Computer worms: Replicate across networks without direct user intervention.
  • Trojan horses: Trick the user into providing an attacker with remote access to the infected computer.
  • Ransomware: Harms the user by encrypting user data. A ransom (fee) must be paid to the malware authors to recover the data.
  • Spyware: Tracking software that reports to a third party how a computer is used.

The most common attack vector for malware is still by email, although attacks from websites, pirated software, video, and music files are becoming increasingly common.

You can help protect against malware infection by following these guidelines:

  • Obtain all software from a reputable source.
  • Apply all software and operating system updates.
  • Install and enable antimalware software on your devices.
  • Keep antimalware definitions up to date.
  • Avoid using or accessing pirated software or media-sharing sites.
  • Be suspicious of out-of-the-ordinary email attachments, and don’t open links in spam or phishing emails.

Although no antimalware solution can provide 100 percent safety, modern solutions can reduce the probability that malware compromises your device.

Microsoft Defender Antivirus can help protect your device by actively detecting spyware, malware, and viruses in the operating system and on Windows 11 installed on Hyper-V virtual machines. Windows Defender runs in the background and automatically installs new definitions as they are released, often daily.

You can use Microsoft Defender Antivirus manually to check for malware with various scan options listed in Table 3-18.

TABLE 3-18 Microsoft Defender Antivirus scan options

Scan option: Description
Quick: Checks the most likely areas that malware, including viruses, spyware, and unwanted software, commonly infect.
Full: Scans all files on your hard disk and all running programs.
Custom: Enables users to scan specific drives and folders to target specific areas of their computers, such as removable drives.
Microsoft Defender Offline Scan: Allows users to find and remove difficult-to-remove malicious software. The system must reboot, and the scan can take about 15 minutes.

You should routinely check your system for malware. If it becomes infected or you suspect malware is on your system, you can run a full scan.
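The scan options in Table 3-18 map directly onto the Defender PowerShell module, which is useful when you want to script a routine check rather than click through Windows Security. The following is an added example, not code from the book: it reports signature age, refreshes definitions if they are stale, runs the chosen scan type, and lists recent detections. It assumes an elevated prompt on a Windows 11 device with Microsoft Defender Antivirus active; the custom-scan path is a constructed sample.

```powershell
# Added example (not from the book): run Defender Antivirus scans and review results
# with the Defender PowerShell module. Run from an elevated prompt.

function Get-DefenderSignatureState {
    # Stale definitions are the most common reason a scan misses something; check them first.
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        EngineVersion    = $status.AMEngineVersion
        SignatureVersion = $status.AntivirusSignatureVersion
        SignatureAgeDays = $status.AntivirusSignatureAge
        RealTimeEnabled  = $status.RealTimeProtectionEnabled
    }
}

function Invoke-DefenderScan {
    # $Option mirrors the four choices in Table 3-18.
    param(
        [ValidateSet('Quick', 'Full', 'Custom', 'Offline')][string]$Option = 'Quick',
        [string]$Path = 'C:\Users\Public\Downloads'   # constructed sample path for a custom scan
    )
    switch ($Option) {
        'Quick'   { Start-MpScan -ScanType QuickScan }
        'Full'    { Start-MpScan -ScanType FullScan }
        'Custom'  { Start-MpScan -ScanType CustomScan -ScanPath $Path }
        'Offline' { Start-MpWDOScan }   # reboots the device into the offline scanning environment
    }
}

function Get-RecentDetections {
    # Detections logged by the engine in the last $Days days, with the process and files involved.
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -ge $since } |
        Select-Object InitialDetectionTime, ThreatID, ProcessName,
            @{ Name = 'Resources'; Expression = { $_.Resources -join '; ' } }
}

# Usage: refresh definitions if older than a day, run a quick scan, then list what was found.
$sig = Get-DefenderSignatureState
if ($sig.SignatureAgeDays -gt 1) { Update-MpSignature }
Invoke-DefenderScan -Option Quick
Get-RecentDetections -Days 1 | Format-Table -AutoSize
```

Start-MpScan runs synchronously, so a Full scan blocks the prompt until it completes; the Offline option restarts the device immediately, which is why it is kept behind an explicit parameter value.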

Configure Microsoft Defender Application Guard – Manage, maintain, and protect devices

You can configure Microsoft Defender Application Guard in one of two modes:

  • Standalone Mode: In standalone mode, users can manage their own device settings.
  • Enterprise-Managed Mode: In Enterprise mode, an administrator configures appropriate device settings using GPOs, MDM, or Windows PowerShell.

You can enable and configure Microsoft Defender Application Guard from Windows Security. However, to configure the relevant settings in Intune, use the following procedure:

  1. Open Microsoft Intune admin center.
  2. Navigate to Devices and then select Windows.
  3. Click Configuration profiles.
  4. Click Create profile.
  5. On the Create a profile page, select Windows 10 and later and then select Templates.
  6. In the list of templates, select Endpoint protection and click Create.
  7. Enter a Name and Description on the Basics tab, and then, on the Configuration settings page, expand Microsoft Defender Application Guard.
  8. As shown in Figure 3-58, select Enabled for Edge in the Application Guard list, and then configure supplemental settings, such as clipboard behavior and printing. Click Next.

FIGURE 3-58 Enabling and configuring Application Guard

  9. Configure scope tags and assignments as necessary, and then choose Create to create the profile.

To use Microsoft Defender Application Guard in standalone mode, select the ellipsis button in Microsoft Edge and then select New Application Guard window, as shown in Figure 3-59. The Microsoft Defender Application Guard service starts, and then a new instance of Microsoft Edge opens.

FIGURE 3-59 Opening a new Application Guard window

Need More Review? Configure Microsoft Defender Application Guard Policy Settings

To learn how to configure Microsoft Defender Application Guard policies, refer to the Microsoft website at https://learn.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.

Implement Microsoft Defender Application Control

Microsoft Defender Application Control enables you to determine precisely which apps your users are allowed to run by blocking any unsigned apps and scripts. You configure Microsoft Defender Application Control with policies that specify whether code running in kernel mode, such as device drivers, or in user mode, such as apps, is allowed to run.

A policy typically includes rules that

  • Control options such as whether audit mode is enabled
  • Determine whether user mode code integrity (UMCI) is enabled
  • Specify the level at which apps are to be identified and/or trusted

Each Windows 11 device has a single Microsoft Defender Application Control policy defined for it. Typically, you configure this using GPOs in an AD DS environment or Intune for enrolled devices. Either way, the policy is stored as a local file called SIPolicy.p7b that resides in the C:\Windows\System32\CodeIntegrity folder; on UEFI-based computers, the file resides in <EFI System Partition>\Microsoft\Boot.

Attack Surface Reduction Rules – Manage, maintain, and protect devices

Attack Surface Reduction rules can help prevent actions and apps often used by exploit-seeking malware from infecting your organization’s devices. Each rule is identified by a unique identity known as a GUID. Table 3-17 lists and describes the available Attack Surface Reduction rules and their respective GUIDs.

TABLE 3-17 Attack Surface Reduction rules

Rule and description: GUID
Block executable content from email client and webmail: be9ba2d9-53ea-4cdc-84e5-9b1eeee46550
Block all Office applications from creating child processes: d4f940ab-401b-4efc-aadc-ad5f3c50688a
Block Office applications from creating executable content: 3b576869-a4ec-4529-8536-b80a7769e899
Block Office applications from injecting code into other processes: 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84
Block JavaScript or VBScript from launching downloaded executable content: d3e037e1-3eb8-44c8-a917-57927947596d
Block execution of potentially obfuscated scripts: 5beb7efe-fd9a-4556-801d-275e5ffc04cc
Block Win32 API calls from Office macros: 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b
Block executable files from running unless they meet a prevalence, age, or trusted list criterion: 01443614-cd74-433a-b99e-2ecdc07bfc25
Use advanced protection against ransomware: c1db55ab-c21a-4637-bb3f-a12568109d35
Block credential stealing from the Windows local security authority subsystem (lsass.exe): 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block process creations originating from PsExec and WMI commands: d1e49aac-8f56-4280-b9ba-993a6d77406c
Block untrusted and unsigned processes that run from USB: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
Block Office communication applications from creating child processes: 26190899-1602-49e8-8b27-eb1d0a1ce869
Block Adobe Reader from creating child processes: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c

Need More Review? Enable Attack Surface Reduction Rules

To review further details about configuring Attack Surface Reduction rules, refer to the Microsoft website at https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-worldwide.

Network Protection

Network Protection helps prevent your users from using apps to access Internet-based domains that might present a risk of malware, scams, or other malicious content. You can use GPOs, Microsoft Intune, or Windows PowerShell to enable network protection.

Need More Review? Enable Network Protection

To review further details about enabling and configuring Network Protection, refer to the Microsoft website at https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/network-protection.

Controlled Folder Access

You can use Controlled Folder Access to help prevent the spread of malicious software. Specifically, controlled folder access helps protect valuable data stored in specific folders. You can use Windows PowerShell, GPOs, or MDM to configure controlled folder access.

Need More Review? Enable Controlled Folder Access

To review further details about configuring folder access, refer to the Microsoft website at https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.
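Network Protection and Controlled Folder Access are both switched on through the same Set-MpPreference cmdlet, and both support an audit mode that logs without blocking. The following is an added example, not code from the book, covering the two preceding sections: it enables each feature in audit mode (or enforced, with a switch), adds an extra protected folder and an allowed application, and summarizes the resulting events. It assumes an elevated prompt; the folder and application paths are constructed samples, and the event IDs (1123/1124 for Controlled Folder Access block/audit, 1125/1126 for Network Protection audit/block) are the documented Defender Operational log events.

```powershell
# Added example (not from the book): enable Network Protection and Controlled Folder Access
# with the Defender PowerShell module, starting in audit mode, and review the events they raise.

function Enable-NetworkProtection {
    param([switch]$Enforce)
    $mode = if ($Enforce) { 'Enabled' } else { 'AuditMode' }
    Set-MpPreference -EnableNetworkProtection $mode
}

function Enable-ControlledFolderAccess {
    param(
        [switch]$Enforce,
        [string[]]$ExtraFolders = @('D:\FinanceShare'),                               # constructed sample
        [string[]]$AllowedApps  = @('C:\Program Files\Contoso\Backup\backup.exe')     # constructed sample
    )
    $mode = if ($Enforce) { 'Enabled' } else { 'AuditMode' }
    Set-MpPreference -EnableControlledFolderAccess $mode
    # Default protected folders (Documents, Pictures, and so on) stay protected; these are added on top.
    Add-MpPreference -ControlledFolderAccessProtectedFolders $ExtraFolders
    # Apps that legitimately write to protected folders (backup agents, line-of-business tools).
    Add-MpPreference -ControlledFolderAccessAllowedApplications $AllowedApps
}

function Get-ExploitGuardState {
    $pref = Get-MpPreference
    [pscustomobject]@{
        NetworkProtection     = $pref.EnableNetworkProtection        # 0 = Disabled, 1 = Enabled, 2 = Audit
        ControlledFolderAccess = $pref.EnableControlledFolderAccess  # 0 = Disabled, 1 = Enabled, 2 = Audit
        ProtectedFolders      = $pref.ControlledFolderAccessProtectedFolders
        AllowedApplications   = $pref.ControlledFolderAccessAllowedApplications
    }
}

function Get-ExploitGuardEvents {
    # 1123 = CFA blocked, 1124 = CFA audited, 1125 = NP audited, 1126 = NP blocked.
    param([int]$Days = 7)
    $names = @{ 1123 = 'CFA blocked'; 1124 = 'CFA audited'; 1125 = 'NP audited'; 1126 = 'NP blocked' }
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124, 1125, 1126
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ Name = 'Meaning'; Expression = { $names[[int]$_.Id] } }, Message
}

Enable-NetworkProtection
Enable-ControlledFolderAccess
Get-ExploitGuardState
Get-ExploitGuardEvents | Format-Table TimeCreated, Meaning -AutoSize
```

Review the audit events for a few weeks before calling the functions with -Enforce; the audited events tell you which legitimate applications need to be added to the allowed list so that users are not blocked once enforcement starts.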

Implement endpoint protection for all supported device platforms – Manage, maintain, and protect devices

Windows 11 contains a number of built-in features that are part of the Microsoft Defender suite of security apps. It’s important that you are familiar with each of these: what they do, how they can help secure your organization’s devices, and how you can enable and configure them. You must also understand how to implement, configure, and manage these security features by using Microsoft Intune.

This skill covers how to:

  • Create and manage configuration policies for Endpoint security

In this section, you’ll learn how to secure your Windows 11 devices. You’ll also learn about the various security features in Windows 11.

Implement enterprise-level disk encryption

It’s important to be able to protect your computers against data loss and data leakage. One way in which you can do this is to enable disk encryption. Windows 11 supports BitLocker.

BitLocker enables you to encrypt an entire hard disk, including the operating system drive. BitLocker is available in Windows 11 Pro, Enterprise, and Education editions.

With BitLocker enabled, the drive is no longer susceptible to data theft. On a system that is not encrypted, simply removing the drive from the PC and attaching it as a secondary drive to another PC allows the data to be read, bypassing all NTFS security.

Trusted Platform Modules

Most modern computers contain a security component known as a Trusted Platform Module (TPM). This component securely stores cryptographic information, such as BitLocker’s encryption keys.

BitLocker supports versions 1.2 and 2.0 of the TPM specification, and information contained on the TPM is more secure from external software attacks and physical theft.

If a device has been tampered with, for example by removing the hard drive from the original computer, BitLocker prevents the drive from being unlocked. BitLocker then enters recovery mode and requires the user to enter a 48-digit recovery key before the drive can be used.

While a TPM is the most secure option, BitLocker can also be used on devices without a TPM. To enable this capability, you must configure the appropriate settings in Intune, and we’ll discuss those shortly.

BitLocker Recovery – Manage, maintain, and protect devices

If your users’ computers experience a situation where BitLocker will not unlock their operating system drive, they must enter a recovery key, as mentioned earlier. You can store and access the keys using Intune.

To access the BitLocker key for a user, use the following procedure:

  1. In the Microsoft Intune admin center, navigate to Devices and select Windows devices.
  2. Locate the device in the list of Windows devices and then select it.
  3. In the navigation pane, select Recovery keys.
  4. In the details pane, select Show Recovery Key.
  5. Provide the key to the user to unlock their drive.
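The recovery key that Intune shows in the procedure above is only there if it was escrowed from the device. The following is an added example, not code from the book, tying together the TPM section and the recovery procedure: it checks TPM and Secure Boot readiness, enables BitLocker on the operating system drive with a TPM protector plus a recovery password, and backs that password up to Microsoft Entra ID so it appears under the device’s Recovery keys. It assumes an elevated prompt on an Entra-joined Windows 11 device; the BitLocker and TrustedPlatformModule modules are built in.

```powershell
# Added example (not from the book): enable BitLocker with TPM + recovery password and
# escrow the recovery password to Microsoft Entra ID. Run from an elevated prompt.

function Test-BitLockerPrerequisites {
    $tpm = Get-Tpm
    $secureBoot = $(try { Confirm-SecureBootUEFI } catch { $false })   # throws on legacy BIOS firmware
    [pscustomobject]@{
        TpmPresent   = $tpm.TpmPresent
        TpmReady     = $tpm.TpmReady
        SecureBoot   = $secureBoot
        OsVolumeState = (Get-BitLockerVolume -MountPoint $env:SystemDrive).VolumeStatus
    }
}

function Enable-OsDriveBitLocker {
    param([string]$MountPoint = $env:SystemDrive)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyDecrypted') { return $vol }   # already encrypted or in progress
    # Add the recovery password first so a recovery path exists before encryption starts.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    # The TPM protector unlocks the drive transparently at boot; tampering forces recovery mode.
    Enable-BitLocker -MountPoint $MountPoint -TpmProtector -EncryptionMethod XtsAes256 `
        -UsedSpaceOnly -SkipHardwareTest | Out-Null
    Get-BitLockerVolume -MountPoint $MountPoint
}

function Backup-RecoveryPasswordToEntra {
    # Escrows every recovery-password protector so Intune can show it under Recovery keys.
    param([string]$MountPoint = $env:SystemDrive)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $protectors = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    foreach ($p in $protectors) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
    }
    # Report the protector IDs only; the RecoveryPassword property itself should never be logged.
    $protectors | Select-Object KeyProtectorId, KeyProtectorType
}

Test-BitLockerPrerequisites
Enable-OsDriveBitLocker | Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus
Backup-RecoveryPasswordToEntra
```

On an Intune-managed device the same escrow is normally driven by the BitLocker policy (the "Store recovery information in Azure Active Directory" setting), but running the backup explicitly is a quick way to confirm that a device whose key is missing from the admin center can in fact reach the service.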

Implement and manage Microsoft Defender Credential Guard

When users sign in, they provide their user credentials via the Local Security Authority subsystem (LSA) to an authentication service. These user credentials are stored temporarily in memory in the LSA as hashes. Certain malicious software can access the LSA and exploit the stored hashes.

To help protect against this possibility, Windows 11 Enterprise and Windows 11 Education editions have a feature called Microsoft Defender Credential Guard, which implements virtualization-assisted security technology, enabling Microsoft Defender Credential Guard to block access to credentials stored in the Local Security Authority.

Requirements

In addition to requiring the appropriate edition of Windows 11, the following are the requirements for implementing Microsoft Defender Credential Guard:

  • Support for Virtualization-based security.
  • UEFI 2.3.1 or greater.
  • Secure Boot.
  • TPM 1.2 or 2.0, either discrete or firmware.
  • UEFI (firmware) lock preferred.
  • Virtualization features: Intel VT-x or AMD-V; SLAT must be enabled.
  • Windows hypervisor, although Hyper-V doesn’t need to be installed.

Implement Microsoft Defender Credential Guard

After verifying that your computer meets the requirements, you can enable Microsoft Defender Credential Guard by using Group Policy or Microsoft Intune. To use Intune, perform the following steps:

  1. Open Microsoft Intune admin center.
  2. Navigate to Endpoint security and select Account protection.
  3. In the details pane, select Create Policy.
  4. On the Create a profile page, displayed in Figure 3-55, in Platform, select Windows 10 and later, and in the Profile list, choose Account protection.

FIGURE 3-55 Enabling Microsoft Defender Credential Guard

  5. Click Create.
  6. In the Create profile wizard, on the Basics tab, enter a Name and Description and click Next.
  7. On the Configuration settings page, select Enable with UEFI lock in the Turn on Credential Guard list and click Next.
  8. Complete the wizard by defining scope tags and assignments and click Create on the Review + create page.

You can also use a configuration profile of type Endpoint protection:

  1. Select Devices, select Windows, and then select Configuration profiles.
  2. Select Create profile, and in the Platform list, select Windows 10 and later.
  3. In the Profile type list, select Templates.
  4. In the list of templates, select Endpoint protection, and click Create.
  5. On the Configuration settings page, expand Microsoft Defender Credential Guard and configure the desired settings.

Need More Review? Manage Microsoft Defender Credential Guard

To review further details about how Microsoft Defender Credential Guard works, refer to the Microsoft website at https://learn.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-manage.
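After assigning the policy, verify on a device that Credential Guard is not just configured but actually running; a device that fails one of the requirements listed earlier will show the service as configured while virtualization-based security never starts. The following is an added example, not code from the book: it checks the hardware and firmware requirements and then reads the Win32_DeviceGuard class and the LsaCfgFlags registry value. It assumes an elevated prompt; the numeric meanings in the comments are Microsoft’s documented values for those properties.

```powershell
# Added example (not from the book): check Credential Guard requirements and report whether
# Credential Guard is configured and running. Run from an elevated prompt.

function Test-CredentialGuardRequirements {
    # Get-ComputerInfo is slow (several seconds); its HyperVRequirement* fields are $null when Hyper-V is installed.
    $ci = Get-ComputerInfo
    $secureBoot = $(try { Confirm-SecureBootUEFI } catch { $false })   # throws on legacy BIOS firmware
    [pscustomobject]@{
        Edition      = $ci.WindowsProductName                              # Enterprise or Education required
        FirmwareType = $ci.BiosFirmwareType                                # must be Uefi
        SecureBoot   = $secureBoot
        TpmPresent   = (Get-Tpm).TpmPresent
        VtxOrAmdV    = $ci.HyperVRequirementVirtualizationFirmwareEnabled
        Slat         = $ci.HyperVRequirementSecondLevelAddressTranslation
    }
}

function Get-CredentialGuardState {
    $dg  = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LsaCfgFlags -ErrorAction SilentlyContinue
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    $vbs = switch ($dg.VirtualizationBasedSecurityStatus) {
        0 { 'Off' } 1 { 'EnabledNotRunning' } 2 { 'Running' } default { 'Unknown' }
    }
    # LsaCfgFlags: 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without lock; absent when unmanaged.
    $lsaFlags = if ($lsa) { $lsa.LsaCfgFlags } else { 'not set' }
    # SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
    [pscustomobject]@{
        VbsStatus                 = $vbs
        CredentialGuardConfigured = [bool]($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = [bool]($dg.SecurityServicesRunning -contains 1)
        HvciRunning               = [bool]($dg.SecurityServicesRunning -contains 2)
        LsaCfgFlags               = $lsaFlags
    }
}

Test-CredentialGuardRequirements
Get-CredentialGuardState
```

CredentialGuardConfigured true with CredentialGuardRunning false after a restart is the signature of a requirements problem (typically Secure Boot or SLAT disabled in firmware); LsaCfgFlags of 1 corresponds to the Enable with UEFI lock choice in the Intune profile, which means the setting cannot be turned off remotely without physical access to clear the UEFI variable.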

Troubleshoot updates in Intune – Manage, maintain, and protect devices

Updates are necessary to maintain the security and reliability of Windows 11. You should ensure that devices are receiving updates, know how to review installed updates, and find more information regarding an update.

After you have created your Windows 11 Update Rings, you can manage them with Intune. Select the appropriate update ring, and on the Overview page, you can view the assignment status (for example, that the ring has been successfully assigned to one group) and take the following actions to manage the ring:

  • Delete: Stops enforcing the settings of the Update Ring and removes its configuration from Intune. The settings on devices that were assigned to the Update Ring remain in place.
  • Pause: Prevents assigned devices from receiving either Feature Updates or Quality Updates for up to 35 days from the time you pause the ring. Pause functionality automatically expires after 35 days.
  • Resume: Used to restore an Update Ring that was paused.
  • Extend: When an Update Ring is paused, you can select Extend to reset the pause period.
  • Uninstall: Use Uninstall to uninstall (roll back) the latest Feature Update or Quality Update on a device running Windows 11.

You can also modify the settings contained within an Update Ring by selecting Properties under the Manage heading and then amending the settings.

View update history

You can also review and remove any specific updates on an individual computer. Follow these steps to view your update history and see which Windows updates failed or were successfully installed on your Windows 11 device:

  1. Open the Settings app and click Windows Update.
  2. In Windows Update, click Update History.
  3. On the Update History page, as shown in Figure 3-52, you can see a list of your installed Windows updates.

FIGURE 3-52 View Update History

  4. Click one of the successfully installed updates to see more details about it.
  5. In the bottom part of the screen, you can view Definition Updates, which relate to Microsoft Defender Antivirus and threat protection, and Other Updates.

Each update contains a summary of the payload. If you click the Update link, you are directed to the detailed Knowledge Base description on the Microsoft support pages relating to the update, which allows you to review the details about the update. You can also remove any updates you want. Click Uninstall updates, and then review the returned list. Choose Uninstall for any updates you want to remove.

Need More Review? Windows 11 Update History

Microsoft publishes the contents of each Windows 11 update for you to review and understand what is contained in each periodic software update. View this list at https://support.microsoft.com/en-us/topic/windows-11-version-22h2-update-history-ec4229c3-9c5f-4e75-9d6d-9025ab70fcce.
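When troubleshooting a device remotely, the same history that the Update History page shows can be read programmatically, which makes it easy to pull out only the failed installs together with their support links. The following is an added example, not code from the book: it queries the Windows Update Agent COM API, separates Defender definition updates from other updates as the Settings page does, and lists recent failures with their HRESULT and Knowledge Base URL. It assumes a Windows 11 device with the Windows Update service present; the result and operation codes are the documented OperationResultCode and UpdateOperation values.

```powershell
# Added example (not from the book): read Windows Update history through the Windows Update
# Agent COM API and list failed installs with their support links.

function ConvertFrom-UpdateResultCode {
    # OperationResultCode values from the Windows Update Agent API.
    param([int]$Code)
    switch ($Code) {
        0 { 'NotStarted' } 1 { 'InProgress' } 2 { 'Succeeded' }
        3 { 'SucceededWithErrors' } 4 { 'Failed' } 5 { 'Aborted' }
        default { "Unknown($Code)" }
    }
}

function Get-WindowsUpdateHistory {
    param([int]$Last = 100)
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $total    = $searcher.GetTotalHistoryCount()
    if ($total -eq 0) { return @() }
    $count = [Math]::Min($Last, $total)
    foreach ($entry in $searcher.QueryHistory(0, $count)) {
        $operation = if ($entry.Operation -eq 1) { 'Install' } else { 'Uninstall' }   # UpdateOperation: 1 = install, 2 = uninstall
        [pscustomobject]@{
            Date       = $entry.Date
            Title      = $entry.Title
            Operation  = $operation
            Result     = ConvertFrom-UpdateResultCode $entry.ResultCode
            HResult    = '0x{0:X8}' -f $entry.HResult
            Definition = $entry.Title -like '*Microsoft Defender Antivirus*'   # definition vs. other updates
            SupportUrl = $entry.SupportUrl                                     # the KB link the Settings page shows
        }
    }
}

function Get-FailedWindowsUpdates {
    # Failed installs in the last $Days days, the entries worth raising before a device drops out of compliance.
    param([int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days)
    Get-WindowsUpdateHistory | Where-Object { $_.Result -eq 'Failed' -and $_.Date -ge $since }
}

Get-WindowsUpdateHistory -Last 20 | Format-Table Date, Result, Definition, Title -AutoSize
Get-FailedWindowsUpdates | Format-List Date, Title, HResult, SupportUrl
```

The HRESULT is what you search for in the Knowledge Base article when a quality update repeatedly fails; Get-HotFix lists only the updates that are currently installed and does not show failures, which is why the history API is used here instead.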

Implement Windows Defender Firewall – Manage, maintain, and protect devices

You can implement Windows Defender Firewall rules and settings in Intune as follows:

  1. Open Microsoft Intune admin center.
  2. Navigate to Endpoint security and select Firewall.
  3. In the details pane, select Create Policy.
  4. On the Create a profile page, in Platform, select Windows 10, Windows 11, and Windows Server.
  5. In the Profile, select Microsoft Defender Firewall, and then select Create.
  6. In the Create a profile wizard, on the Basics tab, enter a Name and Description and click Next.
  7. On the Configuration settings tab, configure the following settings, and click Next:
    • Firewall, which determines the fundamental state of the firewall for domain, private, and public network location profiles.
    • Auditing settings.
    • Network List Manager, which defines TLS endpoint settings.
  8. Configure scope tags and assignments as needed, and then choose Create to create the profile.

You will also need to define firewall rules, as shown in Figure 3-60. Use the following procedure:

  1. Open Microsoft Intune admin center.
  2. Navigate to Endpoint security and select Firewall.
  3. In the details pane, select Create Policy.
  4. On the Create a profile page, in Platform, select Windows 10, Windows 11, and Windows Server.
  5. In the Profile, select Microsoft Defender Firewall rules, and then select Create.
  6. In the Create a profile wizard, on the Basics tab, enter a Name and Description and click Next.
  7. On the Configuration settings tab, click Add to create and configure specific firewall rules. When you are done, click Next. When adding a rule, you must set numerous settings, including
    • State (enabled or disabled)
    • Name
    • Interface Types
    • Remote Port Ranges
    • Action (Allow or Block)
    • Protocol
  8. Configure scope tags and assignments as needed, and then Create the profile.

FIGURE 3-60 Defining firewall rules

You can also create an endpoint protection configuration profile in Devices and configure the required firewall settings in the Microsoft Defender Firewall section.
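The settings the two Intune wizards expose (profile state for domain, private, and public networks; per-rule state, name, interface type, remote port range, action, and protocol) correspond one-to-one to the NetSecurity module, which is useful for validating a rule on a test device before assigning the profile. The following is an added example, not code from the book: it sets a baseline for all three location profiles with logging of dropped packets, then creates and reads back a rule using exactly the fields the wizard asks for. It assumes an elevated prompt; the rule (blocking outbound SMB on public networks) and the log path are constructed samples.

```powershell
# Added example (not from the book): apply the firewall profile and rule settings from the Intune
# wizards locally with the NetSecurity module. Run from an elevated prompt.

function Set-BaselineFirewallProfiles {
    # Firewall on for domain, private, and public; block unsolicited inbound; log drops for auditing.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow `
        -LogBlocked True -LogAllowed False -LogMaxSizeKilobytes 16384 `
        -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'   # constructed sample path
}

function New-ManagedFirewallRule {
    # Parameters mirror the rule fields listed in the procedure above.
    param(
        [Parameter(Mandatory)][string]$Name,
        [ValidateSet('Inbound', 'Outbound')][string]$Direction = 'Inbound',
        [ValidateSet('Allow', 'Block')][string]$Action = 'Block',
        [ValidateSet('TCP', 'UDP')][string]$Protocol = 'TCP',
        [string[]]$RemotePort = 'Any',                 # single port, a range such as 1000-2000, or a list
        [ValidateSet('Any', 'Wired', 'Wireless', 'RemoteAccess')][string]$InterfaceType = 'Any',
        [ValidateSet('Domain', 'Private', 'Public', 'Any')][string[]]$NetProfile = 'Any',
        [ValidateSet('True', 'False')][string]$Enabled = 'True'
    )
    # Re-create rather than duplicate, so the script is safe to run repeatedly.
    Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $Name -Direction $Direction -Action $Action -Protocol $Protocol `
        -RemotePort $RemotePort -InterfaceType $InterfaceType -Profile $NetProfile -Enabled $Enabled
}

function Get-ManagedFirewallRule {
    # Reads the rule back in the same shape the wizard presents it.
    param([Parameter(Mandatory)][string]$Name)
    $rule = Get-NetFirewallRule -DisplayName $Name
    $port = $rule | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Name       = $rule.DisplayName
        Enabled    = $rule.Enabled
        Direction  = $rule.Direction
        Action     = $rule.Action
        Profile    = $rule.Profile
        Protocol   = $port.Protocol
        RemotePort = $port.RemotePort
    }
}

Set-BaselineFirewallProfiles
New-ManagedFirewallRule -Name 'Contoso - Block outbound SMB on public networks' `
    -Direction Outbound -Action Block -Protocol TCP -RemotePort 445 -NetProfile Public | Out-Null
Get-ManagedFirewallRule -Name 'Contoso - Block outbound SMB on public networks'
```

Blocking outbound TCP 445 on the public profile stops a laptop on hotel or café Wi-Fi from sending SMB authentication to untrusted hosts, while leaving file sharing untouched on domain and private networks; the same rule expressed in the Intune wizard uses identical values in each field.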

Sign apps – Manage, maintain, and protect devices

To enable Microsoft Defender Application Control in your organization, you must digitally sign all the trusted apps that you want to allow to run on your devices. You can do this in a number of ways, as listed below:

  • Publish your apps by using the Microsoft Store: All apps in the Microsoft Store are automatically signed with signatures from a trusted certificate authority (CA).
  • Use your own digital certificate or public key infrastructure (PKI): You can sign the apps by using a certificate issued by a CA in your own PKI.
  • Use a non-Microsoft CA: You can use a trusted non-Microsoft CA to sign your own desktop Windows apps.
  • Use the Microsoft Defender Application Control signing portal: In Microsoft Store for Business, you can use a Microsoft web service to sign your desktop Windows apps.
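For the second option, signing with a certificate from your own PKI, the mechanics are the same whatever the app: an Authenticode signature is applied with a code-signing certificate and verified against the machine’s trust store. The following is an added example, not code from the book: it signs a file with a code-signing certificate and verifies the result. It assumes a self-signed certificate as a stand-in for one issued by your enterprise CA (which is why verification reports an untrusted chain rather than Valid until that root is trusted), and the signed file is a constructed sample script.

```powershell
# Added example (not from the book): sign a file with a code-signing certificate and verify
# the Authenticode signature. The self-signed certificate stands in for an enterprise CA-issued one.

function New-LabCodeSigningCert {
    # Constructed stand-in for an enterprise CA certificate (lab use only); stored in the user store.
    New-SelfSignedCertificate -Type CodeSigningCert -Subject 'CN=Contoso Lab Code Signing' `
        -CertStoreLocation Cert:\CurrentUser\My -HashAlgorithm SHA256 -NotAfter (Get-Date).AddYears(1)
}

function Add-AppSignature {
    param(
        [Parameter(Mandatory)][string]$FilePath,
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$TimestampServer   # optional RFC 3161 server; timestamped signatures outlive the certificate
    )
    $params = @{ FilePath = $FilePath; Certificate = $Certificate; HashAlgorithm = 'SHA256' }
    if ($TimestampServer) { $params.TimestampServer = $TimestampServer }
    Set-AuthenticodeSignature @params
}

function Test-AppSignature {
    # Status: Valid, NotSigned, HashMismatch (file changed after signing), UnknownError (chain not trusted).
    param([Parameter(Mandatory)][string]$FilePath)
    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    [pscustomobject]@{
        File       = $FilePath
        Status     = $sig.Status
        Signer     = $sig.SignerCertificate.Subject
        Thumbprint = $sig.SignerCertificate.Thumbprint
    }
}

$cert = New-LabCodeSigningCert
$app  = Join-Path $env:TEMP 'ContosoTool.ps1'          # constructed sample file to sign
Set-Content -Path $app -Value 'Write-Output "Contoso tool"'
Add-AppSignature -FilePath $app -Certificate $cert | Out-Null
Test-AppSignature -FilePath $app
```

With a certificate chained to a CA in the enterprise trust store, Status becomes Valid, and the signer’s thumbprint is what a Publisher-level Application Control rule keys on; a HashMismatch after deployment means the binary was altered after signing and should be treated as an incident, not re-signed.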

Create a Default Microsoft Defender Application Control Policy

To create a default policy, create a virus- and malware-free reference computer that contains the set of apps your users require to run. You might need to create several reference computers, each representing a typical device configuration within your organization. For example, you create a standard device for the research department, and perhaps you create a kiosk-type device for use in the library.

Having created the reference computer, sign in and then complete the following procedure:

  1. Open an elevated Windows PowerShell command prompt.
  2. Create the required variables for the process by running the following three commands:
    $CIPolicyPath=$env:userprofile+"\Desktop\"
    $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"
    $CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"
  3. Scan the system for installed apps using the New-CIPolicy cmdlet:
    New-CIPolicy -Level PcaCertificate -FilePath $InitialCIPolicy -UserPEs 3> CIPolicyLog.txt
  4. Convert the WDAC policy to a binary format (for import) using the ConvertFrom-CIPolicy cmdlet:
    ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin
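The policy produced by the three steps above contains the rule options described earlier (audit mode, user-mode code integrity, trust level), and those options are set on the XML before it is converted. The following is an added example, not code from the book, continuing from those steps: it builds the scan at Publisher level with a hash fallback, turns on UMCI and audit mode, converts the policy, copies it to the SIPolicy.p7b location the section names, and then reads the Code Integrity audit events so you can see what an enforced policy would block. It assumes an elevated prompt on the reference computer; the Set-RuleOption option numbers are the ConfigCI module’s documented indexes, and the event IDs (3076 audited, 3077 blocked) are the documented Code Integrity Operational log events.

```powershell
# Added example (not from the book): build a WDAC policy in audit mode, deploy it locally, and
# review what it would have blocked. Run from an elevated prompt on the reference computer.

$CIPolicyPath    = Join-Path $env:USERPROFILE 'Desktop'
$InitialCIPolicy = Join-Path $CIPolicyPath 'InitialScan.xml'
$CIPolicyBin     = Join-Path $CIPolicyPath 'DeviceGuardPolicy.bin'

function New-AuditModeCIPolicy {
    # Publisher level trusts apps by their signer; unsigned binaries fall back to a per-file hash.
    New-CIPolicy -Level Publisher -Fallback Hash -FilePath $InitialCIPolicy -UserPEs `
        3> (Join-Path $CIPolicyPath 'CIPolicyLog.txt')
    # Set-RuleOption indexes: 0 = Enabled:UMCI, 3 = Enabled:Audit Mode,
    # 6 = Enabled:Unsigned System Integrity Policy (needed until the policy itself is signed),
    # 14 = Enabled:Intelligent Security Graph Authorization ("Trust apps with good reputation" in Intune).
    foreach ($opt in 0, 3, 6, 14) { Set-RuleOption -FilePath $InitialCIPolicy -Option $opt }
    ConvertFrom-CIPolicy -XmlFilePath $InitialCIPolicy -BinaryFilePath $CIPolicyBin
}

function Install-CIPolicyLocally {
    # Single-policy file location the section describes; the policy takes effect after a restart.
    $target = 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'
    Copy-Item -Path $CIPolicyBin -Destination $target -Force
    Get-Item $target | Select-Object FullName, Length, LastWriteTime
}

function Get-CIPolicyAuditEvents {
    # 3076 = would have been blocked (audit mode), 3077 = blocked (enforced).
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076, 3077
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

New-AuditModeCIPolicy
Install-CIPolicyLocally
Get-CIPolicyAuditEvents | Format-List TimeCreated, Id, Message
```

Leave the device in audit mode long enough to capture a normal working cycle; every 3076 event names a binary that the policy does not cover, and each one is either added to the policy (Merge-CIPolicy against a supplemental scan) or accepted as something that should be blocked before option 3 is removed with Set-RuleOption -Delete and the policy is enforced.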

Enable Microsoft Defender Application Control

After creating the default WDAC policy, you can configure the settings with GPOs or Microsoft Intune. To use Intune, use the following procedure:

  1. Open Microsoft Intune admin center.
  2. Navigate to Devices and then select Windows.
  3. Click Configuration profiles.
  4. Click Create profile.
  5. On the Create a profile page, select Windows 10 and later and then select Templates.
  6. In the list of templates, select Endpoint protection and click Create.
  7. Enter a Name and Description on the Basics tab, and then, on the Configuration settings page, expand Microsoft Defender Application Control.
  8. In the Application control code integrity policies list, select Enforce or Audit only as appropriate.
  9. Then in the Trust apps with good reputation list, select Enable. Click Next.
  10. Configure scope tags and assignments as necessary, and then Create the profile.

Need More Review? Planning and Getting Started on the Microsoft Defender Application Control Deployment Process

To review further details about deploying Microsoft Defender Application Control, refer to the Microsoft website at https://learn.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.

Implementing Microsoft Defender Exploit Guard – Manage, maintain, and protect devices

Having learned about each of the elements of Exploit Guard, it’s important that you know how to enable and configure these settings in Intune. Use the following procedure:

  1. Open Microsoft Intune admin center.
  2. Navigate to Devices and then select Windows.
  3. Click Configuration profiles.
  4. Click Create profile.
  5. On the Create a profile page, select Windows 10 and later and then select Templates.
  6. In the list of templates, select Endpoint protection and click Create.
  7. Enter a Name and Description on the Basics tab, and then, on the Configuration settings page, expand Microsoft Defender Exploit Guard.
  8. As shown in Figure 3-57, configure the required settings in the following folders:
    • Attack Surface Reduction Select the desired protections.
    • Controlled folder access Enable the setting and define apps and folders.
    • Network filtering Enable the setting or enable in Audit mode.
    • Exploit protection Browse and locate a previously created XML file that contains exploit settings you exported from the Windows Security app on a properly configured device.

FIGURE 3-57 Configuring Exploit Guard settings

  9. Click Next, configure scope tags and assignments as necessary, and then Create the profile.

Implement Microsoft Defender Application Guard

Microsoft Defender Application Guard isolates browser sessions from the local device by running those sessions in a virtual machine environment; this helps prevent malicious apps or content from accessing the local device.

Requirements

The requirements for Microsoft Defender Application Guard are as follows:

  • 64-bit version of Windows 11 Enterprise, Education, or Professional.
  • 8 GB of physical memory is recommended.
  • Support for Virtualization-based security.
  • Secure Boot.
  • Virtualization features: Intel VT-x or AMD-V; SLAT must be enabled.
  • An Intel VT-d or AMD-Vi input-output memory management unit.
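The requirements above can be checked on a device before a user tries the standalone mode described earlier, and the feature itself is a Windows optional feature that can be enabled from PowerShell. The following is an added example, not code from the book: it evaluates the architecture, memory, Secure Boot, virtualization-based security support, and IOMMU requirements, then enables Application Guard for standalone use. It assumes an elevated prompt on Windows 11; the AvailableSecurityProperties codes in the comments are the documented Win32_DeviceGuard values.

```powershell
# Added example (not from the book): check the Application Guard requirements and enable the
# feature for standalone mode. Run from an elevated prompt; a restart is required afterwards.

function Test-ApplicationGuardRequirements {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $secureBoot = $(try { Confirm-SecureBootUEFI } catch { $false })   # throws on legacy BIOS firmware
    # AvailableSecurityProperties: 1 = base virtualization support, 2 = Secure Boot, 3 = DMA protection (IOMMU)
    [pscustomobject]@{
        Edition      = $os.Caption                       # Enterprise, Education, or Pro required
        Is64Bit      = $os.OSArchitecture -like '64*'
        MemoryGB     = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
        MemoryOk     = $cs.TotalPhysicalMemory -ge 8GB   # 8 GB is the recommendation, not a hard block
        SecureBoot   = $secureBoot
        VbsSupported = [bool]($dg.AvailableSecurityProperties -contains 1)
        IommuPresent = [bool]($dg.AvailableSecurityProperties -contains 3)
    }
}

function Enable-ApplicationGuardStandalone {
    # Standalone mode needs only the optional feature; Enterprise-managed settings come from policy.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard
    if ($feature.State -eq 'Enabled') { return $feature }
    Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -NoRestart
}

$check = Test-ApplicationGuardRequirements
$check
if ($check.Is64Bit -and $check.SecureBoot -and $check.VbsSupported -and $check.IommuPresent) {
    Enable-ApplicationGuardStandalone | Select-Object FeatureName, State, RestartNeeded
}
```

After the restart, the New Application Guard window entry appears in the Microsoft Edge menu as shown in Figure 3-59; if the entry is missing, re-run the requirements check, since a missing IOMMU or disabled Secure Boot is the usual cause.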

Manage Android updates by using configuration profiles – Manage, maintain, and protect devices

You can also use Intune to exert a degree of control over Android Enterprise updates. This only applies to devices with Android using the fully managed, dedicated, and corporate-owned work profile. Rather than using specific update rings like you would do with Windows, iOS, and macOS, Android updates are managed through a device configuration profile.

To create a profile that includes the update settings, use the following procedure:

  1. Open Microsoft Intune admin center.
  2. Select Devices and then select Android.
  3. On the Android | Overview page, click Configuration profiles.
  4. Click Create profile.
  5. On the Create a profile page, select Android Enterprise and then select Device restrictions under the Fully managed, Dedicated, and Corporate-Owned Work Profile heading.
  6. Click Create.
  7. On the Basics tab, enter a Name and Description and click Next.
  8. On the Configuration settings page, shown in Figure 3-51, expand General and then click System update. This setting ensures that when over-the-air updates are available for targeted devices, those updates are installed based on this policy. Choose between Device Default, Automatic, Postponed, and Maintenance window.

FIGURE 3-51 Using a device restrictions profile to configure Android updates

  9. The option you select determines which other settings you must configure. For example, selecting Automatic requires no other settings.
  10. Complete the wizard by configuring Scope tags and Assignments, and then create the profile.

It’s important to realize that the application of updates depends on the hardware vendor of your users’ Android devices releasing those updates.

Monitor updates

Using the Intune admin center, you can review the current status of updates and monitor the application of those updates using the configured update rings. For Windows, use the following procedure:

  1. Open Microsoft Intune admin center.
  2. Navigate to Devices | Windows and then choose Update rings for Windows 10 and later.
  3. Select the appropriate update ring. You can now review the application of updates on the Overview tab. Select the Device status tab for details about specific device updates.

You can also use the Intune reporting node:

  1. In the Microsoft Intune admin center, select Reports and then select Windows updates.
  2. Click Refresh to generate reports.

From this page, you can review the following:

  • Windows Feature updates:
    • In progress
    • Success
    • Error
    • Rollback initiated
    • Canceled
    • On hold
    • Total
  • Windows Expedited Quality updates:
    • In progress
    • Success
    • Error
    • Canceled
    • Total