James Agombar

MS Defender for Endpoint Policy Tips #01 - Beware of this policy!



So you're rolling out Defender for Endpoint and you're really getting stuck into the more complex policies under the hood with the Attack Surface Reduction rules. But there is one specific policy that needs to come with a warning.


Application Control


Why on earth Microsoft hasn't added a warning note to this policy about forced reboots is beyond me. For anyone new to Defender for Endpoint who uses Intune to manage policies, you're in for a shock: every PC you apply your new policy to gets a pop-up saying the device is going to reboot within the next 10 minutes (whether you like it or not).


What's even weirder is that apparently Endpoint Configuration Manager doesn't do that, so what's going on?


Apparently it's by design, albeit a bad one. The built-in Intune profile pushes its Windows Defender Application Control (WDAC) policy through the AppLocker CSP, and a code integrity policy applied that way only takes effect after a restart, so the CSP schedules one. The newer ApplicationControl CSP (Windows 10 1903 and later, reachable from Intune via a custom OMA-URI profile) can apply a policy without a reboot, but the built-in Application control profile described below doesn't use it.


So what does Application Control do and should I use it?


Windows Defender Application Control is designed to protect devices against malware and other untrusted software. It prevents malicious code from running by ensuring that only approved code, that you know, can be run.


Application Control is a software-based security layer that enforces an explicit list of software that is allowed to run on a PC. On its own, Application Control doesn't have any hardware or firmware prerequisites. Application Control policies deployed with Configuration Manager enable a policy on devices in targeted collections that meet the minimum Windows version and SKU requirements outlined in this article. Optionally, hypervisor-based protection of Application Control policies deployed through Configuration Manager can be enabled through group policy on capable hardware.


Application Control lets you strongly control what can run on devices you manage. This feature can be useful for devices in high-security departments, where it's vital that unwanted software can't run.


When you deploy a policy, typically, the following executables can run:

  • Windows OS components

  • Hardware Dev Center drivers with Windows Hardware Quality Labs signatures

  • Windows Store apps

  • The Configuration Manager client

  • All software deployed through Configuration Manager that devices install after they process the Application Control policy

  • Updates to built-in Windows components from:

    • Windows Update

    • Windows Update for Business

    • Windows Server Update Services

    • Configuration Manager

  • Optionally, software with a good reputation as determined by the Microsoft Intelligent Security Graph (ISG). The ISG includes Windows Defender SmartScreen and other Microsoft services. The device must be running Windows Defender SmartScreen and Windows 10 version 1709 or later for this software to be trusted.


Source: Microsoft


So in simple terms, yes, you should absolutely use it, but with caution: in enforce mode anything that isn't on the allow list stops running, including line-of-business apps nobody remembered to sign or deploy through Configuration Manager.


How do I Configure it?


For this example I'm going to use Microsoft Intune (note I have preview features enabled, so my screenshots might look different to some people's consoles).


In the menu, go to Endpoint Security > Attack Surface Reduction

  • Click New Policy

  • Select Windows 10 and later from the Platform drop down

  • Select Application control from the Profile drop down

  • Click Create


Give the new policy a suitable name and click Next.

Now we're going to configure the policy settings.


Click the App locker application control drop-down menu and you'll see a list of options:


Not Configured:

Intune doesn't apply a WDAC policy, so all apps are allowed to run (unless some other policy restricts them).


Enforce Components and Store Apps:

Only Windows OS components are allowed to run, including drivers and Windows Store apps, the Configuration Manager client, all software deployed through Configuration Manager, and updates to built-in Windows components from Windows Update, Windows Update for Business and Windows Server Update Services. Anything else is blocked.


Audit Components and Store Apps:

Same allow list as above, but nothing is blocked. The use of any untrusted application is logged instead.


Enforce Components, Store Apps, and Smartlocker:

Only allows the list above plus software with a good reputation as determined by the Microsoft Intelligent Security Graph (the "Smartlocker" part). Everything else is blocked.


Audit Components, Store Apps, and Smartlocker:

Same allow list as above (OS components, Store apps, Configuration Manager client and deployments, Windows updates, and ISG-reputable software), but nothing is blocked. The use of any untrusted application is logged instead.



For test purposes I recommend setting the policy to "Audit Components, Store Apps, and Smartlocker". Audit mode logs every binary that would have been blocked without actually blocking it, which gives you the inventory of unsigned or unexpected software you need to deal with before you switch to Enforce.


Leave "Block users from ignoring SmartScreen warnings" as Not Configured and set "Turn on Windows SmartScreen" to Yes. SmartScreen needs to be on because the ISG reputation lookups that the Smartlocker options depend on go through it.


Click Next, then Next.


Select which groups you want to apply the new policy to. In my example below I've assigned it to my Windows 10 and Windows 11 groups, then click Next.



At the following page, click Review+Create.



Congratulations! Now go test your new policy, but be prepared for your test devices to get that annoying 10 minute forced reboot.
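Before trusting the Intune console, it's worth confirming on a test device that the policy actually landed and is in the mode you think it is. The script below is an added example (not from the original post): it reads the code integrity state that Windows exposes through the Win32_DeviceGuard WMI class, where 0 = Off, 1 = Audit and 2 = Enforced, and checks the standard policy file locations. The policy file paths and the meaning of the status codes are taken from Windows itself; the function name and the output layout are this example's own.

```powershell
# Added example, not part of the original post. Run in an elevated PowerShell
# session on the test endpoint after it has done its forced reboot.

function Get-WdacEnforcementState {
    # Win32_DeviceGuard reports the code-integrity policy state for kernel mode and
    # user mode separately: 0 = Off, 1 = Audit, 2 = Enforced.
    $modeNames = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # Single-policy format lives in SIPolicy.p7b; multiple-policy format uses CiPolicies\Active\*.cip.
    $ciRoot = Join-Path $env:SystemRoot 'System32\CodeIntegrity'

    [pscustomobject]@{
        KernelModePolicy  = $modeNames[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        UserModePolicy    = $modeNames[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
        SinglePolicyFile  = Test-Path (Join-Path $ciRoot 'SIPolicy.p7b')
        ActivePolicyFiles = @(Get-ChildItem (Join-Path $ciRoot 'CiPolicies\Active') -Filter '*.cip' -ErrorAction SilentlyContinue).Count
        LastBoot          = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
    }
}

$state = Get-WdacEnforcementState
$state | Format-List

# What you should see for the recommended test setting is UserModePolicy = Audit.
switch ($state.UserModePolicy) {
    'Audit'    { Write-Host 'Audit mode: untrusted apps still run but are logged in Microsoft-Windows-CodeIntegrity/Operational.' }
    'Enforced' { Write-Warning 'Enforced mode: anything outside the allow list is blocked. Make sure this was intended.' }
    default    { Write-Warning 'No user-mode code integrity policy is active: Intune may not have synced yet, or the device has not rebooted.' }
}
```

If LastBoot is earlier than the time the policy was assigned, the device has not taken its reboot yet and the status will still read Off; that is the quickest way to tell "policy not applied" from "policy applied but in audit".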


Checking Logs for any Issues


Intune has built-in capabilities to report on any issues that may arise from your chosen Application Control policy.


In the Intune console, go to Apps > Monitor and select the appropriate option. In my example below there are thankfully no issues showing, but that's really down to me testing on a lightweight OS build.


I recommend keeping an eye on these status options throughout testing and when you move things into production to see if there are any underlying issues worth noting.
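The Intune monitor view tells you whether the policy deployed, not what it would have blocked. For that you need the endpoint's own event logs: in audit mode WDAC writes event 3076 to Microsoft-Windows-CodeIntegrity/Operational for every binary that would have been blocked (3077 is the enforced-mode block), and the Microsoft-Windows-AppLocker/MSI and Script log carries the equivalent 8028 (audit) and 8029 (block) events for scripts and installers. The script below is an added example (not from the original post) that collects those events from a test device and groups them by file, so a noisy app shows up once with a count. The event field names it reads ("File Name", "Process Name" and "PolicyName" for CodeIntegrity events, "FilePath" for AppLocker events) are assumed from the event schemas; the function and parameter names are this example's own.

```powershell
# Added example, not part of the original post. Run on the endpoint (elevated)
# after the device has been in audit mode for long enough to see normal use.

function Get-WdacAuditEvent {
    param(
        [int]$Days = 7,
        [switch]$IncludeBlocks   # also return enforced-mode blocks (3077 / 8029)
    )
    $since = (Get-Date).AddDays(-$Days)
    $filters = @(
        @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
           Id = $(if ($IncludeBlocks) { 3076, 3077 } else { 3076 }); StartTime = $since },
        @{ LogName = 'Microsoft-Windows-AppLocker/MSI and Script'
           Id = $(if ($IncludeBlocks) { 8028, 8029 } else { 8028 }); StartTime = $since }
    )

    foreach ($f in $filters) {
        # -ErrorAction SilentlyContinue: an empty log is normal on a clean build, not an error.
        foreach ($e in (Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue)) {
            # Read named fields from the event XML rather than parsing the localized message text.
            $xml  = [xml]$e.ToXml()
            $data = @{}
            if ($xml.Event.EventData) {
                # CodeIntegrity events: <EventData><Data Name="File Name">...</Data>
                foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            } elseif ($xml.Event.UserData) {
                # AppLocker events: <UserData><RuleAndFileData><FilePath>...</FilePath>...
                foreach ($n in $xml.Event.UserData.FirstChild.ChildNodes) { $data[$n.LocalName] = $n.InnerText }
            }

            # Field names assumed from the CodeIntegrity / AppLocker event schemas.
            $file = if ($data['File Name']) { $data['File Name'] } else { $data['FilePath'] }
            $mode = if ($e.Id -in 3076, 8028) { 'Audit' } else { 'Block' }

            # Device paths (\Device\HarddiskVolumeN\...) are reported as-is rather than
            # guessed into drive letters.
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Id      = $e.Id
                Mode    = $mode
                File    = $file
                Process = $data['Process Name']
                Policy  = $data['PolicyName']
            }
        }
    }
}

# One row per file with a hit count and first-seen time: this is the list you have
# to sign, repackage through Configuration Manager, or otherwise deal with before
# you flip the policy from Audit to Enforce.
Get-WdacAuditEvent -Days 14 |
    Group-Object File |
    Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'FirstSeen'; e = { ($_.Group | Measure-Object Time -Minimum).Minimum } } |
    Format-Table -AutoSize
```

On a lightweight test build you will probably get nothing back, which is exactly the author's point above; the value of the script shows up when you run it on a device with your real line-of-business software installed. Run it across the pilot group before changing the drop-down to an Enforce option, because every row it returns is something that will stop working the moment you do.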



Conclusion


Well, I hope this has been of use to some of you out there, and that it saves you some time and frustration in working out how to use Application Control policies effectively. Please leave a comment below if you have any feedback or questions.

