top of page
  • Writer's pictureJames Agombar

MS Defender for Endpoint Policy Tips #01 - Beware of this policy!



So you're rolling out Defender for Endpoint and you're really getting stuck in to the more complex policies under the hood with the Attack Surface Reduction rules. But there is one specific policy that needs to come with a warning....


Application Control


Why on earth Microsoft haven't added a warning note to this policy about forced reboots is beyond me. For anyone new to Defender for Endpoint and uses Intune to manage your policies, you're in for a shocker. Specifically when every PC you apply your new policy to get's a message pop up that your device is going to reboot within the next minutes (whether you like it or not).

What's even weirder is apparently Endpoint Configuration Manager doesn't do that, so what's going on??


Apparently it's by design, albeit a bad one.


So what does Application Control do and should I use it?


Windows Defender Application Control is designed to protect devices against malware and other untrusted software. It prevents malicious code from running by ensuring that only approved code, that you know, can be run.


Application Control is a software-based security layer that enforces an explicit list of software that is allowed to run on a PC. On its own, Application Control doesn't have any hardware or firmware prerequisites. Application Control policies deployed with Configuration Manager enable a policy on devices in targeted collections that meet the minimum Windows version and SKU requirements outlined in this article. Optionally, hypervisor-based protection of Application Control policies deployed through Configuration Manager can be enabled through group policy on capable hardware.


Application Control lets you strongly control what can run on devices you manage. This feature can be useful for devices in high-security departments, where it's vital that unwanted software can't run.


When you deploy a policy, typically, the following executables can run:

  • Windows OS components

  • Hardware Dev Center drivers with Windows Hardware Quality Labs signatures

  • Windows Store apps

  • The Configuration Manager client

  • All software deployed through Configuration Manager that devices install after they process the Application Control policy

  • Updates to built-in Windows components from:

    • Windows Update

    • Windows Update for Business

    • Windows Server Update Services

    • Configuration Manager

    • Optionally, software with a good reputation as determined by the Microsoft Intelligent Security Graph (ISG). The ISG includes Windows Defender SmartScreen and other Microsoft services. The device must be running Windows Defender SmartScreen and Windows 10 version 1709 or later for this software to be trusted.


Source: Microsoft


So in simple terms, yes you should absolutely use it, but with caution.


How do I Configure it?


For this example I'm going to use Microsoft Intune (note I have preview features enabled, so my screenshots might look different to some people's consoles).


In the menu, go to Endpoint Security > Attack Surface Reduction

  • Click New Policy

  • Select Windows 10 and later from the Platform drop down

  • Select Application control from the Profile drop down

  • Click Create


Give the new policy a suitable name and click Next.

Now we're going to configure the policy settings.


Click the App locker application control drop down menu and you'll see a list of options;


Not Configured:

All apps are allowed to run


Enforce Components and Store Apps:

Windows OS components are allowed to run, including drivers and Windows Store apps, the configuration manager client, and all software deployed through Configuration Manager, such as updates to built-in Windows Components from Windows Update, Windows Update for Business and Windows Server Update Services.


Audit Components and Store Apps

Windows OS components are allowed to run, including drivers and Windows Store apps, the configuration manager client, and all software deployed through Configuration Manager, such as updates to built-in Windows Components from Windows Update, Windows Update for Business and Windows Server Update Services. The use of any untrusted applications will be audited.


Enforce Components, Store Apps, and Smartlocker

Only allows Windows OS components to run, including drivers, Windows Store apps, the configuration manager client, all software deployed through Configuration Manager, Updates to built-in Windows Components from Windows Update, Windows Update for Business, Windows Server Update Services, Configuration Manager, Software with a good reputation determined by the Microsoft Intelligence Graph.


Audit Components, Store Apps, and Smartlocker

All Windows OS components are allowed to run, including drivers, Windows Store apps, the configuration manager client, all software deployed through Configuration Manager, Updates to built-in Windows Components from Windows Update, Windows Update for Business, Windows Server Update Services, Configuration Manager, Software with a good reputation determined by the Microsoft Intelligence Graph. The use of any untrusted applications will be audited.



For test purposes I recommend setting the policy to "Audit Components, Store Apps, and Smartlocker".


Leave "Block users from ignoring SmartScreen warnings" as Not Configured and set "Turn on Windows SmartScreen" to Yes.


Click Next, then Next.


Select which groups you want to apply the new policy to. In my example below I've assigned it to my Windows 10 and Windows 11 groups, then click Next.



At the following page, click Review+Create.



Congratulations! Now go test your new policy, but be prepared for your test devices to get that annoying 10 minute forced reboot.


Checking Logs for any Issues


Intune has built in capabilities to report on any issues that may arise from your chosen Application Control policy.


In the Intune console, go to Apps > Monitor and select the appropriate option. In my example below there are thankfully no issues showing, but that's really down to me testing on a lightweight OS build.


I recommend keeping an eye on these status options throughout testing and when you move things in to production to see if there are any underlying issues worth noting.



Conclusion


Well I hope this has been of use to some of you out there, and it saves some time / frustration from working out how to use Application Control policies effectively. Please leave a comment below if you have any feedback or questions.


510 views0 comments

Comments


bottom of page