Enable Windows Defender Application Control with Microsoft Intune

  • Published on 25 Jun 2023
  • Microsoft have just made it easier to get started with Windows Defender App Control, the next iteration of AppLocker.
    I’m a big fan of WDAC - it’s one of the most effective security controls to prevent ransomware attacks, as it ensures only approved apps can be run on devices.
    In this video we walk through how WDAC can be implemented directly from Microsoft Intune's Endpoint Security blade.
  • Science & Technology

Comments • 24

  • @andrewmccallum5699 a year ago +3

    Thanks Dean, WDAC is a complex & tricky area to work on, appreciate you going through the changes (it's very much a tough nut to crack) top effort!

  • @ifmclaren 11 months ago +2

    Thanks for this. I enabled IME as the managed installer in our tenant last night (previously there's been no managed installer configured), and today I'm seeing roughly 50/50 successful and failed assignments. I'm hoping the failed ones will fix themselves in due course.

  • @pocketman5510 6 months ago +3

    What's the difference between this, and a device configuration profile > endpoint security template? Do I need to configure it this way first?

  • @Nobody_Cares_In_Brazil a year ago +1

    Thanks for sharing 👍

  • @HenkStoop 3 hours ago

    Hi! You are talking about security risks of deploying the managed installer of Intune, which allows apps from Intune. What are those security risks?

  • @markp8564 9 months ago +3

    Awesome content. Is there any other way to see audit events without using local or advanced threat hunting? I can't see where they are reported in Intune/Defender.

  • @alanrahal7306 10 months ago +1

    You are awesome, Thanks

  • @DanL57 3 months ago

    I also installed WDAC with the signed and reputable mode using the wizard. If the settings button is clicked on the wizard the Microsoft recommended block rules can be added to the policy.

  • @jujigatame4800 27 days ago

    Thanks for the video. Can you advise where to view the reports when configured in audit mode?

  • @Artakra2008 2 months ago

    Thanks Dean.
    Question. If we want to also look at implementing Endpoint Privilege Management, is there a way to integrate this with WDAC, so that for example certain departments that require a specialised application use, we would be able to set up an EPM rule allowing them to run their specialised programs as evaluated users, that would then bypass the block policy? Or allow them to run the application.
    Trying to avoid having an exclude list on our company's universal block policy in WDAC, but come up with a solution to allow departments to run their specialised software without throwing it on the allowed XML list so that any user can run the software.

    • @DeanEllerbyMVP 2 months ago

      You're welcome.
      No, that's not possible - yet.
      I have no firm information on this, but the interface and structure they've used for EPM would work very well for a future version of WDAC. I'm guessing, but that's what I'd be looking for in the next year or so!

  • @Hichken 9 months ago +1

    Hi, can you talk about Defender App Guard?

  • @RobertCollinson-rt7lc a year ago +1

    I like that you can deploy the XML with Intune to give more of a centralised deployment, but I can't say I'm a fan of having to use an XML really. It would be nice to add the rules directly into Intune like you can with ASR rules. What's the cleanest way of keeping on top of your XML files?

    • @DeanEllerbyMVP a year ago

      I agree, it's not perfect but it's good to see some investment being made in WDAC.
      As for managing XML, that's usually decided on a case-by-case basis. I work with many customers who all have their own repositories or preferences when it comes to maintaining consistent code.

  • @premiumtube4281 a month ago

    Thanks for the vid Dean. I want to enable WDAC in audit mode, where are the logs stored?

    • @DeanEllerbyMVP a month ago

      You’re welcome. The logs are stored in the Event Log on each client. Application and Services > Microsoft > Windows > CodeIntegrity > Operational
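
      Added example, not part of the reply above or of the video: one way to read the audit events from that log on a client with PowerShell. Event ID 3076 is the audit-mode event and 3077 the enforced block; the `Data` field names (`File Name`, `Process Name`, `PolicyName`) are assumptions about the event payload and come back empty if a build names them differently.

```powershell
# Added example: summarise WDAC audit/block events from the local CodeIntegrity log.
# 3076 = audit mode (file would have been blocked), 3077 = enforced block.
$logName = 'Microsoft-Windows-CodeIntegrity/Operational'
$filter  = @{ LogName = $logName; Id = 3076, 3077 }

# -ErrorAction SilentlyContinue: Get-WinEvent raises an error when nothing matches.
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 500 -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Flatten <EventData><Data Name="...">value</Data> into a lookup table.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $data[$d.Name] = $d.'#text' }
    }

    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        Mode        = if ($e.Id -eq 3076) { 'Audit' } else { 'Enforced' }
        File        = $data['File Name']     # assumed field name
        Process     = $data['Process Name']  # assumed field name
        Policy      = $data['PolicyName']    # assumed field name
    }
}

# Most frequently flagged files first: the candidates to review before
# moving the policy from audit to enforcement.
$rows |
    Group-Object File, Mode |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```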

  • @ToTCaMbIu 5 months ago

    Great explanation! Any idea how one configures WDAC to be able to override it with a local admin account? e.g. install one single application for a single machine. Similar to what is possible with AppLocker.

    • @DeanEllerbyMVP 5 months ago

      Sure - WDAC was designed as an 'addon' to AppLocker to solve the workaround where an Admin could override the protections, so no - there doesn't appear to be that option in WDAC.

  • @gauravmohanty1674 11 months ago +1

    I uploaded XML policy (created from WDAC wizard) and Company Portal as Managed Installer also success. Still apps installed from Company Portal are getting blocked. Any suggestions?

    • @DeanEllerbyMVP 11 months ago

      Only apps installed after the policy applied will be reported as installed by a managed installer. Does that help?

    • @hamzamir786 11 months ago

      @DeanEllerbyMVP I tried installing app after forcing the policy via Company Portal which was only made available (packaged) via Intune before policy was pushed. But it's still saying those are violating the Code integrity policy in audit mode. However, I have gone through and chose least possible controls when creating XML via WDAC wizard. I guess it's just because there may have some tricks and tips while using WDAC for (Multiple) creating Base and Supplemental policies to deploy via Intune.
      Have been following you and other online platforms to see if there's a brief tutorial on how to create correct XML via WDAC wizard or what to keep in mind when deploying App control policy via Application control in Endpoint Security. I am assuming I am just one step behind to make it successful. Thank you for your assistance like always.