Introduction
This blog post is part of a series. If you did not see the How I manage my device from Endpoint Manager – taste your own medicine – Part 1 of 4, you should go through that first.
In this blog post I will go through the security recommendations that MDATP suggested for my own device and show you, one by one, how each is implemented in Endpoint Manager, as we should know what the recommendations are and how to set them.
I started off with 57 security recommendations and this is my way towards 0 (or close to 0).
Prerequisites
– Microsoft Defender Advanced Threat Protection license – for more information read here
– Microsoft Endpoint Manager
Table of content
Security Recommendation 11 Block execution of potentially obfuscated scripts
Security Recommendation 12 Block executable files from running unless they meet a prevalence, age, or trusted list criterion
Security Recommendation 13 Block process creations originating from PSExec and WMI commands
Security Recommendation 14 Block persistence through WMI event subscription
Security Recommendation 15 Set Interactive logon: Machine inactivity limit to 1-900 seconds
Security Recommendation 16 Disable Enumerate administrator accounts on elevation
Security Recommendation 17 Set Minimum password length to 14 or more characters
Security Recommendation 18 Set Enforce password history to 24 or more password(s)
Security Recommendation 19 Set Minimum password age to 1 or more day(s)
Security Recommendation 20 Disable Microsoft Defender Firewall notifications when programs are blocked for Domain profile
Let’s make my device more secure
Fire up your Microsoft Edge browser (if you do not have that installed, now is the time).
Go to https://securitycenter.microsoft.com/
Choose Device inventory, select your device and see the Security Recommendations for your device.
Security Recommendation 11 Block execution of potentially obfuscated scripts
Go to https://endpoint.microsoft.com/ -> Endpoint security -> Attack surface reduction
Give it a friendly name
Assign it to your device and save it
Security Recommendation 12 Block executable files from running unless they meet a prevalence, age, or trusted list criterion
Go to https://endpoint.microsoft.com/ -> Endpoint security -> Attack surface reduction
Give it a friendly name
Assign it to your device and save it
Security Recommendation 13 Block process creations originating from PSExec and WMI commands
Go to https://endpoint.microsoft.com/ -> Endpoint security -> Attack surface reduction
Give it a friendly name
Assign it to your device and save it
Security Recommendation 14 Block persistence through WMI event subscription
This setting is not available at the given time.
It will be released very soon.
Use attack surface reduction rules to prevent malware infection – Windows security | Microsoft Docs
We will instead use OMA-URI to set this one.
Go to https://endpoint.microsoft.com/ -> Devices -> Windows -> Configuration Profiles
Friendly naming
If you already added ASR rules through Endpoint Security, those should not be overwritten by this OMA-URI policy, so on a device with ASR fully configured open the registry at
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\ASRRules and copy the content of that policy value.
Copy the values and paste them into Notepad.
Via this site, you can get the GUID from “Block persistence through WMI event subscription”
Use attack surface reduction rules to prevent malware infection – Windows security | Microsoft Docs
In my case I added this parameter
And the whole text goes into the value field of our OMA-URI
OMA-URI: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules
Value:
01443614-cd74-433a-b99e-2ecdc07bfc25=1|26190899-1602-49e8-8b27-eb1d0a1ce869=1|3b576869-a4ec-4529-8536-b80a7769e899=1|5beb7efe-fd9a-4556-801d-275e5ffc04cc=1|75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84=1|7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c=1|92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b=1|9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2=1|b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4=1|be9ba2d9-53ea-4cdc-84e5-9b1eeee46550=1|c1db55ab-c21a-4637-bb3f-a12568109d35=1|d1e49aac-8f56-4280-b9ba-993a6d77406c=1|d3e037e1-3eb8-44c8-a917-57927947596d=1|d4f940ab-401b-4efc-aadc-ad5f3c50688a=1|e6db77e5-3df2-4cf1-b95a-636979351e5b=1
DON’T forget to unassign your other Endpoint Security ASR Rules otherwise these policies will battle.
Save and assign to your device.
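As an added example (not part of the original post), this PowerShell script does the registry copy-and-merge step above on the device itself: it reads the ASRRules string that Endpoint Security already pushed, adds the WMI persistence rule GUID in block mode without dropping any existing rule, prints the resulting OMA-URI value, and afterwards checks what Defender actually enforces via Get-MpPreference. The registry path, OMA-URI and GUID are the ones from the post; the function names are my own.

```powershell
# Added example: merge the WMI-persistence ASR rule into the existing ASRRules policy string
# and verify the result with Get-MpPreference. Function names are hypothetical (not Microsoft's).

$AsrPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager'
$WmiPersistenceRule = 'e6db77e5-3df2-4cf1-b95a-636979351e5b'   # Block persistence through WMI event subscription

function ConvertFrom-AsrRuleString {
    # "guid=action|guid=action" -> ordered hashtable of guid -> action (1 = block, 2 = audit, 6 = warn)
    param([string]$RuleString)
    $rules = [ordered]@{}
    foreach ($pair in ($RuleString -split '\|' | Where-Object { $_ })) {
        $guid, $action = $pair -split '=', 2
        $rules[$guid.Trim().ToLower()] = $action.Trim()
    }
    return $rules
}

function ConvertTo-AsrRuleString {
    param([System.Collections.IDictionary]$Rules)
    return (($Rules.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '|')
}

# 1. Read what Endpoint Security already pushed to this device (empty if nothing is configured yet).
$existing = (Get-ItemProperty -Path $AsrPolicyKey -Name ASRRules -ErrorAction SilentlyContinue).ASRRules
$rules = ConvertFrom-AsrRuleString -RuleString ([string]$existing)

# 2. Add (or force) the WMI persistence rule in block mode, keeping every rule already present.
$rules[$WmiPersistenceRule] = '1'

# 3. This is the string that goes into the OMA-URI value field.
$omaUriValue = ConvertTo-AsrRuleString -Rules $rules
Write-Host 'OMA-URI: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules'
Write-Host "Value:   $omaUriValue"

# 4. After the profile has applied, compare against what Defender actually enforces.
$pref = Get-MpPreference
$applied = @{}
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $applied[$pref.AttackSurfaceReductionRules_Ids[$i].ToLower()] = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
}
foreach ($guid in $rules.Keys) {
    $state = if ($applied[$guid] -eq 1) { 'OK (block)' } else { "MISSING or not block (got '$($applied[$guid])')" }
    Write-Host "$guid : $state"
}
```

Run step 4 again after the device has synced; any rule reported as MISSING usually means the Endpoint Security ASR policy and the OMA-URI policy are still both assigned and fighting each other.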
Security Recommendation 15 Set Interactive logon: Machine inactivity limit to 1-900 seconds
Go to https://endpoint.microsoft.com/ -> Devices -> Windows -> Configuration Profiles
Edit W10-Security-EndpointProtection-Enabled-Device that we created earlier.
My device will lock automatically after 5 minutes. This could be much more aggressive, but I always lock my device when leaving it unattended, because you never know when my kids will try to get access to play Roblox.
Security Recommendation 16 Disable Enumerate administrator accounts on elevation
Go to https://endpoint.microsoft.com/ -> Devices -> Windows -> Configuration Profiles
Create Profile
Search for Enumerate administrator accounts on elevation
Disabled
Assign it to your device and save it.
Security Recommendation 17 Set Minimum password length to 14 or more characters
Go to https://endpoint.microsoft.com/ -> Devices -> Windows -> Configuration Profiles
Create Profile
Assign it to your device and save it.
(you should use Windows Hello for Business and get rid of the need to type your password)
This is what your registry should look like.
Security Recommendation 18 Set Enforce password history to 24 or more password(s)
Go to https://endpoint.microsoft.com/ -> Devices -> Windows -> Configuration Profiles
Edit Profile W10-ConfigProfiles-DeviceRestrictions-Enable
Save it.
This particular setting did not make the security recommendation disappear from MDATP, so I ended up creating an OMA-URI setting instead.
This is what your registry should look like.
Security Recommendation 19 Set Minimum password age to 1 or more day(s)
To my knowledge this is not a setting you can add through the GUI, so we will use OMA-URI to set this one.
Go to https://endpoint.microsoft.com/ -> Devices -> Windows -> Configuration Profiles
Friendly naming
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/DeviceLock/MinimumPasswordAge
Value: 1
Save and assign to your device.
This is what your registry should look like.
Security Recommendation 20 Disable Microsoft Defender Firewall notifications when programs are blocked for Domain profile
This is more of an end-user experience improvement than a security concern, but nice to have.
Go to https://endpoint.microsoft.com/ -> Endpoint security -> Firewall
Give it a friendly name
Turn on firewall for domain networks and disable inbound notifications
Assign to your device and create the policy.
To see the next 10 security recommendations go to part 3:
How I manage my device from Endpoint Manager – taste your own medicine – Part 3 of 4
Mattias Melkersen is a community driven and passionate modern workplace consultant with 20 years’ experience in automating software, driving adoption and technology change within the Enterprise. He lives in Denmark and works at Mindcore.
He is an Enterprise Mobility Intune MVP, Official Contributor in a LinkedIn group with 41.000 members and Microsoft 365 Enterprise Administrator Expert.
Mattias blogs, gives interviews and creates YouTube content on the channel "MSEndpointMgr", where he creates helpful content in the MEM area and interviews MVPs who showcase a certain technology or topic.
Official Contributor here "Modern Endpoint Management":
https://www.linkedin.com/groups/8761296/