Friday, November 27, 2020

How I manage my device from Endpoint Manager - taste your own medicine - Part 1 of 4

Introduction

Do you like managing devices? Do you like to keep them safe? Then read along in this blog post.

In our company we use Microsoft Defender for Endpoint (aka MDATP) to protect our devices at a deeper level. If you work with Microsoft technology and can use internet-based management, MDATP is definitely something you should look at. As I work mostly with devices, security has also been a major thing to take into consideration, especially since we all started working from home, where our internet traffic no longer passes through a company firewall and/or proxy.

In this blog post I will go through the security recommendations that MDATP suggested for my own device and show, one by one, how each is implemented in Endpoint Manager, as we should know what the recommendations are and how they are set.

I started off with 57 security recommendations, and this is my way towards 0 (or close to 0).

Prerequisites

- Microsoft Defender Advanced Threat Protection license – for more information read here

- Microsoft Endpoint Manager

Table of content

Security Recommendation 1 Update Git.
Security Recommendation 2 Update Microsoft Visual Studio Code.
Security Recommendation 3 Enable ‘Hide Option to Enable or Disable Updates’
Security Recommendation 4 Disable ‘Allow running plugins that are outdated’
Security Recommendation 5 Disable ‘Continue running background apps when Google Chrome is closed’
Security Recommendation 6 Enable EDR in block mode.
Security Recommendation 7 Set controlled folder access to enabled or audit mode.
Security Recommendation 8 Enable Local Security Authority (LSA) protection.
Security Recommendation 9 Set User Account Control (UAC) to automatically deny elevation requests.
Security Recommendation 10 Block JavaScript or VBScript from launching downloaded executable content

Let’s make my device more secure

Fire up your Microsoft Edge browser (if you do not have it installed, now is the time).

Go to https://securitycenter.microsoft.com/

Choose Device inventory and you will see a list of devices.

Currently, my device is at Risk level: Low and Exposure Level: Low. That is pretty good, but it could be better!

Security Recommendation 1 Update Git

Click on Update Git

If we Bing it, we get this page: CVE - CVE-2020-27955 (mitre.org)

It says this particular CVE allows Remote Code Execution. We do not like that! Let’s send a request to our desktop team to update the app (“Update Git”) and patch our device.

Unfortunately, the packager in our company is me, so I will do this manually, as we only have 10 devices to manage.

Go through the installation GUI. Done. 1 down 56 more to go!

Security Recommendation 2 Update Microsoft Visual Studio Code

Next on the list is Microsoft Visual Studio Code.

This one has 2 CVE reports, which indicates it is serious and needs to be updated.

Let’s see how we can create a ticket and send it to the Endpoint Manager team.

Open full recommendation

Remediation Options

On this page we add the info that needs to go to the endpoint management team, then press Submit.

Head over to https://endpoint.microsoft.com/

Go to Endpoint security -> Security tasks

As you can see, my ticket was created and the desktop team is now notified to create this update and deploy it.

It even gives the steps to go through. It could not be easier for the team to give me that update.

Security Recommendation 3 Enable ‘Hide Option to Enable or Disable Updates’

MDATP tells us what to do: option 1 is the legacy way using GPO, option 2 is modern management and option 3 is creating a script. Nice to have options!

We will head for option 2 and create a policy to implement this recommendation.

Go to Admin center https://endpoint.microsoft.com/

Devices -> Configuration profiles -> Create Profile

Press Create

Keep to a consistent naming standard.

Next

Search for “hide option to”

Set it to Enabled

Skip scope tags unless you have custom tags for RBAC.

I have created a special group for my “High Security devices”; assign the policy to this group.

Security Recommendation 4 and 5 Disable ‘Allow running plugins that are outdated’/ Disable ‘Continue running background apps when Google Chrome is closed’

These are recommendations for Google Chrome, but as I have moved to Edge and copied all my stuff over from Chrome, I would rather just uninstall Chrome instead of having yet another browser to patch.

Another approach would be to ingest the Chrome ADMX file. I am not going to cover that in this post.

Security Recommendation 6 Enable EDR in block mode

To enable EDR in block mode there are 2 steps: one is enabled in our ATP portal and the other in Endpoint Manager.

Read more about EDR here: Endpoint detection and response in block mode - Windows security | Microsoft Docs

Go to https://securitycenter.microsoft.com/ -> Settings -> Advanced features

Enable EDR in block mode

Go to https://endpoint.microsoft.com/ -> Endpoint security -> Antivirus

Create a policy and set up cloud-delivered protection.

Assign it to your device group and create it.

Security Recommendation 7 Set controlled folder access to enabled or audit mode

Go to https://endpoint.microsoft.com/ -> Endpoint security -> Attack surface reduction

Give it a friendly name

Set Enable folder protection to “Block disk modification”. (In a production environment you might want to start with “Audit disk modification”, to gather events for access that was or would have been blocked. Block mode can break stuff.)

Assign it to your device and save it

Security Recommendation 8 Enable Local Security Authority (LSA) protection

This setting currently has (to my knowledge) no UI in Endpoint Manager yet.

Therefore, we are forced to create a PowerShell script that adds the registry key mentioned in the recommendation.

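
Here is an added example of such a script, not the one from the original screenshot: it sets the documented LSA protection value (RunAsPPL under HKLM\SYSTEM\CurrentControlSet\Control\Lsa), reads it back, and uses the exit code so Endpoint Manager reports success or failure. It assumes it runs as SYSTEM, which is the default for Intune PowerShell scripts.

```powershell
# Added example (not the blog's own script): enable LSA protection (RunAsPPL) via Intune PowerShell script.
# Assumes the Intune Management Extension runs it as SYSTEM; HKLM\SYSTEM is not subject to WOW64 redirection,
# so it works in both 32-bit and 64-bit hosts. Exit 0 = success, exit 1 = failure (shown in the Intune script report).
$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'RunAsPPL'
$desired   = 1

try {
    $current = (Get-ItemProperty -Path $lsaKey -Name $valueName -ErrorAction SilentlyContinue).$valueName

    if ($current -eq $desired) {
        Write-Output "LSA protection already enabled ($valueName=$current); nothing to do."
        exit 0
    }

    # Set-ItemProperty creates the value when it is missing and overwrites it otherwise, so the script is idempotent.
    Set-ItemProperty -Path $lsaKey -Name $valueName -Value $desired -Type DWord -Force

    # Read back to confirm the write actually landed before reporting success.
    $verify = (Get-ItemProperty -Path $lsaKey -Name $valueName).$valueName
    if ($verify -ne $desired) {
        throw "Verification failed: $valueName is '$verify', expected $desired"
    }

    Write-Output "LSA protection enabled ($valueName=$desired). It takes effect after the next reboot."
    exit 0
}
catch {
    Write-Error "Failed to enable LSA protection: $($_.Exception.Message)"
    exit 1
}
```

The value only becomes active after a reboot, so MDATP will keep listing the recommendation until the device has restarted and reported in again.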

Save the script

Go to https://endpoint.microsoft.com/ -> Devices -> Windows -> PowerShell scripts

Add

Give it a friendly name

Add to a security group

Add –> done

Security Recommendation 9 Set User Account Control (UAC) to automatically deny elevation requests

Go to https://endpoint.microsoft.com/ -> Devices -> Windows -> Configuration Profiles

Edit W10-Security-EndpointProtection-Enabled-Device that we created earlier.

Go to the Local device security options

User account control

Review + save.

Security Recommendation 10 Block JavaScript or VBScript from launching downloaded executable content

Go to https://endpoint.microsoft.com/ -> Endpoint security -> Attack surface reduction

Give it a friendly name

Assign it to your device and save it
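
Once the policies from recommendations 7, 9 and 10 have applied, you can verify them on the device itself instead of waiting for the MDATP portal to refresh. The script below is an added example, not from the original post: it reads controlled folder access and the ASR rule state from Get-MpPreference and the UAC setting from the registry, using Microsoft's documented value names and ASR rule GUID; the function name and output layout are my own.

```powershell
# Added example (not from the blog): local audit of recommendations 7, 9 and 10 on a managed Windows 10 device.
# Run in an elevated PowerShell after the Intune policies have applied.

# Documented GUID of the ASR rule "Block JavaScript or VBScript from launching downloaded executable content".
$asrJsVbsRule = 'D3E037E1-3EB8-44C8-A917-57927947596D'

function Get-RecommendationState {
    $mp = Get-MpPreference

    # Rec 7: controlled folder access. 0 Disabled, 1 Block, 2 Audit,
    # 3 Block disk modification only, 4 Audit disk modification only.
    $cfa = switch ($mp.EnableControlledFolderAccess) {
        1 { 'Block' } 2 { 'Audit' } 3 { 'BlockDiskModification' } 4 { 'AuditDiskModification' }
        default { 'Disabled' }
    }

    # Rec 10: ASR rules. _Ids and _Actions are parallel arrays; action 0 Off, 1 Block, 2 Audit.
    $asr     = 'NotConfigured'
    $ids     = @($mp.AttackSurfaceReductionRules_Ids)
    $actions = @($mp.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $asrJsVbsRule) {
            $asr = switch ($actions[$i]) { 1 { 'Block' } 2 { 'Audit' } default { 'Off' } }
        }
    }

    # Rec 9: UAC behaviour for standard users; 0 = automatically deny elevation requests.
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac = (Get-ItemProperty -Path $uacKey -Name ConsentPromptBehaviorUser -ErrorAction SilentlyContinue).ConsentPromptBehaviorUser

    [pscustomobject]@{
        Rec7_ControlledFolderAccess  = $cfa
        Rec9_UacAutoDenyStandardUser = ($uac -eq 0)
        Rec10_AsrBlockJsVbsDownloads = $asr
    }
}

$state = Get-RecommendationState
$state | Format-List

# Warn for anything MDATP would still list as open (rec 7 accepts audit mode, so only 'Disabled' is a finding).
if ($state.Rec7_ControlledFolderAccess -eq 'Disabled') { Write-Warning 'Rec 7 open: controlled folder access is disabled' }
if (-not $state.Rec9_UacAutoDenyStandardUser) { Write-Warning 'Rec 9 open: UAC does not auto-deny elevation for standard users' }
if ($state.Rec10_AsrBlockJsVbsDownloads -ne 'Block') { Write-Warning "Rec 10 open: ASR rule state is '$($state.Rec10_AsrBlockJsVbsDownloads)'" }
```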

Stay tuned for the next MDATP security recommendations blogpost!

Friday, November 13, 2020

This collection cannot be made available to assign policies from Microsoft Endpoint Manager admin center

“This collection cannot be made available to assign policies from Microsoft Endpoint Manager admin center.”

Is that the message you are encountering while trying to make your collection available for MEMAC?

Then read along.

Go to Co-management and double-click CoMgmtSettingsProd.

Go to the Configure upload tab and verify the collection specified. If you are moving forward slowly and not uploading all your devices at once, this would be the typical configuration.

A reason for not uploading all devices could be a lack of RBAC implementation. If RBAC has not been configured or thought about, you should start doing that before granting access to the admin center (MEMAC).

The first collection to be uploaded should be the one specified in the upload tab of the co-management setup guide.

Limit your collection to the collection you started uploading first.

Like this.

At last, the message “This collection cannot be made available to assign policies from Microsoft Endpoint Manager admin center” will disappear and you are good to go!

Have some patience. The collection will be populated after some time.

Friday, November 6, 2020

Manage security policies directly from the cloud without co-management

Introduction

When you use the Configuration Manager tenant attach scenario, you can deploy endpoint security policies from Intune to devices you manage with Configuration Manager.

Prerequisites

  • Tenant attach
  • CMG (only if you need it to apply policies to internet based devices)
  • Configuration Manager current branch version 2006 or later, with in-console update Configuration Manager 2006 Hotfix (KB4578605)
  • Windows 10 and later (x86, x64, ARM64)
  • Microsoft Defender ATP tenant must be integrated with your Microsoft Endpoint Manager tenant (For Endpoint Detection and response)

Tenant attach and CMG can be configured by following this blog post by Lars Lohmann here.

Collection to assign policies

First, we need to create a collection and enable it to be reached from the cloud.

Assets and Compliance – right click

Create Device Collection

Give it a proper name – next

Let the collection be empty for starters. Click Next

OK

Next

Close

Go to properties on the newly created collection

Tick ”Make this collection available to assign Endpoint security policies from Microsoft Endpoint Manager admin center” – OK

Create and assign policies

Go to MEM Portal https://endpoint.microsoft.com/#home

Endpoint security -> Firewall

Create Policy

Windows 10 and later -> Microsoft Defender Firewall (ConfigMgr) (Preview)

Create

Name the policy in relation to the collection; it will help you later when you need to debug or track your policies.

Next

Set Domain profile to true

Do the same for the Private and Public profiles.

Select collections to include

Choose the collection we set to upload from our Configuration Manager.

Select

Create

My local firewall on a test machine was turned off for the Domain profile.

On the local client, go to the Configuration Manager client's Configurations tab.

Our policy arrived and has already created a configuration baseline for us.

The configuration baseline says “Compliant”.

Going back to the firewall, the “domain network” profile is still turned off, so I guess the “preview” label is accurate.

To be fair, I do not have Defender ATP integrated with my Intune subscription, and it is a requirement.

Summary

As tenant attach evolves, more and more value is added by the product team. I believe that adding policies like this will over time make daily support operations much easier. If possible, you should attach your Configuration Manager today. Nothing happens on the clients; it is all backend and it is safe to add.

I am really thrilled by the road Microsoft has chosen and look forward to seeing what we will get next!

Last minute note:

Currently we can set the settings below through the MEM Portal (remember it is PREVIEW).
