Tag Archives: Microsoft Defender for Endpoint

Microsoft Defender for Endpoint – Web Content Filtering for Windows 365 Cloud PC and Azure Virtual Desktop

22 Feb

In today’s world, online security has become more important than ever, especially for businesses. As more and more companies shift their workloads to the cloud, the need for effective security measures has increased. One of the most critical aspects of security is web content filtering. Microsoft Defender for Endpoint is an excellent solution for protecting your Windows 365 Cloud PC and Azure Virtual Desktop environments. If you haven’t see my previous blog post on – Microsoft Defender for Endpoint (MDE) – Getting started for Windows 365 Cloud PC and Azure Virtual Desktop check that first.

Usecase

Web content filtering is a critical aspect of online security that can be used in many different scenarios. Here are some common use cases for web content filtering:

  1. Business Security: Blocking access to malicious websites and other dangerous content, web content filtering helps prevent cyber attacks and data breaches.
  2. Compliance: Many organizations are required to comply with industry-specific regulations and standards, such as HIPAA or PCI-DSS. Web content filtering can help ensure that employees are not accessing websites or content that violates these regulations.
  3. Employee Productivity: Web content filtering can also be used to enhance employee productivity by blocking access to non-work-related websites, such as social media or gaming sites.
  4. Education: Educational institutions can use web content filtering to prevent students from accessing websites that are not educational or age-appropriate.
  5. Guest Wi-Fi: Businesses that offer guest Wi-Fi can use web content filtering to protect their network and guests from online threats.

Overall, web content filtering is a versatile tool that can be used in a variety of settings to enhance online security, productivity, and compliance.

Pre-requisites

To use Microsoft Defender for Endpoint web content filtering on Windows 365 Cloud PC and Azure Virtual Desktop, there are a few prerequisites that you need to meet:

  • Portal Access to Microsoft 365 Defender Portal
  • Windows Defender SmartScreen Enabled on all Browsers (Edge, Chrome etc.)
  • Network Protection must be enable on the endpoint devices
  • Microsoft Defender for Endpoint (MDE) Plan 1 or 2
  • MDE for Business
  • Windows 10/11 or Multi-session Operating System

Enable Web Content Filtering

To enable Web Content Filtering in Microsoft Defender for Endpoint (MDE), you need to follow these steps:

  • Log in to the Microsoft Defender Security Center: Go to https://security.microsoft.com/ and log in with your Microsoft 365 account.
  • Navigate to Settings and select Endpoints
  • Click on Advance Features and enable Web Content Filtering

Create Device Group for Windows 365 & AVD in Microsoft 365 Defender Portal

To assign the policy to particular devices such as Windows 365 Cloud and Azure Virtual Desktop Session, we will create the Device Groups:

  • Log in to the Microsoft Defender Security Center: Go to https://security.microsoft.com/ and log in with your Microsoft 365 account.
  • Navigate to Settings and select Endpoints
  • Under Permissions, click on Device Groups
  • Select Add device group and give it a name – Win365Devices
  • The Cloud PC start with CPC, I will be using that along with OS type – Windows 11
  • For the Azure Virtual Desktop – My Session host start with AVD-, I will use that as the device group along with OS Type – Windows 11

Enable Network Protection under Microsoft Endpoint Portal (Intune)

Under the Enpoint Secruity – Antivirus policy we will enable the configuration:

  • Login to the MEM Portal – https://endpoint.microsoft.com/
  • Select Endpoint security > Antivirus > Create Policy.
  • For Platform, select Windows 10, Windows 11, and Windows Servers.
  • For Profile type, select Microsoft Defender Antivirus, and then select Create.
  • Enter a Name – W365-AVD-AV-P01 and description and choose Next
  • Under the Configuration Settings
  • Enable Network Protection – Enable (Block Mode)

In my previous blog post on getting started, I enabled Network Protect and other configurations. Here I am trying to give you a quick config guidance.

Enable Smart Screen under Microsoft Edge Browser via Intune

I want to use the security baseline around Microsoft Edge for enabling global configuration across all the endpoints:

  • Login to the MEM Portal – https://endpoint.microsoft.com/
  • Select Endpoint security > Security Baseline > Microsoft Endge Baseline.
  • Click on Create a profile and give it a name – MSEdge-Sbaseline-01
  • Enable the SmartScreen config
  • I am applying this security baseline to All Devices

Note you can enable them via configuration profiles too. In this scenario, I prefer using the security baselines.

Enable Smart Screen for Google Chrome Browser via Intune

To enable Smart Screen on Google Chrome, follow these steps:

  • Login to the MEM Portal – https://endpoint.microsoft.com/
  • Select Devices > Configuration profiles > Create profile
  • Under Platform – Windows 10 & Later
  • Profile Type – Templates and Select Administrative Templates
  • Give the policy a name – GoogleChrome-SmartScreen-CP01
  • Under Computer – Select Configure the list of force-installed apps and extensions
  • Click on Enable and enter the below URL for extension
  • Further assign the policy to the target devices
  • Click on Review and Save
bkbeeeffjjeopflfhgeknacdieedcoml;https://clients2.google.com/service/update2/crx

Create policy for Web Content Filtering

To create a web content filtering policy in Microsoft Defender for Endpoint, follow these steps:

  • Log in to the Microsoft Defender Security Center: Go to https://security.microsoft.com/ and log in with your Microsoft 365 account.
  • Navigate to Settings and select Endpoints
  • Under Rules > Web Content Filtering > Add Item
    • Policy Name – Stop Social Media
    • Block Categories > Leisure > Social Networking & Instant Messaging & Professional Networking
    • Scope – Select the Windows 365 Device Group & AVD Device Group (Session Host VMs), as its a targeted policy
  • Wait for approx. 40 mins for the policy to implement for your endpoints

Validate the URLs within Windows 365 Cloud PC

Before going ahead and checking the URLs within the browser verify the following on the virtual desktop or endpoints:

SmartScreen

Open the browser and type edge://policy and make sure the Smart Screen is enabled

Network Protection

Open the Powershell and check if network protection is enable (Value 1) block mode

Microsoft Edge

Open Microsoft Edge and open https:\\www.facebook.com or https:\\www.snapchat.com

Google Chrome

Check reports in Defender Portal

Under the Microsoft Defender Portal go to Reports > Web Protection > Web content filtering categories details

Useful LinksCredits
Web content filtering – https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/web-content-filtering?view=o365-worldwideMicrosoft
How to configure Microsoft Defender SmartScreen via Microsoft Intune? – Endpoint CaveRene Laas
Enabling web filtering with Microsoft Defender for Endpoint – CIAOPSRobert Crane

I hope you will find this helpful information towards web content filtering journey to secure your Windows 365 and AVD environments using Microsoft Defender for Endpoint. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Microsoft Defender for Endpoint (MDE) – Getting started for Windows 365 Cloud PC and Azure Virtual Desktop

16 Feb

If you are using Windows 365 Cloud PC and Azure Virtual Desktop, the Microsoft Defender for Endpoint (MDE) is a security solution designed for protecting endpoints, such as Windows 11/Windows 11 Mutli-Session computers, servers, Azure Virtual Desktops and more from various types of cyber threats. The main reason it’s evident to use MDE is that it seamlessly integrates with the solution with minimal to less effort compared to other solutions. This blog post will discuss how to get started with Microsoft Defender for Endpoint in the Windows 365 Cloud and Azure Virtual Desktop.

Prerequisites

  • Rights to use and deploy Windows 365 Cloud PC and Azure Virtual Desktop and the ncessary licenses
  • Microsoft Defender for Endpoint Plan 1 or Plan 2 depending upon the requirements and $$$.
  • Make sure the license is available and listed Microsoft admin center

Enable MDE in Microsoft 365 Security Portal/Intune

To enable Microsoft Defender for Endpoint (MDE) in the Microsoft Defender Security Center, you need to follow these steps:

  1. Log in to the Microsoft Defender Security Center: Go to https://security.microsoft.com/ and log in with your Microsoft 365 account.
  2. Navigate to Settings and select Endpoints
  3. Click on On for Microsoft Intune Connection & Device Discovery
  4. Scroll to the bottom and select Save Preferences

We will manage the endpoints via Intune, so all the rest of the actions and fun will be within the https://endpoint.microsoft.com/ and Endpoint Security. After a brief period of 10-15 mins, you can see the connection status being Available and synchronized.

Create the Endpoint detection and response policy (onboarding)

Our environment is managed via Modern Management, and we don’t have the overhead of legacy setup. We will use the Intune Endpoint detection response (EDR) policy to onboard the devices. This is the simplest method as it doesn’t involve installing the agent manually or via GPOs.

Sign in to the Microsoft Endpoint Manager admin center.

  • Login to the MEM Portal – https://endpoint.microsoft.com/
  • Select Endpoint security > Endpoint detection and response > Create Policy.
  • For Platform, select Windows 10, Windows 11, and Windows Servers.
  • For Profile type, select Endpoint detection and response, and then select Create.
  • Enter a Name – W365-AVD-EDR-P01 and description and choose Next
  • Under the Configuration Settings
    • MDE client configuration package type – Auto from connector (We are a 100% modern managed environment we can leverage this simple option)
    • Sample Sharing – Not configured
    • Telemetry Reporting Frequency – Expedite (We want reporting to be lightning-fast)
  • Next, the most critical part is the target assignments. I am explicitly creating this policy to target Windows 365 Cloud PC and Azure Virtual Desktop
  • Review and Create the policy and it will go ahead and enable MDE on the fleet.
  • After sometime all your devices will show whether they are onboarded or not.

Many ways to carry out the onboarding. This is just one way and the most straightforward. Read more options here – https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/onboarding-endpoint-manager?view=o365-worldwide

On the onboarded device, go and run the following command to verify the status

Get-MpComputerStatus

Device Compliance Policy (Update)

I already have my existing Windows 10/11 compliance policy after enabling MDE, and I will go ahead and update the compliance policy to accommodate the changes further. This will allow reporting within the tenant on what device compliance level the endpoints are on and whether corporate governance is maintained.

Create Antivirus Policy in Intune

The next step is creating the Antivirus (AV) Policy with the options that your organization demands. I am starting with a few, but remember most choices will require nailing out with internal security/endpoint/governance teams.

Below configurations are not an exhaustive list – Consult with the endpoint/security teams to meet the organization’s requirements.

Sign in to the Microsoft Endpoint Manager admin center.

  • For Platform, select Windows 10, Windows 11, and Windows Servers.
  • For Profile type, select Microsoft Defender Antivirus, and then select Create.
  • Enter a Name – W365-AVD-AV-P01 and description and choose Next
  • Under the Configuration Settings
Configuration SettingsStatus (Value)
Allow Archive Scanning (Scanning through zip and cab files)Allowed
Allow Behaviour Monitoring Allowed
Allow Cloud Protection (Joining Microsoft MAPS Community)Allowed
Allow Email Scanning (Very useful if you are using Microsoft 365)Allowed
Allow Full Scan Removable Drive Scanning (Scanning of Pen Drives)Allowed
Allow Intrusion Prevention SystemAllowed
Allow scanning of all downloaded files and attachmentsAllowed
Allow Realtime MonitoringAllowed
Cloud Block LevelHigh
Allow Users UI Access (Defender Client)Allowed
Enable Network ProtectionEnabled (Audit mode)
Avg CPU Load Factor Enabled (30%)
Schedule Quick Scan TimeEnable (120)
Signature Update IntervalEnable (8 hours)
  • Next, the most critical part is the target assignments. I am explicitly creating this policy to target Windows 365 Cloud PC and Azure Virtual Desktop
  • Review and Create the policy and it will go ahead and enable AV across the fleet.
  • After sometime all your devices will show whether they are onboarded or not.

Create Attack surface reduction (ASR) Policy in Intune

The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitation. This set of capabilities also includes network protection and web protection, which regulate access to malicious IP addresses, domains, and URLs. In my case I am starting with few, but remember most of the options will require nailing out with internal security/endpoint/governeance teams.

Below configurations are not an exhaustive list – Consult with the endpoint/security teams to meet the organization’s requirements. Here I would like to take the approach of Audit mode first, followed by adding exclusions to refine the block rules (production).

Sign in to the Microsoft Endpoint Manager admin center.

  • For Platform, select Windows 10, Windows 11, and Windows Servers.
  • For Profile type, select Attack Surface Reduction Rules, and then select Create.
  • Enter a Name – W365-AVD-ASR-P01 and description and choose Next
  • Under the Configuration Settings
Configuration SettingsStatus (Value)
Block Adobe Reader from creating child processesAudit
Block execution of potentially obfuscated scriptsAudit
Block Win32 API calls from office macrosAudit
Block credential stealing from the Windows local security authority subsystemAudit
Block JavaScript or VBScript from launching downloaded executable contentAudit
Block process creatons originating from PSExec and WMI commandsAudit
Block untrusted and unsigned processes that run from USBAudit
Block abuse of exploited vulnerable signed drivers (Devices)Audit
  • Next, the most critical part is the target assignments. I am explicitly creating this policy to target Windows 365 Cloud PC and Azure Virtual Desktop
  • Review and Create the policy and it will go ahead and enable ASR across the fleet.
  • After sometime all your devices will show whether they are onboarded or not.
Useful LinksCredits
Microsoft Defender for Endpoint series – Tips and tricks/ common mistakes – Part10 (jeffreyappel.nl) – The most mind blowing and detailed blog post series on MDE. I think I only scratch the surface here however, Jeffrey takes an indept approach.Jeffrey Appel
Configure Microsoft Defender for Endpoint in IntuneMicrosoft
Defend Cloud PCs against threats with Microsoft Defender for Endpoint | Windows in the Cloud – YouTubeChristiaan Brinkhoff | LinkedIn and Paul Huijbregts | LinkedIn

Next step, I plan to write a few blog posts on specific topics like URLs, Networks etc, blocking (TikTok, Facebook etc,) concerning MDE. I hope you will find this helpful information towards your journey to secure your Windows 365 and AVD environments using Microsoft Defender for Endpoint. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari