Hardening Windows Clients with Microsoft Intune and Defender for Endpoint


This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Community Hub.

Addressing vulnerabilities on corporate assets is a major part of any corporate security program, yet teams that focus solely on patching may be missing a key area of concern: insecure configuration. Whether the asset’s configuration is unrestricted by default or an operator has made a mistake, assets will end up in an insecure configuration. Security teams with a proactive attitude will seek methods that automatically address asset misconfigurations and, where possible, prevent them in a centralized fashion. This blog introduces a solution that uses multiple Microsoft products, including Microsoft Intune and Defender for Endpoint (MDE), to implement industry-recognized security baselines consistently while reducing the effect on the end user, and examines some issues and suggestions along the way.


Confirm that Intune is managing your clients

Central management of your assets is key to deploying the security baselines consistently. For Windows clients such as laptops, Microsoft Intune accomplishes this task and provides a central panel to track other aspects of the asset, such as performance issues. As baselines can only apply to devices under mobile device management (MDM), this approach will not cover bring your own device (BYOD) assets. We recommend that devices in scope are Azure AD joined and that automatic enrollment is configured to minimize errors. Guidance for joining clients to Azure AD can be found here, and guidance for configuring automatic enrollment of clients can be found here.

Ensure that Microsoft Defender for Endpoint is automatically deployed

Microsoft Defender for Endpoint will implement the security configuration settings it receives from Microsoft Intune. First verify that communication is taking place between Defender for Endpoint and Intune: from the Microsoft 365 Defender portal, select Settings > Endpoints > Advanced features and make sure that the connection to Microsoft Intune is switched to On. Next, create a device configuration profile that automatically onboards Intune assets to Defender for Endpoint and assign it to the designated clients.

Create groups to test security baselines in a controlled manner

To further lower the impact of unexpected changes, test security baselines on samples of the end user population for some weeks before deploying further. For Azure AD joined devices, you can create dynamic groups which look at the user’s information and assign the device, thus removing the manual effort. Guidance on dynamic groups can be found here.


Select the security baselines to use and plan the deployment

There are many flavors of security policies used in the industry, including security baselines published by Microsoft, the Center for Internet Security (CIS) and even the United States Department of Defense (DOD) Security Technical Implementation Guides (STIGs). You have the option of either applying the security baselines included in the product or creating custom baselines to comply with organizational requirements. It is important to note that before applying a new security baseline policy, you need to first reassign the old policy from the devices, reset the devices, and then apply the new security baseline policy. Finally, security baseline deployments should be announced to the impacted user population with enough lead time for groups to provide input. The time between announcing and deploying the security baselines also allows you to test any impact on a selected group of users.


Default security baselines for Intune managed devices

From the Microsoft Intune admin center, under Endpoint security > Security baselines, multiple Microsoft maintained and published baselines exist. Click on any of the baselines to create a profile and apply it to the devices in scope. Guidance on applying out of the box baselines via Intune can be found here.


Custom security baselines for Intune managed devices

You can implement custom security baselines in multiple ways, such as modifying the Microsoft-provided templates, creating a custom profile from scratch, or importing group policy objects (GPOs) via the group policy analysis tool. Guidance on using the GPO analyzer can be found here. An example of importing US DOD STIGs to Intune using this approach can be found here.


Monitor impact and report on compliance

The Intune portal allows you to track the success of the baseline deployment efforts. The same place where you create a profile to apply a security baseline (Endpoint security > Security baselines) also lets you view issues at the setting level, including errors and conflicts with other profiles. Note that results might take 24 hours to populate in the portal, and this includes changes made during troubleshooting. As always, we recommend using the portal itself to view the most current state of the assets, but for organizations that require documentation, results can be exported as CSV files. Guidance on how to monitor security baselines on Intune can be found here.


Optional: leverage attack surface reduction rules to take hardening to the next level

Typically, security baselines aim to balance security with minimal user impact, a view that conflicts with attackers who will do everything available to ensure they can compromise your assets. Attack surface reduction (ASR) rules are extra security configurations based on the most common attack vectors used by adversaries, and they can provide an extra layer of protection to lower the risks to your organization. Once security baselines are applied, go to Intune admin portal > Endpoint Security > Attack surface reduction to get started with pre-configured profiles. It is recommended that many of these settings are set in audit mode and their impact is observed for a month before enforcing. Guidance on deploying ASR rules can be found here. Guidance on setting ASR rules to audit and monitoring can be found here.
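To support the audit-then-enforce approach described above, the following added example (not part of the original post or of any Microsoft tooling) reports each ASR rule's mode on a client and counts how often it fired during the observation window. It relies on the built-in Get-MpPreference and Get-WinEvent cmdlets; the function names are hypothetical, and the EventData field name 'ID' is an assumption to confirm against one real event.

```powershell
# Added example. Run in an elevated PowerShell session on a managed Windows client.
$ModeNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    # Get-MpPreference exposes rule GUIDs and their actions as two parallel arrays.
    $pref = Get-MpPreference
    if (-not $pref.AttackSurfaceReductionRules_Ids) { return }
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $action = [int]$actions[$i]
        $mode = if ($ModeNames.ContainsKey($action)) { $ModeNames[$action] } else { "Unknown ($action)" }
        [pscustomobject]@{ RuleId = $ids[$i].ToLower(); Mode = $mode }
    }
}

function Get-AsrHitCount {
    param([int]$Days = 30)
    # Event 1121 = rule fired in block mode, 1122 = rule fired in audit mode.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    $counts = @{}
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Assumption: the rule GUID is the EventData field named 'ID'.
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        $rule = ($data | Where-Object { $_.Name -eq 'ID' }).'#text'
        if ($rule) { $counts[$rule.ToLower()] = 1 + [int]$counts[$rule.ToLower()] }
    }
    $counts
}

function Get-AsrReadiness {
    param([int]$Days = 30)
    $hits = Get-AsrHitCount -Days $Days
    Get-AsrRuleState | ForEach-Object {
        $n = [int]$hits[$_.RuleId]
        # An audit-mode rule with no hits in the window is a candidate to enforce.
        $note = ''
        if ($_.Mode -eq 'Audit' -and $n -eq 0) { $note = 'Candidate for Block' }
        elseif ($_.Mode -eq 'Audit') { $note = 'Review hits before enforcing' }
        [pscustomobject]@{ RuleId = $_.RuleId; Mode = $_.Mode; Hits = $n; Note = $note }
    }
}

Get-AsrReadiness -Days 30 | Sort-Object Mode, RuleId | Format-Table -AutoSize
```

The counts cover only the local event log of the client the script runs on, so a rule with zero hits here still needs checking across the rest of the pilot group.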

In conclusion, hardening clients does not have to be difficult or limited. A solution that leverages Microsoft Intune and Defender for Endpoint can work wonders to lower your team’s workload while ensuring your organization’s security posture is maintained. The ease of implementing and reporting will help your team adopt more proactive measures, while your leadership will be relieved that a major pain point has been removed.
