
This blog article shows how to master the security recommendations of Microsoft Defender for Endpoint (MDE) with Microsoft Intune and achieve a device secure score above 95%.
- Security recommendations analysis and how to start
- Security recommendations covered by security baselines
- Overview of security recommendations not covered by security baselines
Security recommendations analysis and how to start
With a freshly installed and untouched Windows 11 22H2 (10.0.22621), there are currently 62 device security recommendations (October 2022).

The easiest way to start is to implement the following 3 security baselines:
- Security Baseline for Windows 10 and later
- Microsoft Defender for Endpoint Baseline
- Microsoft Edge Baseline
This covers 42 of the security recommendations (I have already written a detailed article about the security baselines). That leaves only 20 security recommendations to be handled separately afterwards.
Security recommendations covered by security baselines
For a better overview, here is a list of all device security recommendations that are already covered by security baselines and where they can be found:
Security Recommendation | Category | Points | Security Baseline(s) |
---|---|---|---|
Disable ‘Always install with elevated privileges’ | Application Management | 4 | Security Baseline for Windows 10 and later |
Block Adobe Reader from creating child processes | Attack Surface Reduction Rules Microsoft Defender | 4.5 | Microsoft Defender for Endpoint Baseline; Security Baseline for Windows 10 and later |
Block all Office applications from creating child processes | Attack Surface Reduction Rules Microsoft Defender | 4.5 | Microsoft Defender for Endpoint Baseline; Security Baseline for Windows 10 and later |
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | Attack Surface Reduction Rules Microsoft Defender | 4.5 | Microsoft Defender for Endpoint Baseline; Security Baseline for Windows 10 and later |
Block executable content from email client and webmail | Attack Surface Reduction Rules Microsoft Defender | 4.5 | Microsoft Defender for Endpoint Baseline; Security Baseline for Windows 10 and later |
Block execution of potentially obfuscated scripts | Attack Surface Reduction Rules Microsoft Defender | 4.5 | Microsoft Defender for Endpoint Baseline; Security Baseline for Windows 10 and later |
Block JavaScript or VBScript from launching downloaded executable content | Attack Surface Reduction Rules Microsoft Defender | 4.5 | Microsoft Defender for Endpoint Baseline; Security Baseline for Windows 10 and later |
Block Office applications from creating executable content | Attack Surface Reduction Rules Microsoft Defender | 4.5 | Microsoft Defender for Endpoint Baseline; Security Baseline for Windows 10 and later |
Block Office applications from injecting code into other processes | Attack Surface Reduction Rules Microsoft Defender | 4.5 | Microsoft Defender for Endpoint Baseline; Security Baseline for Windows 10 and later |
Block Office communication application from creating child processes | Attack Surface Reduction Rules Microsoft Defender | 4.5 | Microsoft Defender for Endpoint Baseline; Security Baseline for Windows 10 and later |
Block untrusted and unsigned processes that run from USB | Attack Surface Reduction Rules Microsoft Defender | 4.5 | Microsoft Defender for Endpoint Baseline; Security Baseline for Windows 10 and later |
Block Win32 API calls from Office macros | Attack Surface Reduction Rules Microsoft Defender | 4.5 | Microsoft Defender for Endpoint Baseline; Security Baseline for Windows 10 and later |
Disable ‘Autoplay’ for all drives | Auto Play | 4 | Security Baseline for Windows 10 and later |
Disable ‘Autoplay for non-volume devices’ | Auto Play | 2.5 | Security Baseline for Windows 10 and later |
Set default behavior for ‘AutoRun’ to ‘Enabled: Do not execute any autorun commands’ | Auto Play | 4 | Security Baseline for Windows 10 and later |
Enable ‘Require additional authentication at startup’ | BitLocker | 4 | Microsoft Defender for Endpoint Baseline |
Encrypt all BitLocker-supported drives | BitLocker | 4.5 | Microsoft Defender for Endpoint Baseline |
Resume BitLocker protection on all drives | BitLocker | 4.5 | Microsoft Defender for Endpoint Baseline |
Disable ‘Enumerate administrator accounts on elevation’ | Credentials UI | 4 | Security Baseline for Windows 10 and later |
Set ‘Enforce password history’ to ’24 or more password(s)’ | Device Lock | 2.5 | Security Baseline for Windows 10 and later |
Set ‘Minimum password age’ to ‘1 or more day(s)’ | Device Lock | 2.5 | Security Baseline for Windows 10 and later |
Disable merging of local Microsoft Defender Firewall connection rules with group policy firewall rules for the Public profile | Firewall | 2.5 | Microsoft Defender for Endpoint Baseline; Security Baseline for Windows 10 and later |
Disable merging of local Microsoft Defender Firewall rules with group policy firewall rules for the Public profile | Firewall | 2.5 | Microsoft Defender for Endpoint Baseline; Security Baseline for Windows 10 and later |
Disable Microsoft Defender Firewall notifications when programs are blocked for Domain profile | Firewall | 1 | Microsoft Defender for Endpoint Baseline; Security Baseline for Windows 10 and later |
Disable Microsoft Defender Firewall notifications when programs are blocked for Public profile | Firewall | 1 | Microsoft Defender for Endpoint Baseline; Security Baseline for Windows 10 and later |
Disable Microsoft Defender Firewall notifications when programs are blocked for Private profile | Firewall | 1 | Microsoft Defender for Endpoint Baseline; Security Baseline for Windows 10 and later |
Block outdated ActiveX controls for Internet Explorer | Internet Explorer | 2.5 | Security Baseline for Windows 10 and later |
Disable running or installing downloaded software with invalid signature | Internet Explorer | 2.5 | Security Baseline for Windows 10 and later |
Disable Anonymous enumeration of shares | Local Policies Security Options | 4 | Security Baseline for Windows 10 and later |
Enable ‘Microsoft network client: Digitally sign communications (always)’ | Local Policies Security Options | 2.5 | Security Baseline for Windows 10 and later |
Set ‘Interactive logon: Machine inactivity limit’ to ‘1-900 seconds’ | Local Policies Security Options | 2.5 | Security Baseline for Windows 10 and later |
Set LAN Manager authentication level to ‘Send NTLMv2 response only. Refuse LM & NTLM’ | Local Policies Security Options | 4 | Security Baseline for Windows 10 and later |
Set User Account Control (UAC) to automatically deny elevation requests / Turn on PUA protection in block mode | Local Policies Security Options | 4 | Security Baseline for Windows 10 and later |
Enable ‘Network Protection’ | Microsoft Defender | 4 | Security Baseline for Windows 10 and later |
Enable scanning of removable drives during a full scan | Microsoft Defender | 4 | Microsoft Defender for Endpoint Baseline; Security Baseline for Windows 10 and later |
Enable ‘Apply UAC restrictions to local accounts on network logons’ | MS Security Guide | 2.5 | Security Baseline for Windows 10 and later |
Disable IP source routing | MSS Legacy | 2.5 | Security Baseline for Windows 10 and later |
Set IPv6 source routing to highest protection | MSS Legacy | 2.5 | Security Baseline for Windows 10 and later |
Disable Solicited Remote Assistance | Remote Assistance | 4 | Security Baseline for Windows 10 and later |
Disable ‘Allow Basic authentication’ for WinRM Client | Remote Management | 4 | Security Baseline for Windows 10 and later |
Disable ‘Allow Basic authentication’ for WinRM Service | Remote Management | 4 | Security Baseline for Windows 10 and later |
Prohibit use of Internet Connection Sharing on your DNS domain network | Wi-Fi | 2.5 | Security Baseline for Windows 10 and later |
Overview of security recommendations not covered by security baselines
Here is an overview of all security recommendations that are not currently covered by security baselines and how to deploy them with Microsoft Intune. For the deployment, the following order of preference is used:
- Endpoint Security Policies
- Settings Catalog Policies
- Device Configuration Policies
- Proactive Remediations Scripts / ADMX Import
As with the security baselines, it will be impossible to implement all security recommendations in most environments, because any policy can have an impact. The policies must first be tested extensively in a test environment. The possible impact and advice for each security recommendation can be found in the “Comments” column. A good goal is a device secure score of over 90%.
Security Recommendation | Category | Points | How to implement | Comments |
---|---|---|---|---|
Disable the local storage of passwords and credentials | Accounts | 2.5 | Proactive Remediations Scripts or ADMX Import. Remediation: Registry Hive: HKLM; Registry Path: System\CurrentControlSet\Control\Lsa; Value Name: DisableDomainCreds; Value Type: REG_DWORD; Value: 1. Feel free to download my Proactive Remediation Script to “Disable the local storage of passwords and credentials”: DisableDomainCreds.zip | This policy stops Windows from saving domain credentials in Credential Manager. It does not affect local accounts. In a cloud-only environment, I have not yet had any negative experiences with this policy. However, for domain-joined clients, and depending on which legacy applications are still in use, I could imagine a negative impact on the user experience. The easiest way is to implement the policy in a test environment and test all legacy applications. |
Enable Local Admin password management | Accounts | 2.5 | Settings Catalog Policies. Settings Catalog – Enable local admin password management: Enabled | This policy is only relevant in an environment with Active Directory, as LAPS currently only works with an on-premises Active Directory. If local administrator accounts are used on cloud-only devices, the community solution CloudLAPS should be used instead. Microsoft is currently working on a new LAPS solution (Windows LAPS) that will support Azure AD (cloud-only management). Currently the solution is only available in private preview and is expected to be released in Q1/2023. |
Set ‘Account lockout duration’ to 15 minutes or more | Accounts | 3 | Proactive Remediations Scripts. Remediation: net accounts /lockoutduration:15. Feel free to download my Proactive Remediation Script for all account lockout settings: AccountsLockoutSettings.zip | Basically a policy that is only relevant for on-premises environments; Azure AD accounts are already protected by Azure AD smart lockout. If local accounts are used on Windows 10/11, the policy can be enforced via a Proactive Remediations script. The default for Windows 10/11 21H2 is 30 minutes; the default for Windows 11 22H2 is 10 minutes. On 21H2 the default already meets the recommendation (it only takes effect once a lockout threshold is set); on Windows 11 22H2 the value has to be raised from 10 to 15 minutes. |
Set ‘Reset account lockout counter after’ to 15 minutes or more | Accounts | 3 | Proactive Remediations Scripts. Remediation: net accounts /lockoutwindow:15. Feel free to download my Proactive Remediation Script for all account lockout settings: AccountsLockoutSettings.zip | Basically a policy that is only relevant for on-premises environments; Azure AD accounts are already protected by Azure AD smart lockout. If local accounts are used on Windows 10/11, the policy can be enforced via a Proactive Remediations script. The default for Windows 10/11 21H2 is 30 minutes; the default for Windows 11 22H2 is 10 minutes. On 21H2 the default already meets the recommendation (it only takes effect once a lockout threshold is set); on Windows 11 22H2 the value has to be raised from 10 to 15 minutes. Note that the observation window may not exceed the lockout duration, so raise the duration first. |
Set ‘Account lockout threshold’ to 1-10 invalid login attempts | Accounts | 3 | Proactive Remediations Scripts. Remediation: net accounts /lockoutthreshold:10. Feel free to download my Proactive Remediation Script for all account lockout settings: AccountsLockoutSettings.zip | Basically a policy that is only relevant for on-premises environments; Azure AD accounts are already protected by Azure AD smart lockout. If local accounts are used on Windows 10/11, the policy can be enforced via a Proactive Remediations script. The default for Windows 10/11 21H2 is “Never” (0), which means lockout is off entirely. If Windows 11 22H2 is already in use, nothing needs to be adjusted: its default lockout threshold is already 10. |
Set ‘Minimum password length’ to ’14 or more characters’ | Accounts | 2.5 | Device Configuration Policies. Device Configuration Profiles – Device restrictions – Password – Password: Require; Minimum password length: 14. Alternatively, the Security Baseline can be customized: Security Baseline for Windows 10 and later – Device lock – Minimum password length: 14 (the baseline default is 8). | Basically a policy that is only relevant for on-premises environments. Azure AD account password restrictions cannot be customized and are by default a minimum of 8 and a maximum of 256 characters. If local accounts are used, the policy can be set, but it then only affects locally created accounts, not Azure AD accounts. |
Enable Automatic Updates | Application (Microsoft Office) | 2.5 | Settings Catalog Policies. Settings Catalog – Enable Automatic Updates: Enabled | Office updates are downloaded and installed automatically by default. This can be checked in any Office application under File – Account – Office Updates. This policy ensures that users cannot change it. The policy can be enabled without hesitation, as in my opinion a user should not be able to customize Office update settings. |
Enable ‘Hide Option to Enable or Disable Updates’ | Application (Microsoft Office) | 2.5 | Settings Catalog Policies. Settings Catalog – Hide option to enable or disable updates: Enabled | This policy hides the “Disable updates” button in the Office Updates settings (File – Account – Office Updates). The policy can be enabled without hesitation, as in my opinion a user should not be able to customize Office update settings. |
Disable ‘Installation and configuration of Network Bridge on your DNS domain network’ | Network | 2.5 | Settings Catalog Policies. Settings Catalog – Prohibit installation and configuration of Network Bridge on your DNS domain network: Enabled. Registry Hive: HKLM; Registry Path: Software\Policies\Microsoft\Windows\Network Connections; Value Name: NC_AllowNetBridge_NLA; Value Type: REG_DWORD; Value: 0 (the value name reads “Allow”, so 0 prohibits the bridge) | If this policy is enabled, users cannot enable or configure a network bridge. In an enterprise environment where network traffic must be restricted to authorized paths, the Network Bridge can safely be disabled. |
Enable ‘Require domain users to elevate when setting a network’s location’ | Network | 1 | Settings Catalog Policies. Settings Catalog – Require domain users to elevate when setting a network’s location: Enabled. Registry Hive: HKLM; Registry Path: Software\Policies\Microsoft\Windows\Network Connections; Value Name: NC_StdDomainUserSetLocation; Value Type: REG_DWORD; Value: 1 | If you enable this policy setting, domain users must elevate when setting a network’s location. If you disable or do not configure it, domain users can set a network’s location without elevating. I am not aware of any case in which standard domain users need to set a network’s location, so in my opinion the policy can be enabled without hesitation. |
Set user authentication for remote connections by using Network Level Authentication to ‘Enabled’ | Network | 2.5 | Settings Catalog Policies. Settings Catalog – Require user authentication for remote connections by using Network Level Authentication: Enabled. Registry Hive: HKLM; Registry Path: SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services; Value Name: UserAuthentication; Value Type: REG_DWORD; Value: 1 | When RDP is used with NLA disabled or not configured, a remote client gets an RDP session (and the Windows logon screen) before authenticating. This greatly increases the exposure to RDP-based attacks such as the wormable BlueKeep vulnerability. Enabling NLA blocks attackers who lack valid credentials and is recommended specifically as a BlueKeep mitigation, independent of patching. Note that a password cannot be changed via CredSSP, which is a problem when “User must change password at next logon” is set or an account’s password has expired. Depending on how RDP is used and which password policy is in place, this policy can therefore have an impact. |
Enable ‘Local Security Authority (LSA) protection’ | Operating system | 4 | Proactive Remediations Scripts or ADMX Import. Remediation: Registry Hive: HKLM; Registry Path: System\CurrentControlSet\Control\Lsa; Value Name: RunAsPPL; Value Type: REG_DWORD; Value: 1 (takes effect after a reboot). Feel free to download my Proactive Remediation Script to “Enable Local Security Authority (LSA) protection”: RunAsPPL.zip | The Local Security Authority (LSA) Subsystem Service is the Windows process that verifies logon attempts, handles password changes, creates access tokens and performs other important tasks in the Windows authentication and authorization protocols. Attackers rely on tools such as Mimikatz and LSAdump to dump password hashes or clear-text passwords from its memory. According to Microsoft’s documentation on Configuring Additional LSA Protection, before you deploy LSA protection across your entire network it is a good idea to identify all LSA plug-ins and drivers that are in use within your organization. You should also check that all LSA plug-ins are digitally signed with a Microsoft certificate, that correctly signed plug-ins load successfully into LSA and that they perform as expected. You can use the audit logs to identify LSA plug-ins and drivers that fail to run as a protected process. |
Set ‘Minimum PIN length for startup’ to ‘6 or more characters’ | Operating system | 2.5 | Endpoint Security Policies. Endpoint security – Disk Encryption – BitLocker – OS Drive Settings – System drive recovery: Minimum PIN length: 6 | If you already deploy ‘Require additional authentication at startup’, you can safely configure this policy too. A PIN should nowadays contain at least 6 digits. However, I am not a fan of “additional authentication at startup” for the following reasons: most users will be annoyed at having to remember an additional PIN and will use the same PIN as for Windows Hello for Business or, even worse, write the PIN on a piece of paper and keep it with the device. In most cases, this will not improve security unless you have the users on your side and they understand that the extra PIN brings a security benefit. Also important to note: for silent enablement scenarios (including Autopilot) this setting cannot succeed, as user interaction is required. It is recommended that the PIN be disabled where silent enablement of BitLocker is required. |
Turn on Microsoft Defender Application Guard managed mode | Security controls (Application Guard) | 4 | Endpoint Security Policies. Endpoint security – Attack surface reduction – App and browser isolation: Application Guard: Enabled for Edge; Clipboard behavior: Block copy and paste between PC and browser; Block external content from non-enterprise approved sites: Yes; Collect logs for events that occur within an Application Guard session: Yes; Allow user-generated browser data to be saved: Yes; Enable hardware graphics acceleration: Yes; Allow users to download files onto the host: Yes | Microsoft Defender Application Guard requires a 64-bit version of Windows and a CPU that supports hardware-assisted virtualization (Intel VT-x or AMD-V). The feature is not officially supported on virtual hardware, although it can work in VMs (especially for testing) if the host exposes hardware-assisted virtualization to the guest. If you use high-performance clients and see no performance problems in your tests, Defender Application Guard definitely provides a security advantage. However, Application Guard must be enforced, and the list of trusted enterprise sites must be maintained. Allowing downloads to the host and persisting browser data weaken the isolation, so enable those two options only where they are actually needed. |
Turn on Tamper Protection | Security controls (Antivirus) | 4 | Endpoint Security Policies. Endpoint security – Antivirus – Windows 10, Windows 11, Windows Server – Windows Security Experience: TamperProtection (Device): On | Tamper protection protects important security features from unwanted changes and interference. Currently, I see no reason not to turn on this policy. |
Block abuse of exploited vulnerable signed drivers | Security controls (Attack Surface Reduction) | 4.5 | Endpoint Security Policies. Endpoint security – Attack surface reduction – Block abuse of exploited vulnerable signed drivers (Device): Block | Start in audit mode first and add any necessary exclusions. After that you can switch to block mode. For me, no exclusions were necessary and block mode could be activated without restrictions. Check the “Attack surface reduction” reports, where “Blocked” and “Audited” ASR events are listed: https://security.microsoft.com – Reports – Attack surface reduction rules |
Block executable files from running unless they meet a prevalence, age, or trusted list criterion | Security controls (Attack Surface Reduction) | 4.5 | Endpoint Security Policies. Endpoint security – Attack surface reduction – Block executable files from running unless they meet a prevalence, age, or trusted list criterion: Block | Start with audit mode only. This rule affects developers in particular. Very likely only strictly controlled environments will be able to run this ASR rule in block mode. Check the “Attack surface reduction” reports, where “Blocked” and “Audited” ASR events are listed: https://security.microsoft.com – Reports – Attack surface reduction rules |
Block persistence through WMI event subscription | Security controls (Attack Surface Reduction) | 4.5 | Endpoint Security Policies. Endpoint security – Attack surface reduction – Block persistence through WMI event subscription: Block | File and folder exclusions don’t apply to this attack surface reduction rule. Start in audit mode first; if no problems are recorded, block mode can be activated. For me, block mode could be activated without restrictions. Check the “Attack surface reduction” reports, where “Blocked” and “Audited” ASR events are listed: https://security.microsoft.com – Reports – Attack surface reduction rules |
Block process creations originating from PSExec and WMI commands | Security controls (Attack Surface Reduction) | 4.5 | Endpoint Security Policies. Endpoint security – Attack surface reduction – Block process creations originating from PSExec and WMI commands: Block | Only use this rule if you manage your devices with Intune or another MDM solution. The rule is incompatible with management through Microsoft Endpoint Configuration Manager because it blocks the WMI commands the Configuration Manager client needs to function. For me, block mode could be activated without restrictions. Check the “Attack surface reduction” reports, where “Blocked” and “Audited” ASR events are listed: https://security.microsoft.com – Reports – Attack surface reduction rules |
Use advanced protection against ransomware | Security controls (Attack Surface Reduction) | 4.5 | Endpoint Security Policies. Endpoint security – Attack surface reduction – Use advanced protection against ransomware: Block | You must enable cloud-delivered protection to use this rule; it is already enabled by default with the security baselines (Security Baseline for Windows 10 and later and Microsoft Defender for Endpoint Baseline). This rule affects developers in particular. Start in audit mode first and add any necessary exclusions. After that you can switch to block mode. Check the “Attack surface reduction” reports, where “Blocked” and “Audited” ASR events are listed: https://security.microsoft.com – Reports – Attack surface reduction rules |
Set controlled folder access to enabled or audit mode | Security controls (Exploit Guard) | 4.5 | Endpoint Security Policies. Endpoint security – Attack surface reduction – Enable Controlled Folder Access: Enabled; Controlled Folder Access Allowed Applications: application exclusions | Start in audit mode first and add the necessary exclusions. After that you can switch to block mode. Be prepared to define multiple exclusions for this policy. Use Advanced Hunting to find the exclusions you need: `DeviceEvents \| where ActionType contains "ControlledFolderAccessViolation"` |
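The two registry-based recommendations in the table (DisableDomainCreds and RunAsPPL) share one Proactive Remediation pattern, so here is an added example of such a script. It is not the author's downloadable DisableDomainCreds.zip or RunAsPPL.zip. It assumes the script runs as SYSTEM in 64-bit PowerShell and that the same file is uploaded twice to Intune Proactive Remediations: once as the detection script with `$Remediate = $false`, once as the remediation script with `$Remediate = $true`. The `$Settings` list and the function names are my own; the only Intune contract is the exit code (detection exit 1 triggers remediation, exit 0 means compliant).

```powershell
# Added example, not the author's scripts. One body that serves as detection and
# remediation script for the registry-backed recommendations in the table.
# Upload twice: detection copy with $Remediate = $false, remediation copy with $true.
# Assumes SYSTEM context, 64-bit PowerShell.

$Remediate = $false   # set to $true in the copy uploaded as the remediation script

# Registry values from the table. Data is the REG_DWORD the recommendation expects.
$Settings = @(
    @{ Name      = 'Disable the local storage of passwords and credentials'
       Path      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       ValueName = 'DisableDomainCreds'
       Data      = 1 },
    @{ Name      = 'Enable Local Security Authority (LSA) protection'
       Path      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       ValueName = 'RunAsPPL'
       Data      = 1 }   # takes effect after a reboot; on UEFI firmware value 1 also sets a UEFI lock
)

function Test-RegistryDword {
    # True only if the value exists and already holds the expected DWORD.
    param([string]$Path, [string]$ValueName, [int]$Data)
    $item = Get-ItemProperty -Path $Path -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $item -and [int]$item.$ValueName -eq $Data)
}

function Set-RegistryDword {
    param([string]$Path, [string]$ValueName, [int]$Data)
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $ValueName -Value $Data -PropertyType DWord -Force | Out-Null
}

$nonCompliant = @($Settings | Where-Object {
    -not (Test-RegistryDword -Path $_.Path -ValueName $_.ValueName -Data $_.Data) })

if ($nonCompliant.Count -eq 0) {
    Write-Output 'Compliant'
    exit 0
}

if (-not $Remediate) {
    # Detection script: exit code 1 tells Intune to run the remediation script.
    Write-Output ('Non-compliant: ' + (($nonCompliant | ForEach-Object { $_.ValueName }) -join ', '))
    exit 1
}

foreach ($s in $nonCompliant) {
    Set-RegistryDword -Path $s.Path -ValueName $s.ValueName -Data $s.Data
}

# Re-check so the remediation exit code reflects what was actually written.
$stillBad = @($Settings | Where-Object {
    -not (Test-RegistryDword -Path $_.Path -ValueName $_.ValueName -Data $_.Data) })
if ($stillBad.Count -gt 0) { Write-Output 'Remediation failed'; exit 1 }
Write-Output 'Remediated'
exit 0
```

One caveat for RunAsPPL that the table does not spell out: on UEFI firmware, value 1 also writes a UEFI variable, so LSA protection stays on even if the registry value is later deleted and can only be undone by booting from media. Windows 11 22H2 additionally accepts value 2 (enabled without the UEFI lock), which is the easier choice for pilots that may need to be rolled back.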
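The three account lockout rows above all map to `net accounts`, but that tool's output changes with the display language, so a detection script should not parse it. Here is an added example of a Proactive Remediation for all three settings; it is not the author's AccountsLockoutSettings.zip. It reads the effective local policy with `secedit /export` (the `[System Access]` keys LockoutBadCount, LockoutDuration and ResetLockoutCount), compares against the targets from the table, and remediates with `net accounts`. It assumes SYSTEM context on a workstation and the same upload-twice pattern (`$Remediate = $false` for detection, `$true` for remediation).

```powershell
# Added example, not the author's script. Proactive Remediation for
# 'Account lockout threshold', 'Account lockout duration' and
# 'Reset account lockout counter after'. Assumes SYSTEM context on a workstation.

$Remediate = $false   # set to $true in the copy uploaded as the remediation script

$Target = @{
    LockoutBadCount   = 10   # 'Account lockout threshold': 1-10 invalid attempts
    LockoutDuration   = 15   # 'Account lockout duration': 15 minutes or more
    ResetLockoutCount = 15   # 'Reset account lockout counter after': 15 minutes or more
}

function Get-LocalLockoutPolicy {
    # Exports the local security policy and returns the [System Access] lockout keys.
    $cfg = Join-Path -Path $env:TEMP -ChildPath ('secpol-{0}.inf' -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
        $policy = @{}
        foreach ($line in (Get-Content -Path $cfg)) {
            if ($line -match '^(LockoutBadCount|LockoutDuration|ResetLockoutCount)\s*=\s*(-?\d+)') {
                $policy[$Matches[1]] = [int]$Matches[2]
            }
        }
        return $policy
    }
    finally {
        Remove-Item -Path $cfg -Force -ErrorAction SilentlyContinue
    }
}

function Test-LockoutCompliance {
    param([hashtable]$Policy)
    # Missing keys read as 0: secedit can omit duration/window while the threshold is 0 (never).
    $bad = [int]$Policy['LockoutBadCount']
    $dur = [int]$Policy['LockoutDuration']
    $win = [int]$Policy['ResetLockoutCount']
    $thresholdOk = ($bad -ge 1 -and $bad -le $Target.LockoutBadCount)
    $durationOk  = ($dur -ge $Target.LockoutDuration -or $dur -eq -1)   # -1 = locked until an admin unlocks
    $windowOk    = ($win -ge $Target.ResetLockoutCount)
    return ($thresholdOk -and $durationOk -and $windowOk)
}

$policy = Get-LocalLockoutPolicy
if (Test-LockoutCompliance -Policy $policy) {
    Write-Output 'Compliant'
    exit 0
}

if (-not $Remediate) {
    $summary = ($policy.GetEnumerator() | ForEach-Object { '{0}={1}' -f $_.Key, $_.Value }) -join ' '
    Write-Output "Non-compliant: $summary"
    exit 1
}

# Order matters: the observation window may not exceed the lockout duration, so the
# duration is raised before the window. Threshold 0 would switch lockout off entirely.
& net.exe accounts "/lockoutthreshold:$($Target.LockoutBadCount)" | Out-Null
& net.exe accounts "/lockoutduration:$($Target.LockoutDuration)"  | Out-Null
& net.exe accounts "/lockoutwindow:$($Target.ResetLockoutCount)"  | Out-Null

if (Test-LockoutCompliance -Policy (Get-LocalLockoutPolicy)) { Write-Output 'Remediated'; exit 0 }
Write-Output 'Remediation failed'
exit 1
```

The threshold check deliberately treats 0 as non-compliant: a device on which the duration and window look right but the threshold is still “Never” has no lockout at all, which is exactly the Windows 10/11 21H2 default the table describes.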
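The ASR and Controlled Folder Access rows all say “start in audit mode, then switch to block”. The portal report shows the events, but before trusting it on a pilot device it is worth reading the local Defender state directly. The following is an added example, not from the page, of a read-only check with `Get-MpPreference` for the five ASR rules in the table and for Controlled Folder Access. The rule GUIDs are Microsoft's documented ASR rule IDs; the action and CFA code tables are the documented `Get-MpPreference` encodings. Run it in an elevated PowerShell on the client.

```powershell
# Added example, not from the page: shows how the Intune ASR / CFA policies actually
# landed on a device. Read-only; with tamper protection on, Set-MpPreference cannot
# change these anyway, only the managing MDM can.

# Documented ASR rule IDs for the five rules in the table.
$AsrRules = @{
    '56a863a9-875e-4185-98a7-b882c64b5ce5' = 'Block abuse of exploited vulnerable signed drivers'
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executable files unless they meet a prevalence, age, or trusted list criterion'
    'e6db77e5-3df2-4cf1-b95a-636979351e5b' = 'Block persistence through WMI event subscription'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PSExec and WMI commands'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
}
# Codes used by AttackSurfaceReductionRules_Actions.
$AsrAction = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
# Codes used by EnableControlledFolderAccess.
$CfaMode   = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit' }

function Get-AsrRuleState {
    # Pairs the two parallel arrays from Get-MpPreference and maps the rules we care about.
    param($Pref)
    $ids     = @($Pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
    $actions = @($Pref.AttackSurfaceReductionRules_Actions)
    $configured = @{}
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $configured[([string]$ids[$i]).ToLower()] = [int]$actions[$i]
    }
    $state = @{}
    foreach ($guid in $AsrRules.Keys) {
        if ($configured.ContainsKey($guid)) {
            $code = $configured[$guid]
            $state[$AsrRules[$guid]] = if ($AsrAction.ContainsKey($code)) { $AsrAction[$code] } else { "Unknown($code)" }
        }
        else {
            # Not in the list at all: the Intune policy has not reached this device.
            $state[$AsrRules[$guid]] = 'Not configured'
        }
    }
    return $state
}

$pref = Get-MpPreference
$asr  = Get-AsrRuleState -Pref $pref
$asr.GetEnumerator() | Sort-Object -Property Name | ForEach-Object { '{0,-15} {1}' -f $_.Value, $_.Name }

$cfaCode = [int]$pref.EnableControlledFolderAccess
$cfa = if ($CfaMode.ContainsKey($cfaCode)) { $CfaMode[$cfaCode] } else { "Unknown($cfaCode)" }
"Controlled Folder Access: $cfa"
"Tamper protection:        $((Get-MpComputerStatus).IsTamperProtected)"
```

A rule that shows “Not configured” here but “Block” in the Intune policy is the usual sign of a policy conflict (for example a second ASR profile or a Configuration Manager co-management workload still owning Endpoint Protection), which the portal report will not explain.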
Finally, I’d be interested to hear which device security recommendations you’ve had to rethink and adapt? Do you have a different opinion or experience with a specific policy? Are there any questions about specific settings? Or could you implement a policy more easily than I described? Let me know in the comments. I will try to update the article continuously, as soon as new or updated device security recommendations are added.