Modern Device Management

Microsoft Defender for Endpoint Device Control protects against data loss by monitoring and controlling media use of removable storage devices and USB drives. It is part of the Attack Surface Reduction profiles which enables auditing, read, write or execute access to removable storage. Once you enable Device Control policy, you can find the device control report in the Microsoft 365 security center . However, please note that the device control report can have a 12-hour delay from the time a media connection occurs to the time the event is reflected in the card or in the domain list. I recently came across a situation where there was a requirement for allowing the use of USB screen sharing solutions like Barco Clickshare . They are normally used in VC Meeting rooms and the process for activation requires plugging them into a laptop and running the application executable. To ensure the use of such devices, you either disable the Device Control policy or simply create a whitelist. C...

Controlled folder access is a feature that helps protect your documents and files from modification by suspicious or malicious apps. It does so by checking apps against a list of trusted apps. This is particularly important during Ransomware attacks when user data can get encrypted which is normally found in common system folders. Here is a list of Windows system folders that are protected by default: c:\Users\<username>\Documents c:\Users\Public\Documents c:\Users\<username>\Pictures c:\Users\Public\Pictures c:\Users\Public\Videos c:\Users\<username>\Videos c:\Users\<username>\Music c:\Users\Public\Music c:\Users\<username>\Favorites The protected folders also include boot sectors and you can add more folders, allow specific apps access to the protected folders or exclude them all together. I recently dealt with one such application that needed to be allowed access to the protected folders. The app in question is Symantec Encryption Desktop. The first ind...

Last year I had posted a blog on enabling Attack Surface Reduction rules within Microsoft Defender for Endpoint using Intune . This time I will be covering a particular use case that involves one of the ASR rules 'Block process creations originating from PSExec and WMI commands' and challenges around enabling it on devices running ConfigMgr agent. If you are managing ASR rules using Intune or another MDM provider, then there is little to no problem in enabling ASR rules. However, if you are managing the ASR rules using ConfigMgr or if your devices are running ConfigMgr client, then some of the ASR rules are not supported.  I am currently working on an implementation project of Defender for Endpoint where devices are in Co-managed state and the ASR rules are being deployed using Intune. As part of testing, I enabled all the ASR rules and all of a sudden started to see application installations to fail. My first clue was  seeing 'Access denied' errors in Appenforce.log. I...