Endpoint Security
Microsoft Version 2306
Services
Module Overview
• Lesson 1: Endpoint security profile overview
• Lesson 2: Microsoft Defender Antivirus
• Lesson 3: Disk Encryption (BitLocker)
• Lesson 4: Windows Hello for Business
• Lesson 5: Device Firmware Configuration Interface (DFCI)
• Lesson 6: Windows Update
Security by default
In Windows 11, hardware and software security work together to help keep users, data, and devices protected.
• Protects out-of-the-box with security controls on by default.
• Protects against threats with a hardware root-of-trust for powerful security from the start.
• Protects identities with passwordless security.
• Delivers robust application security and prevents execution of unverified apps.
Windows 11 delivers powerful protection from chip to cloud.
* Some features require a new PC or a clean install of the OS.
Raising the bar for security
Windows 11: a powerful combination of hardware root-of-trust and silicon-assisted security.
• Protects and maintains system integrity as the firmware loads.
• Strengthens security for features like Windows Hello and BitLocker with TPM 2.0.
• Protects code integrity and critical information with virtualization-based security (VBS).
Silicon Assisted Security
• Enables virtualization-based security (VBS) and hypervisor-protected code integrity (HVCI) by default with 22H2.
• Has Credential Guard on by default (Windows 11 22H2 Enterprise on eligible hardware).
• Building blocks: Secured Kernel, Identity Protection, DMA and Memory Protection, Firmware Protection.
The Windows Defense Stack
PRE-BREACH
• Device protection: device integrity, device health attestation, device control, Device Guard
• Threat resistance: SmartScreen, Windows Firewall, Microsoft Edge, AppLocker, Device Guard, Microsoft Defender Antivirus, network/firewall, Microsoft Defender Application Guard
• Identity protection: Windows Hello for Business, built-in 2FA (Microsoft Passport), Credential Guard, account lockdown, Conditional Access
• Information protection: BitLocker drive encryption, BitLocker to Go, Enterprise Data Protection, Data Loss Prevention, Conditional Access
POST-BREACH
• Breach detection, investigation & response: Microsoft Defender for Endpoint
Security policies underpin every layer of the stack.
Lesson 1: Endpoint Security Profile
Overview
• In this lesson, you get an overview about the
endpoint security profiles
Endpoint security in Intune
• Endpoint security node
  • Groups all tools available through Intune to configure and manage security-related tasks.
  • The same settings can also be configured with Device Configuration profiles; configure each setting in one place only to avoid policy conflicts.
• Baselines
• Antivirus
• Disk encryption
• Endpoint detection and response
• Attack surface reduction
• Account protection
• Compliance and Conditional Access
Device Management vs. Endpoint Security
Device Configuration
• Long list of configuration and security settings
• Template objects to make settings management easier
• Shopping cart experience with the settings catalog
• Device management focussed
• Prefer if the workload is resource access or settings related
Endpoint Security
• Curated experience for security management
• Focussed on the workload (not where the setting resides)
• Enhanced operational reporting
• Security admin focussed
• Prefer if the workload is endpoint security; complete with device configuration settings
Security Baseline
• Helps secure and protect users and devices
• Pre-configured groups of settings recommended by Microsoft's security teams, for example:
  • Enables BitLocker
  • Creates password settings
  • Disables basic authentication
  • …
• Analyze and test the settings before production! Baselines are versioned and can conflict with settings already deployed through other profiles.
Security Baseline - Profiles
• A Security Baseline creates a standard configuration profile
• Assignment and monitoring work as usual
Antivirus Profile
• Supports
  • macOS and Windows AV settings
  • Windows Security app experience settings
  • Co-managed, tenant attached and MDE attached devices
Disk Encryption Profile
• Supports
  • macOS and Windows disk encryption settings
  • Silently enable BitLocker for Azure AD joined devices. Silent encryption needs the settings the profile marks for it: require device encryption, allow standard users to enable encryption during Azure AD join, block other disk encryption warnings, and TPM-only startup authentication (no PIN or startup key), so that no user interaction is required.
Firewall Profile
• Supports
  • macOS and Windows firewall profile settings
  • Two different profile types: general settings (conflicting settings are not sent to the device) and rule settings (rules from multiple profiles are merged)
Endpoint detection and response
• Onboarding to Defender for Endpoint
  • For Intune managed devices
  • For Configuration Manager managed devices (tenant attach required)
  • Option to use automatic onboarding (tenant connector) or a specific onboarding package
Attack Surface Reduction
• Profiles for
  • Device control (secures removable media access, USB)
  • Attack surface reduction rules (block or audit specific risky behaviours, e.g. Office apps spawning child processes)
  • App and browser isolation (run app/browser in an isolated VM)
  • Exploit protection (applies process mitigations)
  • Web protection (blocks access to malicious sites)
  • Application control (restrict applications)
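The following PowerShell is an added example, not part of the course deck: it reports the local state of a set of ASR rules, shows how to put one rule into audit mode, and reads the resulting Defender events. The rule GUIDs are Microsoft's published ASR rule IDs (verify against the current reference before relying on them); the event IDs 1121 (block) and 1122 (audit) are the documented ASR events in the Defender operational log.

```powershell
#Requires -RunAsAdministrator
# Report local ASR rule state, switch a rule to audit mode, and read ASR events.
# Added example; rule GUIDs are Microsoft's published ASR rule IDs (verify against docs).
$AsrRuleNames = @{
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office applications from creating executable content'
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript/VBScript from launching downloaded executable content'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PSExec and WMI commands'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
    '56a863a9-875e-4185-98a7-b882c64b5ce5' = 'Block abuse of exploited vulnerable signed drivers'
    'e6db77e5-3df2-4cf1-b95a-636979351e5b' = 'Block persistence through WMI event subscription'
}
# Action values as stored in AttackSurfaceReductionRules_Actions
$AsrActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    # Ids and Actions are parallel arrays; pair them by index
    $configured = @{}
    for ($i = 0; $i -lt $ids.Count; $i++) { $configured[$ids[$i].ToLower()] = [int]$acts[$i] }
    $allIds = @($AsrRuleNames.Keys) + @($configured.Keys) | Sort-Object -Unique
    foreach ($id in $allIds) {
        $name = if ($AsrRuleNames.ContainsKey($id)) { $AsrRuleNames[$id] } else { 'Unknown rule' }
        $mode = if ($configured.ContainsKey($id)) { $AsrActionNames[$configured[$id]] } else { 'Not configured' }
        [pscustomobject]@{ RuleId = $id; Rule = $name; Mode = $mode }
    }
}

function Set-AsrRuleAudit {
    param([Parameter(Mandatory)][string]$RuleId)
    # Audit first: 1122 events show what would have been blocked before moving to Block.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions AuditMode
}

function Get-AsrEvents {
    param([int]$Days = 7)
    # 1121 = blocked by an ASR rule, 1122 = audited (would have been blocked)
    Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
            Message = $_.Message
        }
    }
}

Get-AsrRuleState | Format-Table -AutoSize
Get-AsrEvents -Days 7 | Select-Object -First 20
```

On an Intune-managed device the MDM-delivered ASR policy takes precedence over values set locally with Add-MpPreference, so use Set-AsrRuleAudit only on lab devices; in production, change the mode in the ASR profile and confirm the result with Get-AsrRuleState.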
Application Control (Preview)
• Defender Application Control
  • Import a WDAC policy
  • Define a "managed installer"
Account protection I
• Profiles for
  • Windows Hello for Business
  • Credential Guard
Account protection II
• Local user group memberships
  • Profile uses the "LocalUsersAndGroups" CSP
  • Windows 10 20H2 or newer required
  • Privileges using this policy are evaluated only for these six built-in groups: Administrators, Users, Guests, Power Users, Remote Desktop Users, Remote Management Users
Windows LAPS
• Built into Windows 10 and 11 since the April 2023 cumulative update (2023-04)
• Gives every device a unique, automatically rotated local administrator password
• Protection against pass-the-hash and lateral movement attacks
• Improved security for remote help desk scenarios
• Ability to sign in to and recover devices that are otherwise inaccessible
• Fine-grained security model
• Support for the Azure role-based access control model for securing passwords that are stored in Azure
Microsoft Defender for Endpoint
Security platform that
enables customers to:
• Detect, investigate and
respond to advanced
threats on their networks
Intune configures:
• Onboarding information
• Telemetry frequency
• Sample sharing policy
Unified Endpoint Security
• Deploy security configurations without Intune enrollment
  • Tenant attach: devices enrolled in Configuration Manager
  • MDE attach (security settings management): devices enrolled in Defender for Endpoint
  • Devices enrolled in Intune continue to use regular MDM management
Lesson 2: Microsoft Defender Antivirus
• In this lesson, you will learn about the Microsoft
Defender Antivirus feature
Overview
• Behavior-based, heuristic, and real-time
antivirus protection
• Always-on scanning using file and process behavior monitoring and
other heuristics (also known as "real-time protection"). It also includes
detecting and blocking apps that are deemed unsafe but may not be
detected as malware.
• Cloud-delivered protection
• Near-instant detection and blocking of new and emerging threats.
• Dedicated protection and product updates
• Updates related to keeping Microsoft Defender Antivirus up to date with
Security Intelligence Updates (Signatures and Engine) and Antimalware
Platform updates (Common Antimalware Platform, CAMP).
Additional Features
• Cloud-delivered protection
  • Microsoft Active Protection Service (MAPS) must be joined
  • Samples can be sent
• Block at first sight (BAFS) protection
  • Defender prevents a suspicious file from running and queries the cloud service
  • 10 s default wait time for the cloud check (can be extended)
• Potentially unwanted applications (PUA) protection
  • Not considered a virus or malware, but may affect performance or use, e.g. advertising software and others
• Tamper protection
  • Prevents users or apps from disabling Defender features (real-time protection, cloud protection, etc.) through the registry, PowerShell cmdlets or Group Policy; changes delivered through Intune still apply
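The following PowerShell is an added example, not part of the course deck: it reads the settings discussed above from a local Windows 10/11 device through the built-in Defender module (Get-MpPreference and Get-MpComputerStatus) and runs the MpCmdRun cloud-connectivity check that BAFS depends on. The pass/fail thresholds (for example a signature age of at most 3 days) are this example's assumptions, not Microsoft defaults.

```powershell
#Requires -RunAsAdministrator
# Audit the Microsoft Defender Antivirus posture of the local device (added example).
# Property names are those exposed by Get-MpPreference / Get-MpComputerStatus.

function Test-DefenderAvPosture {
    [CmdletBinding()]
    param(
        # Assumed threshold for this example, not a Microsoft default
        [int]$MaxSignatureAgeDays = 3
    )
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # Real-time protection and behaviour monitoring ("always-on scanning")
    [pscustomobject]@{ Check = 'Real-time protection';   Value = $status.RealTimeProtectionEnabled; Ok = [bool]$status.RealTimeProtectionEnabled }
    [pscustomobject]@{ Check = 'Behavior monitoring';    Value = $status.BehaviorMonitorEnabled;    Ok = [bool]$status.BehaviorMonitorEnabled }
    # MAPS: 0 = Disabled, 1 = Basic, 2 = Advanced. Cloud-delivered protection needs 1 or 2.
    [pscustomobject]@{ Check = 'MAPS membership';        Value = $pref.MAPSReporting;              Ok = ($pref.MAPSReporting -ge 1) }
    # 0 = Always prompt, 1 = Send safe samples, 2 = Never send, 3 = Send all samples
    [pscustomobject]@{ Check = 'Sample submission';      Value = $pref.SubmitSamplesConsent;       Ok = ($pref.SubmitSamplesConsent -in @(1, 3)) }
    # 0 = Default, 1 = Moderate, 2 = High, 4 = High+, 6 = Zero tolerance
    [pscustomobject]@{ Check = 'Cloud block level';      Value = $pref.CloudBlockLevel;            Ok = ($pref.CloudBlockLevel -ge 2) }
    # BAFS waits 10 s by default; CloudExtendedTimeout adds more seconds for cloud verdicts
    [pscustomobject]@{ Check = 'Cloud extended timeout'; Value = $pref.CloudExtendedTimeout;       Ok = ($pref.CloudExtendedTimeout -ge 10) }
    # PUA: 0 = Disabled, 1 = Block, 2 = Audit
    [pscustomobject]@{ Check = 'PUA protection';         Value = $pref.PUAProtection;              Ok = ($pref.PUAProtection -eq 1) }
    [pscustomobject]@{ Check = 'Tamper protection';      Value = $status.IsTamperProtected;        Ok = [bool]$status.IsTamperProtected }
    [pscustomobject]@{ Check = 'Signature age (days)';   Value = $status.AntivirusSignatureAge;    Ok = ($status.AntivirusSignatureAge -le $MaxSignatureAgeDays) }
}

function Test-DefenderCloudConnectivity {
    # MpCmdRun.exe -ValidateMapsConnection contacts the MAPS endpoints the device needs for
    # cloud-delivered protection and block at first sight. Exit code 0 = reachable.
    $mpcmd = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
    $out = & $mpcmd -ValidateMapsConnection 2>&1
    [pscustomobject]@{ Reachable = ($LASTEXITCODE -eq 0); Output = ($out -join "`n") }
}

$posture = Test-DefenderAvPosture
$posture | Format-Table -AutoSize
if ($posture | Where-Object { -not $_.Ok }) { Write-Warning 'One or more Defender settings are weaker than expected' }
Test-DefenderCloudConnectivity
```

A device that reports MAPS membership and sample submission as Ok but fails the connectivity check gets no cloud verdicts at all: BAFS will time out and fall back to local detection only, which is why the proxy or firewall path to the MAPS endpoints belongs in the same checklist as the policy itself.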
Device Overview
• Get device state regarding Defender Antivirus
• Summary view in Endpoint Security blade
• Additional views in the Reports blade
Lesson 3: BitLocker Disk Encryption
• In this lesson, you will learn about the BitLocker disk encryption feature
What is BitLocker?
• Drive encryption feature
• Prevents offline attacks (lost or stolen laptop)
• Integrity checking of early boot components and pre-boot authentication
BitLocker - Automatic Device Encryption
• Prerequisites:
  • The device contains a TPM 1.2 or TPM 2.0 (Windows 10) or a TPM 2.0 (Windows 11)
  • UEFI Secure Boot is enabled, Platform Secure Boot is enabled
  • DMA protection is enabled, 250 MB free disk space
  • Compliant hardware with Modern Standby (InstantGo) or HSTI-compliant hardware
  • Windows 10 1809 or newer, so that encryption also runs for standard users with this configuration (the Intune profile settings marked as needed for silent encryption)
BitLocker - Recovery
• When does BitLocker recovery mode come into action?
  • As soon as the hardware configuration is changed
  • The PIN was entered incorrectly too many times (the anti-hammering threshold depends on the TPM chip)
  • BIOS configuration change
  • BIOS update
  • TPM firmware updates
  • Updates of system components which modify boot components
  • Partitioning the OS drive
  • Completely depleting the charge of the battery
  • …
BitLocker - Recovery Key
• Admin view: recovery keys on the device record in Intune / Azure AD
• User view: https://myaccount.microsoft.com/
BitLocker - Key Rotation
• Prevents re-use of a recovery key
• Rotate automatically after use (client-driven) or manually (remote task)
BitLocker - Encryption report
• Reports the overall encryption status and readiness
Check BitLocker Status on Client
• MDM report
• Event Viewer
• Command line
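The following PowerShell is an added example, not part of the course deck: it shows the command-line and Event Viewer checks listed above with the built-in BitLocker module, flags the "encrypted but protection suspended" state that can remain after a firmware update, and escrows recovery passwords to Azure AD (the store behind the admin and user views shown earlier). It assumes an elevated prompt on an Azure AD joined device.

```powershell
#Requires -RunAsAdministrator
# Check BitLocker state on a client from the command line (added example).
# Mirrors what the MDM encryption report and the BitLocker Management event log show.

function Get-BitLockerPosture {
    foreach ($v in Get-BitLockerVolume) {
        # Recovery-password protectors are what Intune/Azure AD escrow;
        # a TPM-only protector is what silent encryption produces.
        $recovery = @($v.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        [pscustomobject]@{
            MountPoint       = $v.MountPoint
            VolumeType       = $v.VolumeType            # OperatingSystem / Data
            VolumeStatus     = $v.VolumeStatus          # FullyEncrypted, EncryptionInProgress, FullyDecrypted, ...
            ProtectionStatus = $v.ProtectionStatus      # On = protectors active; Off = clear key (suspended) or no protectors
            EncryptionMethod = $v.EncryptionMethod      # e.g. XtsAes128 / XtsAes256
            Percent          = $v.EncryptionPercentage
            Protectors       = ($v.KeyProtector.KeyProtectorType -join ', ')
            RecoveryPwdIds   = ($recovery.KeyProtectorId -join ', ')
        }
    }
}

function Test-BitLockerOsDriveSuspended {
    # Fully encrypted but ProtectionStatus Off means the volume key is stored in the clear
    # (Suspend-BitLocker), e.g. left behind by a firmware or TPM update. It must not stay so.
    $os = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem'
    return ($os.VolumeStatus -eq 'FullyEncrypted' -and $os.ProtectionStatus -eq 'Off')
}

function Get-BitLockerEvents {
    param([int]$Hours = 72)
    # Recovery, protector changes and escrow results land in this log (Event Viewer view)
    Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
        StartTime = (Get-Date).AddHours(-$Hours)
    } | Select-Object TimeCreated, Id, LevelDisplayName, Message
}

function Backup-OsRecoveryPasswordToAzureAD {
    # Escrow every recovery password of the OS drive to the Azure AD device record.
    $os = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem'
    foreach ($kp in ($os.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $os.MountPoint -KeyProtectorId $kp.KeyProtectorId
    }
}

Get-BitLockerPosture | Format-Table -AutoSize
if (Test-BitLockerOsDriveSuspended) { Write-Warning 'OS drive is encrypted but protection is suspended (clear key on disk)' }
Get-BitLockerEvents -Hours 72 | Select-Object -First 20
# Legacy equivalent of the status view: manage-bde -status
```

If Get-BitLockerPosture shows no RecoveryPassword protector on the OS drive, there is nothing to escrow and the user will have no recovery key in the portal; add one with Add-BitLockerKeyProtector -RecoveryPasswordProtector before running the backup.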
Lesson 4: Windows Hello for Business
• This lesson is a short overview of passwordless authentication
Strategy to Passwordless
1. Develop a password replacement offering
2. Reduce the user-visible password surface area
3. Transition into a passwordless deployment
4. Eliminate passwords from the identity directory
Available Technologies
• Hello for Business
  • Keys are stored locally
  • Key is unlocked by biometry or PIN
• Security key sign-in
  • Keys are stored on an external device, e.g. a thumb drive
  • Key may be unlocked by fingerprint or NFC
Windows 10/11 Hello for Business sign-in
1. The user signs in with a bio-gesture, which unlocks the TPM holding the private key
2. Windows sends "hello" to Azure AD
3. Azure AD sends back a nonce
4. Windows uses the private key to sign the nonce and returns it to Azure AD with the key ID
5. Azure AD returns a PRT + encrypted session key protected in the TPM
6. Windows returns the signed PRT and derived session key to Azure AD to verify
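The following PowerShell is an added example, not Microsoft code and not the real protocol implementation: a simplified simulation of the nonce challenge-response in steps 2 to 4 above, with both the device side and the identity-provider side in one script. The "TPM" here is an in-memory RSA key that is never exported; on a real device the private key lives in the TPM and is unlocked by the PIN or biometric gesture. The key-ID derivation (SHA-256 of the public modulus), the 5-minute nonce lifetime and the message shapes are this example's assumptions; PRT issuance (steps 5 and 6) is not modelled.

```powershell
using namespace System.Security.Cryptography
# Simulation of the Hello for Business nonce challenge-response (added example).
# Shows why a signed nonce cannot be replayed and why the private key never leaves the device.

$HashAlg = [HashAlgorithmName]::SHA256
$Padding = [RSASignaturePadding]::Pkcs1

# ----- Device side: "Windows" with a "TPM" -----
$DeviceKey  = [RSACng]::new(2048)                  # created inside the TPM at provisioning
$PublicOnly = $DeviceKey.ExportParameters($false)   # only the public half ever leaves the TPM
# Key ID = SHA-256 of the public modulus (assumed scheme); the IdP stores it at provisioning
$KeyId = [Convert]::ToBase64String([SHA256]::Create().ComputeHash($PublicOnly.Modulus))

function Invoke-DeviceSignNonce {
    param([byte[]]$Nonce)
    # Step 4: sign the server nonce with the TPM-held key; only the signature is sent
    @{ KeyId = $KeyId; Nonce = $Nonce; Signature = $DeviceKey.SignData($Nonce, $HashAlg, $Padding) }
}

# ----- Identity provider side: "Azure AD" -----
$RegisteredKeys    = @{ $KeyId = $PublicOnly }   # key ID -> public key, from provisioning
$OutstandingNonces = @{}                          # nonce -> expiry; consumed on first use

function New-ServerNonce {
    # Step 3: random, single-use nonce with a short validity window
    $n = New-Object byte[] 32
    [RandomNumberGenerator]::Create().GetBytes($n)
    $OutstandingNonces[[Convert]::ToBase64String($n)] = (Get-Date).AddMinutes(5)
    return ,$n
}

function Test-ServerNonceResponse {
    param($Response)
    $k = [Convert]::ToBase64String($Response.Nonce)
    if (-not $OutstandingNonces.ContainsKey($k)) { return $false }     # unknown or replayed nonce
    $expires = $OutstandingNonces[$k]; $OutstandingNonces.Remove($k)   # consume it
    if ((Get-Date) -gt $expires) { return $false }                       # stale nonce
    if (-not $RegisteredKeys.ContainsKey($Response.KeyId)) { return $false }
    try {
        $verifier = [RSA]::Create()
        $verifier.ImportParameters($RegisteredKeys[$Response.KeyId])   # public key only
        return $verifier.VerifyData($Response.Nonce, $Response.Signature, $HashAlg, $Padding)
    } catch { return $false }
}

# ----- The exchange -----
$nonce = New-ServerNonce                            # step 3 (after the "hello" of step 2)
$resp  = Invoke-DeviceSignNonce -Nonce $nonce       # step 4
"First response accepted:    $(Test-ServerNonceResponse $resp)"   # True
"Replayed response accepted: $(Test-ServerNonceResponse $resp)"   # False: nonce already consumed
$forged = @{ KeyId = $KeyId; Nonce = (New-ServerNonce); Signature = (New-Object byte[] 256) }
"Forged signature accepted:  $(Test-ServerNonceResponse $forged)" # False: signature does not verify
```

The security property the steps rely on is visible in the three outputs: the server only ever sees a signature over a nonce it generated, so captured traffic is useless for replay, and without the TPM-held private key an attacker cannot produce a signature the registered public key accepts.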
Lesson 5: Device Firmware Configuration Interface
• In this lesson, you will learn about the Device Firmware Configuration Interface (DFCI) feature
Device Firmware Configuration Interface I
• Pass management commands from Intune to UEFI (Unified Extensible Firmware Interface)
  • Example: disable the camera at the firmware layer. Neither the user nor a reinstallation of the OS can turn it back on.
• DFCI uses public key cryptography
  • Does not depend on local UEFI password security
• Requirements
  • DFCI must be integrated by the OEM
  • The device must be registered for Autopilot by a CSP or OEM
  • Manually registered devices (CSV import) will not work
Device Firmware Configuration Interface II
• Currently, DFCI is supported on the following devices:
Windows 11 Config Lock
• Ensures that a Secured-core PC isn't unintentionally misconfigured. Config Lock locks several policies, e.g.:
  • BitLocker
  • PassportForWork
  • Windows Defender Control
  • Application Control
  • SmartScreen
  • Device Installation
  • Device Guard
  • …
• OMA-URI: ./Vendor/MSFT/DMClient/Provider/MS%20DM%20Server/ConfigLock/Lock
  Data type: Integer
  Value: 1
Lab: Configure
Windows Security with
Intune
Exercise: Create
Defender, Bitlocker
and Hello for Business
configuration profile
Lesson 6: Windows Update
• In this lesson, you will learn about Windows Update and how it is implemented in Intune
Windows Lifecycle
Windows 10 up to 21H1
• Two releases per year till 21H1
• Home and Pro editions: 18 months support
• Enterprise editions: 18 months (Spring), 30 months (Fall) support
Windows 10 since 21H2
• Aligned to Windows 11
• Home/Pro 18 months support
• Enterprise 30 months support
• Formal support ends October 14, 2025 (except LTSC editions)
Windows 11
• One release per year
• Monthly cumulative quality updates
• Home and Pro editions: 24 months support
• Enterprise editions: 36 months support
Windows 11 Hardware Requirements
To install or upgrade to Windows 11, devices must meet a set of minimum hardware requirements:
• Processor: 1 gigahertz (GHz) or faster with two or more cores on a compatible 64-bit processor or system on a chip (SoC)
• RAM: 4 GB or greater
• Storage space: 64 GB or larger
• Graphics card: compatible with DirectX 12 or later with a WDDM 2.0 driver
• System firmware: UEFI, Secure Boot capable
• TPM: Trusted Platform Module (TPM) version 2.0
• Display: high definition (720p) display, 9" or greater, 8 bits per color channel
• Internet connection: internet access is required to perform updates and to download and take advantage of some features. Windows 11 Home edition requires internet connectivity and a Microsoft Account to complete device setup on first use.
Note: S mode is only supported on Home Edition on Windows 11. If you are running a different edition of Windows in S mode, you will need to first switch out of S mode prior to upgrading. Switching a device out of Windows 10 in S mode also requires internet connectivity.
Learn more: https://www.microsoft.com/windows/windows-11-specifications
Migration to Windows 11
• Several tools are available to check for Windows 11 readiness:
  • Endpoint Analytics
  • PC Health Check tool
  • Windows 11 hardware readiness script
  • Windows Update for Business reports
• Consistent management and servicing: upgrade to Windows 11 using the tools and processes you already have in place today for Windows 10.

Upgrade channel | Management tools and analytics (upgrade support by general availability)
On-premises | Windows Server Update Services, Windows Update for Business; Configuration Manager; Group Policy Management Console (GPMC), local Group Policy; Endpoint Analytics
The cloud | Microsoft Intune, Windows Update for Business; Windows Update for Business reports, Endpoint Analytics
Third-party | Third-party management tools and analytics *
*Dependent on third-party partner support.
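The following PowerShell is an added example, not the course deck's and not Microsoft's own hardware readiness script: a local check of the Windows 11 minimums listed above (processor, RAM, storage, UEFI/Secure Boot, TPM 2.0). The graphics (DirectX 12 / WDDM 2.0) and display requirements are not checked. It reads the TPM through the Win32_Tpm WMI class, which needs an elevated prompt.

```powershell
# Windows 11 hardware readiness check against the published minimums (added example).
function Test-Win11Readiness {
    $results = [System.Collections.Generic.List[object]]::new()
    $add = { param($Name, $Observed, $Pass)
        $results.Add([pscustomobject]@{ Requirement = $Name; Observed = $Observed; Pass = [bool]$Pass }) }

    # Processor: >= 1 GHz, >= 2 cores, 64-bit
    $cpu = Get-CimInstance Win32_Processor | Select-Object -First 1
    & $add 'Processor' "$($cpu.Name.Trim()) ($($cpu.NumberOfCores) cores, $($cpu.MaxClockSpeed) MHz, $($cpu.AddressWidth)-bit)" `
        ($cpu.NumberOfCores -ge 2 -and $cpu.MaxClockSpeed -ge 1000 -and $cpu.AddressWidth -eq 64)

    # RAM: >= 4 GB (TotalPhysicalMemory reports a little less than installed, hence the rounding)
    $ramGb = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB)
    & $add 'RAM' "$ramGb GB" ($ramGb -ge 4)

    # Storage: system drive >= 64 GB
    $disk   = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
    $diskGb = [math]::Round($disk.Size / 1GB)
    & $add 'Storage (system drive)' "$diskGb GB" ($diskGb -ge 64)

    # Firmware: UEFI and Secure Boot capable. Confirm-SecureBootUEFI throws on legacy BIOS
    # and returns $false when Secure Boot is supported but currently disabled.
    $uefi = ($env:firmware_type -eq 'UEFI')
    try   { $sbOn = Confirm-SecureBootUEFI; $sbCapable = $true }
    catch { $sbOn = $false; $sbCapable = $false }
    & $add 'Firmware' "type=$($env:firmware_type), SecureBootCapable=$sbCapable, SecureBootOn=$sbOn" ($uefi -and $sbCapable)

    # TPM 2.0: Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38"; requires elevation
    $tpm = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmVer = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }
    & $add 'TPM' "version $tpmVer, enabled=$($tpm.IsEnabled_InitialValue)" ($tpmVer -eq '2.0' -and $tpm.IsEnabled_InitialValue)

    return $results
}

$r = Test-Win11Readiness
$r | Format-Table -AutoSize
"Windows 11 ready: $(-not ($r | Where-Object { -not $_.Pass }))"
```

A device that passes every row except "Firmware" with SecureBootCapable=true and SecureBootOn=false is upgradeable, since the requirement is Secure Boot capability, but it will not meet the BitLocker automatic encryption or Secured-core expectations from Lesson 3 until Secure Boot is switched on in the firmware.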
Windows Update Types
• Feature Updates: previously referred to as upgrades, Feature Updates contain significant feature additions and changes; Windows 10 released them semi-annually, Windows 11 releases them once a year.
• Quality Updates: traditional operating system updates, typically released on the second Tuesday of each month. These include security, critical, and driver updates.
• Non-deferrable updates: currently antimalware and antispyware Definition Updates

Category | Maximum deferral | Deferral increments | Example
Feature Updates | 365 days | Days | In Windows 10/11 the maximum is 365 days
Quality Updates | 30 days | Days | Security updates; drivers (optional); non-security updates; Microsoft updates (Office, Visual Studio, etc.)
Non-deferrable | No deferral | No deferral | Security Intelligence Updates (definitions and engine)
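The following PowerShell is an added example, not part of the course deck: it reads the Windows Update for Business settings that an update ring actually delivered to a client (Intune values are mirrored under the PolicyManager registry key, Group Policy values under the WindowsUpdate policy key; the value names are those of the Update policy CSP), validates the deferrals against the maximums in the table above, and derives the end of an active pause from the documented 35-day pause limit. The registry locations and the 35-day limit are stated here from Microsoft's documentation; treat them as assumptions to verify on your build.

```powershell
# Read and validate the WUfB update-ring settings present on a client (added example).
function Get-WufbClientPolicy {
    # MDM (Intune) values are mirrored under PolicyManager; Group Policy values under Policies
    $sources = [ordered]@{
        MDM = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'
        GPO = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    }
    $names = 'DeferFeatureUpdatesPeriodInDays', 'DeferQualityUpdatesPeriodInDays',
             'PauseFeatureUpdatesStartTime', 'PauseQualityUpdatesStartTime',
             'BranchReadinessLevel', 'ActiveHoursStart', 'ActiveHoursEnd'
    foreach ($src in $sources.GetEnumerator()) {
        $props = Get-ItemProperty -Path $src.Value -ErrorAction SilentlyContinue
        foreach ($n in $names) {
            if ($props -and $null -ne $props.$n) {
                [pscustomobject]@{ Source = $src.Key; Setting = $n; Value = $props.$n }
            }
        }
    }
}

function Test-WufbDeferral {
    param([int]$FeatureDays, [int]$QualityDays)
    # Limits from the deferral table: feature updates 0-365 days, quality updates 0-30 days
    [pscustomobject]@{
        FeatureDeferralDays  = $FeatureDays
        FeatureDeferralValid = ($FeatureDays -ge 0 -and $FeatureDays -le 365)
        QualityDeferralDays  = $QualityDays
        QualityDeferralValid = ($QualityDays -ge 0 -and $QualityDays -le 30)
    }
}

function Get-WufbPauseState {
    param($Policy)
    # A pause is stored as its start time; it expires automatically after at most 35 days
    foreach ($kind in 'Feature', 'Quality') {
        $start = ($Policy | Where-Object Setting -eq "Pause${kind}UpdatesStartTime" | Select-Object -First 1).Value
        if ($start) {
            $startDate = [datetime]::Parse($start)
            [pscustomobject]@{
                Updates     = $kind
                PausedSince = $startDate
                PauseEnds   = $startDate.AddDays(35)
                Active      = ((Get-Date) -lt $startDate.AddDays(35))
            }
        }
    }
}

$policy = Get-WufbClientPolicy
$policy | Format-Table -AutoSize
$f = ($policy | Where-Object Setting -eq 'DeferFeatureUpdatesPeriodInDays' | Select-Object -First 1).Value
$q = ($policy | Where-Object Setting -eq 'DeferQualityUpdatesPeriodInDays' | Select-Object -First 1).Value
Test-WufbDeferral -FeatureDays ([int]$f) -QualityDays ([int]$q)
Get-WufbPauseState -Policy $policy
```

When both an MDM and a GPO row appear for the same setting, the device is receiving the same policy from two sources; this is the conflict the "consistent management" guidance above warns about, and the ring behaviour will depend on which source Windows applies last.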
Windows Feature Update Management
• Deploy updates in staged rings with Windows Update for Business
• Intune manages the update policy assignment
• Basic telemetry (diagnostic data) needs to be enabled on Windows 10/11 devices
Ring model (group size grows from left to right):
• Windows Insider Channels: Ring 0 (self managed)
• General Channel: Plan and Prepare (Ring 1), Pilot (Ring 2, Ring 3), Broad Deployment (Ring A, Ring B, …)
Windows Release Health Dashboard
• Get insights about releases, known issues and further details
• Available in admin.microsoft.com
Windows Software Update Ring Settings
• Flexible ring handling options
Windows 10/11 Feature Updates
• Device installs and remains on the configured feature level
• Receives quality updates as defined in the update ring
• Can be used for automatic upgrade; define when the upgrade becomes available, once prerequisites are met
• Based on the Windows Update for Business deployment service
Windows 10/11 Quality Updates (expedite)
• Speed up quality updates or out-of-band security updates
• Policy ignores regular update rings (deferrals and pauses)
• Helps accelerate necessary restarts
• Uses Windows Push Notification
• Prerequisites
  • Windows 10/11 license
  • Intune enrolled
  • AADJ or Hybrid AADJ
  • Update Health Tools
  • Windows Health Monitoring
Windows Updates Reports
• Various reports in the Intune portal
Windows Update for Business reports
• Monitor updates and patch compliance
• Access the Overview, Quality, and Feature Update experiences directly from the Microsoft 365 admin center or through the Azure Monitor Workbooks Gallery
• Requires configuring an Azure subscription and a Log Analytics workspace
Windows Update Deployment Service
• Cloud service that provides approval, scheduling and safeguarding of updates
• Flow: the tool (PowerShell, MS Graph or Endpoint Manager) approves content with its own processes; the deployment service conveys approval, scheduling and device selection; Windows Update offers the approved content to devices
• Graph API already available
Driver & Firmware Servicing (preview)
• IT admins browse driver (.sys) scan results in Microsoft Intune, then approve and schedule drivers
• Devices scan against Windows Update with the deployment service; approved drivers are offered to and installed on the enterprise's devices
• Public preview upcoming
Windows Autopatch I
• Automatically organize and deploy updates
• Shifts planning and operations of the update process to Microsoft
• Contains Windows 10/11 quality and feature updates, Microsoft 365 Apps, driver and firmware updates
• Intune (or co-management) and Windows 10/11 Enterprise E3 required
• Autopatch uses regular Intune profiles
• Uses a ring-based approach
• Key capabilities for issues: halt feature, rollback feature, selectivity feature
Windows Autopatch II
• Autopatch onboarding and readiness assessment: allow access, enroll, check readiness during enrollment
Windows Autopatch III
• Define device candidates: AAD group membership
• Device discovery and actions: automated ring assignment
Windows Autopatch IV
• Configuration objects created
  • AAD groups
  • Configuration profiles
  • Update rings
  • Feature update rings
Delivery Optimization I
• Overview
  • Cloud managed solution (device requires Internet access)
  • Devices contact Windows Update directly
  • Delivery Optimization self-organizes a distributed cache
  • Configurable boundaries with peering groups
  • Configurable bandwidth restrictions
  • More options to configure …
Delivery Optimization II
• Download mode dictates which download sources clients can use
• Default (1, LAN): the DO cloud service finds clients behind the same public IP; these clients attempt to connect to other peers using their private subnet IP
Microsoft Connected Cache
• Protects WAN links
• Cache server acts as an on-demand transparent cache for Delivery Optimization
• Process
  • Client checks for content and gets the address for the CDN
  • Client requests content from the cache server (which downloads and caches the content on demand)
• Rebranded with Configuration Manager 1910 from DOINC (Delivery Optimization In-Network Cache) to Microsoft Connected Cache
• Upcoming: standalone cache server
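The following PowerShell is an added example, not part of the course deck, covering both the download-mode discussion (Delivery Optimization II) and the Connected Cache process above: it reads the Delivery Optimization policy a client received (Intune values under the PolicyManager key, Group Policy values under the DeliveryOptimization policy key) and, from the built-in DeliveryOptimization module's Get-DeliveryOptimizationStatus, sums how many bytes of recent downloads came from peers, from a Connected Cache server and straight from HTTP/CDN. The property names are those shown by recent Windows 10/11 builds (BytesFromCacheServer is absent on older builds and then counts as 0); the registry locations are stated from Microsoft's documentation.

```powershell
# Inspect Delivery Optimization on a client: policy in effect and download-source breakdown (added example).
$DoModeNames = @{ 0 = 'HTTP only'; 1 = 'LAN (default)'; 2 = 'Group'; 3 = 'Internet'; 99 = 'Simple'; 100 = 'Bypass (deprecated)' }

function Get-DoPolicy {
    # Intune (MDM) values under PolicyManager, Group Policy values under Policies
    $paths = [ordered]@{
        MDM = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\DeliveryOptimization'
        GPO = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
    }
    foreach ($p in $paths.GetEnumerator()) {
        $v = Get-ItemProperty -Path $p.Value -ErrorAction SilentlyContinue
        if ($v) {
            [pscustomobject]@{
                Source       = $p.Key
                DownloadMode = if ($null -ne $v.DODownloadMode) { "$($v.DODownloadMode) ($($DoModeNames[[int]$v.DODownloadMode]))" } else { 'not set' }
                GroupId      = $v.DOGroupId          # only meaningful for mode 2 (Group)
                CacheHost    = $v.DOCacheHost        # Connected Cache server(s), if configured
            }
        }
    }
}

function Get-DoSourceBreakdown {
    # Each object from Get-DeliveryOptimizationStatus is one file; bytes are split by source
    $jobs = @(Get-DeliveryOptimizationStatus)
    $sum = [ordered]@{ Files = $jobs.Count; FromPeers = [int64]0; FromCacheServer = [int64]0; FromHttp = [int64]0 }
    foreach ($j in $jobs) {
        $sum.FromPeers       += [int64]$j.BytesFromPeers
        $sum.FromCacheServer += [int64]$j.BytesFromCacheServer
        $sum.FromHttp        += [int64]$j.BytesFromHttp
    }
    $total = $sum.FromPeers + $sum.FromCacheServer + $sum.FromHttp
    # Peers and the Connected Cache both keep traffic off the WAN link
    $sum.PercentOffWan = if ($total) { [math]::Round(100 * ($sum.FromPeers + $sum.FromCacheServer) / $total, 1) } else { 0 }
    [pscustomobject]$sum
}

Get-DoPolicy | Format-Table -AutoSize
Get-DoSourceBreakdown
```

A site with a Connected Cache configured but PercentOffWan near zero usually means the clients never reached the cache host (name resolution, firewall, or the DOCacheHost value missing from the policy the devices actually received), which Get-DoPolicy makes visible before anyone looks at the server.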
Lab: Configure
Endpoint Security
© 2023 Microsoft Corporation. All rights reserved.