Endpoint Manager and Windows Defender Application Guard

HOW TO: Deploy Windows Defender Application Guard with Endpoint Manager

In part 2 of the series, I will be taking a closer look at Windows Defender Application Guard (WDAG), specifically for Edge. Not to confused with Windows Defender Application Control (WDAC). Essentially WDAG runs application in a virtualized environment on your Windows 10 device. This way the operating system is protected from any applications that try to interfere with the system.

For Edge, WDAG helps to isolate untrusted websites. By isolating browsers users can safely browse the web without having to worry that they accidently end up on a site that they are not supposed to be on. This isolation happens within a Hyper-V-enabled container. This container is separate from the host operating system. Meaning that if a website turns out to be malicious the host device is protected, and the attacker cannot get the data.

Today this article is about Edge, more specifically the new Chromium version, but these same settings also work for the older Edge and even Internet Explorer. This level of isolation is also available for Microsoft Office, but this will not be covered today.

Other articles in the series:

  1. Windows Defender Application Control
  2. Windows Defender Application Guard
  3. Windows Defender Credential Guard
  4. Windows Defender Device Guard

Prerequisites

  1. A physical test client (64-bit, Virtualization options, minimum of 8GB), joined and enrolled in Endpoint Manager
  2. Windows 10 Enterprise currently supported version
  3. Microsoft subscription with Endpoint Manager

Enable Windows Defender Application Guard

To enable WDAG go to endpoint.microsoft.com, select Devices > Configuration Profiles > New Profile and select Windows 10 and later. For profile select Endpoint Protection.

Fill out the basic information and continue to the next step. Select Microsoft Defender Application Guard to reveal the options. I have applied the following settings, tailor them to your need if needed. In the link you can find the explication of all these settings. If you want to provide a nice experience for your users make sure to enable retain user generated browser data. This way cookies and preferences are saved. Finally apply the policy to a group.

Network boundaries

The next question is how to control what sites are blocked and what site are considered as trusted. The documentation of Microsoft is not particularly clear on this point, but is hidden way in one of the lines of text. Within Endpoint manager you have the options to create a Configuration Profile specifically for network boundaries.

To create a profile go to Devices > Configuration Profiles > New Profile and select Windows 10 and later. For profile select Network boundary. Depending on what you want to whitelist there are special rules and formats you need to apply by.  Also take into account if you want to use wildcards or specific domains. See the explication of Microsoft how to whitelist certain domains. See the explination on how to whitelist domains:

ValueNumbers of dots to the leftMeaning
contoso.com0Trust only the literal value of contoso.com.
www.contoso.com0Trust only the literal value of www.contoso.com.
.contoso.com1Trust any domain that ends with the text contoso.com. Matching sites include spearphishingcontoso.com, contoso.com, and www.contoso.com.
..contoso.com2Trust all levels of the domain hierarchy that are to the left of the dot. Matching sites include shop.contoso.com, us.shop.contoso.com, www.us.shop.contoso.com, but NOT contoso.com itself.

Here are some boundaries that I have added for this article. Most of the resources are Microsoft cloud services, but of course I also added my own website as a safe website.

Network boundary
Cloud Resourcesportal.office.com|tasks.office.com|protection.office.com|meet.lync.com|teams.microsoft.com
Cloud Resourcesoutlook.office.com|outlook.office365.com|portal.office.com
Cloud Resources/*AppCompat*/
Cloud Resourcescontoso.sharepoint.com| contoso-my.sharepoint.com| contoso-files.sharepoint.com
Neutral Resourceslogin.windows.net,login.microsoftonline.com
Neutral Resources.stephanvdkruis.com,.microsoft.com

Final result:

So now you configured WDAG, but what is happening on the background? By enabling WDAG the Windows Defender Application Guard feature is installed on the client. This installation requires a restart so the next time a user turns off its device the feature will be installed. After the feature is live users can start their browser and at first nothing is different then what they are used to. If they immediately start their browser, they might see an initialization popup meaning that the container is being provisioned.

They can go to any trusted site or cloud resources that have been defined as trusted in the boundary policy. However as soon as they try to go to an untrusted website a secure isolated browser is started. See the example below when we browse to google.com.

Endpoint Manager Win32 App Deployment (MSI and EXE)

HOW TO: deploy Win32 application using Endpoint Manager.

With Endpoint Manger you can deploy a variety of different applications to Windows clients.  I have made blog posts about using MSIX packages to provide a modern way to distribute applications. Sometimes MSIX might not be the right solution for you. This blog is about deploying Win32 applications using the Windows App (Win32) capabilities. This form of distributing gives you a lot of control on how and when an application should be installed.

A note of caution, if you start to use Windows App (Win32) app deployment for your environment it is highly recommended that you do not combine Windows App (Win32) with Line-of-Buisiness app installations. Especially if you are planning to use Microsoft Autopilot, the combination of Win32 apps and Line-of-Business apps will cause installations to fail. So, if you decide to use Windows App (Win32), use it for all your applications.

Before you can upload a Win32  application to Endpoint Manager you will need to prepare the application. Essentially you repackage the application and all the dependent files into an .IntuneWin package, which can then be uploaded to Endpoint Manger. To package an application you will need to download the Win32 Content Prep Tool from GitHub.

You will then need to gather all required media to install the application and place them into one folder. I have created two examples, one for .exe applications and one for .msi application. For both types of installations, it is recommended to create two batch files, one for installation and one for the uninstallation. This will provide better control when deploying the application.

For the Citrix Workspace, which is an .exe I have created the following batch files: install.cmd and uninstall.cmd and placed them in a folder togheter with the exe installation file.

Install.cmd:

@ECHO OFF
PUSHD "%~dp0"
"CitrixWorkspaceApp.exe" /silent /noreboot /forceinstall

uninstall.cmd

@ECHO OFF
PUSHD "%~dp0"
"CitrixWorkspaceApp.exe" /silent /uninstall
Citrix Workspace package content

For Acrobat Reader, which is an .msi I have also created the following batch files: install.cmd and uninstall.cmd. These files are added to the installation files.

msiexec /i "%~dp0AcroRead.msi" ALLUSERS=1 /qn /norestart
msiexec /x "%~dp0AcroRead.msi" /q
Acrobat Reader package content

Once you have gathered all the necessary installation media and you have validated that your batch files are working, by running the install.cmd and uninstall.cmd files you are ready to package. To package the applications run IntuneWinAppUtil.exe from an elevated PowerShell prompt. You are prompted for the source folder, which is the folder that contains all the installation files. The setup file is the actual executable and you need to specify an output folder where the .IntuneWin  file will be saved. At this point we do not need a Catalog folder. After the Utillity is ready you will end up with an .IntuneWin file.

Endpoint Manager

Now its time to distribute the application using Endpoint Manger. Login to endpoint.microsoft.com and select Apps and all Apps to Add a new application. Make sure to choose Windows app (Win32) as an app type. The first step is to select your .IntuneWin file and to provide information about the application. I will first start with Citrix Workspace and then add Acrobat Reader.

Application information

The second step specifies how to install the application. For the install and uninstall commands you will need to enter the batch files you created in the beginning. In my case the Install command is install.cmd and the uninstall command is uninstall.cmd. For installation behavior you can choose between system and user. This will determine where the application will be installed, either in the system context or in the user profile, this depends on your application.

Application installation controls

Choosing a restart behavior after the application is installed. Of course, this all depends on your application and whether it requires a reboot. Depending on your needs the following actions are explained:

Determine behavior based on return codes – The device will restart bases on the configured return code.
No specific action – Will suppress a restart during the installation of Win32 apps.
App install may force a device restart – This option means that the Win32 app installation can complete without suppressing restarts. With this configuration a Hard reboot return code will notify the user that a restart of the device will be triggered in 120 minutes. A Soft reboot return code will notify the user that a restart is required to finish the installation.
Intune will force a mandatory device restart – After a successful Win32 app installation the device will be rebooted immediately with no notification.

You get several default return codes. In most cases these return codes will work for you application . . The code configures the post-installation behavior of the Win32 app. If your application uses different access codes, you can use them here. The actions are explained:

Failed – The Failed return code indicates that the Win32 app installation failed.
Hard reboot – The Hard reboot return code indicates that the device is required to restart to complete the installation. Additional Win32 apps cannot be installed on the device without restart. The user will be notified about the required restart.
Soft reboot – The Soft reboot return code indicates that the next Win32 app can be installed without requiring a restart, but a restart is necessary to complete the installation of the installed Win32 app. The user will be notified about the restart.
Retry – The Retry return code indicates that the Win32 app installation is retried three times. The installation will wait for 5 minutes between each attempt.
Success – The Success return code indicates the Win32 app installation was successful.

The third step in the process is to specify the requirements. For the most part these are self-explanatory. You can however use custom requirement types such as specific files, registry settings or even scripts to determine whether an application should be installed or not. I will not be going into detail in this blog. For now, I only choose to install on 64-bit machines with a minimum operating system of Windows 10 1903.

Installation requirements

The fourth step are the detection rules. The detection rules are used to check if the application is present on the device. If the rules are not met Endpoint Manager will try to install the application on the device.

For .exe installations you might decide to just validate if the application is present. In my case I just check if SelfService.exe is present, in the path C:\Program Files (x86)\Citrix\ICA Client\SelfServicePlugin\.

EXE Application detection rule

The fifth step is to create dependency rules. Software dependencies are applications that must be installed before this application can be installed.  Specifically, the device must install the dependent apps before it installs the Win32 app. You can add Win32 app dependencies only after your Win32 app has been added and uploaded to Intune. After your Win32 app has been added, you will see the Dependencies option on the pane for your Win32 app. Any Win32 app dependency needs to also be a Win32 app. It does not support depending on other app types, such as single MSI LOB apps or Microsoft Store apps.

Since this is the first Win 32 app there is no option to create any dependencies. After Citrix Workspace is added a dependency will be created with Acrobat Reader. So, I just select next and I assign the application to a user group, as required.

For Acrobat Reader the steps are the same with a few exceptions. For the detection rules I will use a MSI rule type instead of a file location. Normally the MSI product code is filled in automatically. If this is not the case, you can check your registry settings. For 64-bit machines browse to HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall. Here you will find an overview of all the installed applications. In my case for Acrobat Reader I can find the MSI GUID.

MSI application detection rule
Find the MSI GUID in the Registry settings

Since Citrix Workspace has been added to Endpoint Manger this can be used as a dependency. Acrobat Reader and Citrix are do not require each other to function, this is purely for demonstration purposes. To add a dependency simply select to add a dependency and select the application, in this case CitrixWorkspace.exe. By creating dependencies means that before Acrobat Reader is installed the Citrix Workspace application must be present. If Citrix Workspace is not present Endpoint Manager will install it first.

Application dependencies

Now the configuration is ready, and the applications start deploying to the clients. What happens on the client? Well first the Intune Management Extensions is installed on the client. This extension is used for the installation as well as the deployment of custom PowerShell scripts on devices. You can use the extension for troubleshooting purposes. The log file IntuneManagementExtension.log can be found in C:\ProgramData\Microsoft\IntuneManagementExtension\Logs.

User notification

Update MSIX package with Intune

In my previous blog I showed how easy it was to package and deploy an application using MSIX and Intune. In this blog I want to show how easy it is to update and application. Applications evolve and time to time they get updated with the latest patches or security updates. To update applications with Intune can be challenging. Sometime you have to create a new deployment of an application. This requires you to first uninstall the application, otherwise you would get conflicts.

So for this blog I have the following situation. I have deployed the Citrix Receiver application to my users. The Citrix receiver was been updated and is now the Citrix Workspace application. I want to remove Citrix Receiver and replace this with the new Citrix Workspace application. Let me show you how easy this process is when you use MSIX.

So I have my test machines on which the Citrix Receiver MSIX is deployed.

CitrixReceiver

The fist step is to create a new MSIX package for the Citrix Workspace application. I wont go over all the steps (check out the previous blog). But here it is important that you name your package the same as the application you want to replace. So if you previously deployed an application with the name CitrixReceiver, create a new package with the name CitrixReceiver. Furthermore it is important that you increment the version of your package.

Update_MSIX
Update Name and Versions

When your MSIX package is ready and tested, you can upload it to Intune. Simply go to your previous deployment. In my case this was the CitrixReceiver deployment. Select Properties and go to App package File. Here you can select and upload the new version of your application.

Upload new version of your MSIX package

When the application is finished uploading Intune will redeploy the application to your clients.

MSIX updating to Workspace
Citrix Workspace App is finished updating

Recap

I showed you how easy it was for you to update an existing MSIX application with Intune, by simply redeploying it. Knowing how easy your application management can be, I would encourage everyone to give MSIX a try.

Deploy MSIX with Intune

I think we can all agree that application deployment is probably the most challenging part of an Intune implementation. The wide variety of Line of Business applications and different installation types can give you sleepless nights. It’s true that Microsoft has made some real improvements in application deployment with the support for most applications extensions. But there are always some applications that simply can’t be deployed with Intune or are very hard to deploy and manage.

With the introduction of MSIX I dare to say that you can now practically deploy any application successfully with Intune. In this blog I describe how you can create and deploy an MSIX package with Microsoft Intune.  In this blog I will cover:

  • Create a Self-Signed Certificate (testing purposes)
  • Deploy a certificate with Intune
  • Create a MSIX package
  • Deploy the MSIX package

Please note that in order to install MSIX packages you must enable Application Sideloading.

Create a self-signed certificate

Before you can deploy a MSIX package you need a certificate to sign your package. The signing of a package is a required step in the creation of the package. This is necessary because this is the only way you can assure that package is valid and came from a trusted provider. Preferably you should use a Code Signing certificate from a 3rd party provider. For now I use a self-signed certificate so that the deployment can be tested, but for you production environment I wouldn’t recommend this.

To create a self-signed certificate, you can start PowerShell as an administrator from any VM. Enter the following cmd, where you replace <Your Organisation> with a name of your choosing:

New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My -Subject “CN=<Your Organisation>” -KeyAlgorithm RSA -KeyLength 2048 -Provider “Microsoft Enhanced RSA and AES Cryptographic Provider” -KeyExportPolicy Exportable -KeyUsage DigitalSignature -Type CodeSigningCert
Self_Signed-Certificate

To Export the certificate open certmgr, your certificate is located in the Personal Certificates folder. Select the certificate –> all Tasks –> Export. Choose Next –> Yes, Export the private Key –> Choose Next –> For Encryption choose AES265 and enter a Password –> Enter a save location –> and choose Finish. You now have the certificate with a pfx extension.

Export Certificate

We also need a certificate with the cer extension, so run the export Wizard again. Select the certificate –> all Tasks –> Export. Choose Next –> No, do not export the private key –> Choose Next –>   Enter a save location –> and choose Finish.

You now have the certificate to sign your MSIX package and you have a certificate to distribute it via Intune.

Deploy Certificate Using Intune

Before you can install the MSIX package on any machine the certificate to sign the application must be trusted by the machine. Otherwise the application wont start. To install the certificate on the machine we can use Intune to distribute the certificate.

From the Intune Management Portal go to –> Device Configuration –> Profiles and choose Create Profile. Here you enter the name and description of the Profile. For the platform you choose Windows 10 and later, for Profile type select Trusted certificate. In the new blade you select the .cer certificate that you exported. After you created the Profile you than assign the profile to a group with has a test device in it.

Certificate_Intune

Create a MSIX Package

For this blog I wanted to package an application that I had some trouble with in the past, the Citrix Receiver.

I have copied the Citrix Receiver installation file and the pfx certificate to the packaging VM and have launched the MSIX Packaging Tool. Here I want to create a new package, so I select ‘Application Package’.

MSIX_New_Package

Select Create package on this computer and choose Next.  The packaging tool will now check some prerequisites and make sure that the drivers are installed.

MSIX_Prereqs

In the next screen select the installation file. For now, I leave the installer arguments empty. For Signing preference, I select Sign with a certificate. This step is important. If you don’t select a certificate the application won’t be able to install.

MSIX_certificate

Now provide some information for you package. Give your package a Name and a Display name. The Publisher name is provided from the certificate. The display name must be the same as the certificate, if these values don’t match the application won’t install. The installation location is not a mandatory field but is recommended.

MSIX_Information

By clicking next you will now enter the installation stage. The installation of your application will now start.  You can just run through the installation as you normally would. When the installation is completed you can continue by clicking Next.

MSIX_Citrix_Installation

If the application requires any first launch tasks, they can now be performed otherwise press Next and continue Yes, move on. The package will now be created.

MSIX_Capturing

Finally provide a save location for the package and choose Create.

MSIX_Save_Package

Deploy MSIX with Intune

Now that the MSIX package is ready we can start deploying it with Intune. Simply go to the Intune management portal –> Client apps –> Add App. Here you select Line-of-business app. Here you can upload the MSIX package you created.

MSIX_Intune

When you click the app information blade you can see that most of the information is already filled out with the information from the MSIX package. After adding the app, just wait till the application is uploaded. The final step is to assign the application to a group.

After some time check your test machine to confirm that the application is deployed.

MSIX_Installation_Conformation

Recap

As you can see the packaging and distribution of an application with MSIX and Intune is really easy. But it doesn’t stop here, after you deployed one version of the application you might want to provide the application with an update. With MSIX this process is even easier. So in my next blog I will show you can can upgrade the Citrix Receiver application to the new Citrix Workspace application!

Configure Windows 10 Web sign in

With the arrival of Windows 10 1809, Microsoft introduced a new way to sign in to your PC. Besides a pin, password or biometric authentication they introduced Web-sign in . This feature enables Windows logon support for identity provides like SAML. Web sign-in enables you to set multifactor authentication before signing in to Windows. Even though you cannot set the Web-sign-in as the default authentication method yet, I’m sure that this will become possible in the future.

In this blog I will show you how to enable Web sign-in, using Intune. This is what you need:

  • A test device with Windows 10 1809.
  • The test device needs to be Azure AD Joined.
  • An Azure AD group with the test device as member.
  • An Intune license assigned to a user. I’m using a test user with an EMS E5 License, but any Intune license will do.

To enable Web sign-in you will need to create a Device configuration Profile. So, sign into the Azure Portal and go to the Intune blade, where you select “Device Configuration” and “Profiles”.

Click “Create Profile”. Enter a name and for Platform choose Windows 10 and later. For Profile Type you will need to select Custom.

At the OMA-URI Settings click add and enter the following values (reference link):

Name: Web Sign In
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Authentication/EnableWebSignIn
Data Type: Integer
Value: 1

Click OK and click OK at the OMA-URI settings, finally choose create. The policy is now created.

Now you will need to assign the policy to a group with your test device(s).

Testing the policy

Wait before the policy is applied to your test machine. This could take a while but try to reboot your test device occasionally this could help. After you see the policy is applied you can go to the logon screen of your device. If you choose Sign-in options, you should see a new icon for Web sign-in.

Select the Icon and choose Sign in. This will take you to the web sign-in page of Microsoft where you need to authenticate with your password. If you require MFA there will also be an MFA challenge at this point.

When you passes the MFA challenge the user will be signed in.

I think this feature has a lot of potential. I often get the question whether it is possible to enable MFA for Windows. However the feature is not ready yet. I find the sign in process slow if you are used to a pin or facial recognition. Further more Web sign-in is not supported in the Multi Factor Unlock feature with Windows Hello For Business.