This is a post about using PowerShell and Microsoft Graph to access data in Azure AD, Intune and Office 365. The GUI management of these Microsoft 365 technologies is constantly evolving, but there will always be things that can’t be done that way. Microsoft Graph approaches the problem from the other direction. It provides an endpoint and API to access the entire dataset. You can then write your own scripts or applications, using the object model of the whole of the Microsoft 365 suite of products.
Category: Cloud
MDAC and Signers
Signers are the identities of the certificates used by Microsoft Defender Application Control (MDAC) to allow or deny a signed file to run. If you open a policy XML file, you will see the list of signers. It is interesting that many of the files allowed to run by this method are not, in fact, signed. This post explains how this works.
MDAC and File Types
When we implement a Microsoft Defender Application Control (MDAC) policy, we need to allow or deny different types of executable file. Different methods of creating a policy handle file types differently. This post is an attempt to explain how it works in practice.
MDAC FilePath Rules and Drivers
The new File Path rules in Microsoft Defender Application Control (MDAC) allow EXE and DLL files in the path, but not SYS, MSI or script files. This is curious and, as far as I know, undocumented. It means that we cannot simply allow all files in C:\Windows: if we do that, the system will not boot because the drivers will still be blocked. We will need to use another method to add drivers to an MDAC policy.
MDAC or WDAC
The Application Control feature in Windows 10 was originally called Device Guard Code Integrity. This was brought under the Defender umbrella of security technologies as Windows Defender Application Control (WDAC). Microsoft earlier this year announced that Windows Defender would become cross-platform (with a version of Defender antivirus for macOS) and be renamed Microsoft Defender.
In my blog posts I have called it Microsoft Defender Application Control (MDAC). You can see in the screenshot below that all the Defender technologies for Windows 10 Endpoint Protection, in Intune, are now Microsoft Defender.
Set MDAC Policy Options
A Microsoft Defender Application Control (MDAC) policy uses Options to control aspects of how it works. The options are binary choices: Enabled or Disabled; Required or Not Required. This post explains the choices.
Merge MDAC Policies
In a previous post I described creating an MDAC policy with the new file path rules. But this, alone, would not be enough for a desktop. We need to add rules to allow other files to run. To get a complete policy ready for production, we need to merge the file path rules with other policies.
MDAC and File Path Rules
In Windows 1903, Microsoft has added support in Microsoft Defender Application Control (MDAC) for file path rules as a basis for whitelisting. This is how to create an MDAC policy with file path rules.
MDAC and Intune Blog Series
A series of posts about using Microsoft Defender Application Control (MDAC) with Intune.
Deliver an MDAC Policy with Intune
This post covers how to deliver an MDAC policy with Intune. It is part of a series about MDAC (formerly WDAC) policies. To perform this step, we need to have previously created a policy and tested it manually. The Microsoft documentation on delivering an MDAC policy with Intune is confusing and incorrect. This is how to do it.