MD-101 Managing Modern Desktops – Managing Windows Defender and Monitoring Devices

  1. Managing Windows Defender Antivirus on Windows 10

From there, we’re going to click on Update and Security. And if you look over here to the left, you’re going to see a little button called Windows Security. So we’re going to click on that and then I’m going to zoom in on it for you so you can see it a little closer up. All right, so notice what my options are here. It says protection areas and I have Virus and Threat Protection, Account Protection, Firewall and Network Protection, App and Browser Control, Device Security, Device Performance and Health, Family Options, all this. So coming up here in these next couple of lessons, we’re going to also be talking about controlling these settings that you’re seeing right here. So this is going to get into things like Credential Guard and Device Guard, Windows Defender Advanced Threat Protection, all that.

Right now I want to kind of focus on our Virus and Threat Protection, which is obviously a key ingredient for keeping our desktop operating systems safe, right? And granted, this Virus and Threat Protection can all be controlled with the help of your Microsoft 365 services through what’s called Windows Defender Advanced Threat Protection, and also with the help of Intune, the Endpoint Manager control system. So I’m going to click on Virus and Threat Protection here, all right? And here it is. So if you look, you can see some information about the last time it scanned. It says current threats. So currently no threats. One of the things we can do very quickly with the virus protection, Windows Defender Antivirus, is we can do a quick scan.

A quick scan is going to scan the high-priority areas of our operating system and our computer. It’s going to scan all of our memory. It’s going to scan our boot integrity, boot data. It’s going to scan our drivers, it’s going to scan our Windows critical system files. Okay, now you also can go right here where it says Scan options. And you could do a full scan. Of course, that’s going to take hours and hours usually to do that on a big hard drive. You can do a custom scan where you can pick and choose what you want to scan. And then also you can do a Windows Defender Offline scan. And what that’s going to do is it’s going to reboot the computer and it’s going to scan the boot sequence before the operating system boots up.

This is going to make sure you don’t have any kind of situation where maybe you’ve got a boot sector virus or something like that. Okay, so this is, as you can see, Windows Defender as far as antivirus goes, pretty easy to use there. I’ve got the Virus and Threat area here I can look at. I’ve got all these other options I can look at. And so there are quite a few things there that can be controlled. You can control some of this through group policies as well, but ultimately through your Microsoft 365 Advanced Threat Protection with Intune and the help of Endpoint Manager, you can really, really lock things down. Okay? So a lot of great features here and definitely Microsoft has come a long way from where they used to be. They’ve really, really stepped it up on Windows Defender. A lot of people say, oh, I’d rather go with McAfee or Norton, that’s fine if that’s sort of what you’re used to.

However, I always tell people give Defender another chance because they’ve really stepped it up and of course it’s part of the deal, it’s free, you don’t have to pay anything extra. All right? So you can’t beat that, right? One other quick thing I’ve got here is if the Defender Threat Protection antivirus pops up a message and it’s not actually a threat, I can actually tell it to allow whatever it is it’s running. So if a program tries to run and the threat protection kicks in and says, hey, this is a threat, you can actually allow it. If you do that, you can always see right here which things you’ve allowed. All right? You’ve also got Protection History and this will show you the latest actions that have been taken.

If I’ve quarantined things, where it just kind of severs ties with whatever it is it’s trying to run or whatever, all that’s going to be there. I’ve also got Virus and Threat Protection settings here. It says Manage settings so I can click on that. All right? And this is real-time protection, meaning it’s still monitoring, constantly monitoring the memory, the boot files, the critical files, all that. Another thing is cloud-delivered protection. This has got to be turned on in order for us to be able to control these settings. Once the computer is linked to the cloud, we can manage the settings from the cloud side of things.

And we’ve actually already talked about that in some of our previous stuff where we’ve done compliance policies and all that, conditional access policies, and then also automatic sample submission. If your computer does run across something, it sends a sample to Microsoft and this actually benefits everybody, because other companies are doing it too, which of course benefits us. But if you wanted to turn that off, you could. You can also even submit manually if you want. Okay? So again, all in all, pretty easy to use. Lots of settings there you can actually manage with the help of group policies, with Intune, SCCM, Endpoint Manager, all that.
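The settings walked through above (real-time protection, cloud-delivered protection, automatic sample submission, allowed threats, protection history, scan options) can all be read and set from the built-in Defender PowerShell module. This is an added example, not code from the course; it assumes an elevated PowerShell prompt on a Windows 10 device.

```powershell
# Added example (not from the course): audit the Windows Defender Antivirus
# settings discussed above and, if asked, bring the weak ones back in line.
# Requires the built-in Defender module and an elevated PowerShell prompt.

function Get-DefenderPosture {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # MAPSReporting (cloud-delivered protection): 0 = Off, 1 = Basic, 2 = Advanced
    # SubmitSamplesConsent: 0 = Always prompt, 1 = Send safe samples,
    #                       2 = Never send, 3 = Send all samples
    $findings = @()
    if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is off' }
    if ($pref.MAPSReporting -eq 0)              { $findings += 'Cloud-delivered protection is off' }
    if ($pref.SubmitSamplesConsent -eq 2)       { $findings += 'Automatic sample submission is off' }

    $sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
    if ($sigAge.TotalDays -gt 7) { $findings += "Signatures are $([int]$sigAge.TotalDays) days old" }

    # QuickScanEndTime is empty on a machine that has never run a quick scan
    if (-not $status.QuickScanEndTime -or ((Get-Date) - $status.QuickScanEndTime).TotalDays -gt 7) {
        $findings += 'No quick scan in the last 7 days'
    }

    # "Allowed threats" from the UI show up as threat IDs whose default action is Allow (6)
    $allowed = @($pref.ThreatIDDefaultAction_Actions | Where-Object { $_ -eq 6 }).Count

    # Protection history: detections recorded in the last 30 days
    $recent = @(Get-MpThreatDetection |
                Where-Object { $_.InitialDetectionTime -gt (Get-Date).AddDays(-30) })

    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        RealTimeProtection  = $status.RealTimeProtectionEnabled
        TamperProtected     = $status.IsTamperProtected
        CloudProtection     = $pref.MAPSReporting
        SampleSubmission    = $pref.SubmitSamplesConsent
        SignatureVersion    = $status.AntivirusSignatureVersion
        LastQuickScan       = $status.QuickScanEndTime
        AllowedThreatCount  = $allowed
        RecentDetections    = $recent.Count
        Findings            = $findings
    }
}

function Repair-DefenderPosture {
    # Set-MpPreference is refused while tamper protection is on; manage it from Intune then.
    if ((Get-MpComputerStatus).IsTamperProtected) { throw 'Tamper protection is on; change settings via Intune/MDM.' }
    Set-MpPreference -DisableRealtimeMonitoring $false `
                     -MAPSReporting Advanced `
                     -SubmitSamplesConsent SendSafeSamples
    Update-MpSignature                    # pull the latest definitions first
    Start-MpScan -ScanType QuickScan      # same high-priority areas as the Quick scan button
    # Start-MpWDOScan would reboot into the Windows Defender Offline scan instead
}

Get-DefenderPosture | Format-List
```

Run `Get-DefenderPosture` first; only call `Repair-DefenderPosture` on a device you manage, since it reboots nothing but does start a scan and change preferences.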

  1. Windows Defender Advanced Threat Protection (ATP) Guard Technologies

What exactly is Windows Defender ATP? Okay, so you want to be thinking of it almost like an appliance. Some of you guys may be familiar with something called intrusion detection systems, intrusion prevention systems. And these are appliances that you would purchase and you plug them into your network and they actually act as alarm systems. Intrusion detection attempts to find threats and then alert somebody. You’ve also got what’s called intrusion prevention, which is an appliance that actually tries to prevent a threat. Well, imagine not just going out and buying one device and plugging it in and it’s supposed to police everything.

But imagine if all of your Windows 10 devices could actually act as little alarm systems and could try to stop threats that are occurring against those machines. So this is exactly what Windows Defender ATP is. And these services are built into Windows 10 and can be controlled through your cloud services. Now in this course they do expect you to have a little bit of an understanding of this. They don’t really get into all the configurations, but it does give you a good understanding of what is going on here. All right, so we have threat and vulnerability management. This is a part of your Windows Defender ATP where it’s trying to detect threats, figure out what the vulnerabilities are that are out there maybe on a system, and then try to close out those threats.

So this is working in conjunction with the Microsoft security services, where they’ve actually got thousands of security personnel across the world that work for Microsoft and are actually monitoring for threats. And they can update the database very quickly. And the ATP threat database gets updated. And this can benefit your environment by learning about threats as they happen. This is also to try to lower the attack surface. The attack surface is all the entryways into getting into your environment and accessing things that people shouldn’t. You have what’s called next-gen protection. You may have heard of a next-gen firewall. All that means is that we can do intrusion detection, intrusion prevention.

And on top of all of our normal firewall capabilities that Windows Defender already has, we have endpoint detection and response. That involves being able to control our endpoints with malware protection and all that involving Windows Defender Antivirus. We have automated investigation and remediation. We have the ability to investigate the threats and then attempt to remediate those threats using our cloud services. And lastly, we have the Microsoft Threat Experts. These are the guys that I was talking about. There are thousands of them actually. Well, I wanted to say there was something like 3000 and something people; last time I checked, Microsoft said they had something like over 3000 security personnel that are monitoring threats worldwide.

Okay, so what does this bring to the table? It brings to the table a centralized system for us to oversee all of our Windows 10 devices and try to protect them from the different threats that are out there. So let’s go deeper and talk about some of the other pieces of all this. The next piece of this we have is called Windows Defender Application Guard. Now Windows Defender Application Guard is going to try to protect your Windows 10 environment from apps that get run that could be malicious apps, apps that could attempt to install malware, any kind of virus or worm or rootkit or any of those types of malicious code. Windows Defender Application Guard is going to try to prevent that.

One of the ways it’s going to do that is it’s going to try to isolate whatever it is and sever its ties from being able to make any changes. The other thing it’s going to try to do is get you to use the Edge web browser, because the Edge web browser has the ability to run everything in a virtualized container based on the hypervisor. And this is going to make it so that if an application runs and it tries to gain admin privileges, it’s going to block it from being able to do that. Windows Defender Application Guard is another feature that can be controlled through your cloud services and is supported by Windows 10. Something else we’ve got is called Windows Defender Credential Guard.

Okay, so maybe you’ve heard of attacks where hackers actually have gained access to the password database on your computer. So in Windows, you have a service called LSA, the Local Security Authority, and LSA manages a file on your hard drive called the SAM. On a domain controller it’s actually NTDS.dit, which is the Active Directory database. Either way, what if a hacker somehow got a copy of the database file that had your passwords in it? They could attempt to do things like brute force attacks and all that. Now, in the past, another type of attack we had to worry about is somebody walking up to your computer, taking a USB flash drive, maybe with something like Kali Linux on it or some operating system.

They can just ignore Windows security, plugging that flash drive in, booting that computer up from the flash drive, maybe into Kali Linux, and then just blanking out your password. Okay, you can actually do that; if you don’t know how to do it, look it up on YouTube. There are a million videos on how to actually reset a Windows password using something like Kali Linux. So this is going to protect you from that threat. Windows Defender Credential Guard is actually going to containerize using the hypervisor. It’s going to containerize, almost like a virtual machine, the sensitive information for your operating system, such as your password and all that. It’s also going to protect from things like keyloggers being able to get your password. So this is another very powerful capability that we get with Windows 10. We also have Windows Defender Exploit Guard.

So this is all about looking at the exploit. So we were talking about ATP and how it can learn about the different threats and all that. Well, this is all part of that. So as the Microsoft security teams are updating the different threats and discovering different exploits, those exploits go out there into a database, and we find out about them through this database. And if we’re communicating with the cloud services, then Exploit Guard is learning about those and can stop a lot of the different types of exploits that come out there, and it helps us monitor the different exploits. If a new exploit comes out that gets discovered, it helps us monitor that and then it can send information to Microsoft so their security team can learn from it and release it to the rest of the world. Okay, so you get a lot of stuff with this. This is a very powerful capability. We get this with Windows 10, lots of great features here that we can utilize to help secure our environments.
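Application Guard, Credential Guard and Exploit Guard are easy to turn on in a policy and then never verify. The following is an added example, not code from the course, that reads the actual running state of each guard technology on a Windows 10 device from an elevated PowerShell prompt; the Win32_DeviceGuard value meanings in the comments are Microsoft's documented ones.

```powershell
# Added example (not from the course): report whether the guard technologies
# described above are configured AND running on this Windows 10 device.

function Get-GuardStatus {
    # Virtualization-based security (VBS) state, which Credential Guard depends on.
    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    # SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # Application Guard ships as an optional Windows feature (absent on Home editions)
    $wdag = Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard `
                -ErrorAction SilentlyContinue

    # Exploit Guard pieces live in Defender preferences. Attack surface reduction rules
    # are two parallel arrays: rule GUIDs and actions (0 = Off, 1 = Block, 2 = Audit, 6 = Warn).
    $pref = Get-MpPreference
    $asrIds     = @($pref.AttackSurfaceReductionRules_Ids)
    $asrActions = @($pref.AttackSurfaceReductionRules_Actions)
    $asr = @{}
    for ($i = 0; $i -lt $asrIds.Count; $i++) { $asr[$asrIds[$i]] = $asrActions[$i] }

    [pscustomobject]@{
        Computer                 = $env:COMPUTERNAME
        VbsRunning               = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardConfigured= ($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning   = ($dg.SecurityServicesRunning -contains 1)
        MemoryIntegrityRunning   = ($dg.SecurityServicesRunning -contains 2)
        ApplicationGuardState    = if ($wdag) { $wdag.State } else { 'NotAvailable' }
        AsrRulesBlocking         = @($asr.Values | Where-Object { $_ -eq 1 }).Count
        AsrRulesAuditOnly        = @($asr.Values | Where-Object { $_ -eq 2 }).Count
        ControlledFolderAccess   = $pref.EnableControlledFolderAccess   # 0 = Off, 1 = On, 2 = Audit
        NetworkProtection        = $pref.EnableNetworkProtection        # 0 = Off, 1 = On, 2 = Audit
    }
}

# Anything "configured but not running" usually means the hardware prerequisites
# (UEFI, Secure Boot, virtualization extensions) are missing or a reboot is pending.
$g = Get-GuardStatus
$g | Format-List
if ($g.CredentialGuardConfigured -and -not $g.CredentialGuardRunning) {
    Write-Warning 'Credential Guard is configured by policy but not running; check VBS prerequisites.'
}
```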

  1. Monitoring Device Health with Log Analytics

With our cloud services, we have some different capabilities, some different tools that will help us in monitoring our environment, monitoring Windows 10 devices and all that. Now this is a feature called Azure Log Analytics. It used to be called Desktop Analytics. So just a heads up, if you’re reading some of the older documentation out there, you may see it referred to as Desktop Analytics. So now it’s called Log Analytics, Azure Log Analytics. This is a system that you get with Azure. Now I will tell you that this is one of the IaaS features, infrastructure as a service. What that basically means is that you’ll pay based on the usage of this log and storage of this log. Okay? So you can actually turn this on, but you’ll have to have some Azure credit in order to do it.

Now if you set up a free Azure subscription, you can get a free $200 credit. So you can play around with all this, but this is not part of your Microsoft 365 subscription. Okay? So just a heads up on that. Having an Enterprise Mobility + Security subscription, all that, is not going to give you Azure Log Analytics. This is something you have to subscribe to through the Azure Portal. If you actually open up portal.azure.com and go to All services, you can search for Azure Log Analytics and click on it, and you’re going to notice that it’s going to ask you to have that Azure credit, and you can activate and get a $200 free credit if you want. Okay? So you can try that out if you want. Now what this is going to do, though, is it’s going to allow you to build these things called workspaces.

And in these workspaces you can create these customized dashboards that can gather intelligence, gather analytics, gather health statistics, all of that from the different resources in your environment. For one, you can gather statistics from Windows 10 machines, health information, but it also gathers statistics from all over your Azure environment, your Microsoft 365 environment. So even though Azure Log Analytics can focus on Windows health, and that’s kind of what I’m talking about, keep in mind it can do all sorts of things as far as gathering information for you to look at. Okay, so you can kind of think about it like Event Viewer and all that on Windows.

Well, this takes things to a whole new level because you can look at information for the entire cloud service that you subscribe to. Okay? So this is going to help you also with providing a visualized report. It’s going to give you some graphical displays. I’ll show you that here in a second. And you can create queries for it to go out and look and filter certain information and bring that back and generate a report out of it. It’s going to use the Graph API that we talked about before to give you some visualizations. Okay? So these queries can be saved. And then the other thing you can do is you can share these with other people. So I might be the person that’s having to gather a bunch of information and I could share that with my boss to try to explain something that’s going on, or maybe somebody else on the team with me.

I can also customize this dashboard and have all sorts of little reports right there in little tiles. So again, we’ll look at some of this now. So if you look here, here’s an example, the Log Analytics dashboard, and you can see there that you’ve got usage, reliability, responsiveness, all these little reports that you can look at, that you can monitor in your cloud services. And again, since it is IaaS, you can actually monitor your virtual machines, you can monitor SQL, Exchange, you can monitor all these things using this little dashboard. And you can customize it and save it, you can download it, put it into a certain format, you can change the way that it looks as far as histograms and all that.

There are a lot of little features here that you can utilize. All right, so with custom Log Analytics workspaces, you can create as many dashboards as you want. So maybe you have a dashboard in your workspace that looks just at Windows 10 health. You might have another dashboard that’s monitoring your Exchange Online services. You might have another dashboard that’s monitoring things like SharePoint. So you have a lot of control here, lots you can do in terms of just setting all that up, so really easy to use. What I want to do now is take a look at some of our Windows 10 settings that would actually report to Log Analytics. And then from there I’m going to go to Update and Security, all right, and we’ll look right here on Windows Security. All right, so I want you to see this thing right here.

It says Device Performance and Health. So I’m going to click on that. It’s going to bring this Device Performance and Health area up. And I want you to notice some of the things that it’s mentioning here. So it’s doing a health report and currently everything is good on my machine. Storage is fine, apps and software are fine, Windows Time service is fine. So health-report-wise those three items are all good. The other thing that gets reported, and can be reported to our Log Analytics out there in the Microsoft 365 area, is the virus and threat information. All this information can go out there as well, and it can specify if our machines are healthy.

Okay, another thing that happens is we have a tool called Resource Monitor that gathers intelligence as well in terms of the performance of our machine. And the same engine that’s driving this is what’s actually giving us this device performance. Something else that we’ve got in Windows 10 is this thing called Reliability Monitor. If I go down here to search and I type view reliability, you’ll see View reliability history. And this is great because you can see when Windows has had some failures. Okay, so you can notice here that I’ve had some failures on this little virtual machine that I’m using. You can see it wasn’t shut down properly a bunch of times. And of course, that kind of information can be gathered as well and sent out to the cloud also.

So ultimately, we do have quite a few capabilities that we can utilize in the cloud to help us control and get a feel for our Windows 10 environments and just make sure that our devices are healthy. So again, where is Log Analytics turned on at? It’s turned on by going here into portal.azure.com. Go to All services and then search in All services. You’re just going to search for the words log analytics and there it is right there. And then at that point you can activate it and set yourself up a workspace. So you can start with your Azure credit. You get a free $200 Azure credit that you can use and you can set the workspace up. And that’s when you can start gathering intelligence from it.
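Once a workspace exists, the health data described in this lesson (device heartbeats and the "wasn't shut down properly" events Reliability Monitor shows locally) is pulled back with KQL queries. The following is an added example, not from the course, using the Az.Accounts and Az.OperationalInsights modules; the resource group and workspace names are placeholders, and it assumes the Windows 10 devices already have the Azure Monitor agent installed and the System event log collected into the workspace.

```powershell
# Added example (not from the course): create a Log Analytics workspace if needed,
# then query it for stale Windows 10 devices and unexpected shutdowns.
# Assumes: Az.Accounts + Az.OperationalInsights installed; names below are placeholders.

Connect-AzAccount | Out-Null
$rg   = 'rg-monitoring-PLACEHOLDER'
$name = 'law-win10-health-PLACEHOLDER'

$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $name -ErrorAction SilentlyContinue
if (-not $workspace) {
    # PerGB2018 is the pay-per-usage tier the lesson describes (billed on ingestion and retention)
    $workspace = New-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $name `
                     -Location 'eastus' -Sku 'PerGB2018'
}

# 1. Devices that have gone quiet: no Heartbeat row in the last 24 hours
$staleDevicesKql = @'
Heartbeat
| where OSType == "Windows"
| summarize LastSeen = max(TimeGenerated) by Computer, OSName
| where LastSeen < ago(24h)
| order by LastSeen asc
'@

# 2. Unexpected shutdowns: Event ID 6008 in the System log is what Reliability
#    Monitor displays locally as "Windows was not properly shut down"
$dirtyShutdownsKql = @'
Event
| where EventLog == "System" and EventID == 6008
| summarize Count = count(), Last = max(TimeGenerated) by Computer
| order by Count desc
'@

function Invoke-HealthQuery {
    param(
        [Parameter(Mandatory)] [string] $WorkspaceId,   # the workspace's CustomerId GUID
        [Parameter(Mandatory)] [string] $Kql,
        [TimeSpan] $Span = (New-TimeSpan -Days 7)
    )
    $result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $Kql -Timespan $Span
    # .Results is the row set; an empty result simply means nothing matched in the timespan
    return $result.Results
}

"== Windows devices with no heartbeat in 24h =="
Invoke-HealthQuery -WorkspaceId $workspace.CustomerId -Kql $staleDevicesKql | Format-Table -AutoSize

"== Unexpected shutdowns in the last 7 days =="
Invoke-HealthQuery -WorkspaceId $workspace.CustomerId -Kql $dirtyShutdownsKql | Format-Table -AutoSize
```

The same two KQL strings can be pasted into the workspace's Logs blade and pinned to a dashboard tile, which is the graphical view the lesson shows.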
