Mastering Microsoft 365 Defender

Product type: Book
Published in: Jul 2023
Publisher: Packt
ISBN-13: 9781803241708
Pages: 572
Edition: 1st Edition
Authors (2): Ru Campbell, Viktor Hedberg

Table of Contents (33 chapters)

Preface
  1. Part 1: Cyber Threats and Microsoft 365 Defender
  2. Chapter 1: Microsoft and Modern Cybersecurity Threats
  3. Chapter 2: Microsoft 365 Defender: The Big Picture
  4. Part 2: Microsoft Defender for Endpoint
  5. Chapter 3: The Fundamentals of Microsoft Defender for Endpoint
  6. Chapter 4: Onboarding Windows Clients and Servers
  7. Chapter 5: Getting Started with Microsoft Defender Antivirus for Windows
  8. Chapter 6: Advanced Microsoft Defender Antivirus for Windows
  9. Chapter 7: Managing Attack Surface Reduction for Windows
  10. Chapter 8: Managing Additional Capabilities for Windows
  11. Chapter 9: Onboarding and Managing macOS
  12. Chapter 10: Onboarding and Managing Linux Servers
  13. Chapter 11: Onboarding and Managing iOS and Android
  14. Part 3: Microsoft Defender for Identity
  15. Chapter 12: Deploying Microsoft Defender for Identity
  16. Chapter 13: Managing Defender for Identity
  17. Part 4: Microsoft Defender for Office 365
  18. Chapter 14: Deploying Exchange Online Protection
  19. Chapter 15: Deploying Defender for Office 365
  20. Part 5: Microsoft Defender for Cloud Apps
  21. Chapter 16: Implementing and Managing Microsoft Defender for Cloud Apps
  22. Part 6: Proactive Security and Incident Response
  23. Chapter 17: Maintaining Security Hygiene and Threat Awareness
  24. Chapter 18: Extended Detection and Response with Microsoft 365 Defender
  25. Chapter 19: Advanced Hunting with KQL
  26. Chapter 20: Microsoft Sentinel Integration
  27. Chapter 21: Understanding Microsoft 365 Defender APIs
  28. Part 7: Glossary and Answers
  29. Chapter 22: Glossary
  30. Chapter 23: Answers
  31. Index
  32. Other Books You May Enjoy

Managing Additional Capabilities for Windows

This chapter focuses on implementing the remaining MDE security capabilities for Windows. So far, you have learned how to manage Microsoft Defender Antivirus (MDAV) and ASR capabilities. Now, you will learn about the other key features of any MDE environment:

  • Device discovery, which lets you understand your estate and build Microsoft Defender Vulnerability Management data
  • Device control, which lets you protect endpoints from threats or noncompliance from attached devices, including printers
  • Windows Defender Firewall with Advanced Security (WFAS), which is the client firewall built into Windows and Windows Server for network control

By the end of this chapter, you will understand the use cases for these and how to implement them in line with good practices.

Device discovery

Some of the devices you should be most worried about compromising your environment are those you don’t control, can’t control, or don’t even know about. The objective of MDE’s device discovery capability is to uncover these risks, be they traditional unmanaged endpoints such as laptops and desktops, or other platforms such as network devices and printers.

Discovery can be approached in two ways:

  • Unmanaged devices can be discovered using MDE-onboarded devices, so there is no additional agent or software to manage. This is sometimes referred to as the distributed sensor architecture: it is distributed insofar as all your onboarded devices work together to build the data set of discovered devices.
  • Managed network devices can be discovered using targeted assessment with a dedicated scanning device with an agent. Microsoft calls this network device discovery or authenticated scan. It is also sometimes referred to as targeted assessment...

Device control

Device control is all about protecting your endpoints from devices attached to them. USB attacks continue to be a problem, and you may also have governance needs to restrict access to external storage. We know we need some level of access to devices for productivity and business processes, but that must be balanced with security. In the era of remote work, this is particularly relevant because you are limited in your ability to physically monitor what users are connecting. Device control contributes to endpoint security by giving administrators the ability to control what types of hardware are permitted.

BitLocker and Endpoint DLP can be regarded as device control capabilities but are quite separate from MDE’s scope and aren’t covered in this book. Due to the nature of their access, device control is targeted at client operating systems rather than server operating systems.

Device control is divided into three capabilities:

  • Removable storage...

WFAS

Built into Windows 7 onward, including Windows Server equivalents, WFAS is the host firewall that can be used to control network traffic. WFAS is stateful, without being dependent on MDAV’s active mode, and comes preloaded with rules to protect systems out of the box, though it can also be managed centrally with the usual administrator tools for additional control and customization.

A key part of WFAS to understand is the concept of profiles, which are containers for rules that apply depending on the network location type that Network Location Awareness (NLA, the NlaSvc service) assigns to the connection. There are three profiles, corresponding to NLA’s three location types:

  • Public, which is the most restrictive, is intended for locations such as public Wi-Fi, and is also the default for any network not otherwise classified
  • Private, which is behind a NAT and, most commonly now, is the end user’s home network or another network without Active Directory Domain Services
  • Domain, which is an on-premises Active Directory Domain Services network, determined...
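Because each profile carries its own defaults, a practical first check is to confirm that all three profiles are enabled with inbound blocked by default and logging on, and to see which NLA category each adapter currently has. The following PowerShell is an added example, not from the book; the baseline values in `$Baseline` are assumptions for illustration, not a Microsoft-published baseline, and it uses the built-in NetSecurity cmdlets `Get-NetFirewallProfile`, `Get-NetConnectionProfile` and `Set-NetFirewallProfile`.

```powershell
# Added example (not from the book): audit the three WFAS profiles that NLA
# (NlaSvc) selects between, and report which one each connected adapter is on.
# Requires the built-in NetSecurity module (Windows 8 / Server 2012 and later).
# Baseline values are assumptions for illustration, not a Microsoft baseline.

$Baseline = @{
    Enabled               = 'True'
    DefaultInboundAction  = 'Block'   # inbound denied unless a rule allows it
    DefaultOutboundAction = 'Allow'
    LogBlocked            = 'True'    # dropped packets land in pfirewall.log
}

function Get-WfasProfileAudit {
    foreach ($p in Get-NetFirewallProfile -Profile Domain, Private, Public) {
        # Collect every property that drifts from the baseline for this profile
        $drift = foreach ($key in $Baseline.Keys) {
            $actual = [string]$p.$key
            if ($actual -ne $Baseline[$key]) {
                '{0}: expected {1}, found {2}' -f $key, $Baseline[$key], $actual
            }
        }
        [pscustomobject]@{
            Profile   = $p.Name
            Compliant = (-not $drift)
            Drift     = ($drift -join '; ')
            LogFile   = $p.LogFileName
        }
    }
}

# Which NLA category (and therefore which profile) each connected adapter has.
# A corporate LAN showing Public or Private instead of DomainAuthenticated
# usually means the device cannot reach a domain controller for classification.
function Get-ActiveNlaCategory {
    Get-NetConnectionProfile |
        Select-Object InterfaceAlias, Name, NetworkCategory, IPv4Connectivity
}

Get-WfasProfileAudit  | Format-Table -AutoSize
Get-ActiveNlaCategory | Format-Table -AutoSize

# Remediation for any drift (commented out; run deliberately from an elevated shell):
# Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
#     -DefaultInboundAction Block -LogBlocked True
```

Run it in an elevated session on a domain-joined client both on the office network and off it to see the active category flip between DomainAuthenticated and Private or Public.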

Summary

This chapter concluded a series of chapters on managing MDE capabilities for Windows. In this one, you learned about key features in completing the MDE management options. This started with device discovery for discovering unmanaged devices or network devices using the authenticated scanner. Then, you learned about device control, which can be configured to protect your managed devices from unsanctioned or potentially malicious attached devices. Lastly, we explored WFAS, the built-in firewall capability for Windows that, although enabled out of the box, should be tuned for optimum protection.

In the chapters that follow, you will learn about how protection does not stop at Windows devices as we cover MDE across other operating systems.

Questions

To test your knowledge of protecting Windows clients and servers with MDE, try answering the following questions. The answers can be found toward the end of this book:

  1. Which of the following firewall profiles should be applicable in an office network for Active Directory-joined devices with line of sight to a domain controller?
    1. Domain
    2. Public
    3. Private
  2. You want to monitor Cisco switches in your network for known vulnerabilities. Which of the following MDE capabilities should you consider?
    1. Device control
    2. Network protection
    3. Cloud-delivered protection
    4. Network device discovery
  3. There is only one type of USB printer you want to support in your organization. You are reviewing printer protection to enforce this. Which of the following pieces of information do you need about the supported printer? Choose all that apply.
    1. VID
    2. Serial ID
    3. Product ID
    4. Friendly name
  4. You find that a corporate network is not being scanned as part of distributed device discovery. Where can you confirm...

Further reading

To go into even further detail about some of the topics in this chapter, you can refer to the following online material:
