Endpoint compliance scanner windows 10

Get started with Endpoint data loss prevention

Microsoft Endpoint data loss prevention (Endpoint DLP) is part of the Microsoft 365 data loss prevention (DLP) suite of features you can use to discover and protect sensitive items across Microsoft 365 services. For more information about all of Microsoft’s DLP offerings, see Overview of data loss prevention. To learn more about Endpoint DLP, see Learn about Endpoint data loss prevention.

Microsoft Endpoint DLP allows you to monitor Windows 10 devices and detect when sensitive items are used and shared. This gives you the visibility and control you need to ensure that they are used and protected properly, and to help prevent risky behavior that might compromise them.

Before you begin

SKU/subscriptions licensing

Before you get started with Endpoint DLP, you should confirm your Microsoft 365 subscription and any add-ons. To access and use Endpoint DLP functionality, you must have one of these subscriptions or add-ons.

  • Microsoft 365 E5
  • Microsoft 365 A5 (EDU)
  • Microsoft 365 E5 compliance
  • Microsoft 365 A5 compliance
  • Microsoft 365 E5 information protection and governance
  • Microsoft 365 A5 information protection and governance

Permissions

To enable device management, the account you use must be a member of any one of these roles:

  • Global admin
  • Security admin
  • Compliance admin

If you want to use a custom account to view the device management settings, it must be in one of these roles:

  • Global admin
  • Compliance admin
  • Compliance data admin
  • Global reader

If you want to use a custom account to access the onboarding/offboarding page, it must be in one of these roles:

  • Global admin
  • Compliance admin

If you want to use a custom account to turn on/off device monitoring, it must be in one of these roles:

  • Global admin
  • Compliance admin

Data from Endpoint DLP can be viewed in Activity explorer. Several roles grant permission to Activity explorer; the account you use to access the data must be a member of any one of them.

  • Global admin
  • Compliance admin
  • Security admin
  • Compliance data admin
  • Global reader
  • Security reader
  • Reports reader

Prepare your endpoints

Make sure that the Windows 10 devices you plan to deploy Endpoint DLP to meet these requirements.

  • The device runs Windows 10 x64, build 1809 or later.

  • Antimalware Client Version is 4.18.2009.7 or newer. To check your current version, open the Windows Security app, select the Settings icon, and then select About; the version number is listed under Antimalware Client Version. To update to the latest Antimalware Client Version, install Windows Update KB4052623.

  • Windows Security does not need to be fully active; Endpoint DLP runs independently of the overall Windows Security status. However, Real-time protection and Behavior monitoring must be enabled.

  • The following Windows updates are installed. They are not a prerequisite for onboarding a device to Endpoint DLP, but they contain fixes for important issues and must be installed before using the product.

    • For Windows 10 1809 — KB4559003, KB4577069, KB4580390
    • For Windows 10 1903 or 1909 — KB4559004, KB4577062, KB4580386
    • For Windows 10 2004 — KB4568831, KB4577063
    • For devices running Office 2016 (and not any other Office version) — KB4577063

  • All devices are Azure Active Directory (Azure AD) joined or Hybrid Azure AD joined.

    Install the Chromium-based Microsoft Edge browser on the endpoint device to enforce policy actions for the upload-to-cloud activity. See Download the new Microsoft Edge based on Chromium.

    If you are on Monthly Enterprise Channel of Microsoft 365 Apps versions 2004-2008, there is a known issue with Endpoint DLP classifying Office content and you need to update to version 2009 or later. See Update history for Microsoft 365 Apps (listed by date) for current versions. To learn more about this issue, see the Office Suite section of Release notes for Current Channel releases in 2020.

    If you have endpoints that use a device proxy to connect to the internet, follow the procedures in Configure device proxy and internet connection settings for Endpoint DLP.
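The following script is an added example, not Microsoft's code and not part of the original page. It checks the endpoint requirements listed above on one device from an elevated Windows PowerShell 5.1 session. It assumes the Defender PowerShell module (Get-MpComputerStatus) is present, which it is on Windows 10, reads the join state from dsregcmd /status, and looks for the Chromium-based Edge at its default install paths (an assumption). The KB table is copied from the list above.

```powershell
# Added example (not Microsoft's code): pre-flight check for the Endpoint DLP endpoint
# requirements listed on this page. Run from an elevated Windows PowerShell 5.1 session.

$results = [ordered]@{}

# 1. Windows 10 x64, build 1809 (10.0.17763) or later
$os    = Get-CimInstance -ClassName Win32_OperatingSystem
$build = [int]$os.BuildNumber
$results['Windows 10 x64, build >= 17763'] = ($build -ge 17763) -and ($os.OSArchitecture -like '64*')

# 2. Antimalware Client Version, and the two Defender features that must stay enabled
$mp = Get-MpComputerStatus
$results['Antimalware client >= 4.18.2009.7'] = ([version]$mp.AMProductVersion -ge [version]'4.18.2009.7')
$results['Real-time protection enabled']      = [bool]$mp.RealTimeProtectionEnabled
$results['Behavior monitoring enabled']       = [bool]$mp.BehaviorMonitorEnabled

# 3. Updates the page says to install, keyed by OS build number (1809 / 1903 / 1909 / 2004)
$kbsByBuild = @{
    17763 = @('KB4559003', 'KB4577069', 'KB4580390')
    18362 = @('KB4559004', 'KB4577062', 'KB4580386')
    18363 = @('KB4559004', 'KB4577062', 'KB4580386')
    19041 = @('KB4568831', 'KB4577063')
}
# Get-HotFix lists what Windows reports as installed. A later cumulative update supersedes an
# earlier one, so a KB reported missing here may simply have been replaced; confirm with the
# OS revision (UBR) or Windows Update history before treating it as a gap.
$installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
foreach ($kb in $kbsByBuild[$build]) {          # no entries for an unlisted build: loop is skipped
    $results["Update $kb present"] = ($installed -contains $kb)
}

# 4. Azure AD joined or Hybrid Azure AD joined (dsregcmd prints "AzureAdJoined : YES" for both)
$dsreg = dsregcmd /status
$results['Azure AD / Hybrid Azure AD joined'] = [bool]($dsreg | Where-Object { $_ -match '^\s*AzureAdJoined\s*:\s*YES' })

# 5. Chromium-based Edge, needed to enforce the upload-to-cloud action (default paths assumed)
$edgeCandidates = @(
    "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe",
    "${env:ProgramFiles}\Microsoft\Edge\Application\msedge.exe"
)
$results['Chromium-based Edge installed'] = [bool]($edgeCandidates | Where-Object { Test-Path -Path $_ })

# Report one line per check; exit non-zero if anything failed so the script can gate a deployment
$failed = 0
foreach ($entry in $results.GetEnumerator()) {
    $status = if ($entry.Value) { 'OK  ' } else { $failed++; 'FAIL' }
    '{0} {1}' -f $status, $entry.Key
}
exit $failed
```

The script reports, it does not remediate: a FAIL on the Defender lines means the device will not be monitored correctly even if onboarding succeeds, and a FAIL on the join line means the device will not appear in the managed devices list at all.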

    Onboarding devices into device management

    You must enable device monitoring and onboard your endpoints before you can monitor and protect sensitive items on a device. Both of these actions are done in the Microsoft 365 Compliance portal.

    When you want to onboard devices that haven’t been onboarded yet, you’ll download the appropriate script and deploy it to those devices. Follow the Onboarding devices procedure.

    If you already have devices onboarded into Microsoft Defender for Endpoint, they will already appear in the managed devices list. Follow the With devices onboarded into Microsoft Defender for Endpoint procedure.

    Onboarding devices

    In this deployment scenario, you’ll onboard devices that have not been onboarded yet, and you just want to monitor and protect sensitive items from unintentional sharing on Windows 10 devices.

    Open the Compliance Center settings page and choose Onboard devices.

    While it usually takes about 60 seconds for device onboarding to be enabled, please allow up to 30 minutes before engaging with Microsoft support.

    Choose Device management to open the Devices list. The list will be empty until you onboard devices.

    Choose Onboarding to begin the onboarding process.

    Choose the way you want to deploy to these additional devices from the Deployment method list and then download package.

    Follow the appropriate procedures in Onboarding tools and methods for Windows 10 machines. This link takes you to a landing page where you can access Microsoft Defender for Endpoint procedures that match the deployment package you selected in the previous step:

    • Onboard Windows 10 machines using Group Policy
    • Onboard Windows machines using Microsoft Endpoint Configuration Manager
    • Onboard Windows 10 machines using Mobile Device Management tools
    • Onboard Windows 10 machines using a local script
    • Onboard non-persistent virtual desktop infrastructure (VDI) machines.

    Once this is done and the endpoint is onboarded, it should be visible in the devices list and start reporting audit activity logs to Activity explorer.

    This experience is under license enforcement. Without the required license, data will not be visible or accessible.

    With devices onboarded into Microsoft Defender for Endpoint

    In this scenario, Microsoft Defender for Endpoint is already deployed and there are endpoints reporting in. All these endpoints will appear in the managed devices list. You can continue to onboard new devices into Endpoint DLP to expand coverage by using the Onboarding devices procedure.

    Open the Compliance Center settings page and choose Enable device monitoring.

    Choose Device management to open the Devices list. You should see the list of devices that are already reporting in to Microsoft Defender for Endpoint.

    Choose Onboarding if you need to onboard additional devices.

    Choose the way you want to deploy to these additional devices from the Deployment method list and then Download package.

    Follow the appropriate procedures in Onboarding tools and methods for Windows 10 machines. This link takes you to a landing page where you can access Microsoft Defender for Endpoint procedures that match the deployment package you selected in the previous step:

    • Onboard Windows 10 machines using Group Policy
    • Onboard Windows machines using Microsoft Endpoint Configuration Manager
    • Onboard Windows 10 machines using Mobile Device Management tools
    • Onboard Windows 10 machines using a local script
    • Onboard non-persistent virtual desktop infrastructure (VDI) machines.

    Once this is done and the endpoint is onboarded, it should be visible in the Devices table and start reporting audit logs to Activity explorer.

    This experience is under license enforcement. Without the required license, data will not be visible or accessible.

    Viewing Endpoint DLP alerts in DLP Alerts Management dashboard

    Open the Data loss prevention page in the Microsoft 365 Compliance center and choose Alerts.

    Refer to the procedures in How to configure and view alerts for your DLP policies to view alerts for your Endpoint DLP policies.

    Viewing Endpoint DLP data in activity explorer

    Open the Data classification page for your domain in the Microsoft 365 Compliance center and choose Activity explorer.

    Refer to the procedures in Get started with Activity explorer to access and filter all the data for your Endpoint devices.

    Next steps

    Now that you have onboarded devices and can view the activity data in Activity explorer, you are ready to move on to your next step where you create DLP policies that protect your sensitive items.

    Running CheckPoint SSL Network Extender under a user account with admin rights

    Good day!
    The topic has been beaten to death, but I haven't found any working methods for Windows 10 online.
    Input data:
    — Windows 10
    — A domain user account;
    — A portal that requires Internet Explorer with a VPN (CheckPoint SSL Network Extender) to sign in.
    — Use of a "local admin" is prohibited

    What we observe:
    When signing in the normal way, the VPN throws an error: the VPN module cannot start.
    If the browser is launched as admin, everything works.

    So, the question: what tools, workarounds, techniques or unfixed bugs are there to make a specific program run with administrator rights from a user account?

    It has to work in a way that is applicable at the corporate level, with the administrator password not exposed anywhere.


    It took a week to beat this piece of junk..

    In the end: replace the ActiveX component DLL from SSL Network Extender with a newer version.

    The DLL lives in "C:\Windows\Downloaded Program Files"
    But you can't get in there the usual way; you can view the files that are there through a browser other than IE via the path file:///C:/Windows/Downloaded%20Program%20Files (it works in FF at least =) )

    It can surely be solved by weakening IE's security, but it was urgent (no joke, they spent this whole week threatening me with job descriptions and the like), and maybe later I'll google how to get the DLL into "C:\Windows\Downloaded Program Files" the proper way.

    Install our ancient version of CheckPoint SSL Network Extender; in my case it was 80.0.52.10, DLL version dated 02.06.2011

    As admin, rename the original "Downloaded Program Files" folder to whatever you like; IE won't break because of this.
    Create a new "C:\Windows\Downloaded Program Files"; it will have sane view/access permissions.

    Device Compliance settings for Windows 10 and later in Intune

    This article lists and describes the different compliance settings you can configure on Windows 10 and later devices in Intune. As part of your mobile device management (MDM) solution, use these settings to require BitLocker, set a minimum and maximum operating system version, set a risk level using Microsoft Defender for Endpoint, and more.

    This feature applies to:

    • Windows 10 and later
    • Windows Holographic for Business
    • Surface Hub

    As an Intune administrator, use these compliance settings to help protect your organizational resources. To learn more about compliance policies, and what they do, see get started with device compliance.

    Before you begin

    Create a compliance policy. For Platform, select Windows 10 and later.

    Device Health

    Windows Health Attestation Service evaluation rules

    Require BitLocker:
    Windows BitLocker Drive Encryption encrypts all data stored on the Windows operating system volume. BitLocker uses the Trusted Platform Module (TPM) to help protect the Windows operating system and user data. It also helps confirm that a computer isn’t tampered with, even if it’s left unattended, lost, or stolen. If the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the keys can’t be accessed until the TPM verifies the state of the computer.

    • Not configured (default) — This setting isn’t evaluated for compliance or non-compliance.
    • Require — The device can protect data that’s stored on the drive from unauthorized access when the system is off, or hibernates.

    Require Secure Boot to be enabled on the device:

    • Not configured (default) — This setting isn’t evaluated for compliance or non-compliance.
    • Require — The system is forced to boot to a factory trusted state. The core components that are used to boot the machine must have correct cryptographic signatures that are trusted by the organization that manufactured the device. The UEFI firmware verifies the signature before it lets the machine start. If any files are tampered with, which breaks their signature, the system doesn’t boot.

    The Require Secure Boot to be enabled on the device setting is supported on some TPM 1.2 and 2.0 devices. For devices that don’t support TPM 2.0 or later, the policy status in Intune shows as Not Compliant. For more information on supported versions, see Device Health Attestation.

    Require code integrity:
    Code integrity is a feature that validates the integrity of a driver or system file each time it’s loaded into memory.

    • Not configured (default) — This setting isn’t evaluated for compliance or non-compliance.
    • Require — Require code integrity, which detects if an unsigned driver or system file is being loaded into the kernel. It also detects if a system file is changed by malicious software or run by a user account with administrator privileges.

    Device Properties

    Operating System Version

    To discover build versions for all Windows 10 Feature Updates and Cumulative Updates (to be used in some of the fields below), see Windows 10 release information. Be sure to include the 10.0. prefix before the build numbers, as the following examples illustrate.

    Minimum OS version:
    Enter the minimum allowed version in the major.minor.build.revision number format. To get the correct value, open a command prompt and type ver. The ver command returns the version in the following format:

    Microsoft Windows [Version 10.0.17134.1]

    When a device has an earlier version than the OS version you enter, it’s reported as noncompliant. A link with information on how to upgrade is shown. The end user can choose to upgrade their device. After they upgrade, they can access company resources.

    Maximum OS version:
    Enter the maximum allowed version, in the major.minor.build.revision number format. To get the correct value, open a command prompt and type ver. The ver command returns the version in the following format:

    Microsoft Windows [Version 10.0.17134.1]

    When a device is using an OS version later than the version entered, access to organization resources is blocked. The end user is asked to contact their IT administrator. The device can’t access organization resources until the rule is changed to allow the OS version.

    Minimum OS required for mobile devices:
    Enter the minimum allowed version, in the major.minor.build number format.

    When a device has an earlier version than the OS version you enter, it’s reported as noncompliant. A link with information on how to upgrade is shown. The end user can choose to upgrade their device. After they upgrade, they can access company resources.

    Maximum OS required for mobile devices:
    Enter the maximum allowed version, in the major.minor.build number format.

    When a device is using an OS version later than the version entered, access to organization resources is blocked. The end user is asked to contact their IT administrator. The device can’t access organization resources until the rule is changed to allow the OS version.

    Valid operating system builds:
    Specify a list of minimum and maximum operating system builds. Valid operating system builds provides additional flexibility when compared against minimum and maximum OS versions. Consider a scenario where minimum OS version is set to 10.0.18362.xxx (Windows 10 1903) and maximum OS version is set to 10.0.18363.xxx (Windows 10 1909). This configuration can allow a Windows 10 1903 device that doesn’t have recent cumulative updates installed to be identified as compliant. Minimum and maximum OS versions might be suitable if you have standardized on a single Windows 10 release, but might not address your requirements if you need to use multiple builds, each with specific patch levels. In such a case, consider leveraging valid operating system builds instead, which allows multiple builds to be specified as per the following example.

    Example:
    The following table is an example of a range for the acceptable operating systems versions for different Windows 10 releases. In this example, three different Feature Updates have been allowed (1809, 1909 and 2004). Specifically, only those versions of Windows and which have applied cumulative updates from June to September 2020 will be considered to be compliant. This is sample data only. The table includes a first column that includes any text you want to describe the entry, followed by the minimum and maximum OS version for that entry. The second and third columns must adhere to valid OS build versions in the major.minor.build.revision number format. After you define one or more entries, you can Export the list as a comma-separated values (CSV) file.

    Description                    Minimum OS version   Maximum OS version
    Win 10 2004 (Jun-Sept 2020)    10.0.19041.329       10.0.19041.508
    Win 10 1909 (Jun-Sept 2020)    10.0.18363.900       10.0.18363.1110
    Win 10 1809 (Jun-Sept 2020)    10.0.17763.1282      10.0.17763.1490
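The script below is an added example, not Intune's evaluation logic and not from the original page. It reads the device's full major.minor.build.revision version, tests it against the three ranges in the table above, and then repeats the test with the single min/max span the preceding paragraph warns about, so you can see an unpatched 1903 device pass one check and fail the other. The sample version 10.0.18362.30 and the single-span bounds 10.0.18362.0 to 10.0.18363.1110 are constructed for the illustration (the page writes them as 10.0.18362.xxx and 10.0.18363.xxx).

```powershell
# Added example (not Intune's code): evaluate "valid operating system builds" ranges locally.

function Get-FullOsVersion {
    # Intune compares major.minor.build.revision. Win32_OperatingSystem.Version and
    # [Environment]::OSVersion stop at the build number; the revision (UBR) lives in the
    # registry, which is where the fourth number printed by cmd's "ver" comes from.
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [version]('{0}.{1}.{2}.{3}' -f $cv.CurrentMajorVersionNumber, $cv.CurrentMinorVersionNumber,
                                   $cv.CurrentBuildNumber, $cv.UBR)
}

function Test-ValidOsBuild {
    # Returns the description of the first range that contains $Version, or $null if none does.
    param(
        [Parameter(Mandatory)][version]$Version,
        [Parameter(Mandatory)][object[]]$Ranges
    )
    foreach ($range in $Ranges) {
        if ($Version -ge [version]$range.Min -and $Version -le [version]$range.Max) {
            return $range.Description
        }
    }
    return $null
}

# The table from the page, in its three columns
$validBuilds = @(
    @{ Description = 'Win 10 2004 (Jun-Sept 2020)'; Min = '10.0.19041.329';  Max = '10.0.19041.508'  }
    @{ Description = 'Win 10 1909 (Jun-Sept 2020)'; Min = '10.0.18363.900';  Max = '10.0.18363.1110' }
    @{ Description = 'Win 10 1809 (Jun-Sept 2020)'; Min = '10.0.17763.1282'; Max = '10.0.17763.1490' }
)

# The pitfall described above: one span from the start of 1903 to the September 2020 build of 1909
# (bounds constructed for the illustration)
$singleSpan = @(
    @{ Description = '1903 through 1909, single min/max'; Min = '10.0.18362.0'; Max = '10.0.18363.1110' }
)

# Constructed sample: a 1903 device with no cumulative update applied
$unpatched1903 = [version]'10.0.18362.30'
'Single span    : {0}' -f (Test-ValidOsBuild -Version $unpatched1903 -Ranges $singleSpan)   # matches: compliant, not wanted
'Per-build list : {0}' -f (Test-ValidOsBuild -Version $unpatched1903 -Ranges $validBuilds)  # empty: noncompliant, wanted

# And the device this runs on
$local = Get-FullOsVersion
"Local $local : {0}" -f (Test-ValidOsBuild -Version $local -Ranges $validBuilds)
```

The comparison is a plain [version] ordering, so a range's minimum is what enforces the patch level: raising the minimum revision of each row is how you ratchet the required cumulative update forward without touching the feature-update set.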

    Configuration Manager Compliance

    Applies only to co-managed devices running Windows 10 and later. Intune-only devices return a not available status.

    • Require device compliance from Configuration Manager:
      • Not configured (default) — Intune doesn’t check for any of the Configuration Manager settings for compliance.
      • Require — Require all settings (configuration items) in Configuration Manager to be compliant.

    System Security

    Password

    Require a password to unlock mobile devices:

    • Not configured (default) — This setting isn’t evaluated for compliance or non-compliance.
    • Require — Users must enter a password before they can access their device.

    Simple passwords:

    • Not configured (default) — Users can create simple passwords, such as 1234 or 1111.
    • Block — Users can’t create simple passwords, such as 1234 or 1111.

    Password type:
    Choose the type of password or PIN required. Your options:

    • Device default (default) — Require a password, numeric PIN, or alphanumeric PIN
    • Numeric — Require a password or numeric PIN
    • Alphanumeric — Require a password, or alphanumeric PIN.

    When set to Alphanumeric, the following settings are available:

    Password complexity:
    Your options:

    • Require digits and lowercase letters (default)
    • Require digits, lowercase letters, and uppercase letters
    • Require digits, lowercase letters, uppercase letters, and special characters

    The Alphanumeric password policies can be complex. We encourage administrators to read the CSPs for more information.

    Minimum password length:
    Enter the minimum number of digits or characters that the password must have.

    Maximum minutes of inactivity before password is required:
    Enter the idle time before the user must reenter their password.

    Password expiration (days):
    Enter the number of days before the password expires, and they must create a new one, from 1-730.

    Number of previous passwords to prevent reuse:
    Enter the number of previously used passwords that can’t be used.

    Require password when device returns from idle state (Mobile and Holographic):

    • Not configured (default)
    • Require — Require device users to enter the password every time the device returns from an idle state.

    When the password requirement is changed on a Windows desktop, users are impacted the next time they sign in, as that’s when the device goes from idle to active. Users with passwords that meet the requirement are still prompted to change their passwords.

    Encryption

    Encryption of data storage on a device:
    This setting applies to all drives on a device.

    • Not configured (default)
    • Require — Use Require to encrypt data storage on your devices.

    The Encryption of data storage on a device setting generically checks for the presence of encryption on the device, more specifically at the OS drive level. Currently, Intune supports only the encryption check with BitLocker. For a more robust encryption setting, consider using Require BitLocker, which leverages Windows Device Health Attestation to validate BitLocker status at the TPM level.

    Device Security

    Firewall:

    • Not configured (default) — Intune doesn’t control the Microsoft Defender Firewall, nor change existing settings.
    • Require — Turn on the Microsoft Defender Firewall, and prevent users from turning it off.

    If the device immediately syncs after a reboot, or immediately syncs waking from sleep, then this setting may report as an Error. This scenario might not affect the overall device compliance status. To re-evaluate the compliance status, manually sync the device.

    Trusted Platform Module (TPM):

    • Not configured (default) — Intune doesn’t check the device for a TPM chip version.
    • Require — Intune checks the TPM chip version for compliance. The device is compliant if the TPM chip version is greater than 0 (zero). The device isn’t compliant if there isn’t a TPM version on the device.

    Antivirus:

    • Not configured (default) — Intune doesn’t check for any antivirus solutions installed on the device.
    • Require — Check compliance using antivirus solutions that are registered with Windows Security Center, such as Symantec and Microsoft Defender.

    Antispyware:

    • Not configured (default) — Intune doesn’t check for any antispyware solutions installed on the device.
    • Require — Check compliance using antispyware solutions that are registered with Windows Security Center, such as Symantec and Microsoft Defender.
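The following function is an added example, not Intune's code and not part of the original page. It queries the local state behind the Device Health, Encryption and Device Security settings above, which is what you would look at first when Intune reports a device as noncompliant on one of them. It assumes the BitLocker, SecureBoot, NetSecurity and CIM cmdlets are available (they are on Windows 10 Pro/Enterprise) and that it runs elevated. One caveat the page itself draws: Require BitLocker, Require Secure Boot and Require code integrity are evaluated from a Device Health Attestation report signed by the TPM, not from local queries like these, so a compromised OS cannot satisfy them by lying locally; only Encryption of data storage is the plain OS-level check these cmdlets reproduce. The bcdedit check is a local proxy for code integrity, not the attested value.

```powershell
# Added example (not Intune's code): local state behind the Device Health, Encryption and
# Device Security compliance settings, for troubleshooting. Run elevated.

function Get-LocalHealthState {
    $state = [ordered]@{}

    # Encryption of data storage / Require BitLocker: protection status of the OS volume
    $osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $state.OsDriveProtection = [string]$osVolume.ProtectionStatus                   # On / Off
    $state.OsDriveProtectors = ($osVolume.KeyProtector.KeyProtectorType -join ', ') # e.g. Tpm, RecoveryPassword

    # Require Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS, which counts as not enabled
    try   { $state.SecureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $state.SecureBoot = $false }

    # Require code integrity (local proxy only): boot options that switch off driver signature
    # enforcement. Option names are not localized, but the "Yes" value is; adjust on non-English systems.
    $bcd = bcdedit /enum '{current}' 2>$null
    $state.CodeIntegrityWeakened = [bool]($bcd | Where-Object { $_ -match '^\s*(testsigning|nointegritychecks)\s+Yes' })

    # Trusted Platform Module: present, and which spec version it implements
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
    $state.TpmPresent = [bool]$tpm
    $state.TpmSpec    = if ($tpm) { $tpm.SpecVersion } else { $null }              # e.g. "2.0, 0, 1.38"

    # Firewall: the Require setting expects the Defender Firewall on for every profile
    $state.FirewallAllProfiles = -not [bool](Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' })

    # Antivirus / Antispyware: products registered with Windows Security Center
    $av = Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntiVirusProduct
    $state.RegisteredAntivirus = ($av.displayName -join ', ')

    [pscustomobject]$state
}

Get-LocalHealthState | Format-List
```

If OsDriveProtection is On but Intune still fails Require BitLocker, the attestation path (TPM health, the Health Attestation Service being reachable, a recent reboot so a fresh report exists) is the next thing to check, not the local BitLocker state.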

    Defender

    The following compliance settings are supported with Windows 10 Desktop.

    Microsoft Defender Antimalware:

    • Not configured (default) — Intune doesn’t control the service, nor change existing settings.
    • Require — Turn on the Microsoft Defender anti-malware service, and prevent users from turning it off.

    Microsoft Defender Antimalware minimum version:
    Enter the minimum allowed version of the Microsoft Defender anti-malware service. For example, enter 4.11.0.0. When left blank, any version of the Microsoft Defender anti-malware service can be used.

    By default, no version is configured.

    Microsoft Defender Antimalware security intelligence up-to-date:
    Controls the Windows Security virus and threat protection updates on the devices.

    • Not configured (default) — Intune doesn’t enforce any requirements.
    • Require — Force the Microsoft Defender security intelligence be up-to-date.

    Real-time protection:

    • Not configured (default) — Intune doesn’t control this feature, nor change existing settings.
    • Require — Turn on real-time protection, which scans for malware, spyware, and other unwanted software.

    Microsoft Defender for Endpoint

    Microsoft Defender for Endpoint rules

    Require the device to be at or under the machine risk score:
    Use this setting to take the risk assessment from your threat defense service as a condition for compliance. Choose the maximum allowed threat level:

    • Not configured (default)
    • Clear — This option is the most secure, as the device can’t have any threats. If the device is detected as having any level of threats, it’s evaluated as non-compliant.
    • Low — The device is evaluated as compliant if only low-level threats are present. Anything higher puts the device in a non-compliant status.
    • Medium — The device is evaluated as compliant if existing threats on the device are low or medium level. If the device is detected to have high-level threats, it’s determined to be non-compliant.
    • High — This option is the least secure, and allows all threat levels. It may be useful if you’re using this solution only for reporting purposes.

    To set up Microsoft Defender for Endpoint as your defense threat service, see Enable Microsoft Defender for Endpoint with Conditional Access.

    Windows Holographic for Business

    Windows Holographic for Business uses the Windows 10 and later platform. Windows Holographic for Business supports the following setting:

    • System Security >Encryption >Encryption of data storage on device.

    To verify device encryption on the Microsoft HoloLens, see Verify device encryption.

    Surface Hub

    Surface Hub uses the Windows 10 and later platform. Surface Hubs are supported for both compliance and Conditional Access. To enable these features on Surface Hubs, we recommend you enable Windows 10 automatic enrollment in Intune (requires Azure Active Directory (Azure AD)), and target the Surface Hub devices as device groups. Surface Hubs are required to be Azure AD joined for compliance and Conditional Access to work.

    Special consideration for Surface Hubs running Windows 10 Team OS:
    Surface Hubs that run Windows 10 Team OS do not support the Microsoft Defender for Endpoint and Password compliance policies at this time. Therefore, for Surface Hubs that run Windows 10 Team OS set the following two settings to their default of Not configured:

    In the category Password, set Require a password to unlock mobile devices to the default of Not configured.

    In the category Microsoft Defender for Endpoint, set Require the device to be at or under the machine risk score to the default of Not configured.
