The scripts for configuring the Privileged security baseline are located in this folder. Before the scripts can be run install Azure AD powershell module on your device
Import-Module Microsoft.Graph -force
and allow scripts to run on your device;
Set-ExecutionPolicy remotesigned
MasterScript_PAW.PS1 - This script is used to import the Compliance policies, Configuration profiles used to apply the Privileged Profile settings
To import the Privileged Profile configuration settings into your tenant Open powershell console Navigate to PAW folder in Repo
.\MasterScript-PAW.ps1
PAWer username and password of an account that has Intune Administrator (preferred) or Global Admin privilege
Wait for the import process to complete.
The MasterScript_PAW.ps1 file calls the following scripts to import the Compliance Policies, Configuration Profiles
Import-PAW-DeviceCompliancePolicies.ps1 - This scripts imports the three device compliance policies for the Privileged profile. Three policies are used to ensure that Conditional Access does not prevent a user from being able to access resources. Refer to Windows 10 and later settings to mark devices as compliant or not compliant using Intune
-
Privileged Compliance ATP policy is used to feed the Threat Intelligence data from Microsoft Defender for Endpoint into the devices compliance state so its signals can be used as part of the Conditional Access evaluation process.
-
Privileged Compliance Delayed policy applies a more complete set of compliance settings to the device but its application is delayed by 24 hours. this is because the device health attestation that is required to assess policies like BitLocker and Secure Boot is only calculated once a device has rebooted and then might take a number of hours to process whether the device is compliant or not.
-
Privileged-Compliance-Immediate policy is used to apply a minimum level of compliance to users and is configured to apply immediately.
Import-PAW-DeviceConfiguration.ps1 - this script is used to import the Device Configuration profiles that harden the Operating System. there are five profiles used:
-
Privileged-Config-Win10-Custom-CSP Applies configuration service provider (CSP) settings that are not available in the Endpoint Manager UI, refer to Configuration service provider reference for the complete list of the CSP settings available.
-
Privileged-Config-Win10-Device-Restrictions-UI applies settings that restrict cloud account use, configure password policy, Microsoft Defender SmartScreen, Microsoft Defender Antivirus. Refer to Windows 10 (and newer) device settings to allow or restrict features using Intune for more details of the settings applied using the profile.
-
Privileged-Config-Win10-Endpoint-Protection-UI applies settings that are used to protect devices in endpoint protection configuration profiles including BitLocker, Device Guard, Microsoft Defender Firewall, Microsoft Defender Exploit Guard, refer to Windows 10 (and later) settings to protect devices using Intune for more details of the settings applied using the profile.
-
Privileged-Config-Win10-Identity-Protection-UI applies the Windows Hello for Business settings to devices, refer to Windows 10 device settings to enable Windows Hello for Business in Intune for more details of the settings applied using the profile.
-
PAW-Win10-URLLockProxy-UI applies the restrictive URL Lock policy to limit the web sites that PAW devices can connect to.
-
PAW-Win10-AppLocker-Custom-CSP applies the Restricted Execution Model policies in enforced mode. The AppLocker configuration is configured to allow applications to run under C:\Program Files, C:\Program Files (x86) and C:\Windows, with user writable paths under blocked. the characteristics for the AppLocker approach is:
- Assumption is that users are non-privileged users.
- Wherever a user can write they are blocked from executing
- Wherever a user can execute they are blocked from writing
-
PAW-Win10-Windows-Defender-Firewall-UI applies a Firewall policy that has the following characteristics - all inbound traffic is blocked including locally defined rules the policy includes two rules to allow Delivery Optimization to function as designed. Outbound traffic is also blocked apart from explicit rules that allow DNS, DHCP, NTP, NSCI, HTTP, and HTTPS traffic. This configuration not only reduces the attack surface presented by the device to the network it limits the outbound connections that the device can establish to only those connections required to administer cloud services.
Rule | Direction | Action | Application / Service | Protocol | Local Ports | Remote Ports |
---|---|---|---|---|---|---|
World Wide Web Services (HTTP Traffic-out) | Outbound | Allow | All | TCP | All ports | 80 |
World Wide Web Services (HTTPS Traffic-out) | Outbound | Allow | All | TCP | All ports | 443 |
Core Networking - Dynamic Host Configuration Protocol for IPv6(DHCPV6-Out) | Outbound | Allow | %SystemRoot%\system32\svchost.exe | TCP | 546 | 547 |
Core Networking - Dynamic Host Configuration Protocol for IPv6(DHCPV6-Out) | Outbound | Allow | Dhcp | TCP | 546 | 547 |
Core Networking - Dynamic Host Configuration Protocol for IPv6(DHCP-Out) | Outbound | Allow | %SystemRoot%\system32\svchost.exe | TCP | 68 | 67 |
Core Networking - Dynamic Host Configuration Protocol for IPv6(DHCP-Out) | Outbound | Allow | Dhcp | TCP | 68 | 67 |
Core Networking - DNS (UDP-Out) | Outbound | Allow | %SystemRoot%\system32\svchost.exe | UDP | All Ports | 53 |
Core Networking - DNS (UDP-Out) | Outbound | Allow | Dnscache | UDP | All Ports | 53 |
Core Networking - DNS (TCP-Out) | Outbound | Allow | %SystemRoot%\system32\svchost.exe | TCP | All Ports | 53 |
Core Networking - DNS (TCP-Out) | Outbound | Allow | Dnscache | TCP | All Ports | 53 |
NSCI Probe (TCP-Out) | Outbound | Allow | %SystemRoot%\system32\svchost.exe | TCP | All ports | 80 |
NSCI Probe - DNS (TCP-Out) | Outbound | Allow | NlaSvc | TCP | All ports | 80 |
Windows Time (UDP-Out) | Outbound | Allow | %SystemRoot%\system32\svchost.exe | TCP | All ports | 80 |
Windows Time Probe - DNS (UDP-Out) | Outbound | Allow | W32Time | UDP | All ports | 123 |
Delivery Optimization (TCP-In) | Inbound | Allow | %SystemRoot%\system32\svchost.exe | TCP | 7680 | All ports |
Delivery Optimization (TCP-In) | Inbound | Allow | DoSvc | TCP | 7680 | All ports |
Delivery Optimization (UDP-In) | Inbound | Allow | %SystemRoot%\system32\svchost.exe | UDP | 7680 | All ports |
Delivery Optimization (UDP-In) | Inbound | Allow | DoSvc | UDP | 7680 | All ports |
Note
There are two rules defined for each rule in the Microsoft Defender Firewall configuration. To restrict the inbound and outbound rules to Windows Services, e.g. DNS Client, both the service name, DNSCache, and the executable path, C:\Windows\System32\svchost.exe, need to be defined as separate rule rather than a single rule that is possible using Group Policy.
Import-PAW-DeviceConfigurationADMX.ps1 this script is used to import the Device Configuration ADMX Template profile that configures Microsoft Edge security settings.
- Privileged-Edge Version 85 - Computer applies administrative policies that control features in Microsoft Edge version 77 and later, refer to Microsoft Edge - Policies or more details of the settings applied using the profile.