Is it possible to block applications with Defender?

Hello,
For context, we protect 3k endpoints with Defender and we have set policies with Intune:
- Antivirus
- Endpoint detection and response
- Attack surface reduction
In Intune there is the "application control" strategy, but this method is too restrictive for our activities and does not allow you to block an application of your choice.
In Defender you can block by hash via Settings > Endpoints > Indicators, but the hash can change with each version.
I tried with SCCM (System Center Configuration Manager) without success either.
Other antivirus programs allow this; is it possible to block an application of your choice with Defender/Intune?
David
3 answers

Reza-Ameri 15,106 Reputation points
2022-11-11T16:12:42.343+00:00
To block a specific application, you may try using AppLocker and set a policy to block it.
You may use sanctioned/unsanctioned apps in the cloud.
Have a look at:
https://learn.microsoft.com/en-us/defender-cloud-apps/governance-discovery
David B 1 Reputation point
2022-11-16T15:41:33.627+00:00
Hi,
Thank you for your feedback.

AppLocker
When I configure the blocking of a single application with AppLocker, it blocks the application, but Notepad, Command Prompt and PowerShell are also blocked... I don't understand...

Sanctioned/unsanctioned apps
I followed the 2 links and finalized the configuration:
https://learn.microsoft.com/en-us/defender-cloud-apps/governance-discovery
https://learn.microsoft.com/en-us/defender-cloud-apps/mde-integration#how-to-integrate-microsoft-defender-for-endpoint-with-defender-for-cloud-apps
I get an alert in MS Defender: "Unsanctioned cloud app access was blocked"
- If the user is using Edge, they cannot access the site of the blocked application and therefore cannot download and install it.
- If the user uses another browser, they can access the application download site, install it and start the blocked application.
My intention is to block the use of the software.
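The AppLocker symptom described in the reply above (Notepad, cmd.exe and PowerShell blocked as soon as one deny rule exists) is AppLocker's documented default: once a rule collection such as "Executable rules" contains any rule, every executable that no rule explicitly allows is denied, so a lone deny rule is effectively "deny everything". A policy has to carry the default allow rules (Program Files, Windows folder, local Administrators) next to the deny rule, and should be dry-run with Test-AppLockerPolicy before being enforced. The script below is an added example written for this answer, not code from the thread; the publisher string and the target path are hypothetical placeholders to replace with the real signer and a real binary on the test machine.

```powershell
# Added example: AppLocker EXE policy = default allow rules + one publisher deny rule.
# Publisher string and target path are hypothetical; replace them with the real values.
$DenyPublisher = 'O=CONTOSO LTD, L=REDMOND, S=WASHINGTON, C=US'   # assumption: signer of the app to block
$TargetExe     = 'C:\Program Files\Contoso\Widget\widget.exe'     # assumption: a real signed binary on the test box
$PolicyPath    = Join-Path $env:TEMP 'BlockContosoApp.xml'

function New-RuleId { [guid]::NewGuid().ToString() }

# EnforcementMode="AuditOnly" logs decisions in the AppLocker event log without blocking;
# switch to "Enabled" only after the test below shows the expected decisions.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$(New-RuleId)" Name="(Default Rule) All files located in the Program Files folder"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-RuleId)" Name="(Default Rule) All files located in the Windows folder"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-RuleId)" Name="(Default Rule) All files"
                  Description="Administrators may run anything" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePublisherRule Id="$(New-RuleId)" Name="Deny every version signed by the target publisher"
                  Description="Deny wins over Allow, so this overrides the Program Files default rule"
                  UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="$DenyPublisher" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $PolicyPath -Value $policyXml -Encoding UTF8

# Dry run: the three Windows binaries must come back "Allowed" (matching a default rule),
# the target binary "Denied" (matching the publisher rule). Anything "Denied" with no
# matching rule is exactly the "nothing is allowed" mistake from the question.
$samples = @(
    "$env:WINDIR\notepad.exe",
    "$env:WINDIR\System32\cmd.exe",
    "$env:WINDIR\System32\WindowsPowerShell\v1.0\powershell.exe",
    $TargetExe
) | Where-Object { Test-Path $_ }

Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $samples -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# To apply locally (or import the XML into the Intune / GPO AppLocker setting):
#   Set-AppLockerPolicy -XmlPolicy $PolicyPath
#   Start-Service AppIDSvc   # Application Identity service; without it nothing is enforced
```

The publisher-condition `ProductName="*"` / `BinaryName="*"` with an open version range is what keeps the rule stable across releases, which is the weakness of hash indicators the question raises; the trade-off is that it also denies any other product the same certificate signs.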
Andrew Blumhardt 8,106 Reputation points Microsoft Employee
2022-11-16T15:57:41.99+00:00
The AV policy has an option to block Potentially Unwanted Apps (PUA) that might be useful.
You could use a certificate indicator, which is more persistent than a file hash. I think this can also be used as an App Control override.
You might also revisit Application Control. This allows all from your MECM/SCCM, Microsoft Store, and Microsoft-signed certs. You can start in audit mode. The Intune policy is rather sparse, but there are more granular policy options. The goal here is to reduce the need for app-specific controls by taking a more dynamic approach. This should also block those web-based installs.
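The certificate indicator suggested above can be derived directly from the signed binary rather than by uploading a certificate file by hand, and it is what answers the "hash changes with every version" problem in the question: the leaf code-signing certificate normally stays the same across releases until the vendor renews it. The script below is an added example for this answer, not code from the thread or from Microsoft. It assumes you already hold an access token for the Defender for Endpoint API (the `Ti.ReadWrite` permission on the WindowsDefenderATP application; token acquisition is out of scope here and is read from an environment variable), that the target path is a hypothetical placeholder, and that the Indicators API accepts the SHA-1 thumbprint as the value for a `CertificateThumbprint` indicator, which is my reading of the API reference and should be checked against it before use.

```powershell
# Added example: turn a signed binary into a Defender for Endpoint certificate indicator.
param(
    [string]$FilePath    = 'C:\Program Files\Contoso\Widget\widget.exe',  # assumption: hypothetical target
    [string]$AccessToken = $env:MDE_TOKEN,                                # assumption: token obtained elsewhere
    [switch]$Submit                                                        # without -Submit only the request body is shown
)

$sig = Get-AuthenticodeSignature -FilePath $FilePath
if ($sig.Status -ne 'Valid') {
    # An indicator on an invalid or missing signature would never match at the endpoint.
    throw "Signature status for '$FilePath' is '$($sig.Status)'; a certificate indicator needs a validly signed file."
}

$leaf = $sig.SignerCertificate           # X509Certificate2 of the leaf (signer) certificate
Write-Host "Signer  : $($leaf.Subject)"
Write-Host "Thumb   : $($leaf.Thumbprint)"  # SHA-1 thumbprint, the value the indicator carries
Write-Host "Expires : $($leaf.NotAfter)"

# Caveat a practitioner wants to know before submitting: this blocks EVERY binary signed by
# this leaf certificate, so list what else on the box carries the same signer first.
$sameSigner = Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' -Recurse -Include *.exe -ErrorAction SilentlyContinue |
    ForEach-Object { Get-AuthenticodeSignature $_.FullName } |
    Where-Object { $_.SignerCertificate -and $_.SignerCertificate.Thumbprint -eq $leaf.Thumbprint } |
    Select-Object -ExpandProperty Path
Write-Host "Other binaries with the same signer: $($sameSigner.Count)"
$sameSigner | ForEach-Object { Write-Host "  $_" }

$body = @{
    indicatorValue = $leaf.Thumbprint
    indicatorType  = 'CertificateThumbprint'
    action         = 'Block'
    title          = "Block binaries signed by $($leaf.Subject)"
    description    = 'Certificate indicator: survives version changes of the product, expires with the certificate'
    severity       = 'Medium'
    generateAlert  = $true
    expirationTime = $leaf.NotAfter.ToUniversalTime().ToString('o')  # no point keeping it past the cert lifetime
} | ConvertTo-Json

if ($Submit) {
    if (-not $AccessToken) { throw 'No access token; set MDE_TOKEN or pass -AccessToken.' }
    Invoke-RestMethod -Method Post -Uri 'https://api.securitycenter.microsoft.com/api/indicators' `
        -Headers @{ Authorization = "Bearer $AccessToken"; 'Content-Type' = 'application/json' } `
        -Body $body
} else {
    $body
}
```

Certificate indicators only take effect on devices where Microsoft Defender Antivirus is the active engine with cloud-delivered protection on, so an endpoint running Defender in passive mode behind another AV will not enforce the block; and when the vendor renews its code-signing certificate the indicator has to be re-issued, which is far less frequent than a hash change per release but still something to track (the `expirationTime` above makes the indicator lapse with the certificate so a stale entry does not linger).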
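The "revisit Application Control, start in audit mode" advice above maps onto the granular WDAC tooling in the ConfigCI module, which gives more control than the Intune built-in policy the question found too restrictive. The script below is an added example for this answer, not code from the thread or from Microsoft: it takes the AllowMicrosoft template that recent Windows builds ship under the CodeIntegrity example-policies folder (path assumed to be present on the machine), sets the rule options that match the answer's description (audit mode, trust for binaries deployed by the managed installer such as MECM), compiles it, and then reads the audit log to see what the policy would have blocked before anyone flips it to enforced. The policy name is an arbitrary placeholder.

```powershell
# Added example: WDAC "Allow Microsoft" base policy in audit mode, plus a review helper.
$Template  = "$env:WINDIR\schemas\CodeIntegrity\ExamplePolicies\AllowMicrosoft.xml"  # assumption: template present
$PolicyXml = Join-Path $env:TEMP 'AllowMicrosoft_Audit.xml'
if (-not (Test-Path $Template)) { throw "Template not found at $Template" }
Copy-Item -Path $Template -Destination $PolicyXml -Force

# Rule options are the documented WDAC option IDs.
Set-RuleOption -FilePath $PolicyXml -Option 3    # Enabled:Audit Mode      - log only, block nothing yet
Set-RuleOption -FilePath $PolicyXml -Option 6    # Enabled:Unsigned System Integrity Policy - no policy signing yet
Set-RuleOption -FilePath $PolicyXml -Option 13   # Enabled:Managed Installer - trust what MECM/Intune deploys
Set-RuleOption -FilePath $PolicyXml -Option 16   # Enabled:Update Policy No Reboot

# Fresh policy ID so the policy can sit next to others in multiple-policy format.
Set-CIPolicyIdInfo -FilePath $PolicyXml -PolicyName 'Corp-AllowMicrosoft-Audit' -ResetPolicyID | Out-Null
$policyId = ([xml](Get-Content -Path $PolicyXml)).SiPolicy.PolicyID   # "{GUID}"
$Binary   = Join-Path $env:TEMP "$policyId.cip"                        # Windows expects {GUID}.cip
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $Binary
Write-Host "Compiled policy: $Binary"
# Deploy $Binary via Intune (custom OMA-URI / ApplicationControl CSP) or copy it to
# $env:WINDIR\System32\CodeIntegrity\CiPolicies\Active\ and reboot the test device.

# Review what audit mode would have blocked. Event 3076 = audit-mode "would block",
# 3077 = enforced block. Run this on the pilot devices for a few weeks before removing option 3.
function Get-WdacAuditSummary {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    $filter = @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Message text carries the file name; group on it so one chatty binary does not flood the list.
            if ($_.Message -match 'file\s+(\\Device\\[^\s]+|[A-Za-z]:\\[^\s]+)') { $Matches[1] } else { '<unparsed>' }
        } |
        Group-Object |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

Get-WdacAuditSummary | Format-Table -AutoSize
```

Managed-installer trust (option 13) additionally needs the managed-installer AppLocker rule collection that marks the MECM/Intune agent as the installer, so on its own the option does nothing; and the web-downloaded installers the question worries about are exactly what this base policy refuses, because they are neither Microsoft-signed nor delivered by the managed installer, which is the "dynamic" effect the answer describes.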