Is it possible to block applications with Defender?

David B 1 Reputation point
2022-11-10T16:34:07.99+00:00

Hello,

For context, we protect 3k endpoints with Defender; we have set policies with Intune:
-Antivirus
-Endpoint detection and response
-Attack surface reduction
In Intune, there is the "application control" strategy, but this method is too restrictive for our activities and does not allow you to block an application of your choice.
In Defender, you can block by hash via Settings > Endpoints > Indicators, but the hash can change with each version.
I tried with SCCM (System Center Configuration Manager) without success either.

Other antivirus programs allow this; is it possible to block an application of your choice with Defender/Intune?

David


3 answers

  1. Reza-Ameri 16,831 Reputation points
    2022-11-11T16:12:42.343+00:00

    To block a specific application, you may try using AppLocker and set a policy to block it.
    You may use sanctioned/unsanctioned apps in the cloud.
    Have a look at:
    https://learn.microsoft.com/en-us/defender-cloud-apps/governance-discovery


  2. David B 1 Reputation point
    2022-11-16T15:41:33.627+00:00

    Hi,
    Thank you for your feedback.

    AppLocker
    When I configure the blocking of a single application with AppLocker, it blocks the application, but Notepad, Command Prompt and PowerShell are also blocked... I don't understand...

    Sanctioned/unsanctioned
    I followed the 2 links and finalized the configurations:
    https://learn.microsoft.com/en-us/defender-cloud-apps/governance-discovery
    https://learn.microsoft.com/en-us/defender-cloud-apps/mde-integration#how-to-integrate-microsoft-defender-for-endpoint-with-defender-for-cloud-apps
    I get an alert in MS Defender: "Unsanctioned cloud app access was blocked"
    -If the user is using Edge, they cannot access the site of the blocked application and therefore cannot download and install it.
    -If the user uses another browser, they can access the application download site, install it and start the blocked application.
    My intention is to block the use of software.

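The symptom described above, with an added example that is not from the thread: once a rule collection is enforced, AppLocker denies every executable that no allow rule covers, so a deny rule has to sit alongside the default allow rules. The policy below assumes the unwanted application is signed (the publisher string, file paths and rule GUIDs are placeholders), checks the decision for Notepad, cmd and PowerShell before anything is enforced, and then applies the policy locally.

```powershell
# Added example, not from the thread. Assumes the unwanted app is signed;
# replace PublisherName with the value Get-AppLockerFileInformation returns
# for one of its binaries. Paths are placeholders and rule Ids are arbitrary
# GUIDs chosen here. Run elevated on a test machine before deploying.
# 1. Read the publisher string from a signed binary of the app to block.
Get-AppLockerFileInformation -Path 'C:\Path\To\UnwantedApp.exe' |
    Select-Object -ExpandProperty Publisher

# 2. Policy: the three default allow rules keep Windows, Program Files and
#    administrator activity working; an AppLocker deny rule wins over allow.
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePublisherRule Id="3f2c9d1e-1111-4a2b-9c3d-5e6f7a8b9c01" Name="Deny UnwantedApp by publisher"
        Description="Blocks every version signed by this publisher" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="O=EXAMPLE PUBLISHER, L=CITY, S=STATE, C=US" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePathRule Id="3f2c9d1e-2222-4a2b-9c3d-5e6f7a8b9c02" Name="(Default Rule) All files located in the Program Files folder"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="3f2c9d1e-3333-4a2b-9c3d-5e6f7a8b9c03" Name="(Default Rule) All files located in the Windows folder"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="3f2c9d1e-4444-4a2b-9c3d-5e6f7a8b9c04" Name="(Default Rule) All files"
        Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@
$policyPath = Join-Path $env:TEMP 'block-unwanted-app.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# 3. Dry run: Notepad, cmd and PowerShell must come back Allowed, the target Denied.
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone -Path @(
    'C:\Windows\System32\notepad.exe',
    'C:\Windows\System32\cmd.exe',
    'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
    'C:\Path\To\UnwantedApp.exe'
) | Format-Table FilePath, PolicyDecision, MatchingRule

# 4. Apply locally (merged with existing rules); AppLocker needs the Application Identity service.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
sc.exe config appidsvc start= auto; Start-Service -Name AppIDSvc
```

For Intune, the same RuleCollection element is what the AppLocker CSP takes in a custom OMA-URI profile, so the dry run above is worth repeating against that exact XML before assignment.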

  3. Andrew Blumhardt 9,491 Reputation points Microsoft Employee
    2022-11-16T15:57:41.99+00:00

    The AV policy has an option to block Potentially Unwanted Apps (PUA) that might be useful.

    You could use a certificate indicator which is more persistent than a file hash. I think this can also be used as an App Control override.

    You might also revisit Application Control. This allows everything from your MECM/SCCM, Microsoft Store, and Microsoft-signed certs. You can start in an audit mode. The Intune policy is rather sparse, but there are more granular policy options. The goal here is to reduce the need for app-specific controls by taking a more dynamic approach. This should also block those web-based installs.

    https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/
