Improve operating system security


The operating system hosts and manages your data, applications, and connected devices. Adopting a Zero Trust approach at the operating system level not only protects the operating system itself, but also all of the elements and entities that rely on it. This is a clear example of how servicing, security, and productivity are connected: inadequate protection for the operating system can also degrade the performance of all of these components and ultimately the productivity of your users and the organization.

Let's look at some of the key built-in and configurable security features that you can use to help protect your Windows devices at the operating system (OS) level. We'll use Microsoft Intune tools to help you level up in your security posture.

System security

You can achieve security that encompasses the foundations of operating system through a combination of security features already provided in your devices.

Device health attestation

Microsoft Intune integrates with Microsoft Azure Attestation to review Windows device health and connect this information with Microsoft Entra Conditional Access (reviewed in the unit on identity). The objective is that all hardware and firmware security components and features are trustworthy before granting them access to corporate resources. Zero Trust is reinforced by way of shifting focus from static enterprise defenses to active users, assets, and resources.

Use the device health attestation path in Intune to validate certain security configurations at the hardware level by creating a compliance policy. Require the following on the devices under your management:

  • Secure Boot (covered next)
  • BitLocker (covered in the following encryption and data protection section)
  • Code integrity (covered in the hardware-based security unit)

Follow Windows compliance settings in Microsoft Intune for a prerequisite check and step-by-step guidance. Alternatively, use security baselines in Intune to set these requirements as Windows Health Attestation Service evaluation rules, under the Device Health category:

A screenshot shows the Microsoft Intune security baselines for device health.

See Support Tip: Using Device Health Attestation Settings as Part of Your Intune Compliance Policy for more details and examples.

Secure Boot and Trusted Boot

The first step to protect the operating system is to ensure it starts securely. Secure Boot is a security standard of booting a PC using only software that's trusted by the original equipment manufacturer (OEM).

Ensure you've got Secure Boot enabled on your Intune-enrolled PCs:

  1. Go to Start.
  2. In the search bar, type msinfo32 and press Enter.
  3. In System Information, select System Summary.
  4. On the right side of the window, look at BIOS Mode and Secure Boot State. If BIOS Mode shows UEFI and Secure Boot State shows Off, then Secure Boot is disabled. Otherwise, it's enabled.
  5. Follow the step-by-step guide to re-enable Secure Boot.

With Secure Boot enabled, you can verify that the bootloader, which loads OS data into working memory during startup, hasn't been compromised.

Trusted Boot accompanies Secure Boot and builds further on it. It ensures that the Windows bootloader in turn verifies the Windows kernel. The kernel then checks all other components of the Windows startup process, including startup files, boot drivers, and more. If any of these have been tampered with, Windows refuses to load the corrupted component and attempts to repair it so that the PC can restart normally.
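The compliance policy above requires Secure Boot, BitLocker, and code integrity, and the msinfo32 steps check only the first of them by hand. The script below is an added example, not code from this page or from Intune: it reads all three states locally so that a device reported as non-compliant can be triaged. It assumes an elevated session on Windows 10/11 with the SecureBoot and BitLocker modules present (Pro, Enterprise, or Education editions); the Win32_DeviceGuard class and the numeric state codes are those documented for Windows.

```powershell
# Added example, not code from the Microsoft Learn page or from Intune: a read-only local
# check of the three settings the compliance policy above requires (Secure Boot, BitLocker,
# code integrity). Run it in an elevated PowerShell session on a Windows 10/11 device.
# Assumes the SecureBoot and BitLocker modules are present (Pro/Enterprise/Education editions).

function Get-SecureBootStatus {
    # msinfo32 shows "Off" only on UEFI machines; on legacy BIOS boot the state is
    # "Unsupported", and Confirm-SecureBootUEFI throws instead of returning $false.
    try {
        if (Confirm-SecureBootUEFI) { return 'Enabled' } else { return 'Disabled' }
    } catch {
        return "Unsupported or unknown ($($_.Exception.Message))"
    }
}

function Get-OsDriveBitLockerStatus {
    $volume = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [pscustomobject]@{
        ProtectionStatus = $volume.ProtectionStatus          # On or Off
        VolumeStatus     = $volume.VolumeStatus              # FullyEncrypted, EncryptionInProgress, ...
        EncryptionMethod = $volume.EncryptionMethod          # for example XtsAes256
        KeyProtectors    = ($volume.KeyProtector.KeyProtectorType -join ', ')
    }
}

function Get-CodeIntegrityStatus {
    # Win32_DeviceGuard exposes the virtualization-based security state that device
    # health attestation reports. SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $policyState = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
    $vbsState    = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
    [pscustomobject]@{
        VirtualizationBasedSecurity = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
        HvciRunning                 = ($dg.SecurityServicesRunning -contains 2)
        KernelCodeIntegrityPolicy   = $policyState[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        UserModeCodeIntegrityPolicy = $policyState[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
    }
}

function Test-DeviceHealthSettings {
    $secureBoot = Get-SecureBootStatus
    $bitLocker  = Get-OsDriveBitLockerStatus
    $ci         = Get-CodeIntegrityStatus
    [pscustomobject]@{
        SecureBoot          = $secureBoot
        BitLockerProtection = $bitLocker.ProtectionStatus
        EncryptionMethod    = $bitLocker.EncryptionMethod
        HvciRunning         = $ci.HvciRunning
        KernelCiPolicy      = $ci.KernelCodeIntegrityPolicy
        # The three conditions the compliance policy above asks for, evaluated locally.
        WouldPassPolicy     = ($secureBoot -eq 'Enabled') -and
                              ($bitLocker.ProtectionStatus -eq 'On') -and
                              $ci.HvciRunning
    }
}

Test-DeviceHealthSettings | Format-List
```

Intune's own verdict comes from the TPM-signed boot log that the Health Attestation Service evaluates, not from these local values, so a device can disagree with this script when its measured boot state and its current configuration differ (for example, right after Secure Boot was re-enabled but before a reboot). Use the script to find which of the three checks is failing, then fix the setting and reboot before expecting the compliance state to change.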

Windows Security policy settings and auditing

In unit 3 on cloud security, we learned how to configure security policy settings on your Windows devices with Intune to control user authentication on a device or network, which resources users are allowed to access, group memberships, and whether a user's or user group's activities are recorded in the event log.

You can also configure auditing policies to monitor for specific kinds of security-related events such as logon events, object access, privilege use, and more.

Audit through Intune reports and custom compliance, which give you access to operational, organizational, historical, and specialist reports. For example, to generate the organizational report:

  1. Sign in to the Microsoft Endpoint Manager admin center.
  2. Select Reports > Device compliance > Reports tab > Device compliance.
  3. Refine your report with the Compliance status, OS, and Ownership filters.
  4. Select Generate report (or Generate again) to retrieve current data.

See Microsoft Intune reports for further details and other types of reports.

Endpoint monitoring registry settings

Use Endpoint monitoring registry settings in Intune to view the security and health status of your device, as well as advance your security posture with custom compliance settings and proactive remediations.

If you're already using Intune's built-in device compliance options, then you're at a great starting point with Zero Trust. Customize your compliance settings to allow your organization to advance to the next level of Zero Trust maturity.

You can only do this on Microsoft Entra joined (or Microsoft Entra hybrid joined) devices through the following steps:

  1. Once you determine what you want to monitor in the registry, create a PowerShell discovery script and upload it to the Microsoft Endpoint Manager admin center.

  2. Prepare a JSON file with your custom settings to upload later.

  3. Create a compliance policy using your normal procedure, customizing the configuration settings.

  4. On the Compliance settings page, set Custom compliance to Require.

  5. Upload your PowerShell script under Select your discovery script.

  6. Upload and validate the JSON file with your custom compliance settings by locating and adding your created file.

  7. Check for any validation problems, complete your policy creation task, and assign the policy to devices.

  8. Finally, use proactive remediations with Intune to be protected and prepared. These script packages detect and fix common support issues on users' devices before they become noticeable. Deploy built-in or personalized scripts through Intune if your devices are

    • Enrolled into Endpoint analytics
    • Microsoft Entra joined or hybrid joined
    • Either managed by Intune with an Enterprise, Professional, or Education license of the latest Windows editions, or co-managed on supported Windows editions.
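Steps 1 and 2 above produce two files: the discovery script that runs on the device and the JSON rules file that Intune evaluates its output against. The block below is an added example, not Microsoft's sample script: it is a complete discovery script with its matching rules file in a trailing block comment. The monitored setting is an assumption for illustration (the RunAsPPL value that turns on LSA protection); the placeholder URL is not real, and the rule-file field names and allowed Operator and DataType values are those documented for Intune custom compliance.

```powershell
# Added example, not Microsoft's sample discovery script. This is the PowerShell discovery
# script from step 1: Intune runs it as SYSTEM on the device and expects exactly one line of
# output, a compressed JSON object whose keys are the SettingName values in the rules file.
# The monitored value here is an assumption for illustration: RunAsPPL (LSA protection) under
# the Lsa key. Substitute whatever your organization decided to monitor.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-RegistryDwordOrNull {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is missing instead of throwing: a missing value should
    # evaluate as non-compliant, not crash the script (which leaves the device "not evaluated").
    try {
        return [int](Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        return $null
    }
}

$runAsPpl = Get-RegistryDwordOrNull -Path $LsaKey -Name 'RunAsPPL'

# Report both a boolean for the rule and the raw value for troubleshooting in the report view.
$rawValue = -1
if ($null -ne $runAsPpl) { $rawValue = $runAsPpl }

$result = @{
    LsaProtectionEnabled = ($runAsPpl -eq 1 -or $runAsPpl -eq 2)   # 1 = on with UEFI lock, 2 = on without lock
    LsaRunAsPplValue     = $rawValue
}

# One compressed JSON line is the format the custom compliance parser reads.
$result | ConvertTo-Json -Compress

<#
Matching rules file (step 2, uploaded in step 6), one rule per key the script emits. Operator
values are IsEquals, NotEquals, GreaterThan, GreaterEquals, LessThan and LessEquals; DataType
is Boolean, Int64, Double, String, DateTime or Version. The MoreInfoUrl below is a placeholder.

{
  "Rules": [
    {
      "SettingName": "LsaProtectionEnabled",
      "Operator": "IsEquals",
      "DataType": "Boolean",
      "Operand": true,
      "MoreInfoUrl": "https://intranet.example.invalid/lsa-protection",
      "RemediationStrings": [
        {
          "Language": "en_US",
          "Title": "LSA protection is not enabled on this device",
          "Description": "This device stays non-compliant until LSA protection (RunAsPPL) is turned on. Contact the helpdesk."
        }
      ]
    }
  ]
}
#>
```

Two details matter in practice: the script must write nothing but the JSON line (a stray Write-Host or error text makes the output unparseable and the device shows as not evaluated), and the key names are case-sensitive and must match SettingName exactly. Emitting the raw value alongside the boolean costs nothing and saves a remote session when a user asks why their device is non-compliant.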

For proactive remediations, deploy script packages from Endpoint analytics in your Microsoft Endpoint Manager admin center by taking the following steps:

  1. Go to Proactive remediations in the console.

  2. Choose Create script package to create a script package.

    A screenshot of the Endpoint analytics view in Microsoft Intune, focused on where to create a script package.

  3. In the Basics step, give the script package a name and optionally, a description.

  4. On the Settings step, upload both the Detection script file and the Remediation script file.

    You need the corresponding detection and remediation script to be in the same package. For example, the Detect_Expired_User_Certificates.ps1 detection script corresponds with the Remediate_Expired_User_Certificates.ps1 remediation script.

  5. Finish the options on the Settings page with the following recommended configurations:

    • Run this script using the logged-on credentials: This setting is dependent on the script. For more information, see the Script descriptions.
    • Enforce script signature check: No
    • Run script in 64-bit PowerShell: No

    A screenshot shows the Endpoint analytics view in Microsoft Intune, focused on how to create a custom script.

  6. Select Next, then assign any Scope tags you need.

  7. In the Assignments step, select the device groups to which you want to deploy the script package.

  8. Complete the Review + Create step for your deployment.
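A script package is two files bound by an exit-code contract: the detection script exits 0 when nothing needs to be done and 1 to trigger the remediation script. The block below is an added example, not Microsoft's built-in Detect_Expired_User_Certificates package; it shows both halves of such a package for the expired-certificate case the text uses as its naming example. It assumes the scripts run in the logged-on user's context, because the personal certificate store is per user.

```powershell
# Added example, not Microsoft's built-in script package. A detection/remediation pair for the
# expired-certificate case the text uses as its naming example; save each section as its own
# .ps1 file and upload both in step 4. Because the personal store is per user, package them with
# "Run this script using the logged-on credentials: Yes".

# ---------- Detect_Expired_User_Certificates.ps1 ----------
# Contract: exit 0 = nothing to do (remediation skipped), exit 1 = run the remediation script.
# Whatever is written to stdout shows up as the pre-remediation detection output in the report.
$now = Get-Date
$expired = @(Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { $_.NotAfter -lt $now })

if ($expired.Count -eq 0) {
    Write-Output 'No expired certificates in the user personal store.'
    exit 0
}

$details = $expired | ForEach-Object { '{0} (expired {1:yyyy-MM-dd})' -f $_.Subject, $_.NotAfter }
Write-Output ('{0} expired certificate(s): {1}' -f $expired.Count, ($details -join '; '))
exit 1

# ---------- Remediate_Expired_User_Certificates.ps1 ----------
# Runs only when detection exited 1. Removes the expired certificates and reports what it did;
# a non-zero exit marks the remediation as failed so it shows up in the package's status.
$now = Get-Date
$expired = @(Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { $_.NotAfter -lt $now })
$removed = 0
foreach ($cert in $expired) {
    try {
        # Remove-Item on the certificate provider path deletes the certificate from the store;
        # add -DeleteKey if the orphaned private key should go with it.
        Remove-Item -Path $cert.PSPath -ErrorAction Stop
        $removed++
    } catch {
        Write-Output ('Could not remove {0}: {1}' -f $cert.Thumbprint, $_.Exception.Message)
    }
}
Write-Output ('Removed {0} of {1} expired certificate(s).' -f $removed, $expired.Count)
if ($removed -eq $expired.Count) { exit 0 } else { exit 1 }
```

After the remediation runs, Intune executes the detection script a second time and records its output as the post-remediation result, which is why the detection script should print something useful on both paths rather than only on failure. Keep the detection script side-effect free; everything that changes the device belongs in the remediation half, where a failure is reported as such.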

Encryption and data protection

Data on your Windows devices can effectively be protected from cybercriminals attempting to gain access through physical theft of the device or through malicious software. Here are some of the encryption and data protection tools and features that you can configure for your Windows devices.

BitLocker

BitLocker Drive Encryption is a data protection feature that integrates with the operating system and protects against data leaks on lost, stolen, or inappropriately discarded devices.

Prepare your organization for BitLocker drive encryption to provide protection for the OS, fixed drives, and even removable devices through data encryption. You can manage devices running the latest versions of Windows (some settings require a supported TPM), provided you have the applicable Intune role-based access control permissions.

Use one of the following policy types to configure BitLocker on your managed devices in Intune:

In Intune's Configuration settings interface, configure BitLocker to meet your business needs under the Windows Encryption category, as illustrated below.

A screenshot of the Microsoft Intune configuration settings for endpoint protection.

Monitor your managed devices with a built-in Intune encryption report and further manage BitLocker recovery keys. Follow further guidance documented in Encrypt Windows devices with BitLocker in Intune - Microsoft Intune.
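Managing recovery keys is the part of BitLocker that bites after deployment: a drive that is encrypted but has no escrowed recovery password locks a user out after a firmware change. The block below is an added example, not Intune's own BitLocker policy logic: it inspects the key protectors on the OS drive, adds a recovery password protector if there is none, and escrows it to Microsoft Entra ID with the BitLocker module's BackupToAAD-BitLockerKeyProtector cmdlet, which is the end state an Intune BitLocker policy with recovery key backup produces. It assumes an elevated session on a Microsoft Entra joined device.

```powershell
# Added example, not Intune's own BitLocker logic: checks the key protectors on the OS drive,
# adds a recovery password if none exists, and escrows it to Microsoft Entra ID, which is the
# end state an Intune BitLocker policy with recovery key backup produces. Requires an elevated
# session, the BitLocker module and a Microsoft Entra joined device. -WhatIf only reports.

function Get-OsDriveProtectorState {
    $volume = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [pscustomobject]@{
        MountPoint        = $volume.MountPoint
        ProtectionStatus  = $volume.ProtectionStatus
        EncryptionMethod  = $volume.EncryptionMethod
        HasTpmProtector   = [bool]@($volume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'Tpm' }).Count
        RecoveryPasswords = @($volume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    }
}

function Assert-RecoveryPasswordEscrowed {
    param([switch]$WhatIf)
    $state = Get-OsDriveProtectorState
    if ($state.ProtectionStatus -ne 'On') {
        Write-Warning "BitLocker protection is $($state.ProtectionStatus) on $($state.MountPoint); nothing to escrow yet."
        return
    }
    if (-not $state.HasTpmProtector) {
        # A TPM protector is what lets the drive unlock unattended while still binding the key
        # to this hardware; its absence usually means BitLocker was turned on outside policy.
        Write-Warning 'No TPM key protector on the OS drive.'
    }
    if ($state.RecoveryPasswords.Count -eq 0) {
        # Without a recovery password there is nothing to escrow and nothing to give a user who
        # is locked out after a firmware or boot configuration change.
        Write-Output 'No recovery password protector found; adding one.'
        if (-not $WhatIf) {
            Add-BitLockerKeyProtector -MountPoint $state.MountPoint -RecoveryPasswordProtector | Out-Null
            $state = Get-OsDriveProtectorState
        }
    }
    foreach ($rp in $state.RecoveryPasswords) {
        Write-Output ('Escrowing recovery password protector {0} to Entra ID' -f $rp.KeyProtectorId)
        if (-not $WhatIf) {
            BackupToAAD-BitLockerKeyProtector -MountPoint $state.MountPoint -KeyProtectorId $rp.KeyProtectorId
        }
    }
}

# Dry run first; drop -WhatIf to add and escrow for real.
Assert-RecoveryPasswordEscrowed -WhatIf
```

Confirm the result in the Intune encryption report and in the device's recovery keys view; an escrow that succeeded locally but never appears there usually means the device is registered rather than joined. A device that shows encrypted but has only a TPM protector is the case to look for, because it passes a naive "is BitLocker on" check and still has no recoverable key.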

Hardware Encrypted Hard Drives

Hardware Encrypted Hard Drives use BitLocker Drive Encryption to improve data security on hard drives. They are self-encrypting at the hardware level and support full disk hardware encryption.

Use Encrypted Hard Drives for Windows for robust pre-configured protection on drives and offload the encryption operations to the hardware, while reducing CPU usage and power consumption.

Configure encrypted hard drives using the same methods as standard hard drives: deploying from media, from network, from server, through disk duplication, or with group policy. The best part is that users don't have to enable encryption: it's always on, and the keys never leave the hard drive. Learn more on BitLocker Upgrading FAQ.

Email encryption

Email encryption with Secure/Multipurpose Internet Mail Extensions (S/MIME) provides an added layer of security for email sent to and from an Exchange ActiveSync (EAS) account. Encrypted messages can be read only by recipients who have an encryption certificate, verifying the identity of the sender. If a user attempts to send the encrypted message to a recipient that wasn't verified, the Windows email client will prompt the user to remove the unverified recipient before the email can be sent.

Configure email encryption to allow users to encrypt their email messages so that only their intended, verified recipients can read them.

  1. Use an on-premises or Office 365 Exchange account.
  2. Create PFX Certificate Profiles in Configuration Manager.
  3. Enable access to company resources using certificate profiles with Microsoft Intune.
  4. Instruct your users to use the Mail app to manage email encryption: to choose S/MIME settings for the device, encrypt and read individual messages, or install certificates from a received message.

These encryption and data protection features are designed to work seamlessly with Windows servicing updates to keep your devices up to date and as secure as possible.

Network security

Inadequate network security on devices can expose the devices and the organization to a wide range of threats, and can also interfere with the smooth download of quality and feature updates. Windows devices provide various network security features to protect your device network, including the following.

Transport Layer Security (TLS) and Domain Name System (DNS) security

Windows supports new DNS capabilities and TLS protocol versions that you can use to strengthen the network protections for applications, webservices, and facilitate Zero Trust networking.

The Transport Layer Security (TLS) protocol is an industry standard for protecting the privacy of information communicated over the Internet. It's the internet's most deployed security protocol, which encrypts data to provide a secure communication channel between two endpoints. TLS most commonly applies to securing HTTP connections, email exchanges, and remote procedure calls (RPC).

TLS 1.3 is supported and enabled by default starting with Windows Server 2022 and Windows 11. You can check the TLS protocol version support for all of the Windows OS versions you manage. TLS protocols use algorithms from a cipher suite to create keys and encrypt information. A cipher suite is a set of cryptographic algorithms for tasks like key exchange, bulk encryption, and message authentication. You can locate all of the TLS Cipher Suites in Windows 11 and all the cipher suites supported on other versions of Windows. For legacy group policy, check your cipher suite group policy, which needs to include the TLS 1.3 cipher suites for it to work.

If you want to tighten your TLS security further, you can do the following:

Note

When TLS 1.3 is not available, the connection can negotiate TLS 1.2. As troubleshooting help, review Common issues when enabling TLS 1.2.

If your organization has an Azure Firewall Premium subscription, take advantage of the TLS inspection feature that decrypts outbound traffic, processes the data, re-encrypts it, and sends it to the destination.

The latest Windows version supports DNS over HTTPS (DoH), which is an encrypted Domain Name System (DNS) protocol. Configure DoH to protect your devices from cybercriminals, such as those who want to log browsing behavior or redirect clients to their malicious sites.
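The cipher suite and protocol checks described above are easy to get subtly wrong: a cipher suite group policy that omits the TLS 1.3 suites silently downgrades every connection to TLS 1.2, and legacy suites stay enabled until something disables them. The script below is an added example, not Microsoft's code: a read-only audit that reports which Schannel protocol versions have been explicitly configured, whether any TLS 1.3 suite is still enabled, which enabled suites use legacy constructions, and which DoH servers are configured. It assumes Windows 10/11 or Windows Server 2016 or later for the TLS module; the DoH cmdlet exists only on Windows 11 and Windows Server 2022, and the script checks for it before calling it.

```powershell
# Added example, not Microsoft's code: a read-only audit of the TLS and DNS settings discussed
# above. Assumes Windows 10/11 or Windows Server 2016 or later, where the TLS module
# (Get-TlsCipherSuite) ships; the DoH cmdlet exists only on Windows 11 and Server 2022.

$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    # A protocol key under SCHANNEL exists only when someone configured it explicitly; an
    # absent key means the OS default applies (TLS 1.2 and 1.3 enabled on current Windows).
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3') {
        foreach ($role in 'Client', 'Server') {
            $props = Get-ItemProperty -Path (Join-Path $SchannelProtocols "$proto\$role") -ErrorAction SilentlyContinue
            $state = 'OS default'
            if ($null -ne $props) {
                if ($props.Enabled -eq 0) { $state = 'Disabled' } elseif ($props.DisabledByDefault -eq 1) { $state = 'Enabled, not negotiated by default' } else { $state = 'Enabled' }
            }
            [pscustomobject]@{ Protocol = $proto; Role = $role; State = $state }
        }
    }
}

function Test-Tls13CipherSuitesPresent {
    # Protocol code 772 (0x0304) is TLS 1.3; if no enabled suite carries it, a cipher suite
    # group policy has probably dropped the TLS 1.3 suites and clients will fall back to 1.2.
    return [bool](Get-TlsCipherSuite | Where-Object { $_.Protocols -contains 772 })
}

function Get-WeakCipherSuites {
    # Legacy constructions that a TLS 1.2 hardening policy should disable, plus static RSA
    # key exchange suites, which offer no forward secrecy.
    $weakPatterns = 'RC4', '3DES', 'NULL', 'MD5', 'EXPORT', 'DES_CBC'
    foreach ($suite in Get-TlsCipherSuite) {
        $hits = @($weakPatterns | Where-Object { $suite.Name -like "*$_*" })
        $reason = $null
        if ($hits.Count -gt 0) { $reason = $hits -join ', ' } elseif ($suite.Name -like 'TLS_RSA_WITH_*') { $reason = 'no forward secrecy' }
        if ($reason) {
            [pscustomobject]@{ Name = $suite.Name; Reason = $reason; Protocols = ($suite.Protocols -join ',') }
        }
    }
}

function Get-DohServers {
    # Windows 11 / Server 2022 only; older builds have no DoH support and no cmdlet.
    if (Get-Command Get-DnsClientDohServerAddress -ErrorAction SilentlyContinue) {
        Get-DnsClientDohServerAddress | Select-Object ServerAddress, DohTemplate, AllowFallbackToUdp, AutoUpgrade
    } else {
        Write-Warning 'DNS over HTTPS is not available on this Windows build.'
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize
'TLS 1.3 cipher suites enabled: {0}' -f (Test-Tls13CipherSuitesPresent)
Get-WeakCipherSuites | Format-Table -AutoSize
Get-DohServers | Format-Table -AutoSize
```

These settings govern Schannel, the TLS stack used by Windows components and by applications built on it; browsers and other software that ship their own TLS library are not affected by them. When tightening, disable the weak suites and old protocol versions on the client side first and watch the "Common issues when enabling TLS 1.2" symptoms the note above refers to, since an application pinned to an old suite fails to connect rather than downgrading gracefully.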

Windows Defender Firewall and virtual private networks (VPN)

Windows Defender Firewall with Advanced Security provides host-based, two-way network traffic filtering, blocking unauthorized traffic in and out of your devices based on the network to which they're connected. You can easily use the endpoint security Firewall policy if your devices are managed by Intune and run one of the latest operating systems (see requirements and more details in Manage firewall settings with endpoint security policies in Microsoft Intune).

Check your Firewall status with Intune reports:

  1. Open the Microsoft Endpoint Manager admin center.

  2. Go to Reports > Firewall > MDM Firewall status…

    A screenshot of Microsoft Intune's reports view, focused on Firewall.

Check or filter the result by the following status categories: temporarily disabled by default, enabled, disabled, limited, or not applicable.

Use the Firewall configuration service provider (CSP) to configure the Windows Defender Firewall global settings, per profile settings, and the desired set of custom rules to be enforced on the devices under your management. For more support, bookmark How to trace and troubleshoot the Intune Endpoint Security Firewall rule creation process. Stay tuned for significant new facilities coming to Intune for controlling Windows Firewall policy, which would optimize your security posture going forward.
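The firewall status report above collapses three per-profile states (Domain, Private, Public) into one category per device, which hides which profile is the problem. The block below is an added example, not code from this page or from the Firewall CSP: it reproduces the per-profile view locally with the NetSecurity module, maps the three profiles onto the report categories as the section describes them (all on, none on, or a mix), and applies the baseline an endpoint security Firewall policy typically enforces. It assumes an elevated session on Windows 10/11.

```powershell
# Added example, not code from the page or the Intune Firewall CSP: the per-profile status
# that the Intune firewall report summarizes, produced locally with the NetSecurity module,
# plus the baseline a Zero Trust posture expects. Run elevated on Windows 10/11.

function Get-FirewallPosture {
    # Each profile (Domain, Private, Public) has its own state; the report category in Intune
    # reflects all three together, which is what Get-FirewallReportCategory reproduces.
    foreach ($profile in Get-NetFirewallProfile) {
        $findings = @()
        if ($profile.Enabled -ne 'True') { $findings += 'profile disabled' }
        if ($profile.DefaultInboundAction -ne 'Block') { $findings += "inbound default is $($profile.DefaultInboundAction)" }
        if ($profile.LogBlocked -ne 'True') { $findings += 'dropped packets not logged' }
        [pscustomobject]@{
            Profile               = $profile.Name
            Enabled               = $profile.Enabled
            DefaultInboundAction  = $profile.DefaultInboundAction
            DefaultOutboundAction = $profile.DefaultOutboundAction
            LogFile               = $profile.LogFileName
            Findings              = ($findings -join '; ')
        }
    }
}

function Get-FirewallReportCategory {
    # Mirrors the categories the Intune report uses for Windows devices:
    # all profiles on = Enabled, none on = Disabled, a mix = Limited.
    $profiles = @(Get-NetFirewallProfile)
    $enabled  = @($profiles | Where-Object { $_.Enabled -eq 'True' }).Count
    if ($enabled -eq $profiles.Count) { return 'Enabled' }
    if ($enabled -eq 0) { return 'Disabled' }
    return 'Limited'
}

function Set-FirewallBaseline {
    # The state an endpoint security Firewall policy produces when every profile is enabled with
    # inbound Block and logging of dropped packets; applied locally here to test on one device.
    Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow -LogBlocked True
}

Get-FirewallPosture | Format-Table -AutoSize
'Intune report category would be: {0}' -f (Get-FirewallReportCategory)
```

The per-profile Findings column is the useful part: a device that the report lists as "limited" is almost always one where the Public profile was turned off to make something work on a home network, and the dropped-packet log named in LogFile is where to look when a newly deployed rule set breaks an application. Settings pushed by Intune override whatever Set-FirewallBaseline applies at the next policy sync, so use it to validate, not to manage.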

If your enterprise uses virtual private network (VPN) solutions, Intune also supports multiple settings to help you configure Windows VPN. This way, you can implement and create secure communication tunnels for your devices across the internet. Also, the Windows VPN platform receives periodic quality updates from Microsoft, which means that you can use enhanced features, such as integration with Azure VPN, and enjoy a simpler admin experience. This is just another example of how servicing provides for security.

To begin, review the guide in Windows 10/11 VPN settings in Microsoft Intune and use settings catalog to configure settings relevant for your organization. For example, enable or disable features, specify allowed VPN vendors, DNS, proxies, and more. Use these settings in device configuration profiles first and then deploy them to devices. Finally, keep monitoring these profiles with Intune.

Virus and threat protection

Cyberthreats are becoming more complex and increasing in their scale and scope. The latest quality and feature updates always address the newest risks for you. Additionally, you need virus and threat protection that is up to the task. You can use the following combination of tools and features to help you achieve this. These features are available to you through Microsoft Defender for Endpoint, which is kept up to date through your regular monthly servicing and is further adaptable to your needs.

Microsoft Defender for Endpoint

Your organization might have many devices, across many different environments, business units, and locations. For comprehensive enterprise-level protection, consider using Microsoft Defender for Endpoint. With it, you can utilize:

  • Endpoint behavioral sensors across all your devices to monitor for anomalous signals from the operating system.
  • Cloud security analytics to use unique and deep insights across the estate.
  • Threat intelligence that uses Microsoft's expertise in line with machine learning to identify the most complex threats.
  • Rich response capabilities so that you can use automated investigation and remediation to isolate, investigate, and remediate threats across your environments.

Create a plan to deploy Microsoft Defender for Endpoint for your organization and use the deployment guide to start using it.

Microsoft Defender Antivirus

Configure Microsoft Defender Antivirus to continually monitor for malware, viruses, and other types of security threats from the moment your device starts up. It's a major component of Microsoft Defender for Endpoint. For increased protection, configure it for real-time, behavior-based, and heuristic antivirus protection.

A screenshot shows the Antivirus summary view of Endpoint security.

Attack surface reduction

Certain software behaviors are often exploited by attackers, such as users launching executable scripts that attempt to download or run files or running obfuscated or otherwise suspicious scripts. To detect and block actions like these, configure attack surface reduction rules in Intune, based on your organizational context. These options are available to you under Endpoint Security, as shown below.

A screenshot of the Attack surface reduction summary view of Endpoint security.

Alternatively, use Microsoft Defender capabilities to reduce your attack surface on the web: Understand and use attack surface reduction.

Tamper protection and exploit protection

Sometimes, cybercriminals will attempt to disable or remove security features. For example, they might try to disable antivirus protection, remove security updates, or disable real-time protection. They'll try to do this in order to carry out or expand their ransomware and other attacks.

Configure tamper protection in Microsoft Defender for Endpoint to prevent this from happening. If you have an appropriate E5 license, connect Microsoft Defender ATP to Intune:

  1. Go to https://securitycenter.windows.com.
  2. Visit Settings > Advanced features.
  3. Turn the Microsoft Intune connection on.

Follow these steps to create an Endpoint Protection policy in Intune:

  1. Choose Device configuration - Profiles, and then Create profile.
  2. Choose an Endpoint protection profile type.
  3. In the endpoint protection view, select the > sign to see all available settings.
  4. From Microsoft Defender Security Center, set Tamper Protection to Enabled.
  5. Assign this policy to a user or device group.

A screenshot of the Microsoft Defender security center options in Microsoft Intune, focused on enabled Tamper protection.

Additionally, enable exploit protection to protect against malware that relies on exploits to infect and spread across devices. It works best together with Microsoft Defender for Endpoint for more reporting capabilities.
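The antivirus, attack surface reduction, and tamper protection policies above all land in the same local Defender configuration, which the Defender module exposes for verification. The block below is an added example, not Microsoft's code: it reads the settings those three policies control (tamper protection, real-time and behavior monitoring, cloud protection, signature age, and the state of a handful of ASR rules), and includes a helper that enables those rules in audit mode so their impact can be reviewed before blocking. The rule GUIDs are taken from Microsoft's published ASR rule reference and chosen to match the script-abuse behaviors the attack surface reduction section names; the script assumes an elevated session on Windows 10/11 with Microsoft Defender Antivirus active.

```powershell
# Added example, not Microsoft's code: a local view of the Defender settings that the Intune
# Antivirus, attack surface reduction and tamper protection policies above configure, plus a
# helper that turns on ASR rules in audit mode. Needs the Defender module (Windows 10/11 with
# Microsoft Defender Antivirus); run elevated.

# Rule IDs from Microsoft's published ASR rule reference, chosen to match the behaviors the
# attack surface reduction section names (script abuse) and common credential theft.
$AsrRules = @{
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from the Windows local security authority subsystem'
}
$AsrActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-DefenderPosture {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    [pscustomobject]@{
        TamperProtected          = $status.IsTamperProtected
        RealTimeProtection       = $status.RealTimeProtectionEnabled
        BehaviorMonitoring       = $status.BehaviorMonitorEnabled
        CloudDeliveredProtection = ($pref.MAPSReporting -ne 0)   # 0 = off, 1 = basic, 2 = advanced
        PuaProtection            = $pref.PUAProtection            # 0 = off, 1 = block, 2 = audit
        SignatureAgeDays         = $status.AntivirusSignatureAge
    }
}

function Get-AsrRuleState {
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToUpper() })
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($id in $AsrRules.Keys) {
        # Ids and Actions are parallel arrays; the action for a rule sits at the same index as its id.
        $index  = [array]::IndexOf($ids, $id)
        $action = 'Not configured'
        if ($index -ge 0) { $action = $AsrActionNames[[int]$actions[$index]] }
        [pscustomobject]@{ Rule = $AsrRules[$id]; Id = $id; Action = $action }
    }
}

function Enable-AsrRulesInAuditMode {
    # Audit mode records what a rule would have blocked (Microsoft-Windows-Windows Defender/Operational,
    # event ID 1122) without stopping anything, so the impact can be reviewed before switching to Block.
    foreach ($id in $AsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
    }
}

Get-DefenderPosture | Format-List
Get-AsrRuleState | Format-Table -AutoSize
```

On an Intune-managed device the Get- cmdlets reflect the policy that was pushed, while local Add- and Set-MpPreference changes are reverted at the next sync, and with tamper protection on, core settings such as real-time protection cannot be changed locally at all, which is exactly the behavior the section above is asking for. Rolling ASR rules out in audit mode first, then reviewing the 1122 events in the Defender operational log before switching them to Block, is what keeps a line-of-business macro or installer from becoming a help desk incident.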

Enhanced phishing protection with Microsoft Defender SmartScreen

Microsoft Defender SmartScreen protects against phishing, malicious websites and applications, and the downloading of potentially malicious files. Specifically, it analyzes webpages and downloaded files for indications of suspicious behavior and unsafe characteristics tracked in our dynamic database. It alerts you whenever a match is found or whenever you're about to enter your Microsoft credentials into a potentially risky location. This new feature is available in all Windows 11 editions: Home, Pro, Enterprise, Education, and IoT.

Use settings catalog to enable SmartScreen:

A screenshot of the Windows SmartScreen settings in Microsoft Intune's settings catalog.

Use security baselines for basic initial configuration of Windows SmartScreen:

A screenshot of the Security baselines for Windows SmartScreen in Microsoft Intune.

The workflow diagram shows that we've completed the operating system step.