This repository contains the accompanying scripts to deploy some of the artifacts required to deploy an Azure Secure Workstation, they will deploy
- Azure AD groups
- Compliance Policies
- Configuration Scripts
- Autopilot profiles
- Enrollment status page
Before running the deployment script the latest version of the following modules need to be installed in the system:
- WindowsAutopilotIntune
- Microsoft.Graph
Allow scripts to run on your device
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process_masterScript.PS1 - This script is used to import the Compliance policies, Configuration profiles used to apply the Privileged Profile settings
To import the Privileged Profile configuration settings into your tenant, open a Windows PowerShell console and execute
.\code\_masterScript.ps1Log in with an account that has Global Administrator role assigned.
Wait for the import process to complete.
The _masterScript.ps1 file calls the following scripts to import the artifacts
Import-CompliancePolicies.ps1 - This scripts imports three device compliance policies for the Privileged profile. Three policies are used to ensure that Conditional Access does not prevent a user from being able to access resources. Refer to Windows 10 and later settings to mark devices as compliant or not compliant using Intune
-
Privileged Compliance ATP policy is used to feed the Threat Intelligence data from Microsoft Defender for Endpoint into the devices compliance state so its signals can be used as part of the Conditional Access evaluation process.
-
Privileged Compliance Delayed policy applies a more complete set of compliance settings to the device but its application is delayed by 24 hours. this is because the device health attestation that is required to assess policies like BitLocker and Secure Boot is only calculated once a device has rebooted and then might take a number of hours to process whether the device is compliant or not.
-
Privileged Compliance Immediate policy is used to apply a minimum level of compliance to users and is configured to apply immediately.
Import-ConfigurationProfiles.ps1 - this script is used to import the Device Configuration profiles that harden the Operating System. there are five profiles used:
- SAW-Win10-AppLocker-Custom-CSP applies the Restricted Execution Model policies in enforced mode. The AppLocker configuration is configured to allow applications to run under C:\Program Files, C:\Program Files (x86) and C:\Windows, with user writable paths under blocked. the characteristics for the AppLocker approach is:
- Assumption is that users are non-privileged users.
- Wherever a user can write they are blocked from executing
- Wherever a user can execute they are blocked from writing
- SAW-Win10-Config-Custom-CSP Applies configuration service provider (CSP) settings that are not available in the Endpoint Manager UI, refer to Configuration service provider reference for the complete list of the CSP settings available.
- SAW-Win10-Config-Device-Restrictions-UI applies settings that restrict cloud account use, configure password policy, Microsoft Defender SmartScreen, Microsoft Defender Antivirus. Refer to Windows 10 (and newer) device settings to allow or restrict features using Intune for more details of the settings applied using the profile.
- SAW-Win10-Config-Endpoint-Protection-UI applies settings that are used to protect devices in endpoint protection configuration profiles including BitLocker, Device Guard, Microsoft Defender Firewall, Microsoft Defender Exploit Guard, refer to Windows 10 (and later) settings to protect devices using Intune for more details of the settings applied using the profile.
- SAW-Win10-Config-Identity-Protection-UI applies the Windows Hello for Business settings to devices, refer to Windows 10 device settings to enable Windows Hello for Business in Intune for more details of the settings applied using the profile.
- SAW-Win10-URLLockProxy-UI applies the restrictive URL Lock policy to limit the web sites that SAW devices can connect to.
- SAW-Win10-Windows-Defender-Firewall-UI applies a Firewall policy that has the following characteristics - all inbound traffic is blocked including locally defined rules the policy includes two rules to allow Delivery Optimization to function as designed. Outbound traffic is also blocked apart from explicit rules that allow DNS, DHCP, NTP, NSCI, HTTP, and HTTPS traffic. This configuration not only reduces the attack surface presented by the device to the network it limits the outbound connections that the device can establish to only those connections required to administer cloud services.
| Rule | Direction | Action | Application / Service | Protocol | Local Ports | Remote Ports |
|---|---|---|---|---|---|---|
| World Wide Web Services (HTTP Traffic-out) | Outbound | Allow | All | TCP | All ports | 80 |
| World Wide Web Services (HTTPS Traffic-out) | Outbound | Allow | All | TCP | All ports | 443 |
| Core Networking - Dynamic Host Configuration Protocol for IPv6(DHCPV6-Out) | Outbound | Allow | %SystemRoot%\system32\svchost.exe | TCP | 546 | 547 |
| Core Networking - Dynamic Host Configuration Protocol for IPv6(DHCPV6-Out) | Outbound | Allow | Dhcp | TCP | 546 | 547 |
| Core Networking - Dynamic Host Configuration Protocol for IPv6(DHCP-Out) | Outbound | Allow | %SystemRoot%\system32\svchost.exe | TCP | 68 | 67 |
| Core Networking - Dynamic Host Configuration Protocol for IPv6(DHCP-Out) | Outbound | Allow | Dhcp | TCP | 68 | 67 |
| Core Networking - DNS (UDP-Out) | Outbound | Allow | %SystemRoot%\system32\svchost.exe | UDP | All Ports | 53 |
| Core Networking - DNS (UDP-Out) | Outbound | Allow | Dnscache | UDP | All Ports | 53 |
| Core Networking - DNS (TCP-Out) | Outbound | Allow | %SystemRoot%\system32\svchost.exe | TCP | All Ports | 53 |
| Core Networking - DNS (TCP-Out) | Outbound | Allow | Dnscache | TCP | All Ports | 53 |
| NSCI Probe (TCP-Out) | Outbound | Allow | %SystemRoot%\system32\svchost.exe | TCP | All ports | 80 |
| NSCI Probe - DNS (TCP-Out) | Outbound | Allow | NlaSvc | TCP | All ports | 80 |
| Windows Time (UDP-Out) | Outbound | Allow | %SystemRoot%\system32\svchost.exe | TCP | All ports | 80 |
| Windows Time Probe - DNS (UDP-Out) | Outbound | Allow | W32Time | UDP | All ports | 123 |
| Delivery Optimization (TCP-In) | Inbound | Allow | %SystemRoot%\system32\svchost.exe | TCP | 7680 | All ports |
| Delivery Optimization (TCP-In) | Inbound | Allow | DoSvc | TCP | 7680 | All ports |
| Delivery Optimization (UDP-In) | Inbound | Allow | %SystemRoot%\system32\svchost.exe | UDP | 7680 | All ports |
| Delivery Optimization (UDP-In) | Inbound | Allow | DoSvc | UDP | 7680 | All ports |
Note
There are two rules defined for each rule in the Microsoft Defender Firewall configuration. To restrict the inbound and outbound rules to Windows Services, e.g. DNS Client, both the service name, DNSCache, and the executable path, C:\Windows\System32\svchost.exe, need to be defined as separate rule rather than a single rule that is possible using Group Policy.
Import-SAW-DeviceConfigurationADMX.ps1 this script is used to import the Device Configuration ADMX Template profile that configures Microsoft Edge security settings.
- SAW-Edge Version 85 - Computer applies administrative policies that control features in Microsoft Edge version 77 and later, refer to Microsoft Edge - Policies or more details of the settings applied using the profile.
The app locker configuration profile has the settings base64 encoded, they can be customized as a one time task directly in the portal after deployment. Additionally XML files with the raw settings have been provided, if settings are modified in the XML files, they will need to be base64 encoded and merged in to the JSON file. A build script has been provided to complete this task.
From the base directory run
Invoke-BuildSimilarly to AppLocker, settings for Configuration profiles, compliance policies, Enrollment status page and Autopilot profiles can be modified in the portal after deployment or directly in the JSON files before deployment. For one time changes (specific for a customer) is recommended to do after deployment, and for persistant changes (for all customers) it's recommended to do in the JSON files. These changes should be peer reviewed before commiting them to the main branch.
The following links provide details on the settings available to be configured