What is Secure Boot?
It is a UEFI firmware feature. Before handing control to a bootloader, the firmware checks the bootloader's digital signature against the certificates enrolled in its signature database (db) and refuses to run anything that is unsigned, signed by an untrusted key, or listed in the revocation database (dbx).
This blocks bootkits and rootkits that try to load before the OS and its defences are running.
What is a TPM?
It is a dedicated security chip on the motherboard (or a firmware TPM in the CPU). It protects secrets such as the BitLocker disk encryption key and records measurements (hashes) of the firmware, the Secure Boot configuration and the bootloader in its Platform Configuration Registers (PCRs).
The TPM does not itself decide whether to boot; the disk key is sealed to the expected measurements, so if the firmware or bootloader has been tampered with the measurements change, the key is not released, and the disk stays locked until a recovery key is supplied.
What weakness do TPM and Secure Boot help secure?
The machine is most exposed before the OS is up, because antivirus and other security software are not running until Windows has booted; malware that loads first can hide from them once they start.
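Added example (not from these notes): a PowerShell check, run elevated on Windows 10/11, of whether the boot protections described above are actually in place on a machine. It uses only the built-in Confirm-SecureBootUEFI, Get-Tpm and Get-BitLockerVolume cmdlets and the Win32_Tpm WMI class; the point is that all three parts (Secure Boot on, TPM ready, disk key sealed to the TPM) are needed before the pre-boot window is closed.

```powershell
# Added example, not part of the original notes. Run in an elevated PowerShell.
# Modules used: SecureBoot (Confirm-SecureBootUEFI), TrustedPlatformModule (Get-Tpm),
# BitLocker (Get-BitLockerVolume). All ship with Windows 10/11.

# 1. Secure Boot. Confirm-SecureBootUEFI throws on legacy-BIOS/CSM boot,
#    so treat an exception as "not supported", not as "enabled".
try {
    $secureBoot = Confirm-SecureBootUEFI
} catch {
    $secureBoot = $false
    Write-Warning "Secure Boot not supported (legacy BIOS or CSM boot): $($_.Exception.Message)"
}

# 2. TPM: present, enabled and ready (provisioned for use by Windows).
$tpm = Get-Tpm
$tpmReady = $tpm.TpmPresent -and $tpm.TpmEnabled -and $tpm.TpmReady
$tpmSpec = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm).SpecVersion

# 3. BitLocker: the OS volume key should be sealed to the TPM (a Tpm, TpmPin,
#    TpmStartupKey or TpmPinStartupKey protector). Only then does a tampered
#    boot chain stop the key from being released at boot.
$osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive
$tpmProtector = $osVolume.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' }
$keySealedToTpm = ($osVolume.ProtectionStatus -eq 'On') -and ($null -ne $tpmProtector)

$report = [pscustomobject]@{
    SecureBootEnabled = [bool]$secureBoot
    TpmReady          = [bool]$tpmReady
    TpmSpecVersion    = $tpmSpec
    BitLockerStatus   = $osVolume.ProtectionStatus
    KeySealedToTpm    = $keySealedToTpm
}
$report | Format-List

# The pre-boot window is only closed when all three hold.
if (-not ($report.SecureBootEnabled -and $report.TpmReady -and $report.KeySealedToTpm)) {
    Write-Warning 'Boot chain is not fully protected: pre-boot malware could run or the disk key could be released to a tampered loader.'
}
```

If BitLocker is on but the only protector is a password or recovery key, the disk is encrypted at rest yet nothing ties unlocking it to an untampered boot chain; that is the case the last check catches.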
What is Microsoft Defender Application Control (WDAC)?
It is a policy-based feature that controls which code is allowed to run on a machine (executables, DLLs, scripts and kernel drivers) using publisher, hash or path rules, so that unapproved code is blocked even if antivirus has no signature for it.
What is Attack Surface Reduction (ASR)?
It is a set of Defender rules that block behaviours commonly used by malware, for example Office applications launching child processes or creating executable content, execution of obfuscated scripts and macros, and credential theft from LSASS. Each rule can run in audit, warn or block mode.
What is Controlled Folder Access?
Only trusted or explicitly allowed apps may modify files in protected folders (the user profile folders by default); any other app is blocked and the attempt is logged, which is mainly aimed at ransomware.
Only a local administrator can change which folders are protected and which apps are allowed.
What is Exploit Protection?
Analogy: knights' suits of armour have little holes that need repairing; apps have small vulnerabilities that need fixes. Exploit Protection applies mitigations such as DEP, ASLR and Control Flow Guard, system-wide or per app, so that a bug is harder to turn into working code execution even before it is patched.
What is Application Guard?
It uses virtualization-based security (VBS, via Hyper-V) to open untrusted websites in Microsoft Edge (and, in the Office version, untrusted documents) inside an isolated container. Any malware on the page is confined to the container and cannot reach the host OS, its data or the corporate network; the container is discarded afterwards. It isolates rather than scans.
What is Device Guard, and what technology does it use?
It combines Windows Defender Application Control with Hyper-V virtualization-based security (hypervisor-protected code integrity, HVCI) so that only signed, policy-approved code can run in the kernel and malicious code cannot be injected into it. Device Guard does require additional hardware support (CPU virtualization extensions, SLAT and an IOMMU) because of the virtualisation.
It relies on TPM, UEFI and Secure Boot to protect the chain from firmware up to the hypervisor.
What is hardware-based isolation?
Castle analogy: the guard inspects the castle from the foundations up and ensures no rooms, doors etc. have been altered or changed.
It ensures hardware and boot integrity through Secure Boot and TPM measurements, then uses the hypervisor to keep critical components (kernel code integrity, credentials) isolated from the rest of the OS so that a compromised kernel still cannot reach them.
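Added example (not from these notes): reading the virtualization-based security state that Device Guard and hardware-based isolation depend on, using the documented Win32_DeviceGuard WMI class. The numeric code meanings are the published ones; the helper function and its output labels are this example's own. It shows whether VBS is running, whether HVCI is actually protecting the kernel, which hardware prerequisites the machine offers, and whether a WDAC policy is in audit or enforced mode.

```powershell
# Added example, not part of the original notes. Run elevated on Windows 10/11.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# Code-to-name maps from the Win32_DeviceGuard documentation.
$vbsState = @{ 0 = 'Disabled'; 1 = 'Enabled but not running'; 2 = 'Running' }
$serviceNames = @{
    0 = 'None'
    1 = 'Credential Guard'
    2 = 'HVCI / memory integrity (kernel code integrity enforced by the hypervisor)'
    3 = 'System Guard Secure Launch'
}
$propertyNames = @{
    0 = 'None'
    1 = 'Base VBS hypervisor support (VT-x/AMD-V + SLAT)'
    2 = 'Secure Boot'
    3 = 'DMA protection (IOMMU)'
    4 = 'Secure memory overwrite'
    5 = 'UEFI code read-only'
    6 = 'SMM security mitigations'
    7 = 'Mode-based execution control (MBEC)'
}
$ciState = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }

# Helper (this example's own): translate an array of codes into names.
function Resolve-Codes {
    param([object]$Codes, [hashtable]$Map, [string]$Label)
    $names = foreach ($c in @($Codes)) {
        if ($null -eq $c) { continue }
        if ($Map.ContainsKey([int]$c)) { $Map[[int]$c] } else { "$Label code $c" }
    }
    if ($names) { $names -join '; ' } else { 'None' }
}

$hvciRunning = @($dg.SecurityServicesRunning) -contains 2

[pscustomobject]@{
    VbsStatus             = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
    ServicesRunning       = Resolve-Codes $dg.SecurityServicesRunning $serviceNames 'Service'
    KernelProtectedByHvci = $hvciRunning
    HardwareAvailable     = Resolve-Codes $dg.AvailableSecurityProperties $propertyNames 'Property'
    KernelWdacPolicy      = $ciState[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
    UserModeWdacPolicy    = $ciState[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
} | Format-List

# Device Guard needs the virtualisation hardware: without property 1 the
# hypervisor cannot start, so HVCI will not run even if policy requests it.
if (-not (@($dg.AvailableSecurityProperties) -contains 1)) {
    Write-Warning 'No VBS-capable hypervisor support reported: enable VT-x/AMD-V and SLAT in firmware.'
}
```

A machine can report VBS as "Enabled but not running" when Group Policy asks for it but the hardware or firmware settings are missing; that is the gap this check surfaces, and it is why the notes say Device Guard needs additional hardware.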
What does Windows Defender Exploit Guard include?
Four features: Attack Surface Reduction (ASR), Controlled Folder Access, Network Protection and Exploit Protection.
Remember the analogy: Exploit Protection is the magical self-repairing armour, and Exploit Guard is that armour plus the three other features.
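Added example (not from these notes): configuring all four Exploit Guard features with the built-in Defender cmdlets, run elevated. The ASR rule GUIDs are Microsoft's published rule IDs; the folder path and application name are placeholders to replace. ASR rules are put in audit mode first, which is how a practitioner rolls them out before switching to block.

```powershell
# Added example, not part of the original notes. Run elevated.

# 1. Attack Surface Reduction. Start in AuditMode and review events in
#    Microsoft-Windows-Windows Defender/Operational (1122 = audited, 1121 = blocked)
#    before changing the action to Enabled (block).
$asrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
}
foreach ($id in $asrRules.Keys) {
    Write-Host "ASR audit: $($asrRules[$id])"
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
}

# 2. Controlled Folder Access: protect an extra folder and allow one trusted app
#    (placeholder path and executable; only a local admin can change these lists).
Set-MpPreference -EnableControlledFolderAccess Enabled
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance'
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\Contoso\Ledger.exe'

# 3. Network Protection: blocks outbound connections to known-malicious hosts
#    from any process, not just the browser.
Set-MpPreference -EnableNetworkProtection Enabled

# 4. Exploit Protection: per-process mitigations for a placeholder app
#    (DEP, mandatory ASLR via forced image relocation, Control Flow Guard).
Set-ProcessMitigation -Name 'Ledger.exe' -Enable DEP,ForceRelocateImages,CFG
Get-ProcessMitigation -Name 'Ledger.exe'

# Verify the resulting state. Numeric meanings:
#   ASR actions: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
#   CFA / Network Protection: 0 = Disabled, 1 = Enabled, 2 = AuditMode
$p = Get-MpPreference
for ($i = 0; $i -lt $p.AttackSurfaceReductionRules_Ids.Count; $i++) {
    "{0}  action={1}" -f $p.AttackSurfaceReductionRules_Ids[$i], $p.AttackSurfaceReductionRules_Actions[$i]
}
"ControlledFolderAccess = $($p.EnableControlledFolderAccess)"
"NetworkProtection      = $($p.EnableNetworkProtection)"
```

Audit mode is the important step: turning the Office child-process rule straight to block on a fleet that runs macro-driven line-of-business add-ins breaks them, and the 1122 events tell you which apps need an exclusion before enforcement.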
What is Windows Defender System Guard?
It protects the integrity of the boot process. System Guard Secure Launch uses the CPU's dynamic root of trust for measurement (DRTM) to start the hypervisor from a measured, clean state, and it then verifies that boot-time protections (Secure Boot, signed drivers, code integrity) are still intact. These measurements can be sent to a remote attestation service so that a device with a tampered boot chain can be denied access.
A company wants to edit the antivirus settings in Intune. Where would they do this?
A) Endpoint Security > Antivirus
B) Device configuration > Device restrictions > Microsoft Defender Antivirus
What is Microsoft Defender Antivirus Offline?
Microsoft Defender Offline restarts the machine into a trusted recovery environment and scans the disk before Windows loads. Rootkits and other deeply embedded malware that hide from the running OS (for example by hooking the kernel) are inactive in that environment, so they can be detected and removed.
With least privilege in mind, which admin role should you assign to a user who needs to change security defaults?
A) Security Admin
B) Conditional Access Admin
C) Intune Admin
D) Helpdesk Admin
B) Conditional Access Administrator is the least-privileged role that can enable or disable security defaults in Microsoft Entra ID (Global Administrator can too, but carries far broader rights).
What platforms are available for Microsoft Defender for Endpoint? Select 6.
A) Linux
B) MacOS X
C) MacOS 12,13,14,16,26
D) Windows Server
E) Windows
F) iOS
G) Android
H) Linux Server
Answer: C, D, E, F, G, H
What is a service principal?
The identity an application or service uses to sign in to Microsoft Entra ID and be granted permissions; it is the login account for an app rather than for a person.