Microsoft Defender for Endpoint Windows 10/11 Roll Out Strategy Part 2

When implementing attack surface reduction (ASR) policies, the following configurations should be set in audit mode to allow you to compile an inventory of the child processes created by Microsoft Word, Excel, Outlook, etc. add-ins.

If you simply block all of the options illustrated below, you can possibly block Microsoft Office add-ins.

A good way to analyse Microsoft Office add-ins is to review endpoint analytics in the Microsoft Intune portal.

Start with audit mode, compile an inventory of which Microsoft add-ins create child processes, analyse the audit-mode results for the three controls illustrated below via KQL queries, and finally carry out a risk assessment on all Microsoft Office add-ins. Only then can you whitelist line-of-business Microsoft add-ins that have passed a risk assessment.
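
One way to build that inventory in Defender advanced hunting, as an added example that is not from the original post. It assumes the ASR rules are already in audit mode; the list of Office executables and the 30-day window are assumptions, and because the three controls are only shown as an illustration, the query matches every ASR audit event initiated by an Office application rather than naming specific rules.

```kql
// Added example: inventory of child processes audited by ASR rules
// when the initiating process is a Microsoft Office application.
// Assumption: adjust this list to the Office apps deployed in your estate.
let officeApps = dynamic([
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "msaccess.exe", "mspub.exe", "onenote.exe", "visio.exe"
]);
DeviceEvents
| where Timestamp > ago(30d)                       // assumption: 30-day review window
| where ActionType startswith "Asr"
    and ActionType endswith "Audited"              // audit-mode hits only, not blocks
| where InitiatingProcessFileName in~ (officeApps) // Office app that triggered the rule
| summarize
    Events             = count(),
    Devices            = dcount(DeviceId),
    FirstSeen          = min(Timestamp),
    LastSeen           = max(Timestamp),
    SampleCommandLines = make_set(ProcessCommandLine, 5)
    by ActionType,
       OfficeApp    = tolower(InitiatingProcessFileName),
       ChildProcess = tolower(FileName),
       ChildFolder  = tolower(FolderPath)
| order by Devices desc, Events desc
```

Each row is one candidate for the risk assessment: a child process that a given Office application launched, how many devices rely on it, and sample command lines to help identify the add-in behind it.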
