Skip to content

vladjoh/ExternalAIHardeningBaseline

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

15 Commits
 
 
 
 
 
 

Repository files navigation

ExternalAIHardeningBaseline

External AI hardening baseline for Windows 11

Prerequisites

Before importing the policies in this repository https://github.com/vladjoh/ExternalAIHardeningBaseline/tree/main/ExternalAiHardeningW11, ensure your Microsoft 365 environment meets the following requirements

Requirements

  • Microsoft Defender for Endpoint

    • Microsoft Defender for Endpoint must be activated and configured in your tenant.
  • Microsoft 365 Licensing

    • Users must be assigned one of the following licenses:
      • Microsoft 365 Business Premium with Defender Suite
      • Microsoft 365 E3 with Defender Suite
      • Microsoft 365 E5
      • Microsoft 365 E7
  • Microsoft Intune

    • Microsoft Intune must be configured as the Mobile Device Management (MDM) authority.

    intune.microsoft.com->Devices-> Enrollment -> Automatic Enrollment

    image
  • Microsoft Defender for Endpoint Integration

    • In the Microsoft Defender portal, navigate to:

      Settings -> Endpoint

    • Enable the Microsoft Intune connection.

image
  • Microsoft Defender for Cloud Apps Integration

    • In the Microsoft Defender portal, navigate to:

    Settings -> Endpoints

    • Microsoft Defender for Cloud Apps (MDCA)
    image
  • Endpoint Features

    • In the Microsoft Defender portal, navigate to:

      Settings -> Endpoints

    • Ensure the following features are enabled:

      • Custom Network Indicators
      • Web Content Filtering
    image

Importing the Policies

The policies contained in this repository are designed to be imported using MickeM's Intune Management Tool.

IMPORTANT - AppControl

App Control Managed Installer policy can't be improted as .json and needs to be setup manually, set it up before deploying App Control policy to your devices. Remember to double check that IME - Intune Managed Extension is installed on device, before enforcing policy for AppControl otherwise it wouldn't work. If it's not installing IME extension with Installer policy, than try to deploy an win32 app first

image

Blocking All Non-Microsoft AI Sites

Once Defender for Endpoint and Cloud App integration is setup and you have device group in Defender go to Cloud Apps-> Cloud Apps Catalog --> Select All Gen AI and other AI apps , exclude non MS apps by tagging NON MS apps as Microsoft and than create a filter like on last picture

image image

Than choose Select ALl and Tag them as Unsanctioned and select Device Group

Blocking known proxies

In Settings -> Endpoint -> Web Content Filtering create a pplicy to Block "Illegal software", Illegal Software category contains well known proxies image

Blocking 3 party Teams apps

Go to https://admin.teams.microsoft.com/policies/manage-apps Actions -> Org wide setings image

Choose this setting and save

image

Require phishing resistant MFA + compliant device on sign in with Conditional Access

Set up app protecton policies in Intune for BYOD devices

Set up app protection policies for BYID devices in Intune and require it with Conditional Access on sign ins. Restrict copy/paste, backup to external cloud, screenshots etc.

About

External AI hardening baseline for Windows 11

Topics

Resources

License

Stars

1 star

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors