Welcome back about this post on the Microsoft Security Stack offerings. Like in the previous posts we would like to begin with an overview of the Microsoft Security services. These have been depicted in the overview below.

In the previous posts, Part 1 & 2, we talked about the security offerings in the following areas:

  • Data
  • Cloud & Datacenter
  • Applications

This entire post, Part 3, will be dedicated to the security features Microsoft has been putting in place to better manage and secure the endpoint devices of the users.


Currently one could divide up the endpoints into the following type of devices.

  • BYOD (Bring your own device)/LMD (Lightly managed device)
  • CYOD (Choose your own device) – corporate owned
  • FMD – Fully managed devices – corporate owned
  • Mobile devices

Each of these devices has been identified and targeted by Microsoft to be manged using some sort of control and security mechanisms. Based on the type of device one or more security & management options are available to you.

Device Guard

  • Device Guard is a group of key features, designed to harden a computer system against malware. Its focus is preventing malicious code from running by ensuring only known good code can run.
  • A locked-down device configuration state that uses multiple enterprise-related hardware and software security features that run on Windows 10 Enterprise edition and Windows Server
  • When configured: Apps are trusted unless blocked by an antivirus or other security solution, to a mode where the operating system trusts only apps authorized by your enterprise. 

Credential Guard

  • Aims to isolate and harden key system and user secrets against compromise (example pass-the-hash).
  • Following is provided:
  • Hardware security
  • Virtualization-based security
  • Better protection against advanced persistent threats
  • Hardware security: NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials.
  • Virtualization-based security: Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system.
  • Better protection against advanced persistent threats: When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Windows Defender Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Windows Defender Device Guard and other security strategies and architectures.


  • With Intune, you can:
  • Manage the mobile devices your workforce uses to access company data.
  • Manage the mobile apps your workforce uses.
  • Protect your company information by helping to control the way your workforce accesses and shares it.
  • Ensure devices and apps are compliant with company security requirements.

Bascially Intune is made up of two type of policies that can target the devices (there are more – and allot of Intune experts are going to shoot me for this, but just to give a general understanding of the targeting of policies). One part of these policies are the MAM (mobile application management) Policies. These target the applications and the data inside of these applications.

The other policies revolve around MDM (mobile device management). These target the device as a whole. As can be seen, one can be very granular on the level of control enforced on a device.

Windows Hello

  • Windows Hello is a solution that allows:
  • Sign-in with facial recognition or fingerprint scanner.
  • Makes it easy and fast for end users to sign into a device, while providing the organization with the security assurance they need.

You can always keep your PIN as a backup if Windows Hello might fail.

Windows Defender ATP

“A security service that enables enterprise customers to detect, investigate, and respond to advanced threats on their networks. ”

WDATP provides:

  • Endpoint behavioral sensors
  • Cloud security analytics
  • Threat intelligence

Endpoint behavioral sensors: Embedded in Windows 10, these sensors collect and process behavioral signals from the operating system (for example, process, registry, file, and network communications) and sends this sensor data to your private, isolated, cloud instance of Windows Defender ATP.

Cloud security analytics: Leveraging big-data, machine-learning, and unique Microsoft optics across the Windows ecosystem (such as the Microsoft Malicious Software Removal Tool), enterprise cloud products (such as Office 365), and online assets (such as Bing and SmartScreen URL reputation), behavioral signals are translated into insights, detections, and recommended responses to advanced threats.

Threat intelligence: Generated by Microsoft hunters and security teams and augmented by threat intelligence provided by partners, threat intelligence enables Windows Defender ATP to identify attacker tools, techniques, and procedures, and generate alerts when these are observed in collected sensor data.

We hope this has been informative for you. If there are any questions or remarks please don’t hesitate to contact us!