Get Smarter

You’ve just deployed a new application or client-side extension to your Windows laptops and suddenly their system performance and battery life begin to crater. The culprit could be Windows Defender. Windows Defender automatically scans new software and its activities for potential threats as part of its real-time scanning feature. Naturally, this scanning process will manifest as higher CPU usage. If the new software handles a lot of data, such as in the case of a web filter client app, it could create perpetual CPU spikes that can degrade system performance and consume battery power.

If you trust the new software you've installed and don't want Windows Defender to continuously monitor it (and thereby use up CPU resources), you can set an exclusion path for it. An exclusion path tells Windows Defender to skip scanning the files and activities associated with a specific directory where trusted applications are installed. You can create an exclusion path policy using either Group Policy or an MDM such as Intune. Exclusions should always be used judiciously to maintain a strong security posture so only use them when you need to.

Creating Path Exclusions with Group Policy

Let’s use a scenario in which I need to create an exclusion path for a web filter client application simply called WebFilter. Create a GPO and go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Exclusions and enable “Path Exclusions.”  Once enabled you must then add the path(s) to be excluded. In this case there are two paths.

C:\Program Files (x86)\WebFilter\AuthenticationAgent\bin

C:\Program Files (x86)\WebFilter\MobileZoneAgent\bin

The policy configuration is shown below.

Another option is to create a process exclusion which would exclude a designated process or executable from being scanned. In this case the process path might be C:\ProgramFiles\WebFilter\WebFilter.exe. You can also use wildcards in a process exclusion list such as C:\ProgramFiles\WebFilter\*

Creating Path Exclusions with Group Policy

Using the Microsoft Intune Center, go to Devices > Configuration Profiles > and create a new profile using Windows 10 and later as the Platform and Administrative Templates for the Profile type. Name the policy and then navigate to Computer Configuration > Windows Components > Microsoft Defender Antivirus and Enable “Path Exclusions” as I did earlier with Group Policy as shown below.

You will then be prompted to provide the exclusion paths as shown below. Process Exclusions are also available if you want to go that way.

After implementing these path exclusions, you should witness a notable decrease in CPU utilization, effectively resolving the issue of CPU spikes and battery depletion.

Group Policy veterans will recall when it was common practice to redirect user files from the Windows known folders (like Desktop, Documents, and Pictures) to a central shared directory on an on-prem server. This allowed for roaming profiles, easier backups, and kept files off client devices. Well, you can also redirect those same files to OneDrive for Business to accommodate real-time collaboration and accessibility, compliance, and control.

If you aren’t currently utilizing OneDrive, you should as it offers a list of great features. First off, it maintains the user familiarity with file locations so folder navigation is the same. Because OneDrive is cloud bases, your users can access their files from anywhere on any device. It also offers file versioning and deleted items capabilities that allows users to perform self-service file recovering.  Here I will show you how to redirect the Windows known folders to OneDrive as well as a couple of other tips.

Using Group Policy to Manage OneDrive

If you have any existing Folder Redirection Group Policies, you will need to disable those before moving forward. Then make sure you have the necessary administrative template files. If you have OneDrive installed on your management machine you can get them using this file path.

%localappdata%\Microsoft\OneDrive\BuildNumber\adm

Which will look something like this in Windows Explorer.

Copy both template files to your central store and then create a GPO. In the Group Policy Management Editor, go to Computer Configuration > Administrative Templates > OneDrive. If you don’t see OneDrive, then you are missing the template files. The screenshot below shows the available settings.

To redirect files from the Windows Known folders, enable the “Silently move Windows known folders to OneDrive” and provide the Tenant ID for your enterprise. By default, all three known folders are selected but you can choose to only redirect specific ones as shown in the screenshot below.

Before implementing this, you may want to alert users of your intention for them to transition to OneDrive for Business by enabling the “Prompt user to move Windows Known folders to OneDrive.” Once enabled, your tenant users that sync their OneDrive will see a popup message that reads “Your IT department wants you to protect your important folders" the next time they sign in. A reminder notification will then appear in the activity center until all three known folders are moved.

Users also may have more than one OneDrive account so you may want to prevent them from uploading files to other organizations. You can do this by enabling the “Allow syncing OneDrive accounts to only specific organizations” and then list the allowed tenant IDs as is shown below.

Using Intune to Redirect Known Folders to Intune

Let’s do the same thing using Intune now. Using the Microsoft Intune Admin Center, navigate to Devices > Configuration profile > Create profile and select Windows 10 and later as the Platform and Administrative templates as the Profile type. Give a name to the profile and go to Computer Configuration > OneDrive and enable the “Silently move Windows known folders to OneDrive” setting as shown in the screenshot below.

To discourage users from uploading excessively large files or questionable file types, you can enable “Exclude specific kinds of files from being uploaded” and input keywords for the designated file types as shown below.

Blocking the C drive has always been one of the common restrictions that Group Policy admins enforced for standard user accounts. There are multiple reasons for restricting access to the C Drive for non admin users.

• The first is system stability because it prevents basic users from accessing, altering, or deleting critical system files on their computers, thus minimizing potential issues that disrupt desktop operations and initiate a help desk ticket.
• It reduces the chances of malware being introduced into the system and prevents users from installing unauthorized applications, opening suspicious files or clicking on malicious executables.
• Blocking the C drive in some cases may be required by compliance regulations to restrict user access to certain system resources.
• Keeping users out of the C drive can potentially simplify troubleshooting as it eliminates user file tampering.
• For shared desktop computers it can help protect the data of other users who have logged onto the device

Because Intune uses many of the same Windows Administrative Templates, it is easy to block C Drive access with Intune as well. Using the Microsoft Intune admin center, go to Devices > Configuration Profiles and click “Create profile.”  Select “Windows 10 and later” as the Platform and Administrative Templates as the profile. Name the configuration profile and go to User Configuration > Windows Components > File Explorer as shown in the screenshot below.

Scroll down through the settings and select “Prevent access to drives from My Computer” and choose Enabled. You can then select the drives you wish to block access to as shown below.

Click OK and click next. Then assign the configuration profile to the designated groups and you are done.

Personal Data Encryption (PDE) is a security feature introduced in Windows 11, version 22H2 that provides an additional encryption capability to Windows. PDE is different than BitLocker in that it encrypts individual files while BitLocker encrypts entire volumes. PDE utilizes Windows Hello for Business to link encryption keys with user credentials. This means you need only log on a single time while BitLocker requires a separate PIN be inputted. Another difference is that unlike BitLocker that releases data encryption keys at bootup, PDE releases them once a user signs in using Windows Hello for Business. Until then, users cannot access the protected file content.

There are 3 prerequisites for PDE:

1. The computer must be Azure AD joined
2. It must be running the Enterprise or Education edition of Windows 11, version 22H2 or later
3. Windows Hello for Business Overview

Windows Hello provides fully integrated biometric authentication based on either facial recognition or fingerprint matching. Many laptops today have fingerprint readers or integrated compatible cameras to support it.

You should consider PDE as just another encryption layer for Windows on top of BitLocker that administrators can use to safeguard sensitive data. Don’t be confused by its name because standard users cannot initiate PDE, nor can they protect personal files with it. When you stop to think about it, it makes sense as you wouldn’t want malicious insiders to use it to hide data they shouldn’t have on their corporate devices. PDE can only be implemented by administrators who also selectively choose which filles to encrypt. PDE is ideal for business applications that work with sensitive files and should be heavily considered by those organizations that must adhere to compliance requirements.

You can enable PDE through Intune. By default, PDE on Windows 11 Devices in the Intune settings catalog is disabled. There are two ways to enable PDE in the Microsoft Intune Admin Center. The easiest way is to navigate to Devices > Configuration profiles and choose the Settings catalog as the profile. Using the Settings picker, search for personal data encryption and select the PDE category. Then check enable “Personal Data Encryption” as shown below.

Assign the policy to the designated groups or users and save it. You can also use OMA-URI settings to create the policy using:

./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption

as the OMA-URI path.  Then choose integer as the data type with an assigned value as 1. The final configuration should look like the screenshot below.

While support for PDE is limited currently, more applications will utilize it in the future.