Microsoft Defender for Endpoint offers several indicator types for blocking applications: file hashes, IP addresses, URLs/domains and certificates. These settings are in the Microsoft Defender for Endpoint security portal: navigate to Settings, then Endpoints, and under the Rules heading you will find the Indicators option.
In this blog post I will explain step by step how you can use the certificate of an application to block it, and also remove it if the user manages to install the application anyway. I will describe the other options in another blog post later this year.
Application | Microsoft Defender for Endpoint |
Weblink | MDATP Settings - Microsoft 365 security |
Topic | Block Firefox application |
Below are the steps that must be taken to block an application by extracting a certificate from an executable.
Download Firefox executable | Download Firefox - Official website |
Extract Certificate from Firefox executable | Steps are in the Post below - Follow the steps |
Create Policy in the Microsoft Defender for Endpoint Security Portal | MDATP Settings - Microsoft 365 security |
Remediate devices | Steps are in the Post below - Follow the steps |
It's important to understand the following requirements prior to creating indicators for certificates:
Below I describe the process to block Firefox step by step. I use Firefox here, but you can use any application you want. I advise you to always test the policy first and not to deploy it directly in production.
The first step is to download the application. I am using Firefox as an example, but you can use any application that provides a certificate.
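The extraction step can also be scripted. The following PowerShell is an added example, not taken from the original post: it checks the Authenticode signature of the downloaded installer and exports the signer (leaf) certificate to a .cer file. The function name `Export-SignerCertificate` and both default paths are assumptions for illustration.

```powershell
# Added example (not from the original post). Both default paths are assumed;
# point $InstallerPath at the installer you actually downloaded.
param(
    [string]$InstallerPath = "$env:USERPROFILE\Downloads\Firefox Installer.exe",
    [string]$OutputPath    = "$env:USERPROFILE\Downloads\firefox-signer.cer"
)

function Export-SignerCertificate {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Destination
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    # Refuse unsigned or tampered files: their certificate is missing or untrustworthy.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        throw "Signature status is '$($sig.Status)'; no certificate exported."
    }

    $cert = $sig.SignerCertificate

    # Build the chain on this machine so the result shows whether the leaf
    # certificate chains to a locally trusted root.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chainTrusted = $chain.Build($cert)

    # Export only the leaf signing certificate (DER-encoded .cer).
    Export-Certificate -Cert $cert -FilePath $Destination -Type CERT | Out-Null

    # Return the fields worth reviewing before the file is uploaded as an indicator.
    [pscustomobject]@{
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        Thumbprint   = $cert.Thumbprint
        NotBefore    = $cert.NotBefore
        NotAfter     = $cert.NotAfter
        ChainTrusted = $chainTrusted
        ExportedTo   = $Destination
    }
}

Export-SignerCertificate -Path $InstallerPath -Destination $OutputPath | Format-List
```

Review the Subject before uploading the file: a certificate indicator matches every file signed with that certificate, not only the installer it was extracted from.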
Navigate to the location to create the policy - Step Eight
Microsoft has announced that "SecurityCenter" is going to disappear; for that reason I show you how to create the policy in the new "security" portal, which is the best way to do it.
Create indicator to block Firefox - Step eleven
Attention:
This is an important choice. My advice is always to test new policies on a select number of devices first, so create a device group with some test devices. I chose "all devices" since this is not a production environment but my test environment.
Below is the link to a Microsoft document on how to create a device group.
Create indicator to block Firefox - Step thirteen
That is all it takes to create the policy. The following points should be considered.
Create indicator to block Firefox - Step fourteen
Under Incidents, the portal indicates that a device tried to install Firefox.