GitBit

Use advanced protection against ransomware

"Advanced Protection against Ransomware" is a security feature offered by Microsoft 365 that provides an additional layer of protection against ransomware attacks.

The Advanced Protection against Ransomware feature in Microsoft 365 uses machine learning models and behavioral analytics to detect and respond to ransomware attacks in real time. It works by monitoring the activity of files in your OneDrive, SharePoint, and Microsoft Teams accounts and detecting any suspicious behavior such as rapid file encryption or changes to file extensions.

If the system detects a ransomware attack, it will immediately halt the attack and notify you of the incident. The infected files will be isolated, and a notification will be sent to the IT admin to take action. Additionally, the feature can automatically restore the affected files to a previous version, allowing you to recover your data without paying a ransom.

Overall, this feature provides an added layer of security against ransomware attacks, helping to safeguard your important files and data from cybercriminals.

Why would you not want to use advanced protection against ransomware in Microsoft 365?

Some third-party software applications or tools may not be fully compatible with the Advanced Protection feature, which could cause conflicts or interruptions in workflow. For example, maybe you or a part of your organization use a third-party encryption tool to encrypt all the data stored in OneDrive. Advanced protection against ransomware may pick this up as a ransomware attack and block the encryption from happening.

How to use advanced protection against ransomware

First, you'll need to make sure Microsoft Defender Antivirus is turned on as the primary antivirus solution, with Real-Time Protection enabled. To verify that Defender Antivirus is turned on with real-time protection enabled, go to Security recommendations and search for "Turn on real-time protection". From there, click "Turn on real-time protection". Finally, click Exposed devices.

Turn on real-time protection

Next, you need to verify that cloud-delivered protection is enabled in your organization. To verify that cloud-delivered protection is enabled, go to Security recommendations and search for "cloud-delivered protection". From there, click "Enable cloud-delivered protection" and check for exposed devices.

Enable cloud-delivered protection

Now that our devices are ready, let's go ahead and enable advanced protection against ransomware using Intune.

Use advanced protection against ransomware
  1. Go to Microsoft Intune admin center (Microsoft Endpoint Manager) > Endpoint security > Attack surface reduction.
  2. Click Create Policy.
  3. Set Platform to Windows 10, Windows 11, and Windows Server.
  4. Set Profile to Attack Surface Reduction Rules.
  5. Click Create.
  6. Name your policy and click Next.
  7. Set Use advanced protection against ransomware to Block. Click Next.
  8. Add your inclusions and exclusions. Click Next > Next > Create.
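The Intune policy above sets the rule tenant-wide. The PowerShell below is an added example, not part of the GitBit article, for checking a single device: it verifies the two prerequisites from the earlier steps (Defender as primary AV with real-time protection, cloud-delivered protection on), reads the rule's current state, and shows the local equivalent of the policy for a pilot machine. It assumes the rule's documented GUID c1db55ab-c21a-4637-bb3f-a12568109d35, which the article does not list, and the exclusion path is a hypothetical placeholder.

```powershell
# Added example (not from the GitBit article). Run in an elevated PowerShell
# session on a Windows device running Microsoft Defender Antivirus.
# Assumption: this GUID is the documented ID of the ASR rule
# "Use advanced protection against ransomware" (not given on the page).
$RuleId = 'c1db55ab-c21a-4637-bb3f-a12568109d35'

# --- 1. Prerequisites the article calls out ---------------------------------
$status = Get-MpComputerStatus
$pref   = Get-MpPreference

[pscustomobject]@{
    DefenderIsPrimaryAV = ($status.AMRunningMode -eq 'Normal')   # 'Passive Mode' = another AV is primary
    RealTimeProtection  = $status.RealTimeProtectionEnabled
    CloudProtection     = ($pref.MAPSReporting -ne 0)            # 0 = Disabled, 1 = Basic, 2 = Advanced
    CloudBlockLevel     = $pref.CloudBlockLevel
} | Format-List

# --- 2. Current state of the rule -------------------------------------------
# Ids and Actions are parallel arrays. Action values: 0 = Disabled, 1 = Block,
# 2 = Audit, 6 = Warn. Intune may write the GUID in upper case, hence -ieq.
$ruleState = 'Not configured'
$ids = @($pref.AttackSurfaceReductionRules_Ids)
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -ieq $RuleId) {
        $ruleState = $pref.AttackSurfaceReductionRules_Actions[$i]
    }
}
"Rule $RuleId state: $ruleState"

# --- 3. Local equivalent of the policy, for a pilot device -------------------
# Audit mode logs what the rule would block (event 1122) without blocking it,
# which is how to find out whether something like a third-party encryption
# tool trips the rule before switching to Block. On an Intune-managed device
# the policy value wins over anything set here.
Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions AuditMode
# When the audit events are clean, move to Block:
# Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions Enabled

# --- 4. Exclusion for a trusted tool (hypothetical path; applies to all ASR rules) ---
# Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\ExampleCryptTool\crypt.exe'
```

Running the rule in Audit mode on a handful of pilot devices for a week before setting it to Block is the practical answer to the compatibility concern raised earlier: the 1122 events show exactly which processes would have been blocked, and any legitimate tool that shows up can be excluded in the policy's exclusions step before Block is enforced.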

How do I test the

In short, you simply need to download a benign file with the .wannacry extension. I've already created one you can use.

  1. Download hello.wannacry
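To confirm the test actually exercised the rule rather than just downloading a file, here is a PowerShell check added as an example (not part of the GitBit article) that reads Defender's attack surface reduction events on the test device. It assumes the rule's documented GUID c1db55ab-c21a-4637-bb3f-a12568109d35, which the page does not list, and that the test was run within the last hour.

```powershell
# Added example (not from the GitBit article). After opening hello.wannacry on
# the test device, read Defender's ASR events to confirm the rule reacted.
# Event 1121 = rule blocked the file; 1122 = audit mode, would have blocked.
# Assumption: the GUID below is the documented ID of "Use advanced protection
# against ransomware" (not given on the page).
$RuleId = 'c1db55ab-c21a-4637-bb3f-a12568109d35'

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue

# The rule GUID appears in the event message, so filter on it rather than on
# positional EventData fields.
$hits = $events | Where-Object { $_.Message -like "*$RuleId*" }

if (-not $hits) {
    'No events for this rule in the last hour. Check that the rule is applied on'
    'this device (Get-MpPreference) and that it can reach cloud-delivered protection.'
} else {
    $hits | ForEach-Object {
        $outcome = if ($_.Id -eq 1121) { 'Blocked' } else { 'Audited (not blocked)' }
        # Keep the message lines that identify what was hit and by whom.
        $detail  = ($_.Message -split "`r?`n" |
                    Where-Object { $_ -match '^\s*(Path|Process Name|User):' }) -join '; '
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Outcome = $outcome
            Detail  = $detail
        }
    } | Format-Table -AutoSize
}
```

If the rule is set to Block in the policy but only 1122 events appear, the device is still on an older policy or a locally set Audit value; if nothing appears at all, the usual causes are that the Intune policy has not yet applied to the device or that cloud-delivered protection is unreachable, since this rule depends on it.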