top of page
Search

(87) Configuring Defender for Endpoint

  • Writer: Mr B SOE way
    Mr B SOE way
  • Sep 6, 2023
  • 2 min read

What is Defender for Endpoint?

Microsoft Defender for Endpoint (MDE) is a comprehensive solution for preventing, detecting, and automating the investigation and response to threats against endpoints. Defender for Endpoint is supported for multiple platforms, including Windows, Linux, macOS, and mobile platforms iOS and Android. Microsoft Defender for Endpoint (MDE) is a massive platform of features and not a single product. It is a platform with tons of security features, services, and controls. Hopefully, this complete blog series gives more explanation in high-level overviews and in-depth technical information based on my own best practices.


Microsoft Defender for Endpoint is a key component of the Microsoft 365 Defender architecture and part of the Microsoft 365 Defender platform. It shares data/ signals and architecture with the following products;

  • Microsoft Defender for Endpoint (MDE)

  • Microsoft Defender for Office365 (MDO

  • Microsoft Defender for Cloud Apps (MDA)

  • Microsoft Defender for Identity (MDI)

  • Azure AD Identity Protection (AADIP)

Defender for Endpoint contains a couple of major components including;

  • Asset discovery

  • Threat & Vulnerability Management (TVM)

  • Attack Surface Reduction (ASR)

  • Next-Generation Protection (NGP)

  • Endpoint Detection & Response (EDR)

  • Automated Self-healing/ Automation investigation and remediation (AIR)

  • Microsoft Threat Experts


ree

How to configure Defender for Endpoint?

The configuration will be via security.microsoft.com, this will be broken with the following:

General - Email notifications:

  1. Navigate to security.microsoft.com then Settings then Microsoft 365 Defender then Email notifications.

  2. Enter a notification name under Basics

  3. Then select notification settings for the following highlighted and select Alert severity as "High"

ree


ree

General - Advanced features:

  1. Navigate to security.microsoft.com then Settings then Endpoints then Advanced features.

  2. By default, a number of the settings will be turned on.

  3. The key settings are listed in this table below and select "On" for the following preferences.

Setting

Value

Description

Automated investigation

On

Enables the automation capabilities for investigation and response.

Live Response

On

Enables Live Response.

Live Response for Servers

On

Enables Live Response for servers.

Live response unsigned script execution

On

Enables using unsigned scripts in Live Response.

Restrict correlation to within scoped device groups​

Off

When this setting is turned on, alerts are correlated into separate incidents based on their scoped device group. By default, incident correlation happens across the entire tenant scope.

Enable EDR in block mode

On

When turned on, Microsoft Defender ATP leverages behavioural blocking and containment capabilities by blocking malicious artifacts or behaviours observed through post-breach endpoint detection and response (EDR) capabilities. This feature does not change how Microsoft Defender ATP performs detection, alert generation, and incident correlation.

Automatically resolve alerts

On

Resolves an alert if Automated investigation finds no threats or has successfully remediated all malicious artifacts.

Allow or block file

On

Make sure that Windows Defender Antivirus is turned on and the cloud-based protection feature is enabled in the organisation to use the allow or block file feature.

Custom network indicators

On

Configures devices to allow or block connections to IP addresses, domains, or URLs in your custom indicator lists. To use this feature, devices must be running Windows 10 version 1709 or later. They should also have network protection in block mode and version 4.18.1906.3 or later of the antimalware platform (see KB 4052623). Note that network protection leverages reputation services that process requests in locations that might be outside of the location you have selected for your Microsoft Defender ATP data.

Tamper Protection

On

Keep tamper protection turned on to prevent unwanted changes to your security solution and its essential features.

Show user details

On

Enables displaying user details: picture, name, title, department, stored in Azure Active Directory.

Skype for business integration

On

Enables 1-click communication with users.

Microsoft Defender for Identity integration

On

Retrieves enriched user and device data from Microsoft Defender for Identity and forwards Microsoft Defender for Endpoint signals, resulting in better visibility, additional detections, and efficient investigations across both services. Forwarded data is stored and processed in the same location as your MDI data.

Office 365 Threat Intelligence connection

On

Connects to Office 365 Threat Intelligence to enable security investigations across Office 365 mailboxes and Windows devices.

Microsoft Cloud App Security

On

Forwards Microsoft Defender ATP signals to Cloud App Security, giving administrators deeper visibility into both sanctioned cloud apps and shadow IT. It also gives them the ability to block unauthorized applications when the custom network indicators setting is turned on. Forwarded data is stored and processed in the same location as your Cloud App Security data. This feature is available with an E5 license for Enterprise Mobility + Security on devices running Windows 10 version 1709 (OS Build 16299.1085 with KB4493441), Windows 10 version 1803 (OS Build 17134.704 with KB4493464), Windows 10 version 1809 (OS Build 17763.379 with KB4489899) or later Windows 10 versions.

Microsoft Secure Score

On

Forwards Microsoft Defender ATP signals, giving Microsoft Secure Score visibility into the device security posture. Forwarded data is stored and processed in the same location as your Microsoft Secure Score data.

Web content filtering

On

Block access to websites containing unwanted content and track web activity across all domains. To specify the web content categories you want to block, create a web content filtering policy.

Download Quarantined Files

On

Backup quarantined files in a secure and compliant location so they can be downloaded directly from quarantine

Share endpoint alerts with Microsoft Compliance Center

On

Forwards endpoint security alerts and their triage status to Microsoft Compliance Center, allowing you to enhance insider risk management policies with alerts and remediate internal risks before they cause harm. Forwarded data is processed and stored in the same location as your Office 365 data.

Microsoft Intune connection

On

Connects to Microsoft Intune to enable sharing of device information and enhanced policy enforcement.

Intune provides additional information about managed devices for secure score. It can use risk information to enforce conditional access and other security policies.

Device Discovery

On

Allows onboarded devices to discover unmanaged devices in your network and assess vulnerabilities and risks. For more information, see

Preview features

On

Allow access to preview features. Turn on to be among the first to try upcoming features.

Permissions - Roles:

  1. Navigate to security.microsoft.com then Settings then Endpoints then Permissions then select Roles.

  2. Select Turn on roles

  3. Select Add role and configure with the following.

Group

AAD built-in role

Permissions in DfE

Security Administrator

Yes

Full access

Global Administrator

Yes

Full access

Security reader

Yes

Read-only access

Global reader

Yes

Read-only acces

Roles in Microsoft 365 Defender (RBAC):

Configuring and enabling RBAC roles with Defender for Endpoint, can be done by going to security.microsoft.com then Settings then Microsoft 365 Defender then Permissions and roles. Currently the workloads are set to "Not active", set it to "Active"


ree

Permissions - Device groups:

I generally configure device groups with the following setup unless the organisation has more than one or more different naming conventions, you can customise with the following:

Setting

Value

Device group name

All Windows workstations

Automation level

Full - Remediate threats automatically

Specify the matching rule that determines

Condition: OS

Operator: In

Value: Windows 10, Windows 11

Rules - Web content filtering:

Microsoft Defender for Endpoint enables web content filtering at the endpoint level negating the need for proxies or full-tunnel VPN connections. Web content filtering should be applied to workstations. Web content filtering in Microsoft Defender for Endpoint leverages services provided by Cyren. To check the classification of a URL or report a misclassified URL visit:


By navigating to security.microsoft.com then Settings then Endpoints then Rules then Web content filtering, select Add Policy.


ree

Specify a policy name such as "Web Content Filtering" then choose under "Block categories"

Setting

Value

Adult content

Cults

Gambling

Nudity

Pornography/Sexually explicit

Sex education

Tasteless

Violence

High bandwidth

Download sites

Image sharing

Peer-to-peer

Streaming media & downloads

Legal liability

Child abuse images

Criminal activity

Hacking

Hate and intolerance

Illegal drug

Illegal Software

School cheating

Self-harm

Weapons

Leisure

Chat

Games

Instant messaging

Professional networking

Social networking

Web-based email

Uncategorized

Unknown

Configuration manager - Enforcement scope:

Allow security setting in Intune to be enforced by Microsoft Defender for Endpoint (MDE).

This configuration setting will apply to devices that are not yet enrolled to Intune.


It is a requirement to turn on the integration in Microsoft Defender for Endpoint connector settings under Intune (which is done under "General - Advanced features"


ree

 
 
 

Comments

bottom of page