
Configuring Defender for Endpoint

  • Writer: Mr B SOE way
  • Sep 6, 2023
  • 2 min read

What is Defender for Endpoint?

Microsoft Defender for Endpoint (MDE) is a comprehensive solution for preventing, detecting, and automating the investigation of and response to threats against endpoints. Defender for Endpoint supports multiple platforms, including Windows, Linux, macOS, and the mobile platforms iOS and Android. MDE is a large platform of features rather than a single product: it bundles many security features, services, and controls. Hopefully, this blog series gives both high-level overviews and in-depth technical information based on my own best practices.


Microsoft Defender for Endpoint is a key component of the Microsoft 365 Defender architecture and part of the Microsoft 365 Defender platform. It shares data, signals, and architecture with the following products:

  • Microsoft Defender for Endpoint (MDE)

  • Microsoft Defender for Office 365 (MDO)

  • Microsoft Defender for Cloud Apps (MDA)

  • Microsoft Defender for Identity (MDI)

  • Azure AD Identity Protection (AADIP)

Defender for Endpoint contains a number of major components, including:

  • Asset discovery

  • Threat & Vulnerability Management (TVM)

  • Attack Surface Reduction (ASR)

  • Next-Generation Protection (NGP)

  • Endpoint Detection & Response (EDR)

  • Automated self-healing / automated investigation and remediation (AIR)

  • Microsoft Threat Experts



How to configure Defender for Endpoint?

Configuration is done in security.microsoft.com and is broken down into the following sections:

General - Email notifications:

  1. Navigate to security.microsoft.com, then Settings, then Microsoft 365 Defender, then Email notifications.

  2. Enter a notification name under Basics.

  3. Select the notification settings you require and set Alert severity to "High".



General - Advanced features:

  1. Navigate to security.microsoft.com, then Settings, then Endpoints, then Advanced features.

  2. By default, a number of the settings will already be turned on.

  3. The key settings are listed in the table below; set each one to the value shown.

| Setting | Value | Description |
|---|---|---|
| Automated investigation | On | Enables the automation capabilities for investigation and response. |
| Live Response | On | Enables Live Response. |
| Live Response for Servers | On | Enables Live Response for servers. |
| Live response unsigned script execution | On | Enables using unsigned scripts in Live Response. |
| Restrict correlation to within scoped device groups | Off | When this setting is turned on, alerts are correlated into separate incidents based on their scoped device group. By default, incident correlation happens across the entire tenant scope. |
| Enable EDR in block mode | On | When turned on, Microsoft Defender ATP leverages behavioural blocking and containment capabilities by blocking malicious artifacts or behaviours observed through post-breach endpoint detection and response (EDR) capabilities. This feature does not change how Microsoft Defender ATP performs detection, alert generation, and incident correlation. |
| Automatically resolve alerts | On | Resolves an alert if Automated investigation finds no threats or has successfully remediated all malicious artifacts. |
| Allow or block file | On | Make sure that Windows Defender Antivirus is turned on and the cloud-based protection feature is enabled in the organisation to use the allow or block file feature. |
| Custom network indicators | On | Configures devices to allow or block connections to IP addresses, domains, or URLs in your custom indicator lists. To use this feature, devices must be running Windows 10 version 1709 or later. They should also have network protection in block mode and version 4.18.1906.3 or later of the antimalware platform (see KB 4052623). Note that network protection leverages reputation services that process requests in locations that might be outside of the location you have selected for your Microsoft Defender ATP data. |
| Tamper Protection | On | Keep tamper protection turned on to prevent unwanted changes to your security solution and its essential features. |
| Show user details | On | Enables displaying user details (picture, name, title, department) stored in Azure Active Directory. |
| Skype for business integration | On | Enables 1-click communication with users. |
| Microsoft Defender for Identity integration | On | Retrieves enriched user and device data from Microsoft Defender for Identity and forwards Microsoft Defender for Endpoint signals, resulting in better visibility, additional detections, and efficient investigations across both services. Forwarded data is stored and processed in the same location as your MDI data. |
| Office 365 Threat Intelligence connection | On | Connects to Office 365 Threat Intelligence to enable security investigations across Office 365 mailboxes and Windows devices. |
| Microsoft Cloud App Security | On | Forwards Microsoft Defender ATP signals to Cloud App Security, giving administrators deeper visibility into both sanctioned cloud apps and shadow IT. It also gives them the ability to block unauthorized applications when the custom network indicators setting is turned on. Forwarded data is stored and processed in the same location as your Cloud App Security data. This feature is available with an E5 license for Enterprise Mobility + Security on devices running Windows 10 version 1709 (OS Build 16299.1085 with KB4493441), Windows 10 version 1803 (OS Build 17134.704 with KB4493464), Windows 10 version 1809 (OS Build 17763.379 with KB4489899) or later Windows 10 versions. |
| Microsoft Secure Score | On | Forwards Microsoft Defender ATP signals, giving Microsoft Secure Score visibility into the device security posture. Forwarded data is stored and processed in the same location as your Microsoft Secure Score data. |
| Web content filtering | On | Block access to websites containing unwanted content and track web activity across all domains. To specify the web content categories you want to block, create a web content filtering policy. |
| Download Quarantined Files | On | Backs up quarantined files in a secure and compliant location so they can be downloaded directly from quarantine. |
| Share endpoint alerts with Microsoft Compliance Center | On | Forwards endpoint security alerts and their triage status to Microsoft Compliance Center, allowing you to enhance insider risk management policies with alerts and remediate internal risks before they cause harm. Forwarded data is processed and stored in the same location as your Office 365 data. |
| Microsoft Intune connection | On | Connects to Microsoft Intune to enable sharing of device information and enhanced policy enforcement. Intune provides additional information about managed devices for Secure Score. It can use risk information to enforce conditional access and other security policies. |
| Device Discovery | On | Allows onboarded devices to discover unmanaged devices in your network and assess vulnerabilities and risks. For more information, see |
| Preview features | On | Allow access to preview features. Turn on to be among the first to try upcoming features. |
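Several rows above state endpoint-side prerequisites (Windows 10 1709 or later, antimalware platform 4.18.1906.3 or later, network protection in block mode, Defender Antivirus with cloud-delivered protection, Tamper Protection). The following is an added example, not code from the original post: a local check run on an onboarded Windows device using the built-in Get-MpComputerStatus and Get-MpPreference cmdlets. The function name Test-MdePrerequisites is my own.

```powershell
# Added example: verifies, on one device, the endpoint-side prerequisites the
# Advanced features table lists. Function name is my own; the cmdlets are from
# the built-in Defender module. Run in an elevated PowerShell session.
function Test-MdePrerequisites {
    $status = Get-MpComputerStatus   # engine/platform state, tamper protection
    $pref   = Get-MpPreference       # MAPS (cloud protection), network protection
    $build  = [Environment]::OSVersion.Version.Build

    # Windows 10 version 1709 is OS build 16299; both thresholds are the ones
    # the "Custom network indicators" row states.
    $minBuild    = 16299
    $minPlatform = [version]'4.18.1906.3'

    $checks = [ordered]@{
        'OS build >= 16299 (Windows 10 1709 or later)' = ($build -ge $minBuild)
        'Antimalware platform >= 4.18.1906.3'           = ([version]$status.AMProductVersion -ge $minPlatform)
        # EnableNetworkProtection: 0 = Disabled, 1 = Enabled (block), 2 = Audit mode
        'Network protection in block mode'              = ($pref.EnableNetworkProtection -eq 1)
        # "Allow or block file" needs Defender AV on plus cloud-delivered protection.
        # MAPSReporting: 0 = Disabled, 1 = Basic, 2 = Advanced
        'Defender Antivirus enabled'                    = [bool]$status.AntivirusEnabled
        'Cloud-delivered protection (MAPS) enabled'     = ($pref.MAPSReporting -ne 0)
        # Tamper Protection stops local changes to the settings checked above.
        'Tamper Protection on'                          = [bool]$status.IsTamperProtected
    }

    $results = foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Pass = $checks[$name] }
    }
    $results | Format-Table -AutoSize

    # AMRunningMode reports "EDR Block Mode" once EDR in block mode has taken
    # over from a passive Defender AV; shown for information only.
    Write-Host "AMRunningMode: $($status.AMRunningMode)"

    # $true only when every prerequisite passed.
    return -not ($results | Where-Object { -not $_.Pass })
}

Test-MdePrerequisites
```

A failed "Network protection in block mode" or MAPS check means the corresponding portal toggle is on but will not take effect on that device until the local setting is corrected through your management channel.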

Permissions - Roles:

  1. Navigate to security.microsoft.com, then Settings, then Endpoints, then Permissions, then select Roles.

  2. Select Turn on roles.

  3. Select Add role and configure as follows.

| Group | AAD built-in role | Permissions in DfE |
|---|---|---|
| Security Administrator | Yes | Full access |
| Global Administrator | Yes | Full access |
| Security reader | Yes | Read-only access |
| Global reader | Yes | Read-only access |

Roles in Microsoft 365 Defender (RBAC):

Configuring and enabling RBAC roles for Defender for Endpoint is done by going to security.microsoft.com, then Settings, then Microsoft 365 Defender, then Permissions and roles. Currently the workloads are set to "Not active"; set them to "Active".


Permissions - Device groups:

I generally configure device groups with the following setup; if the organisation uses one or more different naming conventions, customise the values accordingly:

| Setting | Value |
|---|---|
| Device group name | All Windows workstations |
| Automation level | Full - Remediate threats automatically |
| Specify the matching rule that determines | Condition: OS; Operator: In; Value: Windows 10, Windows 11 |

Rules - Web content filtering:

Microsoft Defender for Endpoint enables web content filtering at the endpoint level, removing the need for proxies or full-tunnel VPN connections. Web content filtering should be applied to workstations. Web content filtering in Microsoft Defender for Endpoint leverages services provided by Cyren. To check the classification of a URL or report a misclassified URL, visit:


Navigate to security.microsoft.com, then Settings, then Endpoints, then Rules, then Web content filtering, and select Add Policy.

Specify a policy name such as "Web Content Filtering", then choose the following under "Block categories":

| Setting | Value |
|---|---|
| Adult content | Cults, Gambling, Nudity, Pornography/Sexually explicit, Sex education, Tasteless, Violence |
| High bandwidth | Download sites, Image sharing, Peer-to-peer, Streaming media & downloads |
| Legal liability | Child abuse images, Criminal activity, Hacking, Hate and intolerance, Illegal drug, Illegal software, School cheating, Self-harm, Weapons |
| Leisure | Chat, Games, Instant messaging, Professional networking, Social networking, Web-based email |
| Uncategorized | Unknown |

Configuration manager - Enforcement scope:

Allows security settings configured in Intune to be enforced by Microsoft Defender for Endpoint (MDE).

This configuration setting applies to devices that are not yet enrolled in Intune.

It is a requirement to turn on the integration in the Microsoft Defender for Endpoint connector settings under Intune (which is done under "General - Advanced features" above).
