It is time for part 4 of the ultimate Microsoft Defender for Endpoint (MDE) series. All previous parts focused on the initial Defender for Endpoint onboarding. Now it is time for the initial configuration of the additional components of Defender for Endpoint; one of the main components is Defender Antivirus, also known as next-generation protection.

NOTE: The blog series focuses on features in Microsoft Defender for Endpoint P2; all Microsoft Defender for Endpoint P1 features are also available in P2.

Have a specific question or content idea about Defender for Endpoint? Use the contact submission form and share your post ideas.


Introduction

Defender for Endpoint contains lots of features that are part of the MDE or AV policies, and those policies belong to the Defender AV/NGAV solution. After the initial deployment of Defender for Endpoint, additional configuration is required for the recommended protections. A common mistake is to onboard servers via Defender for Cloud without any additional Defender AV configuration, or to onboard devices without configuring cloud protection, network protection and other critical features.

Microsoft Defender Antivirus is Microsoft Defender for Endpoint’s next-generation protection component that combines machine learning, big data analysis, threat research, and Microsoft’s cloud infrastructure to protect devices more in-depth with additional layers based on behavior, heuristics, and real-time protection.

In comparison with other vendors (CrowdStrike, Symantec, etc.), MDE integrates into the kernel of the Windows system. For many OS versions Defender AV is part of the OS and deeply integrated into the kernel to provide additional protection. Defender relies on the built-in Windows Registry items for its settings, which can be delivered with multiple tools.


What are the additional configurations?

Next to the configuration in the Defender for Endpoint portal (security.microsoft.com), there are additional configurations available related to Defender for Endpoint.

Next-generation protection/ Defender AV

  • Cloud protection
  • Real-time protection
  • Block at first sight
  • Signature update settings
  • Scan settings
  • Additional AV configuration

Attack surface reduction

  • Attack Surface Reduction (ASR) Rules
  • Controlled folder access
  • Device control
  • Exploit protection
  • Network protection
  • Web protection
  • Ransomware protection
  • Application control
  • HW-based isolation

Additional Defender protections

  • Windows Defender Credential Guard
  • Microsoft Defender SmartScreen
  • Windows Defender Firewall

As you can see, there is quite a list of additional features which can be configured. Defender AV/next-generation protection and attack surface reduction increase the protection factor and collect additional events for MDE.


Why Defender Antivirus/ next-generation protection?

Defender AV/next-generation protection is critical for Defender for Endpoint and protects against new modern threats and fileless threats. Next-generation protection contains multiple levels of protection based on machine learning, big data analysis, in-depth research, and multiple methods of cloud protection, and enables multiple features which can be used in Defender for Endpoint. (Image source: Microsoft)

The antivirus uses both client-side and cloud machine learning (ML) models. With the help of these two models, artificial intelligence enables in-depth integrations. The first layer of the machine learning part of Defender AV is a lightweight ML model built into Defender Antivirus which runs locally on the computer. Many of these models are specialized for file types commonly abused by malware authors (JavaScript, Visual Basic Script, Office macros, and other portable executable files).

Recommended read: some historic background (an older Microsoft post) on the artificial intelligence concept behind Defender. Microsoft has improved a lot in the years since the publication of that blog; it still gives some idea of how Microsoft created the artificial intelligence layer.

Cloud protection

  • Metadata-based machine learning
  • Reputation machine learning
  • File classification machine learning
  • Detonation-based machine learning
  • Smart rules

Client protection

  • Heuristics
  • Emulation
  • Client-side machine learning
  • Behavior monitoring
  • AMSI integration
  • Memory scanning
  • Network monitoring

More detailed information: view the Ninja Show episode 5, where Microsoft employees explain next-generation protection in more detail.

What is cloud protection?

Cloud-delivered protection combines client learning models with cloud-based learning. Important to know: the following critical features and capabilities depend on cloud protection:

  • Checking against metadata in the cloud
  • Cloud protection and sample submission
  • Tamper Protection (Enabled from service settings)
  • Block at first sight
  • Emergency signature updates
  • EDR in block mode
  • Attack surface reduction rules
    • Block executable files from running unless they meet a prevalence, age, or trusted list criteria
    • Use advanced protection against ransomware
    • Block untrusted programs from running from removable drives

Defender part of the system?

Recent versions of Windows 10/11 and Windows Server ship with Microsoft Defender Antivirus built in. Previously, Server 2012R2 was only supported with SCEP; the new unified agent supports Windows Server 2012R2 and enables similar features in comparison with other versions.

OS                        Antivirus built-in?         Unified agent required?
Windows 10                Yes                         No
Windows 11                Yes                         No
Windows Server 2008R2     Only SCEP is available      n/a
Windows Server 2012R2     No (previously SCEP only)   Yes
Windows Server 2016 (1)   Yes                         Yes
Windows Server 2019       Yes                         No
Windows Server 2022       Yes                         No

(1) Defender Antivirus is part of Server 2016, but the built-in version is an older release. To enable the latest features it is required to install the new unified agent. For the unified agent, the built-in AV must be enabled and updated. More information: Install the new unified Microsoft Defender for Endpoint agent on Server 2012R2 and 2016

Passive or Active

To use the full feature set of Microsoft Defender for Endpoint and gain more visibility into the complete threat landscape, it is recommended to use Microsoft Defender Antivirus as the main and only antivirus solution. The real power starts when Defender Antivirus is combined with the Defender for Endpoint capabilities. For AV migrations, the different modes can be used to replace the already installed AV solution without any gap in protection. For example, when migrating from non-Microsoft protection solutions:

  1. Prepare environment (network/ proxy/ access)
  2. Enable Microsoft Defender Antivirus in passive mode
  3. Configure policy and settings
  4. Onboard Defender for Endpoint in passive mode
  5. Update/ validate Defender
  6. Remove non-Microsoft protection and remove the passive key
  7. Reboot

More information: Make the switch from non-Microsoft endpoint protection to Microsoft Defender for Endpoint | Microsoft Learn

The following AV modes are available:

  • Active mode
  • Passive mode
  • EDR in block mode
  • Disabled

Recommended: Use Defender AV in active mode in combination with Defender for Endpoint. When there is no 3rd party AV solution, NEVER use passive mode or disabled mode for Defender AV; it leaves the system unstable and unprotected.

When using Defender AV in combination with a 3rd party AV solution, configure EDR in block mode for additional protection.

Important: Never disable capabilities such as real-time protection and cloud-delivered protection when using passive mode/EDR in block mode.

Comparison table: Active mode, Passive mode, EDR Block mode and Disabled, compared on the following capabilities:
Protection: detection information, file scanning (fully supported or limited depending on the mode), threat remediation, alert detection in MDE, cloud-delivered protection, network protection, Attack Surface Reduction, real-time protection
Updating: antimalware updates, product updates

More information: How Microsoft Defender Antivirus affects Defender for Endpoint functionality

On Windows 10/11, Defender AV is automatically configured in passive mode or EDR in block mode based on the installed AV solution. On Windows Server 2019 and higher, and on Windows Server 2012R2/2016 with the unified agent, Microsoft Defender Antivirus doesn’t enter passive mode automatically when you install a non-Microsoft antivirus product. For Windows Server, passive mode must be configured manually with the following registry key when using Defender for Endpoint. NOTE: Defender for Endpoint onboarding is required.

Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
Name: ForceDefenderPassiveMode
Type: REG_DWORD
Value: 1

More information: Microsoft Defender Antivirus and non-Microsoft antivirus/antimalware solutions

What is EDR in block mode?

EDR in block mode makes it possible to remediate threats that are detected post-breach. With EDR in block mode, additional protection is added when MDAV is not the primary antivirus product.

When the primary agent missed the artifacts, Defender for Endpoint (EDR) is allowed to use Defender Antivirus to remediate by taking post-breach actions. EDR in block mode works when the primary antivirus solution missed something, or during post-breach detections.

For using EDR in block mode the following is important:

  • Cloud-delivered protection enabled
  • Antivirus platform version must be up to date
  • Antivirus engine version must be up to date
  • Unified agent for Server 2012R2 and 2016
  • EDR in block mode enabled in service settings (See Part 2)

More information: Endpoint detection and response (EDR) in block mode

Validate Defender AV mode

Defender Antivirus mode and installed versions can be validated with the PowerShell command Get-MpComputerStatus: AMRunningMode contains the AV mode and AMProductVersion contains the product version.
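The validation above, worked out as an added example (not code from the original post): it reports the running mode and the versions behind the platform and security intelligence updates, the cloud protection settings, and the ForceDefenderPassiveMode key next to the MDE onboarding state. Assumptions: Defender AV is installed (so Get-MpComputerStatus and Get-MpPreference exist) and the script runs elevated; the one-day signature age threshold is a constructed value.

```powershell
# Added example, not from the original post. Assumes Defender AV is installed
# and the script runs elevated so the HKLM policy keys can be read.
$status = Get-MpComputerStatus
$pref   = Get-MpPreference

$report = [ordered]@{
    RunningMode        = $status.AMRunningMode               # 'Normal' = active mode
    PlatformVersion    = $status.AMProductVersion            # platform update (KB4052623)
    EngineVersion      = $status.AMEngineVersion
    SignatureVersion   = $status.AntivirusSignatureVersion   # security intelligence (KB2267602)
    SignatureAgeDays   = $status.AntivirusSignatureAge
    RealTimeProtection = $status.RealTimeProtectionEnabled
    TamperProtected    = $status.IsTamperProtected
    MapsReporting      = $pref.MAPSReporting                 # 0 off, 1 basic, 2 advanced
    BlockAtFirstSight  = (-not $pref.DisableBlockAtFirstSeen)
}

# The passive-mode key only has effect on an onboarded server, so read both.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
$statusPath = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$passive = (Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue).ForceDefenderPassiveMode
$onboard = (Get-ItemProperty -Path $statusPath -ErrorAction SilentlyContinue).OnboardingState
$report.ForceDefenderPassiveMode = if ($null -eq $passive) { 'not set' } else { $passive }
$report.MdeOnboarded             = ($onboard -eq 1)

[pscustomobject]$report | Format-List

# Flag the combinations this post warns against.
if ($status.AMRunningMode -ne 'Normal') {
    Write-Warning "Defender AV runs in '$($status.AMRunningMode)'; only acceptable while another AV is primary."
}
if (-not $status.RealTimeProtectionEnabled) { Write-Warning 'Real-time protection is disabled.' }
if ($pref.MAPSReporting -eq 0)              { Write-Warning 'Cloud-delivered protection (MAPS) is off.' }
if ($status.AntivirusSignatureAge -gt 1)    { Write-Warning 'Security intelligence is older than one day (assumed threshold).' }
if ($passive -eq 1 -and $onboard -ne 1)     { Write-Warning 'ForceDefenderPassiveMode is set but the device is not onboarded to MDE.' }
```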

Daily/ Monthly Updates

Defender for Endpoint/Defender AV needs to be kept current with recent updates. The following updates are important:

  • KB4052623, Update for the Defender antimalware platform (AMProductVersion): it is critical to make sure the Defender platform is updated to the latest version, to get the latest technology and features.
  • KB2267602, Security Intelligence updates: Defender AV requires Security Intelligence updates/signature updates.
  • KB5005292, Update for the EDR sensor (2012R2/2016): this update includes updates and fixes to the EDR sensor that is used by MDE on 2012R2/2016.

More information on the signature updates follows in the next part of this series.

How to manage Defender AV and additional configurations?

The question I keep getting is “How to manage Defender AV and additional configuration?”. Defender for Endpoint can be managed with multiple management systems and techniques; currently the most common methods are:

  • Microsoft Intune
  • Microsoft Configuration Manager
  • Security Management for Microsoft Defender for Endpoint
  • Group Policy
  • PowerShell
  • Desired State Configuration (DSC)

Microsoft Intune

Microsoft Intune is the most common and modern method for managing Defender for Endpoint and Defender Antivirus. Intune integrates perfectly with Defender for Endpoint and can be used for additional compliance controls. In Intune there are multiple ways to manage the same setting; let’s summarize the available options:

  • Device Configuration profiles ( Templates/ ADMX/ Setting catalog)
  • Security Baselines
  • Endpoint Security profiles

Important: The Endpoint Security profiles are the profiles most frequently updated to support new features. Always use the Endpoint Security profiles. Endpoint security profiles are supported for MDM/microsoftSense and are based on the latest schema and settings.

Location Endpoint Security policies: Endpoint.microsoft.com -> Endpoint security.

Security Baselines or Security profiles

Security baselines are pre-configured groups of settings and default values that are recommended by the Microsoft security teams. A baseline is a template that consists of multiple profiles. They are created based on best practices and recommendations, and for organizations they are a good starting point to quickly secure devices and apply all settings needed for Defender for Endpoint.

Avoid conflicts: based on experience, there is a difference between the channel used for Endpoint Security profiles and Security Baselines. Avoid conflicts from multiple profiles that carry the same setting with the same or different values (ASR in particular gives issues when the same setting is used in both baselines and Endpoint security profiles).

Personally, I use the security baselines for the hardening/ additional settings and remove all Defender AV-related settings which can be easily created with Endpoint security policies. I find it’s easier to manage multiple policies and give some extra options to include and exclude policies for specific groups.

The latest ASR rules are not part of the security baselines and support for MDE management is not yet added. Don’t forget to use the setting part of the Windows 10 security baseline for hardening and reducing the TVM recommendations in MDE.

For this baseline; I remove the Bitlocker, Firewall, Microsoft Defender, and SmartScreen settings and create separate policies in Intune.

Important: Avoid conflicts and always test/ review each setting part of the Security baseline. It can easily block functions.

Microsoft Configuration Manager

When using Microsoft Configuration Manager, previously known as SCCM, there are multiple ways to manage AV settings. Ideally, workstations are part of Intune for applying the configuration. When that is not possible there are a couple of options for managing endpoints:

  • Use co-management and manage with Intune (workstations)
  • Use tenant-attach and manage with Intune (server)
  • Use endpoint protection Role in SCCM (server)

The downside of tenant-attach and the endpoint protection role in Microsoft Configuration Manager is that not all settings are available built-in. Ideally, use co-management and manage the workstations via the more modern method.

Important: The endpoint protection role and client settings are needed for managing AV settings. Without the role and client settings, the AV settings are not deployed to the system.

More information: Endpoint Protection

Group Policy

Group Policy can be used for managing all additional settings in Defender. When using GPO my personal preference is always in using different profiles for exclusions and different profiles for the AV configuration. Avoid deploying exclusions – if it’s not necessary.

Important: Before starting with Group Policy, always use the latest available ADMX template for Windows 10/11 and Windows Server.

More information: Use Group Policy settings to configure and manage Microsoft Defender Antivirus

PowerShell / DSC

It is not recommended, but PowerShell can be used if there are no other options for managing Defender configurations. For environments with machines hosted in Azure where Security Management is not an option, management with Desired State Configuration can be used. All policies can be packaged in DSC configuration files to track changes and always push the same configuration.
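A minimal DSC configuration of the kind described above, added here as an example (not a configuration from the original post): it pins the policy registry values behind cloud protection, sample submission, block at first sight and real-time protection, so drift can be detected and re-applied. Assumption: the value names used are the ones behind the Defender ADMX policies; they are not taken from the post itself.

```powershell
# Added example, not from the original post. Assumes the value names below match
# the Defender ADMX policies and that the configuration is applied elevated.
Configuration DefenderAvPolicy {
    param([string[]]$NodeName = 'localhost')
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    $policyRoot = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender'

    Node $NodeName {
        Registry CloudProtection {          # Join Microsoft MAPS: 2 = Advanced MAPS
            Key       = "$policyRoot\Spynet"
            ValueName = 'SpynetReporting'
            ValueType = 'Dword'
            ValueData = '2'
            Ensure    = 'Present'
            Force     = $true
        }
        Registry SampleSubmission {         # 1 = send safe samples automatically
            Key       = "$policyRoot\Spynet"
            ValueName = 'SubmitSamplesConsent'
            ValueType = 'Dword'
            ValueData = '1'
            Ensure    = 'Present'
            Force     = $true
        }
        Registry BlockAtFirstSight {        # 0 = block at first sight stays enabled
            Key       = "$policyRoot\Spynet"
            ValueName = 'DisableBlockAtFirstSeen'
            ValueType = 'Dword'
            ValueData = '0'
            Ensure    = 'Present'
            Force     = $true
        }
        Registry RealTimeProtection {       # 0 = real-time monitoring stays enabled
            Key       = "$policyRoot\Real-Time Protection"
            ValueName = 'DisableRealtimeMonitoring'
            ValueType = 'Dword'
            ValueData = '0'
            Ensure    = 'Present'
            Force     = $true
        }
    }
}

# Compile the MOF, apply it, and re-run the test later to detect drift.
DefenderAvPolicy -OutputPath .\DefenderAvPolicy | Out-Null
Start-DscConfiguration -Path .\DefenderAvPolicy -Wait -Verbose
Test-DscConfiguration -Path .\DefenderAvPolicy -Detailed
```

Keep the compiled MOF in source control next to the configuration so every change to the AV policy is traceable.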

Security Management for Microsoft Defender for Endpoint

Security Management for Microsoft Defender for Endpoint is the new method for managing security settings for devices and servers that are not enrolled yet in Intune. With the new feature, it is possible to deploy configurations from Intune directly to MDE onboarded devices without the need to completely onboard devices in Intune.

There are two situations: workgroup devices and domain-joined devices. Notice: for servers/workstations which are domain-joined and not connected with Azure AD, the Active Directory requirements must be met before using the new feature.

Situation 1: Device without a local domain (workgroup)

  1. Onboard device to MDE
  2. Trust is established between devices and AzureAD. Target AzureAD object is located in the configured MDE tenant. If not already available, the process will create a new trust.
  3. Devices use their Azure AD Identity to communicate with Endpoint Manager and create objects in MEM/Intune.
  4. Deploy policies to AzureAD Group
  5. Apply and report policy

Situation 2: Device with domain (Active Directory joined devices, with or without an Azure AD connection):

  1. Onboard device to MDE
  2. Trust is established between devices and AzureAD with existing infrastructure to complete Hybrid Azure Active Directory Join. (AAD Connect or Federation provider)
    1. The device is part of the Azure AD Connect sync OUs
    2. Sync rule enabled for 2012R2
    3. Device synced to MDE tenant
  3. Devices use their Azure AD Identity to communicate with Endpoint Manager and create objects in MEM/Intune.
  4. Apply and report policy

Which profile is needed in Intune?

For configuring Defender for Endpoint using the new management option, use the Endpoint security profiles part of Intune – Endpoint Security.

Currently, not all security settings are supported for the new feature. The below configurations are currently supported:

  • Antivirus policies
  • Firewall policies
  • Firewall rule policies
  • Endpoint detection and response policies

More in-depth information is available in the following blog: Managing Microsoft Defender for Endpoint with the new Security Management feature in MEM


Do we need Firewall policies for MDE?

Another common question: do we need to enable Firewall policies for MDE? The answer is yes. Many organizations don’t realize the importance of Windows Firewall in combination with Defender for Endpoint.

Microsoft Defender for Endpoint supports different layers of network reporting and insights based on network traffic including native network detection and events in the DeviceNetworkEvents table.

Important: make sure Windows Firewall is enabled for all profiles, including the following audit events, which can be configured via Intune or with PowerShell:

auditpol /set /subcategory:"Filtering Platform Packet Drop" /failure:enable
auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable
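The two checks above combined into one idempotent script, added here as an example (not code from the original post): it verifies that every firewall profile is enabled and that failure auditing for both Filtering Platform subcategories is on, and only changes what is missing. Assumptions: the NetSecurity module is available (Windows 8/Server 2012 and later) and the script runs elevated.

```powershell
# Added example, not from the original post. Assumes the NetSecurity module
# (Get-/Set-NetFirewallProfile) is present and the script runs elevated.

# 1. Every firewall profile must be enabled; Enabled is a GpoBoolean (True/False/NotConfigured).
foreach ($profile in Get-NetFirewallProfile -Profile Domain, Private, Public) {
    if ($profile.Enabled -ne 'True') {
        Write-Warning "Firewall profile '$($profile.Name)' is not enabled; enabling it."
        Set-NetFirewallProfile -Name $profile.Name -Enabled True
    }
}

# 2. auditpol has no cmdlet, so read its CSV output (/r) for one subcategory.
function Test-FailureAudit {
    param([Parameter(Mandatory)][string]$Subcategory)
    $row = auditpol /get /subcategory:"$Subcategory" /r |
        Where-Object { $_ -ne '' } |          # drop the leading blank line
        ConvertFrom-Csv
    # 'Inclusion Setting' reads "Failure", "Success and Failure" or "No Auditing".
    return [bool]($row.'Inclusion Setting' -match 'Failure')
}

$subcategories = 'Filtering Platform Packet Drop', 'Filtering Platform Connection'
foreach ($sub in $subcategories) {
    if (Test-FailureAudit -Subcategory $sub) {
        Write-Output "Failure auditing already enabled for '$sub'."
    } else {
        Write-Warning "Failure auditing for '$sub' is off; enabling it."
        auditpol /set /subcategory:"$sub" /failure:enable | Out-Null
    }
}
```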

What do we have after enabling and integrating the correct events?

After enabling the Firewall profiles and additional events, the following data is monitored:

  • Remote IP
  • Remote Port
  • Local Port
  • Local IP
  • Computer Name
  • Process across inbound and outbound connections

Conclusion

Part 4 of the Microsoft Defender for Endpoint series is completed; it focused on explaining the additional configuration in Defender AV. In the next part, 4A, more information will be shared about the policies and best practices for the optional configuration, answering the question: do we need local admin merge, PUA protection, MAPS reporting, scheduled scans, and more enabled?

Searching for specific Defender for Endpoint information? Use the contact submission form and share the post ideas or contact using Linkedin or Twitter. I will take all suggestions into the Defender for Endpoint series and help the community as far as possible.

View previous part – Microsoft Defender for Endpoint series – Onboard using MECM/ GPO – Part3D 


Sources

Microsoft: Defender Ninja Show

Microsoft: Overview of next-generation protection