Microsoft Defender for Endpoint series – Configure AV/ next-generation protection – Part4
It is time for part 4 of the ultimate Microsoft Defender for Endpoint (MDE) series. All previous parts were focused on the initial Defender for Endpoint onboarding. Now it is time for the initial configuration of the additional components part of Defender for Endpoint; one of the main components is Defender Antivirus, also known as next-generation protection.
NOTE: The blog series focuses on features in Microsoft Defender for Endpoint P2 all Microsoft Defender for Endpoint P1 features are available in P2.
Specific question or content idea part of Defender for Endpoint? Use the contact submission form and share the post ideas.
Defender for Endpoint contains lots of features that are part of MDE or AV policies which are part of the Defender AV/ NGAV solution. After the initial deployment of Defender for Endpoint there is a configuration required for the additional recommended protection, a common mistake from organizations where the servers are onboarded via Defender for Cloud without any additional configuration for Defender AV or environments where devices are only onboarded without Cloud Protection/ Network Protection and more critical features configured.
Microsoft Defender Antivirus is Microsoft Defender for Endpoint’s ‘next-generation protection component‘ that combines machine learning, big data analysis, threat research, and Microsoft’s cloud infrastructure to protect devices more in-depth with additional layers based on behavior, heuristics, and real-time protection.
In comparison with other vendors (Crowdstrike/ Symantec e.d) MDE integrates into the kernel from the Windows system. For many OS versions Defender AV is part of the OS and deeply integrated into the kernel for providing additional protections. Defender relies on the built-in Windows Registry items for the settings which can be delivered based on multiple tools.
What are the additional configurations?
Next to the configuration in Defender for Endpoint (security.microsoft.com), there are more additional configurations available related to Defender for Endpoint.
Next-generation protection/ Defender AV
- Cloud protection
- Real-time protection
- Block at first sight
- Signature update settings
- Scan settings
- Additional AV configuration
Attack surface reduction
- Attack Surface Reduction (ASR) Rules
- Controlled folder access
- Device control
- Exploit protection
- Network protection
- Web protection
- Ransomware protection
- Application control
- HW-based isolation
Additional Defender protections
- Windows Defender Credential Guard
- Microsoft Defender SmartScreen
- Windows Defender Firewall
As you can see; there is quite a list of additional features which can be configured. Defender AV/ Next-generation protection and Attack surface reduction increase the protection factor and collect additional events for MDE.
Why Defender Antivirus/ next-generation protection?
Defender AV/ next-generation protection is critical for Defender for Endpoint and protects against new modern threats/ fileless threats. Next-generation protection contains multiple levels of protection based on machine learning, big data analysis, in-depth research, and multiple methods of cloud protection and enables multiple features which can be used in Defender for Endpoint. (Image source: Microsoft)
Recommended read; some historic background (older Microsoft post) of the artificial intelligence concept behind Defender. In the last years, Microsoft improves a lot since the publishment of the blog; it gives some ideas on how Microsoft created the artificial intelligence layer.
- Metadata-based machine learning
- Reputation machine learning
- File classification machine learning
- Detonation-based machine learning
- Reputation machine learning
- Smart rules
- Client-side machine learning
- Behavior monitoring
- AMSI integration
- Memory scanning
- Network monitoring
More detailed information: View the ninja show Episode 5 where Microsoft employees explain Next-generation protection more in detail.
What is cloud protection?
Cloud-delivered protection combines client learning models with cloud-based learning. Important to know critical features and capabilities depend on cloud protection:
- Checking against metadata in the cloud
- Cloud protection and sample submission
- Tamper Protection (Enabled from service settings)
- Block at first sight
- Emergency signature updates
- EDR in block mode
- Attack surface reduction rules
- Block executable files from running unless they meet a prevalence, age, or trusted list criteria
- Use advanced protection against ransomware
- Block untrusted programs from running from removable drives
Defender part of the system?
Recent versions of Windows 10/11 and Windows Servers are built-in with Microsoft Defender Antivirus. Previously Server 2012R2 was only supported with SCEP; the new unified agent supports Windows Servers 2012R2 and enabled similar features in comparison with other versions.
|Unified agent required?
|Windows Server 2008R2
|Only SCEP is available
|Windows Server 2012R2
|Windows Server 2016 (1)
|Windows Server 2019
|Windows Server 2022
(1) Defender Antivirus is part of Server 2016. The built-in version is based on an older version. For enabling the latest features it is required to install the new unified agent. For the unified agent, the built-in AV must be enabled and updated. More information: Install the new unified Microsoft Defender for Endpoint agent on Server 2012R2 and 2016
Passive or Active
To use the full feature set of Microsoft Defender for Endpoint and gain more visibility in the complete threat landscape, it is recommended to use Microsoft Defender Antivirus as the main and only antivirus solution. The power starts when Defender Antivirus is combined with the Defender for Endpoint capabilities. For AV migrations the different modes can be enabled to easily replace the already installed AV solution without any lack of protection. For example; when migrating from non-Microsoft protection solutions:
- Prepare environment (network/ proxy/ access)
- Enable Microsoft Defender Antivirus in passive mode
- Configure policy and settings
- Onboard Defender for Endpoint in passive mode
- Update/ validate Defender
- Remove non-Microsoft protection and remove the passive key
The following AV modes are available:
- Active mode
- Passive mode
- EDR in block mode
|Recommended: Use Defender AV in active mode in combination with Defender for Endpoint. When there is no 3rd party AV solution; NEVER use passive mode or disabled mode for Defender AV – which makes the system unstable and unprotected.
When using Defender AV in combination with 3rd party AV solution; configure EDR in block mode for additional protection.
Important: Never disable capabilities such as real-time protection, and cloud-delivered protection when using passive/ EDR in block mode.
|EDR Block mode
|Alert detection in MDE
|Attack Surface Reduction
|Update antimalware updates
|Update product update
On Windows 10/ 11 Defender AV is automatically configured in passive or EDR in block mode based on the installed AV solution. On Windows Server 2019 and higher and Windows Server 2012R2/2016 with the unified agent, Microsoft Defender Antivirus doesn’t enter passive mode automatically when you install a non-Microsoft antivirus product. For Windows Server, it is needed to configure manually the passive mode with the use of the following key when using Defender for Endpoint. NOTE: Defender for Endpoint onboarding is required.
Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
What is EDR in block mode?
EDR in block mode makes it possible to remediate threats that are post-breach detected. With the use of EDR in block mode additional protection is added when MDAV is not the primary antivirus product.
When the primary agent missed the artifacts; Defender for Endpoint (EDR) is allowed to remediate Defender Antivirus by taking post-breach actions. EDR in block mode works if the primary antivirus solution missed something; or during post-breach detections.
For using EDR in block mode the following is important:
- Cloud-delivered protection agent
- Antivirus platform version must be up to date
- Antivirus engine version must be up to date
- Unified agent for Server 2012R2 and 2016
- EDR in block mode enabled in service settings (See Part 2)
More information: Endpoint detection and response (EDR) in block mode
Validate Defender AV mode
Defender Antivirus mode and installed versions can be validated using the PowerShell command; Get-MpComputerStatus (AMRunningMode contains the AV mode), AMProductVersion contains the Product version.
Daily/ Monthly Updates
Defender for Endpoint/ Defender AV needs to be updated with recent updates. The following updates are important:
More information for the signature updates in the next part of this series.
|Update for Defender antimalware platform (AmProductVersion)
|It is critical to make sure Defender platform is updated with the latest version, for getting latest technology and features
|Security Intelligence updates
|Defender AV requires Security Intelligence Updates/ Signature updates
|Update for EDR sensor (2012R2/ 2016)
|This update includes updates and fixes to the EDR sensor that is used by MDE for 2012R2/ 2016
How to manage Defender AV and additional configurations?
The question I keep getting is “How to manage Defender AV and additional configuration?”. Defender for Endpoint can be deployed with the use of multiple management systems and techniques; currently the following most common methods;
- Microsoft Intune
- Microsoft Configuration Manager
- Security Management for Microsoft Defender for Endpoint
- Group Policy
- Desired State Configuration (DSC)
Microsoft Intune is the most common and modern method for managing Defender for Endpoint and Defender Antivirus. Intune integrates perfectly with Defender for Endpoint and can be used for additional compliance controls. In Intune there are multiple ways available to manage the same setting, let’s summarize the available options;
- Device Configuration profiles ( Templates/ ADMX/ Setting catalog)
- Security Baselines
- Endpoint Security profiles
|Important: The Endpoint Security profiles are the most frequent profiles that are supported for the new features. Always use the Endpoint Security profiles. Endpoint security profiles are supported for MDM,/ microsoftSense and are based on the latest schema and settings.
Location Endpoint Security policies: Endpoint.microsoft.com -> Endpoint security.
Security Baselines or Security profiles
Security baselines are pre-configured groups of settings and default values that are recommended by the Microsoft security teams. It’s a template that consists of multiple profiles. They are created based on the best practices and recommendations – for organizations a good starting point to quickly secure devices and configure all configurations which are needed for Defender for Endpoint.
|Avoid conflicts; Based on experience; there is a difference between the channel used for Endpoint Security and Security Baselines. Avoid conflicts from multiple profiles with the same setting or different settings (ASR gives some issues when using the same setting in baselines and Endpoint security profiles.
Personally, I use the security baselines for the hardening/ additional settings and remove all Defender AV-related settings which can be easily created with Endpoint security policies. I find it’s easier to manage multiple policies and give some extra options to include and exclude policies for specific groups.
The latest ASR rules are not part of the security baselines and support for MDE management is not yet added. Don’t forget to use the setting part of the Windows 10 security baseline for hardening and reducing the TVM recommendations in MDE.
For this baseline; I remove the Bitlocker, Firewall, Microsoft Defender, and SmartScreen settings and create separate policies in Intune.
|Important: Avoid conflicts and always test/ review each setting part of the Security baseline. It can easily block functions.
Microsoft Configuration Manager
When using Microsoft Configuration Manager, previously known as SCCM there are multiple ways to manage AV settings. Ideally; workstations are part of Intune for applying the configuration. When not possible there are a couple of options for managing endpoints;
- Use co-management and manage with Intune (workstations)
- Use tenant-attach and manage with Intune (server)
- Use endpoint protection Role in SCCM (server)
The downside of tenant-attach and the endpoint protection role in Microsoft Configuration Manager; not all settings are built-in available. Ideally, use co-management and manage the workstations via the more modern method.
|Important: The endpoint protection role and client settings are needed for managing AV settings. Without the role and client settings, the AV settings are not getting deployed on the system. Good to know – not all settings are available via the built-in SCCM policies, the latest ASR rules are not available – same for some more advanced settings for performance optimization/ audit collection.
More information: Endpoint Protection
Group Policy can be used for managing all additional settings in Defender. When using GPO my personal preference is always to use different profiles for exclusions and different profiles for the AV configuration. Avoid deploying exclusions – if it’s not necessary.
|Important: Before starting with Group Policy use always the latest available ADMX template for Windows 10/11 and Windows Servers.
PowerShell / DSC
It is not recommended but PowerShell can be used if there are no other options for managing Defender configurations. For environments with machines hosted in Azure where Security Management is no option, the management with the use of Desired State Configuration can be used. All policies can be packaged in DSC configuration files to keep track of changes and always push the same configuration.
Security Management for Microsoft Defender for Endpoint
Security Management for Microsoft Defender for Endpoint is the new method for managing security settings for devices and servers that are not enrolled yet in Intune. With the new feature, it is possible to deploy configurations from Intune directly to MDE onboarded devices without the need to completely onboard devices in Intune.
Microsoft releases recently the new V2 version of Security settings management. The new version improves the capabilities and removes the prerequisite of the AAD join requirement. Another improvement is the support for macOS and Linux.
Now the good news; Microsoft has listened and collected all the feedback and improved the flow with new improvements. I have been involved from the start of the development; after many feedback sessions and preview releases, the new solution is way more flexible and future-proof.
What has changed? With the new solution, Microsoft changed the management capabilities and launched a new simplified device onboarding. The full Azure AD join requirement is no longer needed, it can be managed now without joining machines with Azure AD. So no longer changes in Azure AD connect/ sync rules and complexity across domains when one single MDE instance and Azure AD are used.
The new solution is not only supported for Windows 10/11/ Windows Server. Microsoft expanded the scope to macOS and Linux devices and all without the need to join Azure AD or Intune via the normal flow. So now we are finally able to manage Defender for Endpoint via Microsoft 365 Defender for macOS/ Windows and Linux. Sounds cool right – let’s deep dive further into the new solution.
In general with the new feature Microsoft released the following capabilities:
- Simplified device onboarding (Removal of Azure Active Directory hybrid join)
- Native security settings management in Defender for Endpoint
- Create policies directly from Microsoft 365 Defender portal
- Visibility in Microsoft 365 Defender portal in all settings
- Policies synced automatically between Microsoft 365 Defender and Intune
- Applied policies visible via device page
For Windows the following flow is used: View larger version here
For macOS and Linux the following flow is used: View larger version here
Which profile is needed in Intune?
For configuring Defender for Endpoint using the new management option, use the Endpoint security profiles part of Intune – Endpoint Security.
Currently, not all security settings are supported for the new feature. The below configurations are currently supported:
- Antivirus policies
- Firewall policies
- Firewall rule policies
- Endpoint detection and response policies
- Attack Surface Reduction Rules
When the device is successfully enrolled and managed by MDE it will take some time before the first initial sync is applied. When the enrollment is succeded the cadence (of 10 minutes) starts immediately when the enrollment succeeds – the first policy sync is after +-10 minutes. After the first policy sync, the policies will be synced based on a 90 minutes interval with Microsoft Intune.
Hopefully, in the future, Microsoft support more options for the policy sync. It would be great when it is possible to sync the policy in bulk (device group) or force a complete policy sync via the policy (emergency changes).Jeffreyappel.nl
With the use of the Policy Sync button from the MDE device page it is possible to enforce the policy refresh and receive the new policies (immediately sync in worst case up to 5/10 minutes). The policy sync button is available via the device page:
Simplified sync flow timings:
More information is explained more in-depth in the following blog, since this topic is a large one with multiple decisions. Blog: Manage Defender for Endpoint for Windows, macOS, and Linux via Security settings management
Do we need Firewall policies for MDE?
Another common question; do we need to enable Firewall policies for MDE – the answer is yes. Many organizations don’t realize the importance of Windows Firewall in combination with Defender for Endpoint.
|NOTE: The enablement of additional auditing events can increase the collected size of events. When connected with a SIEM/ Sentinel or other data warehouse; it is good to check the extra data and cost. Both success+failure generate more events and data.
Microsoft Defender for Endpoint supports different layers of network reporting and insights based on network traffic including native network detection and events in the DeviceNetworkEvents table.
Important to make sure Windows Firewall is enabled for all zones including the following audit events:
auditpol /set /subcategory:"Filtering Platform Packet Drop" /failure:enable
auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable
What do we have after enabling and integrating the correct events?
After enabling the Firewall profiles and additional events, the following data is monitored:
- Remote IP
- Remote Port
- Local Port
- Local IP
- Computer Name
- Process across inbound and outbound connections
Part4 of the Microsoft Defender for Endpoint series is completed – focussed on the explanation of the additional configuration in Defender AV. In the next part; 4A, more information will be shared about the policies and best practices for the optional configuration. With the answer; do we need local admin merge, PUA protection, MAPS reporting, schedule scans, and more enabled?
Searching for specific Defender for Endpoint information? Use the contact submission form and share the post ideas or contact using Linkedin or Twitter. I will take all suggestions into the Defender for Endpoint series and help the community as far as possible.
Microsoft: Defender Ninja Show
Microsoft: Overview of Next-generation overview