It is time for part 2 of the ultimate Microsoft Defender for Endpoint (MDE) series. After part 1 we are now going to deep-dive more into the initial configuration of Defender for Endpoint. Part 1 answered the question "what is Defender for Endpoint?" – view the previous part here.
Introduction blog series
This ultimate blog series will contain as much information as possible based on my Defender experience in the past years. Not a copy of Microsoft Docs, but an addition based on practical experience combined with informational details – including the most frequent questions asked by customers, focusing on the complete Windows platform. When it's a success, other platforms like iOS, Android, Linux, and macOS will follow.
NOTE: This blog series focuses on features in Microsoft Defender for Endpoint P2; all MDE P1 features are available in P2.
Do you have a specific question or content idea for the Defender for Endpoint series? Use the contact submission form and share the post ideas.
Configure Defender for Endpoint
Before we start configuring all the specific subset features it is essential to fully configure Defender for Endpoint via the Microsoft 365 Defender portal and prepare the environment for onboarding the first devices/endpoints via Defender for Cloud/Intune, MDE Security Management, or other methods.
Microsoft Defender for Endpoint (MDE) service configuration is entirely cloud-based and integrated with Azure AD and other components for setting up RBAC and other features.
Microsoft Defender for Endpoint configuration is applicable tenant-wide (which means all devices enrolled in the tenant to Defender for Endpoint). The configuration is part of the Microsoft 365 product and is available via security.microsoft.com.
Part of the online security.microsoft.com configuration:
Microsoft 365 Defender
- Email notification
- Preview features
- Streaming API
- Permissions and roles
- Alert tuning
Microsoft Defender for Endpoint
- General
- Data retention
- Email notifications
- Advanced features (service features)
- Auto remediation
- Permissions
- Roles
- Device groups
- Rules
- Alert suppression
- Indicators
- Process Memory Indicators
- Web content filtering
- Automation uploads
- Automation folder exclusions
- Configuration management
- Enforcement scope
- Network assessments
- Assessment jobs
Microsoft Defender for Endpoint contains a large set of features that can be directly configured from the cloud portal. It is critical to confirm Defender for Endpoint is correctly configured with the right decisions, to make sure endpoints are completely protected and use all of the available protection features. Let's start deep-diving into the available Defender for Endpoint features.
NOTE: Initial Defender for Endpoint tenant activation is not part of this blog. View the Defender for Endpoint documentation for enabling the correct license and activating the Defender for Endpoint product. Important for the data storage location: once configured, there is no option for changing the location. Make the correct decision based on governance reasons and compliance.
General – Data Retention
As already mentioned, it is not possible to change the location where the data is stored after the initial configuration. The data retention period can be changed. By default, data is retained for 180 days; for specific compliance needs the retention for all data in Defender for Endpoint can be set between 30 and 180 days. Personally, the advice (when there are no governance restrictions) is to store data for up to 180 days (the maximum) to make sure all history is available. Advanced Hunting data is not included in the 180 days; Advanced Hunting data is available for 30 days.
By default, the data retention is 180 days. Contact Microsoft support for a lower data retention configuration. Via security.microsoft.com there is no configuration available for data retention.
Information Microsoft: Microsoft Defender for Endpoint data storage and privacy
General – Email notifications
Defender for Endpoint supports Email notifications that only work for the Defender for Endpoint source. Email notifications can be configured for Alerts and Vulnerabilities. In my opinion, the alert email notifications in Defender for Endpoint are not advisable. Reason: notifications in Defender 365 give more flexibility and integration with other Defender 365 sources.
Notifications in Microsoft Defender 365 are configured via security.microsoft.com -> Settings -> Microsoft 365 Defender -> Email notifications. Alerting via Microsoft Defender 365 is applicable for incidents.
When there is the preference to use notifications for vulnerabilities, use the Email notification configuration in Defender for Endpoint. With Email vulnerabilities, it is possible to send automated emails when new vulnerabilities affect organization assets (for example: when the severity threshold is critical/CVSS 9.0 and a new public exploit is available).
General – Advanced features
Advanced Features are important for using most of the protection features and integration with other features like Microsoft Endpoint Manager. Currently, there are many advanced features and some of them are critical for the best EDR/protection posture.
Automated investigation
Automated investigation enables various inspection algorithms and is designed for taking immediate actions to resolve breaches and start automated investigations. To get automated investigation and response (AIR) capabilities, the feature needs to be enabled. Based on device groups the level of remediation can be configured. It will automatically clean files, and if something is detected it will automatically clean systems based on created executables, registry keys, and scheduled tasks.
Advice: enable this feature and make remediation exceptions based on device groups when needed.
Live Response/ Live Response for Servers
Live Response is an MDE capability that provides security team members immediate remote console access to a device. This provides the ability to perform in-depth investigation, hunt for data, and further analysis. Live response can also be combined with device isolation for restricting the potential attack during investigations.
Advice: enable this feature, but be careful with the permissions, since it is possible to run "custom" PowerShell scripts.
Live Response unsigned script execution
Live Response unsigned script execution enables the option for running unsigned PowerShell scripts in Live Response. Allowing the use of unsigned scripts directly from Live Response may increase your exposure to threats.
Advice: only use the feature when there are no alternatives; ideally PowerShell scripts are correctly signed.
Restrict correlation within scoped device groups
This configuration can be used for scenarios where local SOC operations would like to limit alert correlation to their own device groups. By turning on this setting, an incident composed of alerts that cross device groups will no longer be considered a single incident. SOC teams can still view the alert. However, the global SOC will see several different incidents per device group instead of one incident for all device groups.
Advice: Only enable when there are benefits of incident correlation across the organization. Changing this setting only affects future alert correlation. Existing alerts are not affected after changing.
Enable EDR in block mode
When a third-party AV is used, Defender for Endpoint in EDR in block mode will override the third-party AV and clean items. The primary purpose of EDR in block mode is to remediate post-breach detections that were missed by a non-Microsoft antivirus product.
When enabled via Advanced Features the configuration is pushed to all supported onboarded systems. Since version 4.18.2202.x it is possible to enable EDR in block mode for specific devices using Intune CSPs.
Advice: The value lies mostly in combination with a 3rd party AV solution, and it is recommended when endpoints are changing into passive mode/EDR in block mode. There is no downside to having this feature enabled; it works as a post-breach fallback when Defender is not running in active mode or when attackers install other AV solutions to bypass Defender AV protections. When deploying Defender for Endpoint in combination with other products, always confirm on a small set of devices whether there are unwanted blocks.
Automatically resolve alerts
This one is interesting and depends on the needs and size of the environment/customer. Automatically resolving alerts works in combination with the Automated Investigation feature; when the automated investigation cleans up the alert, it will be closed automatically.
Advice: There is one major reason for enabling this feature: when using device risk-based conditional access, users get back online faster. The downside: Microsoft resolves the alerts automatically, which in large environments leaves the alert "hidden" in the resolved history. Where malware is cleaned up, it may require some more investigation for tracking the initial action and an in-depth investigation. Based on personal preference, the following is the advice:
Do you have the resources for tracking all incidents manually? Disable the feature and check each incident more in-depth (don't trust Microsoft completely). For smaller organizations, it is possible to automatically close the alerts which are cleaned by Automated Investigation and give more attention to the real ones. When enabled, always track the action center history weekly. If a security operations analyst manually sets the status of an alert to "In progress" or "Resolved", the auto-resolve capability will not overwrite it.
Allow or block file
When Defender Antivirus is running in active mode and cloud-based protection is enabled, it is possible to block potentially malicious files from being read, written, or executed. When this advanced feature is enabled, there is the option for adding custom hashes via indicators. Indicators can be completely scoped to specific device groups.
Advice: Enable the feature; it is useful for blocking files or whitelisting files centrally from Defender for Endpoint. The Allow or block file feature can be used for allowing hash values. Indicators can be completely scoped to specific machine groups.
Custom network indicators
Custom network indicators are needed for blocking specific network indicators (IP addresses, domains, or URLs) added via the Defender for Endpoint Indicators. To use this feature, network protection in block mode is required. Web protection is built on top of the custom network indicators.
Advice: Enable the feature; it is useful for blocking network indicators or whitelisting specific websites. Indicators can be completely scoped to specific machine groups.
Tamper protection
Tamper Protection is critical in protection against attacks. Tamper Protection in Defender for Endpoint protects organizations from unwanted changes in the Defender configuration by unauthorized users. Tamper Protection prevents malicious actors from changing protection features. By default (without Tamper Protection), a local administrator can disable Microsoft Defender Antivirus.
During cyber attacks, bad actors are trying to disable security features, such as virus and threat protection and real-time /behavior monitoring.
Tamper protection essentially locks Microsoft Defender Antivirus to its secure, default values, and prevents configured security settings from being changed through apps and other methods such as:
- Registry Editor
- PowerShell cmdlets
- Group Policy
When enabled via Advanced Features, Tamper Protection is globally enabled for all supported machines. Tamper Protection via Advanced Features depends on cloud-delivered protection. Since Defender platform version 4.18.2111.5, if cloud-delivered protection is not turned on and Tamper Protection is enabled, it will automatically enable cloud-delivered protection.
It is possible to start configuring Tamper Protection via MEM/Intune during the initial deployment and switch directly to the global enablement after the initial deployment. For servers, Tenant Attach is required for enforcing Tamper Protection from Intune.
When Tamper Protection is enabled globally, it is possible to override Tamper Protection using Intune for disabling Tamper Protection.
Advice: Configuring from the portal is recommended for all supported devices; my advice is to enable Tamper Protection via the portal and not only in MECM or Intune, and ideally configure both for the best protection state.
In my opinion tamper protection must always be enabled. The new troubleshooting mode can be used during troubleshooting situations to temporarily disable the features. Sometimes customers like to disable Microsoft Defender during troubleshooting and not configure Tamper Protection, which creates a security gap. The new troubleshooting mode addresses this request, giving teams more flexibility. View the in-depth troubleshooting blog here.
Microsoft docs: Protect security settings with tamper protection
Recently Microsoft added the feature "Tamper protection for exclusions". With this new feature, there is more control over exclusions.
When tamper protection is combined with the DisableLocalAdminMerge setting, both the exclusions and DisableLocalAdminMerge are protected by tamper protection. This means that any exclusions configured by other processes will be explicitly ignored and only the intended exclusions are applicable on the device.
Check the registry key HKLM\SOFTWARE\Microsoft\Windows Defender\Features and the value TPExclusions to confirm that the feature is enabled. A value of 1 means the exclusions are protected and the functionality is correctly enabled.
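The check described above, as an added PowerShell example that is not part of the original post: it reads the TPExclusions value from the registry key named in the text and combines it with the built-in Defender cmdlets to report whether tamper protection and its cloud-delivered protection dependency are in place. The registry path and TPExclusions value come from the post; `IsTamperProtected`, `TamperProtectionSource` and `MAPSReporting` are properties of `Get-MpComputerStatus`/`Get-MpPreference`. Run in an elevated session on an onboarded Windows device.

```powershell
# Added example (not part of the original post): report the local tamper protection state.
function Get-TamperProtectionState {
    [CmdletBinding()]
    param()

    # Key and value from the post: TPExclusions = 1 means exclusions are tamper protected.
    $featuresKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features'

    # Effective state as reported by the Defender platform itself.
    $status = Get-MpComputerStatus
    # MAPSReporting: 0 = cloud-delivered protection off, 1 = basic, 2 = advanced.
    $pref   = Get-MpPreference

    # TPExclusions is absent on platforms without "tamper protection for exclusions",
    # so read it defensively instead of failing.
    $tpExclusions = (Get-ItemProperty -Path $featuresKey -Name 'TPExclusions' `
                        -ErrorAction SilentlyContinue).TPExclusions

    $result = [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        TamperProtected        = [bool]$status.IsTamperProtected
        # Present on newer platform versions (e.g. Intune or the MDE portal); $null otherwise.
        TamperProtectionSource = $status.TamperProtectionSource
        CloudProtectionEnabled = ($pref.MAPSReporting -ne 0)
        ExclusionsProtected    = ($tpExclusions -eq 1)
        TPExclusionsRawValue   = $tpExclusions
    }

    # Each finding maps to one of the configuration points discussed in the post.
    $findings = @()
    if (-not $result.TamperProtected) {
        $findings += 'Tamper protection is OFF: a local administrator can disable Defender AV.'
    }
    if (-not $result.CloudProtectionEnabled) {
        $findings += 'Cloud-delivered protection is OFF: portal-managed tamper protection depends on it.'
    }
    if ($result.TamperProtected -and -not $result.ExclusionsProtected) {
        $findings += 'Exclusions are not tamper protected (TPExclusions missing or not 1): locally added exclusions may still be honoured.'
    }
    Add-Member -InputObject $result -NotePropertyName Findings -NotePropertyValue $findings
    return $result
}

# Usage: show the state and any findings for this device.
Get-TamperProtectionState | Format-List
```

An empty Findings list means tamper protection, cloud-delivered protection and exclusion protection are all active on the device.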
Microsoft Defender for Identity integration
The integration with Microsoft Defender for Identity receives enriched user and device data from Defender for Identity and forwards Defender for Endpoint signals. Both products gain better visibility, additional detections, and more efficient investigations.
Advice: Always enable it when the license is available for Defender for Identity. There is no downside to having this feature enabled when Defender for Identity is available.
Update January 2023: Integration is not needed anymore; Defender for Identity is part of Microsoft Defender 365 and already enabled part of the Microsoft 365 Defender integration.
Show user details
When this feature is enabled, the user details stored in Azure Active Directory are visible in Microsoft Defender. Details include a user's picture, name, title, and department information when investigating user account entities. Personal information is available in the following dashboards:
- Security operation dashboard
- Alert queue
- Device details page
Advice: Enable when there is no specific reason for disablement.
Office 365 Threat Intelligence connection
The Office 365 Threat Intelligence connection is available when Office 365 E5 or the Threat Intelligence add-on is available. When enabled, data from Defender for Office 365 is available in Defender for Endpoint.
Note: Additional configuration is required from the Security & Compliance dashboard.
Advice: Always enable it when the license is available. There is no downside to having this feature enabled.
Update January 2023: Integration is not needed anymore; Defender for Office is part of Microsoft Defender 365.
Microsoft Defender for Cloud Apps
This feature/ integration will be discussed later in this series during the integration part.
Web content filtering
This feature will be discussed later in this series.
Download quarantined files
Downloading quarantined files allows security teams to download quarantined files using the “Download file” button. All quarantined files will be collected and stored in a secure location.
Advice: This feature will benefit Security Admins and SecOps teams during an investigation, by permitting them to download the quarantined files directly from the portal, without any end-user involvement.
Share endpoint alerts with Microsoft Purview Compliance Center
Forwards endpoint security alerts and their triage status to the Microsoft Purview compliance portal, which allows insider risk management policies to be enhanced with these alerts.
Advice: Enable and only disable when compliance sharing is not allowed with Microsoft Purview Compliance Center based on legal reasons.
Authenticated telemetry
Authenticated telemetry prevents spoofed telemetry from being sent into Defender for Endpoint.
Advice: Always enable; it gives protection against telemetry spoofing.
Microsoft Intune connection
This feature/ integration will be discussed later in this series during the onboarding part.
Device discovery
This feature will be discussed later in this series.
Preview features
When enabled, the Defender for Endpoint tenant receives new improvements and features earlier. All preview features released in public preview are fully supported by Microsoft.
The preview versions are provided with a standard support level and can be used in production environments. When enabled, the features remain enabled for the generally available (GA) release.
Advice: Depending on the environment – some environments only use generally available features. Personally, I usually activate the preview features to get quicker hands-on experience with new features. Based on multiple years of experience, I never had critical issues caused by preview features.
Endpoint Attack Notification
Endpoint Attack Notification is part of Microsoft Threat Experts. Endpoint Attack Notifications provide proactive hunting based on real Microsoft Defender data. Enabling endpoint attack notifications is recommended. These notifications show up as a new alert.
Endpoint Attack Notification is free when you apply and are approved. You can apply from security.microsoft.com -> from the navigation pane, go to Settings > General > Advanced features > Endpoint Attack Notification.
Advice: Enable when possible; Endpoint Attack Notifications add interesting threat information, including proactive hunting based on real Microsoft Defender data.
Permissions – Roles
Correct admin roles, permissions, and assigned Azure Active Directory groups are important for the tier-based/ role-based access model to assign and authorize access to different teams.
Defender for Endpoint supports different ways and options from basic permissions up to advanced permissions.
When configuring Defender for Endpoint for the first time it is based on basic permissions using the following built-in AAD roles:

| Group | AAD built-in role | Permissions in MDE |
|---|---|---|
| Security Administrator | Yes | Full access |
| Global Administrator | Yes | Full access |
| Security Reader | Yes | Read-only access |
| Global Reader | Yes | Read-only access |
Currently, there are two ways of enabling RBAC roles within Defender for Endpoint. In the product itself, there is a roles feature. It is recommended to use the new Defender 365 unified RBAC. With the use of unified RBAC it is possible to create roles across all products.
Roles in Microsoft 365 Defender (Unified RBAC)
Recently Microsoft announced the new unified role-based access feature. With the new unified RBAC, it is possible to enable roles with more permissions for other security apps. See: Defender unified RBAC
With the Microsoft 365 Defender RBAC model it is possible to reuse the existing permissions in the unified RBAC model. With this, it is possible to use single roles for access in Defender for Endpoint, Defender for Office 365, Defender for Identity, and more.
Microsoft explained the mapping between the Microsoft 365 Defender RBAC permissions and the existing RBAC permissions. See: Map Microsoft 365 Defender RBAC permissions to existing RBAC permissions
Unified RBAC is available via Microsoft 365 Defender and is currently supported for Endpoint, Email & collaboration, and Identity.
Roles in Defender for Endpoint
Personally, I prefer to use the Unified RBAC across Microsoft 365 Defender, since this RBAC feature is more ready for the complete EDR/XDR experience. The Defender for Endpoint standalone RBAC is available via the following method:
Enabling the Role-based access control (RBAC) feature is possible in Defender using the button "Turn on roles" in the Roles section.
For each role the permissions can be configured. For example, allow Tier 1 – Local support (Servicedesk) to view data in security operations and threat and vulnerability management,
whereas Tier 2 – Regional/Opco security operations teams are allowed to view data and manage active remediation actions, exception handling, alert investigations, and basic live response capabilities.
Click on Assigned user groups for attaching AzureAD groups.
Permissions – Device Groups
In my personal opinion, device groups are critical in Defender for Endpoint environments, for the following reasons:
- RBAC management: Allowing teams to only manage a subset of devices
- Scoping for settings/ policies: Deploy policies based on device groups (Web content Filtering, indicators, hashes, etc)
- Create target groups for Defender for Cloud Apps: Device groups can be used for Defender for Cloud Apps scoped profiles.
- Configure automation level: Allows the flexibility for automated remediation
- Filtering in Defender portal: Filtering on device groups in TVM makes it possible to view only the TVM recommendations for a specific group (for example domain controllers)
- Visibility for SOC/SIEM/Security: Direct visibility into different types of servers/workstations (Kiosk, WVD, Domain Controller, SQL). Security knows directly that the incident is scoped to one of the domain controllers.
You can define a membership rule that uses one or more of the following device attributes:
- Device name
- Device domain
- Device operating system
- Device tag
Device tags can be easily set by registry, PowerShell, API, Logic App, manually, or via Intune. Device attributes can be used for configuring groups based on OS, naming convention, or domain. It is possible to use the AND operator. For example, we can have a device group called NL devices with the membership rule ("Device Name" starts with "NL" AND "OS" = "Windows 10 and Windows 11").
Devices can only be a member of one device group. Device groups are assigned a rank. When a device is matched to more than one group, it is only added to the highest-ranked group. Devices that are not matched to any groups are added to the Ungrouped devices group. In the example below, Server – all Windows Servers is the highest-ranked group and Ungrouped devices (default) the lowest.
User access makes it possible to restrict access for specific groups by selecting the configured Roles. For example, allow only admins in the US to view US-only devices. When configuring User access it is required to add the group first in one of the roles. When added in the Roles section it is possible to select the configured group in the device group user access settings.
With the use of the new Asset rule management feature, it is possible to create rules for different assets and tag devices automatically. Asset rule management is visible via Settings -> Endpoints -> Asset rule management. With the feature, it is possible to define rules based on conditions (Name, Domain, OS platform, internet facing, onboarding status, device tags). As an action, it is possible to tag devices with a custom tag. Based on the tag, device groups can be created.
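Registry-based device tagging, mentioned above as one way to feed a "Device tag" membership rule, as an added PowerShell example that is not part of the original post. The `DeviceTagging` key and its `Group` string value are the location Microsoft documents for registry tagging; the tag names derived here (the "NL" naming convention from the post, plus a DC tag for domain controllers) are constructed for this example. Run elevated on an onboarded Windows device.

```powershell
# Added example (not part of the original post): tag this device for MDE device group matching.
function Set-MdeDeviceTag {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateNotNullOrEmpty()]
        [string]$Tag
    )

    # Documented registry location read by the MDE sensor; value name "Group" (REG_SZ).
    $tagKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging'

    if (-not (Test-Path -Path $tagKey)) {
        New-Item -Path $tagKey -Force | Out-Null
    }

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Set MDE device tag '$Tag'")) {
        # The registry supports a single tag, so an existing value is replaced rather than appended.
        New-ItemProperty -Path $tagKey -Name 'Group' -Value $Tag -PropertyType String -Force | Out-Null
    }

    # Read the value back so the caller can verify what the sensor will report.
    return (Get-ItemProperty -Path $tagKey -Name 'Group').Group
}

function Get-ExpectedDeviceTag {
    # Derive a tag from local facts that the membership rules in the post key on:
    # the "NL" device name prefix, and the domain controller role (Win32_OperatingSystem
    # ProductType: 1 = workstation, 2 = domain controller, 3 = member server).
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    if ($os.ProductType -eq 2) {
        return 'DC'          # constructed tag: lands the device in a domain controller group
    }
    if ($env:COMPUTERNAME -like 'NL*') {
        return 'NL'          # constructed tag: matches the "NL devices" example in the post
    }
    return 'Unclassified'    # constructed fallback so ungrouped devices stay visible
}

# Usage: compute the tag, apply it, and confirm the stored value matches.
$expected = Get-ExpectedDeviceTag
$applied  = Set-MdeDeviceTag -Tag $expected
if ($applied -ne $expected) {
    throw "Tag mismatch: expected '$expected' but registry holds '$applied'"
}
Write-Output "Device tag '$applied' set; it appears in the portal after the next sensor report."
```

The tag becomes usable in a device group membership rule only after the sensor has reported it, so allow for that delay before relying on the group for RBAC or automation scoping.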
General – Auto remediation
When configuring device groups in Defender for Endpoint it is possible to select the Auto remediation level. By default, automated remediation is configured on Full for all devices. When Automated investigation and remediation (AIR) is enabled on tenants, Microsoft Defender will auto-create a remediation action that removes the malicious entity found after investigating suspicious activity. This process is completely automatic and part of the AIR configuration. Response actions can be configured using the Auto remediation settings. Based on the automation level the remediation actions are completely automatic or require manual approval. The following levels are available:
| Automation level | Explanation |
|---|---|
| No automated response | Devices will not be investigated. |
| Semi – require approval for all folders | Devices are automatically investigated when an alert is received from a detection system, but require approval before any remediation action can be taken. |
| Semi – require approval for non-temp folders | Devices are automatically investigated when an alert is received from a detection system and automatically remediated within temp and download directories; all other remediation actions require approval. |
| Semi – require approval for core folders | Devices are automatically investigated when an alert is received from a detection system and remediated, except for threats identified within core system directories; remediation actions for threats to core system directories require approval. |
| Full – remediate threats automatically | Devices will be automatically investigated and remediated by MDE, without the need for any human intervention. |
Advice: use the automation level Full – remediate threats automatically and only make exceptions when needed. When Full – remediate threats automatically is not possible (critical devices, POS/Retail, KIOSK) it is recommended to configure one of the Semi automation levels. Don't make exceptions for the Ungrouped devices (default) group; make the default always Full – remediate threats automatically.
For the new Attack Disruption functionality it is recommended to use Full – remediate threats automatically, since automated actions are based on this configuration.
Information Microsoft: Automation levels in automated investigation and remediation capabilities
Conclusion
Part 2 of the Microsoft Defender for Endpoint series is completed – focused on the initial Defender for Endpoint service configuration. Stay tuned for the next parts, where more in-depth knowledge and experience will be shared around Defender for Endpoint, focusing on all the components and additional settings.
Searching for specific Defender for Endpoint information? Use the contact submission form and share the post ideas or contact using Linkedin or Twitter. I will take all suggestions into the Defender for Endpoint series and help the community as far as possible.
I discovered that some alerts were stored in an incorrect folder and were not sent to the service provider. Do you know by any chance how technically they can replay all to us? All alerts from the 1st June until now pushed to us via API again?
Hello,
Data Retention setting is no longer visible in settings page.
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/data-retention-settings?view=o365-worldwide
Opened a ticket with MS. They replied:
As per your issue, we have the following details, please let us know if it's helpful to you:
1. Data Retention period has been moved to default 180 days period.
2. If someone wants to change the data retention period, then they have to request the same with opening a specific case for the same.
Please let me know if you have any other queries.
Thanks for the information.
Indeed – the data retention setting is no longer available; the content will be updated.