{"id":5739,"date":"2022-11-01T23:16:56","date_gmt":"2022-11-01T21:16:56","guid":{"rendered":"https:\/\/jeffreyappel.nl\/?p=5739"},"modified":"2024-01-03T21:39:54","modified_gmt":"2024-01-03T19:39:54","slug":"microsoft-defender-for-endpoint-series-define-the-av-baseline-part4a","status":"publish","type":"post","link":"https:\/\/jeffreyappel.nl\/microsoft-defender-for-endpoint-series-define-the-av-baseline-part4a\/","title":{"rendered":"Microsoft Defender for Endpoint series \u2013 Define the AV policy baseline \u2013 Part4A"},"content":{"rendered":"\n<p>It is time for part 4A of the ultimate Microsoft Defender for Endpoint (MDE) series. <a href=\"https:\/\/jeffreyappel.nl\/microsoft-defender-for-endpoint-series-configure-av-next-generation-protection-part4\/\">Part 4<\/a> explains the AV\/ next-generation protection component. Now it is time for some more detailed policy explanation, what do we need to enable, which setting is recommended and where is impact expected? <\/p>\n\n\n\n<p>NOTE: The blog series focuses on features in&nbsp;<strong>Microsoft Defender for Endpoint P2<\/strong>&nbsp;all&nbsp;<strong>Microsoft Defender for Endpoint P1<\/strong>&nbsp;features are available in P2.<\/p>\n\n\n\n<p><strong>Specific question or content idea part of Defender for Endpoint? Use the&nbsp;<a href=\"https:\/\/jeffreyappel.nl\/contact-form-content-request\/\">contact submission<\/a>&nbsp;form and share the post ideas.<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Introduction<\/h2>\n\n\n\n<p>Microsoft Defender Antivirus is&nbsp;Microsoft Defender for Endpoint&#8217;s <strong>&#8216;<em><strong>next-generation<\/strong> protection component<\/em><\/strong>&#8216; that combines machine learning, big data analysis, threat research, and Microsoft\u2019s cloud infrastructure to protect devices more in-depth with additional layers based on behavior, heuristics, and real-time protection.&nbsp;<\/p>\n\n\n\n<p>For more AV\/ NGAV information see; <a href=\"https:\/\/jeffreyappel.nl\/microsoft-defender-for-endpoint-series-configure-av-next-generation-protection-part4\/\">Microsoft Defender for Endpoint series \u2013 Configure AV\/ next-generation protection \u2013 Part4<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What are the additional configurations?<\/h2>\n\n\n\n<p>Next to the configuration in Defender for Endpoint (security.microsoft.com), there are more additional configurations available related to Defender for Endpoint:<\/p>\n\n\n\n<p><strong>Next-generation protection\/ Defender AV<\/strong><\/p>\n\n\n\n<ul>\n<li>Cloud protection<\/li>\n\n\n\n<li>Real-time protection<\/li>\n\n\n\n<li>Block at first sight<\/li>\n\n\n\n<li>Signature update settings<\/li>\n\n\n\n<li>Scan settings<\/li>\n\n\n\n<li>Additional AV configuration<\/li>\n<\/ul>\n\n\n\n<p><strong>Attack surface reduction<\/strong><\/p>\n\n\n\n<ul>\n<li>Attack Surface Reduction (ASR) Rules<\/li>\n\n\n\n<li>Controlled folder access<\/li>\n\n\n\n<li>Device control<\/li>\n\n\n\n<li>Exploit protection<\/li>\n\n\n\n<li>Network protection<\/li>\n\n\n\n<li>Web protection<\/li>\n\n\n\n<li>Ransomware protection<\/li>\n\n\n\n<li>Application control<\/li>\n\n\n\n<li>HW-based isolation<\/li>\n<\/ul>\n\n\n\n<p><strong>Additional Defender protections<\/strong><\/p>\n\n\n\n<ul>\n<li>Windows Defender Credential Guard<\/li>\n\n\n\n<li>Microsoft Defender SmartScreen<\/li>\n\n\n\n<li>Windows Defender Firewall<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity is-style-wide\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Cloud protection<\/h2>\n\n\n\n<p>As already explained in the previous part; cloud protection is critical and needs to be enabled correctly. <\/p>\n\n\n\n<p>Cloud protection is available based on 4 pre-configured levels; <\/p>\n\n\n\n<ul>\n<li>Not configured<\/li>\n\n\n\n<li>High<\/li>\n\n\n\n<li>High Plus<\/li>\n\n\n\n<li>Zero Tolerance<\/li>\n<\/ul>\n\n\n\n<p><em>Zero Tolerance<\/em> is blocking all unknown executables and is useful for the real restricted endpoints. Based on my experience<strong> <\/strong><em>High<\/em> is average good protection; where <em>High Plus<\/em> uses extra protection measures. <\/p>\n\n\n\n<p><\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>Recommendation<\/strong>: High plus when possible; or at least High. Never disable\/ not configure Cloud protection; without Cloud protection enabled there is a lack of protection and MDE functionalities. <\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><strong>Configuration using Intune<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/10\/image-83-1024x485.png\" alt=\"\"\/><\/figure>\n\n\n\n<p>Use Endpoint Security -&gt; Antivirus -&gt; Profile: Microsoft Defender Antivirus and configure: <\/p>\n\n\n\n<p><\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>Setting<\/strong><\/td><td><strong>Configuration<\/strong><\/td><\/tr><tr><td>Allow Behavior Monitoring<\/td><td>Allowed<\/td><\/tr><tr><td>Allow Cloud Protection<\/td><td>Allowed<\/td><\/tr><tr><td>Allow Realtime Monitoring<\/td><td>Allowed<\/td><\/tr><tr><td>Cloud Block Level<\/td><td>High\/ High Plus<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Sample submission<\/h3>\n\n\n\n<p>Sample submission is a key component of Cloud protection and sends file metadata to the cloud protection service when Defender Antivirus cannot make a clear determination based on the client-based machine learning models or local behavioral analysis. When the Defender Antivirus cloud protection cannot reach a verdict for the specific file; it can request a sample for further inspection. <\/p>\n\n\n\n<p>How works sample submission\/ Cloud-delivered protection feature: <a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/security\/defender-endpoint\/cloud-protection-microsoft-antivirus-sample-submission?view=o365-worldwide\">Source Microsoft<\/a><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img fetchpriority=\"high\" decoding=\"async\" width=\"1024\" height=\"891\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-10-1024x891.png\" alt=\"\" class=\"wp-image-5753\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-10-1024x891.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-10-300x261.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-10-768x668.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-10-585x509.png 585w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-10.png 1074w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>There are 4 levels of sample submission;<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Sample submission<\/th><th>Description<\/th><th>User notification for submission? <\/th><\/tr><\/thead><tbody><tr><td>Send safe samples automatically&nbsp;<\/td><td>Send safe samples considered to not contains PII data<\/td><td>Yes<\/td><\/tr><tr><td>Always Prompt<\/td><td>The users will always be prompted for consent before any file submission<\/td><td>Yes<\/td><\/tr><tr><td>Send all samples automatically<\/td><td>All samples will be sent automatically, without any additional prompt for the users<\/td><td>No<\/td><\/tr><tr><td>Do not send<\/td><td>Prevents the complete &#8216;block at first sight&#8217; feature<\/td><td><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>Recommendation<\/strong>: Send safe samples automatically or send all samples automatically. Send safe gives a prompt when the user needs to submit data with PIII files. Sens all samples automatically is sending all files without any prompt. Choose one of the options. <strong>NEVER <\/strong>use the option &#8220;Do not send&#8221; which disables the complete feature. When Sample submission is disabled; BAFS is also disabled and file analysis is limited to metadata only. <\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>More information: <a href=\"http:\/\/Cloud protection and sample submission at Microsoft Defender Antivirus\">Cloud protection and sample submission at Microsoft Defender Antivirus<\/a><\/p>\n\n\n\n<p><strong><strong>Configuration using Intune<\/strong><\/strong><\/p>\n\n\n\n<p>Use Endpoint Security -&gt; Antivirus -&gt; Profile: Microsoft Defender Antivirus and configure the setting <em>Submit Samples Consent<\/em><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"258\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-2-1024x258.png\" alt=\"\" class=\"wp-image-5745\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-2-1024x258.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-2-300x76.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-2-768x193.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-2-585x147.png 585w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-2.png 1112w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Cloud block timeout period<\/h3>\n\n\n\n<p>Cloud Extended Timeout is a configuration where Defender Antivirus can prevent the file from running while it queries the verdict against the Defender Antivirus cloud service. By default; Microsoft blocks the file for 10 seconds. Extending the cloud block helps to receive a good result from the cloud service. <\/p>\n\n\n\n<p>Cloud Extended Timeout can be configured in seconds from 1 second to 50 seconds. Each configured time is added to the default 10 seconds. 50 makes the timeout 50+10= 60 seconds. <\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>Recommendation<\/strong>: Configure 50 seconds additional timeout. <\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>Intune<\/strong><\/p>\n\n\n\n<p>Use Endpoint Security -&gt; Antivirus -&gt; Profile: Microsoft Defender Antivirus and configure the setting <em>Cloud Extended Timeout<\/em><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"137\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-3-1024x137.png\" alt=\"\" class=\"wp-image-5746\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-3-1024x137.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-3-300x40.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-3-768x103.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-3-585x78.png 585w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-3.png 1107w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Block at first sight<\/h3>\n\n\n\n<p>The combination of the above three settings enables block at first sight (BAFS). Block at first sight detects new malware and blocks it within some seconds. For getting BAFS enables it is needed to configure the above items; Cloud protection; submission timeout, and file blocking level of high or more strict (high+\/ Zero-tolerance). When all items are configured Block at first sight is correctly enabled. <\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>Recommendation: <\/strong>Enable BAFS with the combination of the above features. <\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity is-style-wide\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Scan options<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Daily quick scan<\/h3>\n\n\n\n<p>Some years ago there was a &#8216;best practice&#8217; for scanning weekly the full scan drive. The full scan gives overlap and takes time and resources from the system. With the use of all cloud protection features and Automated Investigation, there is no need for scheduling the full scan. Real-time\/ cloud protection reviews all files that are opened and closed and any files that are in folders that are accessed by a user. <\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>Recommendation: <\/strong>Configure daily quick scan. Running a full scan once after you&#8217;ve just enabled or installed Microsoft Defender Antivirus can be useful to scan systems for the initial time and detect existing threats. <\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p><strong><strong>Configuration using Intune<\/strong><\/strong><\/p>\n\n\n\n<p>Use Endpoint Security -&gt; Antivirus -&gt; Profile: Microsoft Defender Antivirus and configure the setting <em>Schedule Quick scan Time<\/em>. <\/p>\n\n\n\n<p>Schedule Scan Day is not needed. Schedule Quick Scan Time runs each day during the configured time. <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"460\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2024\/01\/image-2-1024x460.png\" alt=\"\" class=\"wp-image-7665\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2024\/01\/image-2-1024x460.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2024\/01\/image-2-300x135.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2024\/01\/image-2-768x345.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2024\/01\/image-2-585x263.png 585w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2024\/01\/image-2.png 1278w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Other scan options<\/h3>\n\n\n\n<p>Defender Antivirus contains more scan features part of Defender AV. <\/p>\n\n\n\n<p><em>Table based on MDE Endpoint Security profile<\/em><\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Configuration<\/th><th>Recommendation<\/th><\/tr><\/thead><tbody><tr><td>Allow Archive Scanning<\/td><td>Allowed<\/td><\/tr><tr><td>Allow Email Scanning<\/td><td>Allowed<\/td><\/tr><tr><td>Allow Full Scan on Mapped Network<\/td><td>Not Allowed<\/td><\/tr><tr><td>Allow Full Scan Removable Drive Scanning<\/td><td>Allowed<\/td><\/tr><tr><td>Allow scanning of all downloaded files and attachments<\/td><td>Allowed<\/td><\/tr><tr><td>Allow Scanning Network Files<\/td><td>Allowed<\/td><\/tr><tr><td>Allow Script Scanning<\/td><td>Allowed<\/td><\/tr><tr><td>Check for signatures before running scan<\/td><td>Allowed<\/td><\/tr><tr><td>Enable Low CPU priority<\/td><td>Enabled<\/td><\/tr><tr><td>AVG CPU Load Factor<\/td><td>20%<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity is-style-wide\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Signatures<\/h2>\n\n\n\n<p>Defender Antivirus relies on the daily available signature updates. KB2267602 deploys security intelligence updates multiple times a day. With the use of cloud-delivered protection, Microsoft can deploy signature updates or critical updates. You can check which are the current versions on&nbsp;<a href=\"https:\/\/www.microsoft.com\/en-us\/wdsi\/defenderupdates\" target=\"_blank\" rel=\"noreferrer noopener\">this website<\/a> or check the <a href=\"https:\/\/www.microsoft.com\/en-us\/wdsi\/definitions\/antimalware-definition-release-notes\">release notes<\/a> for the frequency. <\/p>\n\n\n\n<p>Defender Antivirus supports different sources for getting AV updates; <\/p>\n\n\n\n<ul>\n<li><a href=\"https:\/\/support.microsoft.com\/help\/12373\/windows-update-faq\">Microsoft Update<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-server\/administration\/windows-server-update-services\/get-started\/windows-server-update-services-wsus\">Windows Server Update Service<\/a>&nbsp;<\/li>\n\n\n\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/configmgr\/core\/servers\/manage\/updates\">Microsoft Endpoint Configuration Manager<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/security\/defender-endpoint\/manage-protection-updates-microsoft-defender-antivirus?view=o365-worldwide#unc-share\">Network file share<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/security\/defender-endpoint\/manage-protection-update-schedule-microsoft-defender-antivirus\">Security intelligence updates for Microsoft Defender Antivirus and other Microsoft anti-malware<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><strong>Common mistake; <\/strong>Sometimes customers slow down the frequency of the updates for &#8220;skipping&#8221; bad updates. Microsoft pushed immediate corrections when there were huge issues. With rapid frequency; the update is asap fixed with the newly released update. When configuring 48 hours; it takes hours before the fix is applied. <\/p>\n\n\n\n<p><strong>IMPORTANT:<\/strong> Do not use WSUS\/SCCM for the primary configuration of Defender AV signature updates. When using WSUS\/ SCCM you need to first sync the updates from the catalog (mostly daily or even weekly), after the sync it deploys to the system; now Microsoft releases a new patch with a critical fix; the customer needs to wait again for the update sync. WSUS\/SCCM makes it complex, causing overhead and giving always issues. <\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Signature source<\/h3>\n\n\n\n<p>Avoid WSUS\/ SCCM as configured update source. Ideally, use the MicrosoftUpdate source as the primary source to get updates directly from Microsoft. <\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>Recommendation: <\/strong>Use MicrosoftUpdate as the primary source. Avoid WSUS\/ SCCM as the primary source for security updates.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p><strong><strong>Configuration using Intune<\/strong><\/strong><\/p>\n\n\n\n<p>For Intune, no additional configuration is needed for the AV signature source. The default configures the following update order; MicrosoftUpdateServer|MMPC<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Signature update interval<\/h3>\n\n\n\n<p>How quicker the interval is configured; how smaller the package is in size. Waiting some hours\/ days makes the delta larger; with the interval of 1-4 hours, the package is small and gives no network impact. <\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>Recommendation: <\/strong>Use the 1-hour interval for Defender signature updates. <\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p><strong><strong><strong>Configuration using Intune<\/strong><\/strong><\/strong><\/p>\n\n\n\n<p>Use Endpoint Security -&gt; Antivirus -&gt; Profile: Microsoft Defender Antivirus and configure the setting <em>Signature Update Interval<\/em> <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"107\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-6-1024x107.png\" alt=\"\" class=\"wp-image-5749\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-6-1024x107.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-6-300x31.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-6-768x80.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-6-585x61.png 585w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-6.png 1094w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity is-style-wide\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Additional protection<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Local Admin Merge <\/h3>\n\n\n\n<p>One of the most underrated policies, this policy needs personally enabled in each baseline. Without Local Admin Merge; administrators can manage the local AV exclusion list. Disabling Local Admin Merge applies only exclusions configured in the management tool (Intune, MECM&#8230;) <\/p>\n\n\n\n<p>For both MDAV and Windows Firewall the &#8220;disable local admin merge&#8221; needs to be enabled. Otherwise, a <strong>local<\/strong> <strong>admin<\/strong> can bypass most of your protections part of Defender AV via the UI or PowerShell module. And yes; there are still some bypass options for the exclusions. <\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>Recommendation:<\/strong> there is no doubt about enabling this setting; when using the local admin merge watch out for apps that create rules during the installation; this needs to be managed centralized. (seen in practice with firewall rules)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p><strong><strong>Configuration using Intune<\/strong><\/strong><\/p>\n\n\n\n<p>Use Endpoint Security -&gt; Antivirus -&gt; Profile: Microsoft Defender Antivirus and configure the setting <em>Disable Local Admin Merge <\/em>with the value Disabled.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"107\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-7-1024x107.png\" alt=\"\" class=\"wp-image-5750\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-7-1024x107.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-7-300x31.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-7-768x80.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-7-585x61.png 585w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-7.png 1139w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Disabled is disabling the Local Admin Merge feature and option for configuring local exclusions via the UI or PowerShell. <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"465\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-8-1024x465.png\" alt=\"\" class=\"wp-image-5751\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-8-1024x465.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-8-300x136.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-8-768x349.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-8-585x266.png 585w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-8.png 1476w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">PUA protection<\/h3>\n\n\n\n<p>Potentially unwanted applications (PUA) is typically software that can cause slowness on the system, display ads, or installed other unwanted software, PUA is not considered&nbsp;a virus, malware, or other types of threats, but is mostly focused on endpoint performance or evasion software. Example of typical PUA detections:<\/p>\n\n\n\n<ul>\n<li>CCleaner<\/li>\n\n\n\n<li>Utorrent bundle<\/li>\n\n\n\n<li>Toolbar software<\/li>\n\n\n\n<li>Software with hidden ( toolbar) installations. <\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>Recommendation:<\/strong> Enable PUA and start with testing in audit mode and review logs\/ Advanced Hunting for calculating possible impact. <\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p><strong><strong>Configuration using Intune<\/strong><\/strong><\/p>\n\n\n\n<p>Use Endpoint Security -&gt; Antivirus -&gt; Profile: Microsoft Defender Antivirus and configure the setting <em>PUA Protection<\/em><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"204\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-9-1024x204.png\" alt=\"\" class=\"wp-image-5752\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-9-1024x204.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-9-300x60.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-9-768x153.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-9-585x117.png 585w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-9.png 1312w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Custom settings<\/h3>\n\n\n\n<p>A couple of settings are currently not available in the Intune AV policies and need to be created via custom policies. The following configurations are important:<\/p>\n\n\n\n<p><strong>EnableFileHashComputation<\/strong>: The file hash computation adds a couple of benefits for the indicator mechanism for better\/ faster marching of file indicators the collection of more hashes for files\/ all files and better\/faster matching for custom file indicators. <\/p>\n\n\n\n<p>This setting requires additional testing since there can be some performance increase. May impact machines with large file transfers (file servers) &#8211; always test for performance!! This setting is a must for highly secure systems. <\/p>\n\n\n\n<p>The setting can be configured via the Settings catalog in Intune: <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"445\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2024\/01\/image-3-1024x445.png\" alt=\"\" class=\"wp-image-7666\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2024\/01\/image-3-1024x445.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2024\/01\/image-3-300x130.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2024\/01\/image-3-768x334.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2024\/01\/image-3-585x254.png 585w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2024\/01\/image-3.png 1528w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><strong>Disable exclusions for admins and local users<\/strong>: it is possible to restrict the view of exclusions for admins\/ local users. When users are admin it prevents the policy manager in the registry, which results in less bypass to edit the configuration\/ local exclusions. The following settings are available via the settings catalog in Intune: <\/p>\n\n\n\n<ul>\n<li>Hide Exclusions From Local Admins<\/li>\n\n\n\n<li>Hide Exclusions From Local Users<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"492\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2024\/01\/image-4-1024x492.png\" alt=\"\" class=\"wp-image-7667\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2024\/01\/image-4-1024x492.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2024\/01\/image-4-300x144.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2024\/01\/image-4-768x369.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2024\/01\/image-4-1536x738.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2024\/01\/image-4-585x281.png 585w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2024\/01\/image-4.png 1620w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity is-style-wide\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Network protection<\/h2>\n\n\n\n<p>Network protection is critical in combination with Defender for Endpoint network indicators and web content filtering. For blocking indicators the Network protection feature must be enabled in block mode. Network protection is an attack surface reduction capability, and prevents access to dangerous domains or custom-blocked indicators. <\/p>\n\n\n\n<p>The network protection component of Defender for Endpoint identifies and blocks connections to C2 infrastructures used in ransomware attacks. Blocking C2 attacks makes Network Protection more important. <\/p>\n\n\n\n<p>For Microsoft Edge browsers SmartScreen must be enabled for working in cases with specific features. SmartScreen will be explained in the next blog part. <\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Feature<\/th><th>Microsoft Edge<\/th><th>3rd-party browsers<\/th><th>Non-browser processes<br>(e.g. PowerShell)<\/th><\/tr><\/thead><tbody><tr><td>Web Threat Protection<\/td><td>SmartScreen must be enabled<\/td><td>NP has to be in block mode<\/td><td>NP has to be in block mode<\/td><\/tr><tr><td>Custom Indicators<\/td><td>SmartScreen must be enabled<\/td><td>NP has to be in block mode<\/td><td>NP has to be in block mode<\/td><\/tr><tr><td>Web Content Filtering<\/td><td>SmartScreen must be enabled<\/td><td>NP has to be in block mode<\/td><td>Not supported<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>For Network protection, the features real-time protection and cloud-delivered protection must be enabled and activated. Network protection optimization is enabled by default and can help with app compatibility problems and reduce bandwidth. <em>-AllowSwitchToAsyncInspection<\/em> is enabled by default. <\/p>\n\n\n\n<p>For Windows Servers and Windows Multi-session additional configuration is required for network protection when not using Intune. Recently Microsoft added new policies and includes the following new policies:<\/p>\n\n\n\n<ul>\n<li>Allow network protection Down Level<\/li>\n\n\n\n<li>Allow Datagram Processing on Win Server<\/li>\n<\/ul>\n\n\n\n<p>With the new policies, it is possible to set the below keys automatically via Intune\/ MDE Management. <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"486\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/06\/image-39-1024x486.png\" alt=\"\" class=\"wp-image-6942\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/06\/image-39-1024x486.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/06\/image-39-300x142.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/06\/image-39-768x364.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/06\/image-39-1536x729.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/06\/image-39-585x278.png 585w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/06\/image-39.png 1608w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Test always the setting; <em>AllowDatagramProcessingOnWinServer<\/em> which is scoping on inspection of UDP connections on Windows Servers on high load servers (Exchange, SQL..) <\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Set-MpPreference -EnableNetworkProtection Enabled\nSet-MpPreference -AllowNetworkProtectionOnWinServer 1\nSet-MpPreference -AllowNetworkProtectionDownLevel 1\nSet-MpPreference -AllowDatagramProcessingOnWinServer 1     <\/code><\/pre>\n\n\n\n<p><\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>Recommendation:<\/strong> Enable Network protection in block mode. Audit mode can be used for evaluating first. Important: Audit mode is not blocking any website or network traffic. <\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>Configuration using Intune<\/strong><\/p>\n\n\n\n<p>Use Endpoint Security -&gt; Antivirus -&gt; Profile: Microsoft Defender Antivirus and configure the setting <em>Enable Network Protection<\/em><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"219\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-11-1024x219.png\" alt=\"\" class=\"wp-image-5764\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-11-1024x219.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-11-300x64.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-11-768x164.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-11-585x125.png 585w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-11.png 1152w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity is-style-wide\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Tamper Protection<\/h2>\n\n\n\n<p>Tamper Protection must be enabled. Ideally, enable Tamper Protection in MDE. See the earlier part of this series for the Tamper Protection enablement via security.microsoft.com. Don&#8217;t disable or not use Tamper Protection. <a href=\"https:\/\/jeffreyappel.nl\/microsoft-defender-for-endpoint-troubleshooting-mode-how-to-use-it\/\">Troubleshooting mode<\/a> can be used for troubleshooting situations. <\/p>\n\n\n\n<p>Blog:<a href=\"https:\/\/jeffreyappel.nl\/microsoft-defender-for-endpoint-troubleshooting-mode-how-to-use-it\/\"> Microsoft Defender for Endpoint Troubleshooting mode \u2013 how to use it?<\/a><\/p>\n\n\n\n<p>Bad actors like to disable your security features to get easier access to data, install malware, or exploit your data, identity, and devices.<\/p>\n\n\n\n<p>Tamper Protection prevents against the following actions: <\/p>\n\n\n\n<ul>\n<li>Disabling virus and threat protection<\/li>\n\n\n\n<li>Disabling real-time protection<\/li>\n\n\n\n<li>Turning off behavior monitoring<\/li>\n\n\n\n<li>Disabling antivirus protection, such as IOfficeAntivirus (IOAV)<\/li>\n\n\n\n<li>Disabling cloud-delivered protection<\/li>\n\n\n\n<li>Removing security intelligence updates<\/li>\n\n\n\n<li>Disabling automatic actions on detected threats<\/li>\n\n\n\n<li>Suppressing notifications in the Windows Security app<\/li>\n\n\n\n<li>Disabling scanning of archives and network files<\/li>\n<\/ul>\n\n\n\n<p><strong>Tamper protection for exclusions<\/strong><\/p>\n\n\n\n<p>When enabled Tamper Protection via Intune and the Defender service settings there is additional protection for exclusions in combination with the DisableLocalAdminMerge policy. When enabled each exclusion added by other processes will be explicitly ignored. <\/p>\n\n\n\n<p>When managed via Intune, it ensures that&nbsp;<strong>ONLY<\/strong>&nbsp;settings coming from Intune and its related processes are effective on the device. All settings from other methods\/ applications or GPOs will be ignored. This prevents the default behavior of many applications in terms of adding unwanted exclusions on the background during the installation. <\/p>\n\n\n\n<p><strong>Validation<\/strong><\/p>\n\n\n\n<p>Under the registry key\u202f<strong>HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features<\/strong>, find the value\u202f<strong>TPExclusions<\/strong>. A value of <strong>1 <\/strong>means exclusions are being protected. A value of 0 or the absence of the value indicates it\u2019s not yet enabled. Changing this key does not affect the protection being enabled. It should be used as an indicator only.&nbsp;<\/p>\n\n\n\n<p>More information: <a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/security\/defender-endpoint\/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide\">Protect security settings with tamper protection<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity is-style-wide\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Validation<\/h2>\n\n\n\n<p>PowerShell can be used for validating the state of Defender for Endpoint. Use the following commands:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Get-MpPreference\nGet-MpComputerStatus<\/code><\/pre>\n\n\n\n<p>Get-MpPreference shows the configuration of Defender AV. Check always of the key components are enabled:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"574\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-1024x574.png\" alt=\"\" class=\"wp-image-5743\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-1024x574.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-300x168.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-768x431.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-585x328.png 585w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image.png 1428w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>The&nbsp;<strong>Get-MpComputerStatus<\/strong>&nbsp;cmdlet gets the status of the Defender AV product. <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"583\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-1-1024x583.png\" alt=\"\" class=\"wp-image-5744\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-1-1024x583.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-1-300x171.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-1-768x437.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-1-585x333.png 585w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/image-1.png 1416w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity is-style-wide\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">PowerShell commands (example)<\/h2>\n\n\n\n<p>Example PowerShell script for configuring Defender AV. Important: only use PowerShell when no other management toolings are available. See part 4 for the available management options. <\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>#Cloud protection\n\"Cloud DeliveredProtection level\"\nSet-MpPreference -MAPSReporting Advanced\n\n\"Set cloud block level to 'High\"\n Set-MpPreference -CloudBlockLevel High\n\n\"Set cloud block timeout to 1 minute\"\nSet-MpPreference -CloudExtendedTimeout 50\n\n\"Cloud Delivered sample submission consent (Send All Samples)\"\nSet-MpPreference -SubmitSamplesConsent 3\n\n\"Block at first seen\"\nSet-MpPreference -DisableBlockAtFirstSeen $False\n\n\"Behaviormonitoring enable\"\nSet-MpPreference -DisableBehaviorMonitoring $False\n\n\"Realtime protection enabling\"\nSet-MpPreference -DisableRealtimeMonitoring $False\n\n\"Enable IOAV protection\"\nSet-MpPreference -DisableIOAVProtection $False\n\n#SCANNING AV settings\n\"Configure Defender AV scan settings\"\nSet-MpPreference -scanAvgCPULoadFactor 20\nSet-MpPreference -DisableScriptScanning $false\nSet-MpPreference -DisableEmailScanning $false\nSet-MpPreference -Disableremovabledrivescanning $false\nSet-MpPreference -DisableCatchupFullScan $False\nSet-MpPreference -DisableCatchupQuickScan $False\nSet-MpPreference -DisableScanningMappedNetworkDrivesForFullScan $True\nSet-MpPreference -RandomizeScheduleTaskTimes $True\nSet-MpPreference -CheckForSignaturesBeforeRunningScan $True\nSet-MpPreference -RealTimeScanDirection 0\n\n#SCANNING AV SCHEDULE\n\"Configure scan schedule settings\"\nSet-MpPreference -SignatureUpdateInterval 1\nSet-MpPreference -SignatureUpdateCatchupInterval 1\n\n#SIGNATURE SCHEDULE\n\"Configure scan settings\"\nSet-MpPreference -ScanScheduleQuickScanTime 02:00:00\n\n#QUARANTINE\n\"Configure Quarantine removal\"\nSet-MpPreference -QuarantinePurgeItemsAfterDelay 60\n\n#Applicationcontrol\n\"Configure potentially unwanted apps in audit mode\"\nSet-MpPreference -PUAProtection AuditMode\n\n\"Enable network protection mode in block mode\"\nSet-MpPreference -EnableNetworkProtection Enabled\n\n\"Configure additional network protection for servers\"\nSet-MpPreference -AllowNetworkProtectionOnWinServer 1\nSet-MpPreference -AllowNetworkProtectionDownLevel 1\nSet-MpPreference -AllowDatagramProcessingOnWinServer 1\n\n#Defender for Endpoint\n\"Defender Latency\" \nSet-ItemProperty -Path \"HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Advanced Threat Protection\" -Name \"latency\" -Value expedite -Force<\/code><\/pre>\n\n\n\n<p>More information: <a href=\"https:\/\/learn.microsoft.com\/en-us\/powershell\/module\/defender\/set-mppreference?view=windowsserver2022-ps\">Set-MpPreference PowerShell Cmdlet<\/a><\/p>\n\n\n\n<p>Firewall configuration and additional configuration (SmartScreen, Attack Surface Reduction, Windows Firewall) will be explained in the next part. Performance troubleshooting and testing will be included in one of the latest parts.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity is-style-wide\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p><strong>Part4A&nbsp;<\/strong>of the&nbsp;<a href=\"https:\/\/jeffreyappel.nl\/tag\/mde-series\/\">Microsoft Defender for Endpoint series is completed<\/a>&nbsp;\u2013 focussed on the explanation of the Defender AV policies. In the next part; 4B, more information will be shared about the additional policies scoped on SmartScreen, Attack Surface Reduction, Windows Firewall, and additional settings. <\/p>\n\n\n\n<p>Searching for specific Defender for Endpoint information? Use the&nbsp;<a href=\"https:\/\/jeffreyappel.nl\/contact-form-content-request\/\">contact submission<\/a>&nbsp;form and share the post ideas or contact using&nbsp;<a href=\"https:\/\/www.linkedin.com\/in\/jeffrey-appel-671400198\/\">Linkedin<\/a>&nbsp;or&nbsp;<a href=\"https:\/\/twitter.com\/JeffreyAppel7\">Twitter<\/a>. I will take all suggestions into the Defender for Endpoint series and help the community as far as possible.<\/p>\n\n\n\n<p><a href=\"https:\/\/jeffreyappel.nl\/microsoft-defender-for-endpoint-series-configure-av-next-generation-protection-part4\/\"><strong>View previous part \u2013 Microsoft Defender for Endpoint series \u2013 Configure AV\/ next-generation protection \u2013 Part4<\/strong><\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/jeffreyappel.nl\/microsoft-defender-for-endpoint-series-attack-surface-reduction-and-additional-protection-part4b\/\"><strong>View next part \u2013 Attack Surface reduction and additional protection \u2013 Part4B<\/strong><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>It is time for part 4A of the ultimate Microsoft Defender for Endpoint (MDE) series. Part 4 explains the AV\/ next-generation protection component. Now it is time for some more detailed policy explanation, what do we need to enable, which&#8230;<\/p>\n","protected":false},"author":1,"featured_media":5758,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[189],"tags":[219,239],"table_tags":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Microsoft Defender for Endpoint series \u2013 Define the AV policy baseline \u2013 Part4A<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/jeffreyappel.nl\/microsoft-defender-for-endpoint-series-define-the-av-baseline-part4a\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Microsoft Defender for Endpoint series \u2013 Define the AV policy baseline \u2013 Part4A\" \/>\n<meta property=\"og:description\" content=\"It is time for part 4A of the ultimate Microsoft Defender for Endpoint (MDE) series. Part 4 explains the AV\/ next-generation protection component. Now it is time for some more detailed policy explanation, what do we need to enable, which...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/jeffreyappel.nl\/microsoft-defender-for-endpoint-series-define-the-av-baseline-part4a\/\" \/>\n<meta property=\"og:site_name\" content=\"Jeffrey Appel - Microsoft Security blog\" \/>\n<meta property=\"article:published_time\" content=\"2022-11-01T21:16:56+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-01-03T19:39:54+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/IMG145.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1280\" \/>\n\t<meta property=\"og:image:height\" content=\"720\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Jeffrey\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jeffrey\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"14 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/jeffreyappel.nl\/microsoft-defender-for-endpoint-series-define-the-av-baseline-part4a\/\",\"url\":\"https:\/\/jeffreyappel.nl\/microsoft-defender-for-endpoint-series-define-the-av-baseline-part4a\/\",\"name\":\"Microsoft Defender for Endpoint series \u2013 Define the AV policy baseline \u2013 Part4A\",\"isPartOf\":{\"@id\":\"https:\/\/jeffreyappel.nl\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/jeffreyappel.nl\/microsoft-defender-for-endpoint-series-define-the-av-baseline-part4a\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/jeffreyappel.nl\/microsoft-defender-for-endpoint-series-define-the-av-baseline-part4a\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/IMG145.png\",\"datePublished\":\"2022-11-01T21:16:56+00:00\",\"dateModified\":\"2024-01-03T19:39:54+00:00\",\"author\":{\"@id\":\"https:\/\/jeffreyappel.nl\/#\/schema\/person\/ebdd80b67674ad29968ad249abc89c42\"},\"breadcrumb\":{\"@id\":\"https:\/\/jeffreyappel.nl\/microsoft-defender-for-endpoint-series-define-the-av-baseline-part4a\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/jeffreyappel.nl\/microsoft-defender-for-endpoint-series-define-the-av-baseline-part4a\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jeffreyappel.nl\/microsoft-defender-for-endpoint-series-define-the-av-baseline-part4a\/#primaryimage\",\"url\":\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/IMG145.png\",\"contentUrl\":\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/IMG145.png\",\"width\":1280,\"height\":720},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/jeffreyappel.nl\/microsoft-defender-for-endpoint-series-define-the-av-baseline-part4a\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/jeffreyappel.nl\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Microsoft Defender for Endpoint series \u2013 Define the AV policy baseline \u2013 Part4A\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/jeffreyappel.nl\/#website\",\"url\":\"https:\/\/jeffreyappel.nl\/\",\"name\":\"Jeffrey Appel - Microsoft Security blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/jeffreyappel.nl\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/jeffreyappel.nl\/#\/schema\/person\/ebdd80b67674ad29968ad249abc89c42\",\"name\":\"Jeffrey\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jeffreyappel.nl\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/37bbb7acc360ea70a60f26ca4548d940?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/37bbb7acc360ea70a60f26ca4548d940?s=96&d=mm&r=g\",\"caption\":\"Jeffrey\"},\"url\":\"https:\/\/jeffreyappel.nl\/author\/contact\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Microsoft Defender for Endpoint series \u2013 Define the AV policy baseline \u2013 Part4A","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/jeffreyappel.nl\/microsoft-defender-for-endpoint-series-define-the-av-baseline-part4a\/","og_locale":"en_US","og_type":"article","og_title":"Microsoft Defender for Endpoint series \u2013 Define the AV policy baseline \u2013 Part4A","og_description":"It is time for part 4A of the ultimate Microsoft Defender for Endpoint (MDE) series. Part 4 explains the AV\/ next-generation protection component. Now it is time for some more detailed policy explanation, what do we need to enable, which...","og_url":"https:\/\/jeffreyappel.nl\/microsoft-defender-for-endpoint-series-define-the-av-baseline-part4a\/","og_site_name":"Jeffrey Appel - Microsoft Security blog","article_published_time":"2022-11-01T21:16:56+00:00","article_modified_time":"2024-01-03T19:39:54+00:00","og_image":[{"width":1280,"height":720,"url":"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/IMG145.png","type":"image\/png"}],"author":"Jeffrey","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Jeffrey","Est. reading time":"14 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/jeffreyappel.nl\/microsoft-defender-for-endpoint-series-define-the-av-baseline-part4a\/","url":"https:\/\/jeffreyappel.nl\/microsoft-defender-for-endpoint-series-define-the-av-baseline-part4a\/","name":"Microsoft Defender for Endpoint series \u2013 Define the AV policy baseline \u2013 Part4A","isPartOf":{"@id":"https:\/\/jeffreyappel.nl\/#website"},"primaryImageOfPage":{"@id":"https:\/\/jeffreyappel.nl\/microsoft-defender-for-endpoint-series-define-the-av-baseline-part4a\/#primaryimage"},"image":{"@id":"https:\/\/jeffreyappel.nl\/microsoft-defender-for-endpoint-series-define-the-av-baseline-part4a\/#primaryimage"},"thumbnailUrl":"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/IMG145.png","datePublished":"2022-11-01T21:16:56+00:00","dateModified":"2024-01-03T19:39:54+00:00","author":{"@id":"https:\/\/jeffreyappel.nl\/#\/schema\/person\/ebdd80b67674ad29968ad249abc89c42"},"breadcrumb":{"@id":"https:\/\/jeffreyappel.nl\/microsoft-defender-for-endpoint-series-define-the-av-baseline-part4a\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/jeffreyappel.nl\/microsoft-defender-for-endpoint-series-define-the-av-baseline-part4a\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jeffreyappel.nl\/microsoft-defender-for-endpoint-series-define-the-av-baseline-part4a\/#primaryimage","url":"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/IMG145.png","contentUrl":"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/11\/IMG145.png","width":1280,"height":720},{"@type":"BreadcrumbList","@id":"https:\/\/jeffreyappel.nl\/microsoft-defender-for-endpoint-series-define-the-av-baseline-part4a\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/jeffreyappel.nl\/"},{"@type":"ListItem","position":2,"name":"Microsoft Defender for Endpoint series \u2013 Define the AV policy baseline \u2013 Part4A"}]},{"@type":"WebSite","@id":"https:\/\/jeffreyappel.nl\/#website","url":"https:\/\/jeffreyappel.nl\/","name":"Jeffrey Appel - Microsoft Security blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/jeffreyappel.nl\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/jeffreyappel.nl\/#\/schema\/person\/ebdd80b67674ad29968ad249abc89c42","name":"Jeffrey","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jeffreyappel.nl\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/37bbb7acc360ea70a60f26ca4548d940?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/37bbb7acc360ea70a60f26ca4548d940?s=96&d=mm&r=g","caption":"Jeffrey"},"url":"https:\/\/jeffreyappel.nl\/author\/contact\/"}]}},"amp_enabled":false,"_links":{"self":[{"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/posts\/5739"}],"collection":[{"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/comments?post=5739"}],"version-history":[{"count":24,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/posts\/5739\/revisions"}],"predecessor-version":[{"id":7682,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/posts\/5739\/revisions\/7682"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/media\/5758"}],"wp:attachment":[{"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/media?parent=5739"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/categories?post=5739"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/tags?post=5739"},{"taxonomy":"table_tags","embeddable":true,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/table_tags?post=5739"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}