Protecting Windows 10 and other devices with Microsoft Defender for Endpoint
Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. - Microsoft (What is Microsoft Defender for Endpoint?)
Microsoft Defender for Endpoint secures your endpoints (Windows 10, Windows Server, macOS, Linux, Android, and iOS). It's anti-malware on steroids. Microsoft Defender for Endpoint can be deployed easily through your Microsoft 365 admin centers, and once deployed it protects your devices and recommends ways to harden them. Microsoft Defender for Endpoint lets you protect, investigate, and respond to risks and security threats across all your endpoints.
What licenses are required to set up Defender for Endpoint?
First, there are two plans for Microsoft Defender for Endpoint: Microsoft Defender for Endpoint Plan 1 (P1) & Microsoft Defender for Endpoint Plan 2 (P2).
- Microsoft Defender for Endpoint Plan 1 (P1) is available as a standalone subscription and it's part of the Microsoft 365 E3 and Microsoft 365 A3 licenses.
- Microsoft Defender for Endpoint Plan 2 (P2) is available as a standalone subscription and it's part of the following licenses:
  - Windows 11 Enterprise E5 & Windows 11 Enterprise A5
  - Windows 10 Enterprise E5 & Windows 10 Enterprise A5
  - Microsoft 365 E5 & Microsoft 365 A5 & Microsoft 365 G5
  - Microsoft 365 E5 Security & Microsoft 365 A5 Security & Microsoft 365 G5 Security & Microsoft 365 F5 Security
  - Microsoft 365 F5 Security & Compliance
Set up Microsoft Defender for Endpoint
Before we can install Defender for Endpoint on our endpoint we'll need to perform some setup on the back end.
Set up connections from Defender for Endpoint to other services
You can connect Microsoft Defender for Identity, Office 365 threat intelligence, Microsoft Defender for Cloud Apps, and Microsoft Intune to Microsoft Defender for Endpoint. By enabling them all you get everything connected! Let's take a look.
1. Go to Microsoft 365 Defender admin center > Settings > Endpoints > Advanced Features.
2. Turn on Microsoft Defender for Identity integration, Office 365 Threat Intelligence connection, Microsoft Defender for Cloud Apps, and Microsoft Intune connection. Click Save preferences.
Enable automatic blocking of files
By default, Microsoft Defender for Endpoint won't block files; the option needs to be enabled.
Connect Android, iOS, and Windows to Defender for Endpoint
Now we need to connect our Intune-connected devices to Defender for Endpoint.
1. Open Microsoft Endpoint Manager admin center > Endpoint security > Microsoft Defender for Endpoint. Enable the following settings, then click Save:
- Allow Microsoft Defender for Endpoint to enforce Endpoint Security Configurations
- Connect Android devices to Microsoft Defender for Endpoint
- Connect iOS devices to Microsoft Defender for Endpoint
- Connect Windows devices to Microsoft Defender for Endpoint
- Connect Android devices to Microsoft Defender for Endpoint for app protection policy evaluation
- Connect iOS devices to Microsoft Defender for Endpoint for app protection policy evaluation
Connect Microsoft Defender for Office 365 with Microsoft Defender for Endpoint
Last but not least, integrate Microsoft Defender for Office 365 with Microsoft Defender for Endpoint. It's in a different place than the rest of the settings.
1. Go to Microsoft 365 Defender admin center > Explorer > MDE Settings. Set Connect to Defender for Endpoint to On.
Onboard Windows devices
Next, we'll create a device configuration profile to onboard the Windows devices.
1. Go to Microsoft Endpoint Manager admin center > Devices > Windows > Configuration profiles > Create Policy. Select Windows 10 and later as the platform and set the profile type to Templates. Lastly, click Microsoft Defender for Endpoint, then click Create.
2. Name your policy Defender for Endpoint. Click Next.
3. Set Expedite telemetry reporting frequency to Yes. Click Next.
4. Click Add all devices under Included groups. Click Next.
5. Click Next on the Applicability Rules page.
6. Click Create.
Wait for the policy to deploy to your computers and you're all set!
Additional configuration for Defender for Endpoint
Now, the settings so far have been pretty basic. Let's fine-tune the Defender for Endpoint setup.
1. Go to Microsoft Endpoint Manager admin center > Endpoint security > Antivirus. Click Create policy. Set Platform to Windows 10, Windows 11, and Windows Server. Set the profile to Microsoft Defender Antivirus.
2. Name the policy Microsoft Defender Antivirus. Click Next.
Now you'll see a whole slew of configuration settings for Defender Antivirus. Configure the settings you need and finish the profile setup!
How to set up and manage Web content filtering
Okay, so now how do we block users from accessing certain sites on your Windows 10 / Windows 11 computers? It's multiple steps in multiple locations. First, we need to enable web content filtering and custom network indicators on our tenant. Then we need to make sure SmartScreen and Network Protection are enabled on our devices. Finally, we can create a policy to allow or block certain categories, and/or we can block certain sites. Let's start by turning on web content filtering and network indicators on the tenant.
Turn on web content filtering and network indicators
1. Open Microsoft 365 Defender admin center > Settings > Endpoints > Advanced Features. Click On next to Web content filtering. Click On next to Custom network indicators.
Enable Microsoft Defender SmartScreen and Network Protection on the devices
Next, we need to make sure Microsoft Defender SmartScreen and Microsoft Defender Exploit Guard Network protection are both enabled. Let's create a device configuration profile to do that now.
1. Go to Microsoft Endpoint Manager admin center > Devices > Configuration profiles > Create a profile. Set the Platform to Windows 10 and later. Set the Profile type to Templates. Click Endpoint protection > Create.
2. Set the name to Enable Web content filtering. Click Next.
3. Expand Microsoft Defender SmartScreen. Click Enable next to SmartScreen for apps and files. Expand Microsoft Defender Exploit Guard > Network filtering. Click Network protection > Enable. Click Next.
4. Click Add all devices. Click Next > Next > Create.
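To confirm on a device that the onboarding profile from "Onboard Windows devices" and the Endpoint protection profile above actually landed, here is an added PowerShell check (example code, not part of the original post). It reads the Defender for Endpoint onboarding state and Sense service, Network protection via Get-MpPreference, and assumes the SmartScreen-for-apps-and-files setting is written to the standard policy values under HKLM\SOFTWARE\Policies\Microsoft\Windows\System; run it elevated.

```powershell
# Added example: read-only health check for a Defender for Endpoint device.
$atpStatus = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$ssPolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'   # assumed SmartScreen policy location

function Get-MdeDeviceState {
    # OnboardingState becomes 1 once the onboarding profile has applied.
    $onboarding = (Get-ItemProperty -Path $atpStatus -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState

    # "Sense" is the Defender for Endpoint sensor service; it must be running.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue

    # EnableNetworkProtection: 0 = disabled, 1 = block, 2 = audit.
    $np     = (Get-MpPreference).EnableNetworkProtection
    $npText = switch ($np) { 1 { 'Block' } 2 { 'Audit' } default { 'Disabled' } }

    # SmartScreen for apps and files as enforced by policy (EnableSmartScreen + ShellSmartScreenLevel).
    $ss     = Get-ItemProperty -Path $ssPolicy -ErrorAction SilentlyContinue
    $ssText = if ($ss.EnableSmartScreen -eq 1) { $ss.ShellSmartScreenLevel } else { 'Not enforced' }

    [pscustomobject]@{
        Onboarded         = ($onboarding -eq 1)
        SenseRunning      = [bool]($sense -and $sense.Status -eq 'Running')
        NetworkProtection = $npText
        SmartScreen       = $ssText
        AMRunningMode     = (Get-MpComputerStatus).AMRunningMode   # Normal, Passive Mode, ...
    }
}

$state = Get-MdeDeviceState
$state | Format-List

# Flag anything that does not match the profiles created in this guide.
$problems = @()
if (-not $state.Onboarded)                    { $problems += 'not onboarded (OnboardingState is not 1)' }
if (-not $state.SenseRunning)                 { $problems += 'Sense service not running' }
if ($state.NetworkProtection -ne 'Block')     { $problems += "Network protection is $($state.NetworkProtection)" }
if ($state.SmartScreen -notin 'Block','Warn') { $problems += 'SmartScreen not enforced by policy' }
if ($problems.Count) { Write-Warning ('Fix: ' + ($problems -join '; ')) } else { 'All checks passed' }
```

Intune can take a while to deliver both profiles, so a freshly enrolled device may fail the check for an hour or so before settling.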
Create a policy to block certain categories
Now, let's block certain categories. For example, we can block adult sites, gambling, illegal activity, or a whole list of other categories.
1. Go to Microsoft 365 Defender admin center > Settings > Endpoints > Web content filtering. Enter a policy name of Block sites. Click Next.
2. Expand the categories and check out the sub-categories. Then check Adult content and Legal liability. Click Next.
3. Click Next > Save.
To test the policy, wait an hour or so, then open a site from one of the blocked categories (for example, an adult content site) in the browser.
Allow or Block certain sites
Finally, how to allow or block certain sites. Let's jump right in.
1. Go to Microsoft 365 Defender admin center > Settings > Endpoints > Indicators > URLs/Domains > Add item. Type the URL you want to block in the URL/Domain textbox. Click Next.
2. Set the response action to Block execution. Set an alert title, severity, and description. Click Next.
3. Click Next > Save.
Lastly, remember a couple of things. Block rules block all subpages, so a block rule for bing.com blocks bing.com and every page beneath it (for example bing.com/images). If you block bing.com/images instead, your users can still reach bing.com and bing.com/videos, etc. Finally, allow rules take precedence: with a block rule for bing.com and an allow rule for bing.com/images, users won't be able to go to bing.com (or its subpages) except for bing.com/images.
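The two rules above (a rule covers its subpages; allow beats block) are easy to get wrong when an indicator list grows, so here is an added PowerShell model of exactly those rules for sanity-checking a planned list before you create it in the portal (example code, not part of the original post and not Microsoft's matching engine; the indicator list is constructed from the bing.com case in the text).

```powershell
# Added example: model the URL/domain indicator precedence described above.
# Constructed sample indicators, matching the bing.com scenario in the text.
$indicators = @(
    [pscustomobject]@{ Value = 'bing.com';        Action = 'Block' },
    [pscustomobject]@{ Value = 'bing.com/images'; Action = 'Allow' }
)

function ConvertTo-NormalizedUrl {
    param([string]$Url)
    # Drop scheme, trailing slash and case so indicator and URL compare cleanly.
    ($Url -replace '^https?://', '').TrimEnd('/').ToLowerInvariant()
}

function Test-IndicatorMatch {
    param([string]$Indicator, [string]$Url)
    $i = ConvertTo-NormalizedUrl $Indicator
    $u = ConvertTo-NormalizedUrl $Url
    # A rule matches its exact value and everything beneath it (subpages).
    # Not modelled: www. prefixes, wildcards and IP indicators.
    return ($u -eq $i) -or $u.StartsWith("$i/")
}

function Resolve-UrlAction {
    param([string]$Url, [array]$Indicators)
    $hits = @($Indicators | Where-Object { Test-IndicatorMatch -Indicator $_.Value -Url $Url })
    if ($hits.Count -eq 0) { return 'NoIndicator' }
    # Allow rules take precedence over block rules on the same URL.
    if ($hits | Where-Object Action -eq 'Allow') { return 'Allow' }
    return 'Block'
}

# Walk the cases from the text plus one unrelated site.
foreach ($url in 'https://bing.com', 'https://bing.com/videos', 'https://bing.com/images',
                 'https://bing.com/images/trending', 'https://example.com') {
    '{0,-36} {1}' -f $url, (Resolve-UrlAction -Url $url -Indicators $indicators)
}
```

Expected: bing.com and bing.com/videos resolve to Block, bing.com/images and bing.com/images/trending to Allow, and example.com to NoIndicator, which is the behaviour the paragraph above describes.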
How to set up Defender for Endpoint to work with other antivirus programs
Okay, so you're thinking of deploying Defender for Endpoint but you're still using a different antivirus program. How do you get the information and the advantages of Defender for Endpoint without its antivirus scanning? Microsoft calls this passive mode. Passive mode still sends data from your devices to Microsoft 365 for tracking and analysis, but it won't scan the computer for viruses. To put the computer in passive mode, simply create a registry file on the computer:
Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
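The text gives only the key path, so here is an added PowerShell equivalent of that registry file (example code, not part of the original post). It writes Microsoft's documented switch for this key, the REG_DWORD value ForceDefenderPassiveMode = 1, and then reads back Defender's running mode; run it elevated on a device that is already onboarded, since passive mode is only honoured on onboarded devices.

```powershell
# Added example: force Microsoft Defender Antivirus into passive mode and verify.
$path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'

function Set-DefenderPassiveMode {
    param([bool]$Enabled = $true)
    # Create the policy key if the device has never had this policy applied.
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    # ForceDefenderPassiveMode: 1 = passive mode, 0 = normal (active) mode.
    New-ItemProperty -Path $path -Name ForceDefenderPassiveMode -PropertyType DWord `
        -Value ([int]$Enabled) -Force | Out-Null
}

function Get-DefenderRunningMode {
    # AMRunningMode reports Normal, Passive Mode, EDR Block Mode or SxS Passive Mode.
    (Get-MpComputerStatus).AMRunningMode
}

Set-DefenderPassiveMode -Enabled $true
"Registry value: $((Get-ItemProperty -Path $path).ForceDefenderPassiveMode)"
# The service re-reads the policy on its next start; a reboot is the reliable
# way to see the new mode reflected below.
"Running mode:   $(Get-DefenderRunningMode)"
```

To return to normal mode later, call Set-DefenderPassiveMode -Enabled $false (or remove the value) and restart.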
How to configure automatic remediation using Microsoft Defender for Endpoint
So now we have Microsoft Defender for Endpoint set up and detecting threats, but how do we get Microsoft Defender for Endpoint to simply resolve the threats for us? With automated remediation! And don't worry, we can turn off automated remediation for a group of devices, for example, executives. There's a multi-step process for setting up automated remediation. One, turn on automated remediation at the tenant level. Two, set up groups to enable/disable automated remediation.
How to enable automated remediation for the tenant
1. Go to Microsoft 365 Defender admin center > Settings > Endpoints > Advanced features. Set Automated investigation and Automatically resolve alerts to On. Click Save preferences.
Enable automated remediation for one group
Now let's set up automated remediation. Before we set up remediation let's create 2 groups of devices. One group is for automatic remediation and the other group will be manual remediation. This is a fairly common setup. For example, you may want executives to be manual while everyone else is automated.
1. Go to Microsoft 365 Defender admin center > Settings > Endpoints > Device groups. Click Add device group. Set the name to "Automated remediation". Set the automation level to Full.
2. Now let's select our filter. For my filter, it will be "name" and "starts with" "pc-" but your filter may be different. Once set up click Next.
3. On the next page verify the devices in the group and click Next. Click Done.
Now go and create another group for your executives with no automated remediation.
How do we delegate permissions to certain users per group?
Let's take it a step further. Maybe some of your admins aren't allowed to work with all the devices in your organization. Maybe they can work with all devices but your executives. How do we delegate permissions so the admins can work with some of the computers but not all? First, create a user group in Azure AD. Let's call this group standard admins. Then we'll need to set up roles in Microsoft 365 Defender. Finally, we'll assign permissions to the standard admins.
Note: The following can only be done by a user that's assigned the Global Administrator role or Security Administrator role.
Before we assign permissions let's talk about what each permission can do:
- View data - Security Operations: Gives the user the ability to view data related to security operations. For example, they can view the Security operations dashboard, Incidents, Alerts, Automated investigations, Advanced Hunting security operations data schemas, and more.
- View data - Threat and vulnerability management: Gives the user the ability to view data related to threats and vulnerabilities. For example, view the TVM dashboard, security recommendations, and more.
- Active remediation actions - Security operations: Gives the user the ability to take response actions, for example, isolating a device. The user can also approve or dismiss pending remediation actions, and manage allowed/blocked lists for automation.
- Active remediation actions - Threat and vulnerability management - Exception handling: Gives the user the ability to create new TVM exceptions and manage active exceptions.
- Active remediation actions - Threat and vulnerability management - Remediation handling: Gives the user the ability to manage remediation requests, tickets, and activities.
- Active remediation actions - Threat and vulnerability management - Application handling: Gives the user the ability to block and unblock apps.
- Threat and vulnerability management - Manage security baselines assessment profiles: Gives the user the ability to create and manage profiles so you can verify whether your devices are compliant.
- Alerts investigation: Gives the user the ability to manage alerts, initiate automated investigations, run anti-virus scans, collect investigation packages, and manage device tags.
How to set up roles in Microsoft 365 Defender
1. Go to Microsoft 365 Defender admin center > Settings > Endpoints > Roles. Click Turn on roles.
2. Name the role then review the permissions. Once ready click Assigned user groups.
3. Find the group and click the checkbox. Then click Add selected groups. Finally, click Save.
Assign the admins to the device group
So now we have device groups and admin roles. Let's set our admins to the device group.
1. Go to Microsoft 365 Defender admin center > Settings > Endpoints > Device groups. Click your automated remediation group. Click User access > Standard admins > Add selected groups > Done.
2. Click Apply Changes.
How to run anti-virus scans on a computer
Now that Defender for Endpoint is deployed and configured let's run an anti-virus scan on a computer.
1. Open Microsoft 365 Defender admin center > Device inventory. Click the device you want to run a scan on.
2. Click Run antivirus scan > Select the scan type > Type a comment in the section provided. Click Confirm.
Let's review devices
So now that we have all our devices in Defender for Endpoint, let's take a look at the alerts and risk levels.
1. Go to Microsoft 365 Defender admin center > Device inventory.
Here you'll see all the devices that have been onboarded with Defender for Endpoint.
Understanding Risk Levels
Now, let's talk about risk levels.
The risk level reflects the overall risk assessment of the device based on a combination of factors, including the types and severity of active alerts on the device. Resolving active alerts, approving remediation activities, and suppressing subsequent alerts can lower the risk level.
The risk level can influence the enforcement of conditional access and other security policies on Microsoft Intune and other connected solutions.
Risk levels are supported on Windows 10, Windows 11, Android, iOS, and macOS.