Protecting Windows 10 and other devices with Microsoft Defender for Endpoint

"Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats." - Microsoft, "What is Microsoft Defender for Endpoint?"

Microsoft Defender for Endpoint secures your endpoints (Windows 10, Windows 11, Windows Server, macOS, Linux, Android, and iOS). It's anti-malware on steroids: on top of the Defender Antivirus engine you get endpoint detection and response (EDR), attack surface reduction features such as Network Protection and web content filtering, and automated investigation and remediation. It's deployed from the Microsoft 365 admin centers, and once devices are onboarded it protects them and recommends ways to harden them. In short, Defender for Endpoint lets you protect, investigate, and respond to risks and security threats across all your endpoints.

What licenses are required to set up Defender for Endpoint?

First, there are two plans for Microsoft Defender for Endpoint: Microsoft Defender for Endpoint Plan 1 (P1) and Microsoft Defender for Endpoint Plan 2 (P2). P1 covers next-generation protection, attack surface reduction, and manual response actions. P2 adds endpoint detection and response, automated investigation and remediation, advanced hunting, and vulnerability management, so the EDR onboarding and automated remediation sections later in this post need P2.

Microsoft Defender for Endpoint Plan 1 (P1) is available as a standalone subscription and it's part of the Microsoft 365 E3 and Microsoft 365 A3 licenses.

Microsoft Defender for Endpoint Plan 2 (P2) is available as a standalone subscription and it's part of the following licenses:

  • Windows 11 Enterprise E5 & Windows 11 Enterprise A5
  • Windows 10 Enterprise E5 & Windows 10 Enterprise A5
  • Microsoft 365 E5 & Microsoft 365 A5 & Microsoft 365 G5
  • Microsoft 365 E5 Security & Microsoft 365 A5 Security & Microsoft 365 G5 Security & Microsoft 365 F5 Security
  • Microsoft 365 F5 Security & Compliance

Set up Microsoft Defender for Endpoint

Before we can onboard our endpoints to Defender for Endpoint we need to perform some setup on the back end. (On Windows 10 and 11 nothing is "installed": the sensor is built into the OS and onboarding just configures it to report to your tenant.)

Set up connections from Defender for Endpoint to other services

You can connect Microsoft Defender for Identity, Office 365 threat intelligence, Microsoft Defender for Cloud Apps, and Microsoft Intune to Microsoft Defender for Endpoint. Enabling them all lets alerts, signals, and device risk flow between the services, and the Intune connection is what the onboarding policy below relies on. Let's take a look.

1. Go to Microsoft 365 Defender admin center > Settings > Endpoints > Advanced features.

2. Turn on Microsoft Defender for Identity integration, Office 365 Threat Intelligence connection, Microsoft Defender for Cloud Apps, and Microsoft Intune connection. Click Save preferences.

Enable Endpoint Connections

Connect Android, iOS, and Windows to Defender for Endpoint

Now we need to connect our Intune-managed devices to Defender for Endpoint. This is the Intune side of the connector: it lets Intune deliver the onboarding configuration and receive device risk scores back for compliance and conditional access.

1. Open Microsoft Endpoint Manager admin center > Endpoint security > Microsoft Defender for Endpoint. Enable the following settings, then click Save:

  • Allow Microsoft Defender for Endpoint to enforce Endpoint Security Configurations
  • Connect Android devices to Microsoft Defender for Endpoint
  • Connect iOS devices to Microsoft Defender for Endpoint
  • Connect Windows devices to Microsoft Defender for Endpoint
  • Connect Android devices to Microsoft Defender for Endpoint for app protection policy evaluation 
  • Connect iOS devices to Microsoft Defender for Endpoint for app protection policy evaluation

Endpoint security | Microsoft Defender for Endpoint

Onboard Windows devices

Next, we'll create an Endpoint detection and response (EDR) policy in Endpoint security to onboard the Windows devices. This is an endpoint security policy rather than a device configuration profile, and it pulls the onboarding package from your tenant through the Intune connection enabled above.

1. Go to Microsoft Endpoint Manager admin center > Endpoint security > Endpoint detection and response > Create Policy. Select Windows 10 and later as the platform and Endpoint detection and response as the profile. Click Create.

Create Endpoint detection and response policy

2. Name your policy Defender for Endpoint. Click Next.

3. Leave Microsoft Defender for Endpoint client configuration package type at Auto from connector (it uses the Intune connection you enabled earlier) and set Expedite telemetry reporting frequency to Yes. Click Next.

Set Defender for Endpoint values

4. Click Next for scope tags. Click Add all devices under Included groups. Click Next.

Add all devices to Defender for Endpoint deployment

5. Click Create.

Wait for the policy to deploy to your computers and you're all set! Onboarded devices appear in the Defender portal's Device inventory once they have checked in.
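Rather than waiting and hoping, you can confirm on a device that the EDR policy actually onboarded it. The following is an added example, not code from the original post: it checks the Sense service (the Defender for Endpoint sensor), the OnboardingState registry value that Microsoft documents for onboarding troubleshooting, the antivirus running mode, and the most recent sensor event. Run it in an elevated PowerShell session on the Windows 10/11 client.

```powershell
# Added example (not part of the original post): verify on a device that the
# Intune EDR policy onboarded it to Defender for Endpoint. Run elevated.

function Test-MdeOnboarding {
    [CmdletBinding()]
    param()

    # Onboarding status written by the sensor. OnboardingState 1 = onboarded.
    # OrgId (if present) is the tenant the sensor reports to.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $status    = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue

    # The sensor runs as the "Sense" service (Windows Defender Advanced Threat
    # Protection Service); it only starts on onboarded devices.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue

    # Defender AV state: AMRunningMode is Normal, Passive Mode, EDR Block Mode, etc.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue

    # Most recent sensor events; this log only exists once the sensor is active.
    $events = Get-WinEvent -LogName 'Microsoft-Windows-SENSE/Operational' `
                           -MaxEvents 5 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        SenseServiceState  = if ($sense) { $sense.Status } else { 'NotInstalled' }
        OnboardingState    = $status.OnboardingState
        OrgId              = $status.OrgId
        AMRunningMode      = $mp.AMRunningMode
        RealTimeProtection = $mp.RealTimeProtectionEnabled
        TamperProtected    = $mp.IsTamperProtected
        LastSenseEvent     = ($events | Select-Object -First 1).TimeCreated
        Onboarded          = ($status.OnboardingState -eq 1 -and $sense.Status -eq 'Running')
    }
}

$result = Test-MdeOnboarding
$result | Format-List
if (-not $result.Onboarded) {
    Write-Warning 'Not onboarded yet: check the EDR policy assignment in Intune and the SENSE/Operational log.'
}
```

If OnboardingState is 1 but the Sense service is stopped, the device was onboarded and something later stopped the sensor; if the registry key is missing entirely, the policy has not reached the device yet.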

Additional configuration for Defender for Endpoint

Now, the settings so far have been pretty basic. Let's fine tune the Defender for Endpoint setup.

1. Go to Microsoft Endpoint Manager admin center > Endpoint security > Antivirus. Click Create policy. Set Platform to Windows 10, Windows 11, and Windows Server. Set the profile to Microsoft Defender Antivirus.

Create Defender for Endpoint policy

2. Name the policy Microsoft Defender Antivirus. Click Next.

Now you'll see a whole slew of configuration settings for Defender Antivirus: cloud-delivered protection and its block level, real-time and behavior monitoring, potentially unwanted application (PUA) protection, exclusions, scan schedules, and so on. Work through them, assign the profile to your devices, and create it. Tamper protection (managed from the Defender portal) is worth turning on so users and malware can't switch these settings off locally.
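Once the policy has applied, it's worth checking that the settings landed on the device and stayed there. This is an added example, not code from the original post, and the baseline values in it are example choices of mine, not settings the post prescribes: it compares the effective Get-MpPreference values against an expected baseline and reports any drift.

```powershell
# Added example (not part of the original post): compare a device's effective
# Defender Antivirus settings with an assumed baseline. The numeric codes are
# the documented Get-MpPreference values; the chosen targets are examples.

function Compare-DefenderBaseline {
    param(
        [hashtable]$Baseline = @{
            DisableRealtimeMonitoring = $false   # real-time protection on
            DisableBehaviorMonitoring = $false   # behavior monitoring on
            DisableIOAVProtection     = $false   # scan downloaded files/attachments
            MAPSReporting             = 2        # 0 off, 1 basic, 2 advanced cloud protection
            SubmitSamplesConsent      = 1        # 1 = send safe samples automatically
            CloudBlockLevel           = 2        # 0 default, 2 high, 4 high+, 6 zero tolerance
            PUAProtection             = 1        # 0 off, 1 block, 2 audit
            EnableNetworkProtection   = 1        # 0 off, 1 block, 2 audit
        }
    )

    $pref = Get-MpPreference
    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $actual = $pref.$name
        [pscustomobject]@{
            Setting   = $name
            Expected  = $Baseline[$name]
            Actual    = $actual
            Compliant = ($actual -eq $Baseline[$name])
        }
    }
}

$drift = Compare-DefenderBaseline | Where-Object { -not $_.Compliant }
if ($drift) {
    'Settings not matching the baseline:'
    $drift | Format-Table -AutoSize
} else {
    'Device matches the baseline.'
}

# Tamper protection is managed from the portal, not via Set-MpPreference; if it is
# on, local attempts to weaken the settings above are rejected.
'Tamper protection: ' + (Get-MpComputerStatus).IsTamperProtected
```

Drift here usually means the Intune policy has not applied yet, a conflicting policy or Group Policy object is winning, or tamper protection is off and something changed the setting locally.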

How to set up and manage web content filtering

Okay, so how do we block users from accessing certain sites on your Windows 10 / Windows 11 computers? It takes several steps in several places. First, we enable web content filtering and custom network indicators on the tenant. Then we make sure SmartScreen and Network Protection are enabled on the devices: in Microsoft Edge the filtering is enforced by SmartScreen, while in other browsers it relies on Network Protection, so without Network Protection in block mode third-party browsers won't be filtered. Finally, we create a policy to block or allow categories and/or add indicators to block specific sites. Let's start with the tenant settings.

Turn on web content filtering and network indicators

1. Open Microsoft 365 Defender admin center > Settings > Endpoints > Advanced Features. Click On next to Web content filtering. Click On next to Custom network indicators.

Enable web content filtering and network indicators

Enable Microsoft Defender SmartScreen and Network Protection on the devices

Next, we need to make sure Microsoft Defender SmartScreen and Microsoft Defender Exploit Guard Network protection are both enabled. Network protection must be in block mode (not audit) for the category policies and URL indicators to actually stop third-party browsers. Let's create a device configuration profile to do that now.

1. Go to Microsoft Endpoint Manager admin center > Devices > Configuration profiles > Create profile. Set the Platform to Windows 10 and later. Set the Profile type to Templates. Click Endpoint protection > Create.

Create a device configuration profile

2. Set the name to Enable Web content filtering. Click Next.

3. Expand Microsoft Defender SmartScreen. Click Enable next to SmartScreen for apps and files. Expand Microsoft Defender Exploit Guard > Network filtering. Click Network protection > Enable. Click Next.

Enable SmartScreen and Network Protection

4. Click Add all devices. Click Next > Next > Create.
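To confirm the profile did what we want, check the device rather than the portal. This is an added example, not code from the original post: it reads the SmartScreen policy values that the Endpoint protection template writes, the Network Protection mode from Get-MpPreference, and the prerequisites Network Protection depends on, then lists recent Network Protection audit (event ID 1125) and block (event ID 1126) events from the Defender operational log. Run it elevated on a device that has received the profile.

```powershell
# Added example (not part of the original post): verify SmartScreen and Network
# Protection on a device and show recent Network Protection events. Run elevated.

function Get-WebProtectionState {
    # The "SmartScreen for apps and files" setting writes the Windows SmartScreen
    # policy: EnableSmartScreen (1 = on) and ShellSmartScreenLevel ('Warn' or 'Block').
    $ssKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $ss    = Get-ItemProperty -Path $ssKey -ErrorAction SilentlyContinue
    $pref  = Get-MpPreference
    $mp    = Get-MpComputerStatus

    $npModes = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit' }

    [pscustomobject]@{
        SmartScreenPolicyEnabled = ($ss.EnableSmartScreen -eq 1)
        SmartScreenLevel         = $ss.ShellSmartScreenLevel
        NetworkProtection        = $npModes[[int]$pref.EnableNetworkProtection]
        # Network Protection only works with real-time and cloud protection running.
        RealTimeProtection       = $mp.RealTimeProtectionEnabled
        CloudProtection          = ($pref.MAPSReporting -ne 0)
        ReadyForWebFiltering     = ($pref.EnableNetworkProtection -eq 1 -and
                                    $mp.RealTimeProtectionEnabled -and
                                    $pref.MAPSReporting -ne 0)
    }
}

function Get-NetworkProtectionEvents {
    param([int]$Hours = 24)
    # 1125 = Network Protection audit, 1126 = Network Protection block.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1125, 1126
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Action  = if ($_.Id -eq 1126) { 'Block' } else { 'Audit' }
            Message = $_.Message   # rendered text includes the URL and the process
        }
    }
}

Get-WebProtectionState | Format-List
Get-NetworkProtectionEvents -Hours 24 | Format-Table -AutoSize -Wrap
```

If ReadyForWebFiltering is false, category blocks will still work in Edge (SmartScreen) but not in Chrome, Firefox or other browsers, which is the most common reason a "working" filter turns out to be bypassable.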

Create a policy to block certain categories

Now, let's block certain categories. For example, we can block adult sites, gambling, illegal activity, or a whole list of other categories.

1. Go to Microsoft 365 Defender admin center > Settings > Endpoints > Web content filtering. Click Add policy. Enter a policy name of Block sites. Click Next.

Create a web content filter

2. Expand the categories and look through the subcategories. Then check Adult content and Legal liability. Click Next.

block categories

3. Click Next > Save.

To test the policy, wait for it to propagate (it can take an hour or so) and then browse to a site in one of the blocked categories. In Edge you get a "This content is blocked" page; in other browsers the connection is blocked by Network Protection and Windows shows a toast notification instead.

This content is blocked

Allow or Block certain sites

Finally, how to allow or block certain sites. Let's jump right in.

1. Go to Microsoft 365 Defender admin center > Settings > Endpoints > Indicators > URLs/Domains > Add item. Type the URL or domain you want to block in the URL/Domain textbox, set an expiry date if the block should be temporary, and click Next.

Block a URL in Microsoft 365

2. Set the response action to Block execution. Set an alert title, severity, and description. Click Next.

Choose an action for the URL

3. Click Next > Save.

Lastly, remember a couple of things about how indicators match. A block rule covers the entry and everything beneath it: a block rule for bing.com blocks bing.com and all of its subpages (for example bing.com/images). A block rule for bing.com/images blocks only that path and anything under it, so users can still reach bing.com, bing.com/videos, and so on. Finally, allow rules take precedence over block rules: with a block rule for bing.com and an allow rule for bing.com/images, users can't reach bing.com or its other subpages but can reach bing.com/images.
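When a rule set grows beyond a handful of entries it's easy to lose track of which allow overrides which block. The following is an added example, not code from the original post: a small evaluator that encodes only the matching rules described above (a block on a domain covers its subpages, a block on a path covers only that path and below, an allow indicator wins over a block) so you can sanity-check a candidate rule set before publishing it. The rules and URLs are constructed sample data mirroring the bing.com example.

```powershell
# Added example (not part of the original post): evaluate URLs against a set of
# URL/domain indicators using the precedence rules described in the post.

function Normalize-Target {
    param([string]$Target)
    # Drop the scheme and any trailing slash so "https://bing.com/images/" and
    # "bing.com/images" compare equal. Hostnames are case-insensitive.
    ($Target -replace '^[a-z]+://', '' -replace '/+$', '').ToLowerInvariant()
}

function Test-UrlIndicator {
    param(
        [Parameter(Mandatory)][string]$Url,
        # Each indicator has a Value (URL or domain) and an Action ('Allow' or 'Block').
        [Parameter(Mandatory)][object[]]$Indicators
    )
    $target  = Normalize-Target $Url
    $matched = foreach ($rule in $Indicators) {
        $prefix = Normalize-Target $rule.Value
        # Match the indicator itself or anything beneath it. Requiring a '/' after
        # the prefix stops "bing.com/images" from matching "bing.com/imagesearch".
        if ($target -eq $prefix -or $target.StartsWith("$prefix/")) { $rule }
    }
    if (-not $matched) { return 'NoIndicator' }
    # Allow takes precedence over Block when both match.
    if ($matched | Where-Object Action -eq 'Allow') { return 'Allow' }
    return 'Block'
}

# Constructed sample rule set: block the domain, allow one path under it.
$indicators = @(
    [pscustomobject]@{ Value = 'bing.com';        Action = 'Block' }
    [pscustomobject]@{ Value = 'bing.com/images'; Action = 'Allow' }
)

$samples = 'https://bing.com',
           'https://bing.com/videos',
           'https://bing.com/images/cats',
           'https://bing.com/imagesearch',
           'https://example.org'

foreach ($u in $samples) {
    [pscustomobject]@{ Url = $u; Result = Test-UrlIndicator -Url $u -Indicators $indicators }
}
```

The evaluator deliberately implements only what the post states; whether a domain indicator also covers subdomains such as www.bing.com is not covered here, so test that in your tenant before relying on it.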

How to set up Defender for Endpoint to work with other antivirus programs

Okay, so you're thinking of deploying Defender for Endpoint but you're still using a different antivirus program. How do you get the EDR visibility and the advantages of Defender for Endpoint without two antivirus engines fighting over the same files? Microsoft calls this passive mode. In passive mode the sensor still sends data from your devices to the Microsoft 365 Defender service for tracking and analysis, but Defender Antivirus is no longer the primary antivirus: real-time protection is off and it doesn't remediate threats (unless you also enable EDR in block mode in the portal). On Windows 10 and 11 clients Defender Antivirus switches to passive mode by itself once the device is onboarded and a non-Microsoft antivirus is registered; on Windows Server you have to force it by setting the following registry value:

Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
Name: ForceDefenderPassiveMode
Type: REG_DWORD
Value: 1
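Creating that value by hand with regedit on every server doesn't scale, and setting it without checking the result is how you end up with a server that runs no real-time protection at all. The following is an added example, not code from the original post: it sets the ForceDefenderPassiveMode value above and then confirms what the antivirus engine actually reports. Run it elevated on the server.

```powershell
# Added example (not part of the original post): set the passive-mode policy value
# from the section above and confirm Defender AV actually switched modes. Run elevated.

$path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
New-ItemProperty -Path $path -Name 'ForceDefenderPassiveMode' `
                 -PropertyType DWord -Value 1 -Force | Out-Null

# Confirm the write.
'ForceDefenderPassiveMode = ' + (Get-ItemProperty -Path $path).ForceDefenderPassiveMode

# What the engine reports. AMRunningMode should read "Passive Mode" (or "EDR Block Mode"
# if you turned that on in the portal) rather than "Normal". If it still reads "Normal",
# check that the device is onboarded and that the other antivirus is actually registered.
Get-MpComputerStatus |
    Select-Object AMRunningMode, AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled

# To go back to active mode, remove the value:
# Remove-ItemProperty -Path $path -Name 'ForceDefenderPassiveMode'
```

The check at the end matters: the registry value is a request, and AMRunningMode is the only place the engine tells you which mode it is really in.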

How to configure automatic remediation using Microsoft Defender for Endpoint

So now we have Microsoft Defender for Endpoint set up and detecting threats, but how do we get it to resolve the threats for us? With automated remediation! And don't worry, we can turn off automated remediation for a group of devices, for example executives. Setting it up is a two-step process: one, turn on automated investigation at the tenant level; two, set up device groups that enable or disable automated remediation.

How to enable automated remediation for the tenant

1. Go to Microsoft Defender admin center > Settings > Endpoints > Advanced features. Set Automated investigation and Automatically resolve alerts to on. Click Save preferences.

enable automated remediation

Enable automated remediation for one group

Now let's set up automated remediation. Before we set up remediation let's create 2 groups of devices. One group is for automatic remediation and the other group will be manual remediation. This is a fairly common setup. For example, you may want executives to be manual while everyone else is automated.

1. Go to Microsoft 365 Defender admin center > Settings > Endpoints > Device groups. Click Add device group. Set the name to "Automated remediation". Set the automation level to Full (remediate threats automatically).

Create a device group

2. Now let's select our filter. For my filter, it will be "name" and "starts with" "pc-" but your filter may be different. Once set up click Next.

set the device group filter

3. On the next page verify the devices in the group and click Next. Click Done.

Now go and create another group for your executives with the automation level set to no automated response. Device groups are ranked, and a device that matches more than one group's filter lands in the higher-ranked group, so make sure the executives group ranks above the broad "pc-" group or your executives will quietly end up with full automation anyway.

How do we delegate permissions to certain users per group?

Let's take it a step further. Maybe some of your admins aren't allowed to work with all the devices in your organization. Maybe they can work with all devices but your executives. How do we delegate permissions so the admins can work with some of the computers but not all? First, create a user group in Azure AD. Let's call this group standard admins. Then we'll need to set up roles in Microsoft 365 Defender. Finally, we'll assign permissions to the standard admins.

Note: The following can only be done by a user that's assigned the Global Administrator role or Security Administrator role.

How to set up roles in Microsoft 365 Defender

1. Go to Microsoft 365 Defender > Settings > Endpoints > Roles . Click Turn on roles.

2. Name the role then review the permissions. Once ready click Assigned user groups.

Name the role

3. Find the group and click the checkbox. Then click Add selected groups. Finally, click Save.

Add the Azure AD Group

Assign the admins to the device group

So now we have device groups and admin roles. Let's set our admins to the device group.

1. Go to Microsoft 365 Defender admin center > Settings > Endpoints > Device groups. Click your automated remediation group. Click User access > Standard admins > Add selected groups > Done.

Assign the admin roles to the device group

2. Click Apply Changes.

Apply changes

Let's review devices

So now that we have all our devices in Defender for Endpoint, let's take a look at the alerts and risk levels.

1. Go to Microsoft 365 Defender admin center > Device inventory.

Here you'll see all the devices that have been onboarded with Defender for Endpoint. 

Understanding Risk Levels

Now, let's talk about risk levels.

The risk level reflects the overall risk assessment of the device based on combination of factors, including the types and severity of active alerts on the device. Resolving active alerts, approving remediation activities, and suppressing subsequent alerts can lower the risk level.

The risk level can influence enforcement of conditional access and other security policies in Microsoft Intune and other connected solutions; for example, a compliance policy can mark devices above a chosen risk level as non-compliant so conditional access blocks them until the alerts are resolved.