How do I turn on Endpoint in Windows Defender?
Microsoft Defender for Endpoint will soon turn on tamper protection by default for all existing enterprise customers. Tamper protection prevents malicious apps and unauthorized users from changing important security configuration settings on Windows, Windows Server, and macOS. Microsoft introduced the feature in its enterprise endpoint security product in 2019. Today it is on by default only for new customers with an active Microsoft 365 E5 or Defender for Endpoint Plan 2 subscription; with this change, Microsoft will enable it for all existing enterprise customers as well.

"Tamper protection in Microsoft Defender for Endpoint protects your organization from unwanted changes to your security settings. Tamper protection helps prevent unauthorized users and malicious actors from turning off threat protection features, such as antivirus protection. Tamper protection also includes the detection of, and response to, tampering attempts," Microsoft explained in a blog post.

How to opt out of the tamper protection default setting

Microsoft will send notifications to organizations that have not configured tamper protection in their tenants, warning that it will be switched on in 30 days. Microsoft encourages businesses to leave the feature on: switching off antivirus on a compromised machine is a routine step in human-operated ransomware intrusions, and tamper protection is the control that blocks exactly that. Organizations that need to can still explicitly opt out of the change by following the steps mentioned below:
Microsoft says that organizations can also choose to disable tamper protection on select devices because of application compatibility issues. IT admins can do this either through Security Management for Defender for Endpoint or by creating a profile in Microsoft Endpoint Manager. Let us know in the comments below if you have enabled tamper protection in your organization.

"Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats." - Microsoft (What is Microsoft Defender for Endpoint?)

Microsoft Defender for Endpoint secures your endpoints (Windows 10, Windows Server, macOS, Linux, Android, and iOS). It's anti-malware on steroids. It can be deployed from the Microsoft 365 admin centers, and once deployed it protects your devices and recommends ways to harden them. Microsoft Defender for Endpoint lets you protect, investigate, and respond to risks and security threats across all your endpoints.

What licenses are required to set up Defender for Endpoint?

There are two plans: Microsoft Defender for Endpoint Plan 1 (P1) and Microsoft Defender for Endpoint Plan 2 (P2). Plan 1 covers next-generation antivirus, attack surface reduction (including web protection and network protection) and manual response actions; Plan 2 adds endpoint detection and response, automated investigation and remediation, and threat and vulnerability management. The automated remediation configured later on this page is therefore a Plan 2 feature.
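Before opting a device out of tamper protection, or deciding whether the later steps on this page have actually landed, it helps to read the state back from the endpoint itself. The following is an added example, not code from the original article or from Microsoft: a PowerShell audit that reports whether tamper protection is on and which channel manages it, whether the device is onboarded to Defender for Endpoint, and which running mode Defender Antivirus is in, plus a helper that forces passive mode on a Windows Server using the value Microsoft documents for the policy path quoted later on this page (ForceDefenderPassiveMode). Cmdlets, registry paths and value names are the documented ones; the function names are this example's own. Run it in an elevated PowerShell session on the device.

```powershell
# Added example, not from the original page: read back the Defender / MDE state of
# a Windows endpoint, and optionally force passive mode on a Windows Server.
# Run in an elevated PowerShell session on the endpoint. Cmdlets, registry paths and
# value names are Microsoft's documented ones; the function names are this example's own.

function Get-DefenderEndpointState {
    [CmdletBinding()]
    param()

    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # The Sense agent writes OnboardingState = 1 once onboarding to MDE has succeeded.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $onboardingState = (Get-ItemProperty -Path $statusKey -Name OnboardingState `
        -ErrorAction SilentlyContinue).OnboardingState
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $senseStatus = if ($sense) { $sense.Status } else { 'Not installed' }

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        TamperProtected        = $status.IsTamperProtected
        TamperProtectionSource = $status.TamperProtectionSource   # Intune, MDE, Signatures, ...
        AMRunningMode          = $status.AMRunningMode            # Normal, Passive Mode, EDR Block Mode, SxS Passive Mode
        RealTimeProtection     = $status.RealTimeProtectionEnabled
        NetworkProtection      = $pref.EnableNetworkProtection    # 0 = off, 1 = block, 2 = audit
        MdeOnboarded           = ($onboardingState -eq 1)
        SenseService           = $senseStatus
    }
}

function Set-DefenderPassiveMode {
    # ForceDefenderPassiveMode is the documented DWORD under the policy path the page
    # quotes. It is only needed on Windows Server; Windows 10/11 clients switch to passive
    # mode on their own when a non-Microsoft antivirus registers with Windows Security.
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Disable)

    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
    $value = if ($Disable) { 0 } else { 1 }

    if ($PSCmdlet.ShouldProcess($policyKey, "Set ForceDefenderPassiveMode = $value")) {
        if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
        Set-ItemProperty -Path $policyKey -Name ForceDefenderPassiveMode -Value $value -Type DWord
    }
    # The mode changes when Defender picks up the policy; read it back rather than assume.
    (Get-MpComputerStatus).AMRunningMode
}

Get-DefenderEndpointState | Format-List
```

TamperProtectionSource tells you who currently owns the setting (Intune, Defender for Endpoint, or the built-in default), which is what decides where a per-device opt-out has to be configured. A device that reports MdeOnboarded as false has not completed the onboarding profile described below and will not receive Defender for Endpoint-managed tamper protection; Set-DefenderPassiveMode supports -WhatIf so you can see the registry change before it is written.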
Setup Microsoft Defender for Endpoint

Before we can onboard an endpoint we need to do some setup on the back end.

Set up a connection from Endpoint to other services

You can connect Microsoft Defender for Identity, Office 365 threat intelligence, Microsoft Defender for Cloud Apps, and Microsoft Intune to Microsoft Defender for Endpoint. Enabling all of them gets everything connected. Let's take a look.

1. Go to Microsoft 365 Defender admin center > Settings > Endpoints > Advanced features.
2. Turn On Microsoft Defender for Identity integration, Office 365 Threat Intelligence connection, Microsoft Defender for Cloud Apps, and Microsoft Intune connection. Click Save preferences.

Enable automatic blocking of files

By default, Microsoft Defender for Endpoint does not block files. The file-blocking option (Allow or block file, on the same Advanced features page) has to be turned on before file indicators can block anything.

Connect Android, iOS, and Windows to Defender for Endpoint

Now we need to connect our Intune-managed devices to Defender for Endpoint.

1. Open Microsoft Endpoint Manager admin center > Endpoint security > Microsoft Defender for Endpoint. Enable the connection settings for Android, iOS, and Windows devices, then click Save.
Connect Microsoft Defender for Office 365 with Microsoft Defender for Endpoint

Last but not least, integrate Microsoft Defender for Office 365 with Microsoft Defender for Endpoint. This setting lives in a different place from the rest.

1. Go to Microsoft 365 Defender admin center > Explorer > MDE Settings. Set Connect to Defender for Endpoint to On.

Onboard Windows devices

Next, we'll create a device configuration profile to onboard the Windows devices. This relies on the Intune connection enabled above.

1. Go to Microsoft Endpoint Manager admin center > Devices > Windows > Configuration profiles > Create Policy. Select Windows 10 and later as the platform and set the profile type to Templates. Select Microsoft Defender for Endpoint, then click Create.
2. Name your policy Defender for Endpoint. Click Next.
3. Set Expedite telemetry reporting frequency to Yes. Click Next.
4. Click Add all devices under Included groups. Click Next.
5. Click Next on the Applicability Rules page.
6. Click Create. Wait for the policy to reach your computers and you're all set.

Additional configuration for Defender for Endpoint

The settings so far have been fairly basic. Let's fine-tune the Defender for Endpoint setup with an antivirus policy.

1. Go to Microsoft Endpoint Manager admin center > Endpoint security > Antivirus. Click Create policy. Set Platform to Windows 10, Windows 11, and Windows Server and the profile to Microsoft Defender Antivirus.
2. Name the policy Microsoft Defender Antivirus. Click Next. You'll now see the full set of Defender Antivirus settings (cloud-delivered protection, real-time protection, scan schedules, exclusions, and so on). Configure the ones your organization needs and finish the profile.

How to set up and manage web content filtering

So how do we block users from accessing certain sites on Windows 10 / Windows 11 computers? It takes several steps in several locations. First, enable web content filtering and network indicators on the tenant. Then make sure SmartScreen and Network Protection are enabled on the devices. Finally, create a policy that allows or blocks categories, and/or block specific sites.

Turn on web content filtering and network indicators

1. Open Microsoft 365 Defender admin center > Settings > Endpoints > Advanced features. Turn On Web content filtering and turn On Custom network indicators.

Enable Microsoft Defender SmartScreen and Network Protection on the devices

Next, make sure Microsoft Defender SmartScreen and Microsoft Defender Exploit Guard Network protection are both enabled. Edge enforces the filtering through SmartScreen; every other browser depends on network protection being in block mode, so without this profile the category policy does nothing for those users. Let's create a device configuration profile to do that.

1. Go to Microsoft Endpoint Manager admin center > Devices > Configuration profiles > Create a profile. Set the Platform to Windows 10 and later and the Profile type to Templates. Select Endpoint protection, then click Create.
2. Set the name to Enable Web content filtering. Click Next.
3. Expand Microsoft Defender SmartScreen and set SmartScreen for apps and files to Enable. Expand Microsoft Defender Exploit Guard > Network filtering and set Network protection to Enable. Click Next.
4. Click Add all devices. Click Next > Next > Create.

Create a policy to block certain categories

Now let's block categories. For example, we can block adult sites, gambling, illegal activity, or a whole list of other categories.

1. Go to Microsoft 365 Defender admin center > Settings > Endpoints > Web content filtering. Enter a policy name of Block sites. Click Next.
2. Expand the categories and review the sub-categories. Check Adult content and Legal liability. Click Next.
3. Click Next > Save.

To test the policy, wait an hour or so for it to reach the devices, then open a site in one of the blocked categories in the browser.

Allow or block certain sites

Finally, how to allow or block specific sites.

1. Go to Microsoft 365 Defender admin center > Settings > Endpoints > Indicators > URLs/Domains > Add item. Type the URL you want to block in the URL/Domain textbox. Click Next.
2. Set the response action to Block execution. Set an alert title, severity, and description. Click Next.
3. Click Next > Save.

A couple of things to remember. A block rule covers all subpages: a block rule for bing.com blocks bing.com and everything under it (bing.com/images, for example). Blocking only bing.com/images leaves bing.com, bing.com/videos, and so on reachable. Allow rules take precedence over block rules: with a block rule for bing.com and an allow rule for bing.com/images, users cannot reach bing.com or its other subpages, but bing.com/images still loads.

How to set up Defender for Endpoint to work with other antivirus programs

Suppose you want to deploy Defender for Endpoint but you're still using a different antivirus product. How do you get the visibility and the advantages of Defender for Endpoint without Defender Antivirus doing the scanning? Microsoft calls this passive mode. In passive mode the device still reports to Microsoft 365 Defender for tracking and analysis (the EDR sensor is unaffected), but Defender Antivirus stops acting as the primary antivirus: it provides no real-time protection and takes no remediation action of its own (unless EDR in block mode is turned on), although it keeps receiving security intelligence updates. On Windows Server, passive mode is set through a registry value under this policy path on the computer:

Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection

Windows 10 and Windows 11 clients switch to passive mode automatically when another antivirus product registers with Windows Security, so the registry setting is only needed on servers.

How to configure automatic remediation using Microsoft Defender for Endpoint

Now that Defender for Endpoint is set up and detecting threats, how do we have it resolve the threats for us? With automated remediation. Don't worry: it can be turned off for a group of devices, for example executives. Setting it up is a multi-step process: one, turn on automated investigation and remediation at the tenant level; two, set up device groups to enable or disable it per group.

How to enable automated remediation for the tenant

1. Go to Microsoft 365 Defender admin center > Settings > Endpoints > Advanced features. Set Automated Investigation and Automatically resolve alerts to On. Click Save preferences.

Enable automated remediation for one group

Before setting up remediation, create two groups of devices: one with automatic remediation and one with manual remediation. This is a fairly common setup; for example, executives may be manual while everyone else is automated.

1. Go to Microsoft 365 Defender admin center > Settings > Endpoints > Device groups. Click Add device group. Set the name to "Automated remediation" and the automation level to Full.
2. Now select the filter. For my filter it will be "name" "starts with" "pc-", but your filter may be different. Click Next.
3. On the next page verify the devices in the group and click Next. Click Done.

Now create another group for your executives with no automated remediation. A device that matches several groups is placed in the highest-ranked one, so once both groups exist check their order: if the executives' machines also match the "pc-" filter, the executives group must rank above the automated group or they will be auto-remediated anyway.

How do we delegate permissions to certain users per group?

Let's take it a step further. Maybe some of your admins aren't allowed to work with all the devices in your organization, only with everything except the executives' machines. How do we delegate permissions so these admins can work with some of the computers but not all? First, create a user group in Azure AD; let's call it Standard admins. Then set up roles in Microsoft 365 Defender. Finally, assign the Standard admins to the device group.

Note: the following can only be done by a user assigned the Global Administrator or Security Administrator role. Before assigning permissions, here is what each permission can do:
How to set up roles in Microsoft 365 Defender

1. Go to Microsoft 365 Defender admin center > Settings > Endpoints > Roles. Click Turn on roles. Once roles are on, users who relied on the Azure AD Security Reader role lose access to the portal until they are assigned a Defender role, so create and assign the roles in the same session.
2. Name the role and review the permissions. When ready, click Assigned user groups.
3. Find the group and tick its checkbox. Click Add selected groups, then Save.

Assign the admins to the device group

Now we have device groups and admin roles. Let's give the admins access to the device group.

1. Go to Microsoft 365 Defender admin center > Settings > Endpoints > Device groups. Click your Automated remediation group. Click User access > Standard admins > Add selected groups > Done.
2. Click Apply changes.

How to run antivirus scans on a computer

Now that Defender for Endpoint is deployed and configured, let's run an antivirus scan on a computer.

1. Open Microsoft 365 Defender admin center > Device inventory. Click the device you want to scan.
2. Click Run antivirus scan, select the scan type (quick or full), and type a comment in the field provided. Click Confirm.

Let's review devices

With all our devices in Defender for Endpoint, let's look at the alerts and risk levels.

1. Go to Microsoft 365 Defender admin center > Device inventory. Here you'll see every device that has been onboarded to Defender for Endpoint.

Understanding risk levels

The risk level reflects the overall risk assessment of the device, based on factors such as the types and severity of active alerts on it. Resolving active alerts, approving remediation activities, and suppressing subsequent alerts lower the risk level. The risk level can drive Conditional Access and other policies in Microsoft Intune and other connected solutions. Risk levels are supported on Windows 10, Windows 11, Android, iOS, and Mac.
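The portal steps above for URL indicators, antivirus scans and the device inventory can all be scripted against the Defender for Endpoint REST API, which matters once you have more than a handful of sites to block or devices to scan. The following is an added example, not code from the original page or from Microsoft. It assumes an Azure AD app registration granted, with admin consent, the application permissions Ti.ReadWrite (indicators), Machine.Read.All (device list) and Machine.Scan (run scans); the tenant ID, client ID and secret are placeholders, the "Executives" device group and example.com URL in the usage lines are assumed, and the function names are this example's own. The block/allow semantics are those of the URLs/Domains indicator page: the API action Block is the portal's Block execution, Allowed creates an allow rule, and rbacGroupNames scopes an indicator to the device groups created above.

```powershell
# Added example, not from the original page: the indicator, scan and device-inventory
# steps above driven through the Defender for Endpoint REST API. Assumes an Azure AD
# app registration with admin-consented application permissions Ti.ReadWrite,
# Machine.Read.All and Machine.Scan. Tenant, client ID and secret are placeholders;
# function names are this example's own.
$TenantId     = '00000000-0000-0000-0000-000000000000'   # placeholder
$ClientId     = '11111111-1111-1111-1111-111111111111'   # placeholder
$ClientSecret = '<client secret: load from a vault, never commit>'
$ApiBase      = 'https://api.securitycenter.microsoft.com/api'

# OAuth2 client-credentials token for the MDE resource.
function Get-MdeToken {
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://api.securitycenter.microsoft.com/.default'
    }
    $uri = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    (Invoke-RestMethod -Method Post -Uri $uri -Body $body).access_token
}

# Thin wrapper: JSON in, objects out, bearer token attached.
function Invoke-Mde {
    param([string]$Method = 'Get', [Parameter(Mandatory)][string]$Path, $Body)
    $params = @{
        Method      = $Method
        Uri         = "$ApiBase/$Path"
        Headers     = @{ Authorization = "Bearer $(Get-MdeToken)" }
        ContentType = 'application/json'
    }
    if ($Body) { $params.Body = $Body | ConvertTo-Json -Depth 5 }
    Invoke-RestMethod @params
}

# Settings > Endpoints > Indicators > URLs/Domains > Add item, as an API call.
# 'Block' is the portal's "Block execution"; use 'Allowed' for an allow rule.
# rbacGroupNames scopes the indicator to named device groups; omit it for tenant-wide.
function Add-MdeUrlIndicator {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$Title,
        [ValidateSet('Block', 'Allowed', 'Warn', 'Audit')][string]$Action = 'Block',
        [string[]]$DeviceGroups
    )
    $indicator = @{
        indicatorValue = $Url
        indicatorType  = 'Url'             # 'DomainName' to cover a whole domain
        action         = $Action
        title          = $Title
        description    = "Created via API: $Title"
        severity       = 'Medium'
        expirationTime = (Get-Date).AddDays(30).ToUniversalTime().ToString('o')
        generateAlert  = $true
    }
    if ($DeviceGroups) { $indicator.rbacGroupNames = $DeviceGroups }
    Invoke-Mde -Method Post -Path 'indicators' -Body $indicator
}

# Device inventory with risk level (riskScore: None, Informational, Low, Medium, High).
function Get-MdeRiskyDevices {
    (Invoke-Mde -Path 'machines').value |
        Where-Object { $_.riskScore -in @('High', 'Medium') } |
        Select-Object id, computerDnsName, riskScore, exposureLevel, healthStatus, lastSeen, rbacGroupName
}

# Device inventory > device > Run antivirus scan, as an API call.
function Start-MdeAvScan {
    param(
        [Parameter(Mandatory)][string]$MachineId,
        [ValidateSet('Quick', 'Full')][string]$ScanType = 'Quick',
        [string]$Comment = 'Scan requested via API'
    )
    Invoke-Mde -Method Post -Path "machines/$MachineId/runAntiVirusScan" `
        -Body @{ Comment = $Comment; ScanType = $ScanType }
}

# Usage (assumed names): block a site for the Executives group only, then quick-scan
# every device the inventory currently rates High risk.
Add-MdeUrlIndicator -Url 'https://example.com/' -Title 'Example block' -DeviceGroups 'Executives'
foreach ($m in (Get-MdeRiskyDevices | Where-Object riskScore -eq 'High')) {
    Start-MdeAvScan -MachineId $m.id -Comment "High risk: $($m.computerDnsName)"
}
```

The token is short-lived, so the wrapper simply requests a fresh one per call; in a scheduled job you would cache it until expiry and use a certificate credential or managed identity instead of a client secret. Each Start-MdeAvScan call returns a machine action object whose status you can poll under machineactions, which is the API equivalent of watching the Action center in the portal.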