Tutorial / Cram Notes
Microsoft Defender for Endpoint, formerly Windows Defender Advanced Threat Protection (ATP), is Microsoft's enterprise platform for preventing, detecting, investigating and responding to advanced threats on endpoints. How much of that you actually get depends on configuration: a device that is onboarded but left with antivirus in passive mode, no attack surface reduction rules and automation switched off delivers far less than the licence promises. Configuring the platform is part of the MS-101 Microsoft 365 Mobility and Security exam, which tests the ability to manage and protect devices and data in an enterprise setting.
Configure Microsoft Defender Antivirus Settings
Microsoft Defender Antivirus is integrated into the Microsoft Defender for Endpoint solution. Here are the key steps to configure its settings:
- Open the Microsoft Endpoint Manager admin center (since renamed the Microsoft Intune admin center): browse to https://endpoint.microsoft.com, which now redirects to https://intune.microsoft.com, and sign in with an account that holds an Intune role such as Endpoint Security Manager or Intune Administrator.
- Create an antivirus policy: go to ‘Endpoint security’ > ‘Antivirus’ > ‘Create Policy’. Choose the Windows platform (‘Windows 10, Windows 11, and Windows Server’; older tenants show ‘Windows 10 and later’) and the ‘Microsoft Defender Antivirus’ profile.
- Configure the settings: work through real-time protection, cloud-delivered protection, exclusions and the remaining options. A reasonable baseline:

| Setting group | Example setting |
| --- | --- |
| Real-time protection | Turn on real-time protection and behavior monitoring; scan scripts and downloaded files and attachments |
| Cloud protection | Turn on cloud-delivered protection at the High block level and send safe samples automatically (block at first sight needs both) |
| Exclusions | Exclude only the specific processes, paths or extensions a vendor documents; broad folder exclusions are a well-known way for malware to stay unscanned |
| Tamper protection | Enable it. In Intune it lives in the separate ‘Windows Security experience’ profile, and it can also be switched on tenant-wide in the Microsoft 365 Defender portal under Settings > Endpoints > Advanced features |

- Deploy the policy: assign it to the groups that contain the devices you want to protect, then watch the policy's per-device report in Intune once the devices check in.
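The policy report in Intune tells you the policy was delivered, not that the engine is in the state you intended (a third-party antivirus, a stale platform update or a local override can all leave Defender in passive mode). The script below is an added example, not part of the original notes: it reads the effective state on one device with the Defender PowerShell module and compares it with the baseline in the table. Run it elevated, because recent builds hide exclusions from non-administrators; the three-day signature-age threshold is an assumption you can change.

```powershell
# Added example, not from the original notes: audit the effective Microsoft Defender Antivirus
# state on one endpoint against the baseline in the table above. Read-only; run elevated
# (recent builds hide exclusions from non-administrators).

function Test-DefenderAvBaseline {
    [CmdletBinding()]
    param(
        # Signatures older than this many days are reported as a finding (assumed threshold).
        [int]$MaxSignatureAgeDays = 3
    )

    $status = Get-MpComputerStatus   # live engine state
    $pref   = Get-MpPreference       # effective preferences (policy merged with local)
    $findings = [System.Collections.Generic.List[string]]::new()

    # Real-time protection: check both the engine state and the preference behind it.
    if (-not $status.RealTimeProtectionEnabled -or $pref.DisableRealtimeMonitoring) {
        $findings.Add('Real-time protection is off')
    }
    if (-not $status.BehaviorMonitorEnabled -or $pref.DisableBehaviorMonitoring) {
        $findings.Add('Behavior monitoring is off')
    }
    # 'Passive Mode' means another antivirus is primary and Defender only reports.
    if ($status.AMRunningMode -ne 'Normal') {
        $findings.Add("Running mode is '$($status.AMRunningMode)', not 'Normal'")
    }

    # Cloud protection. MAPSReporting: 0 = off, 1 = basic, 2 = advanced.
    # SubmitSamplesConsent: 0 = always prompt, 1 = send safe samples, 2 = never, 3 = send all.
    if ([int]$pref.MAPSReporting -eq 0) {
        $findings.Add('Cloud-delivered protection (MAPS) is disabled')
    }
    if ([int]$pref.SubmitSamplesConsent -in 0, 2) {
        $findings.Add('Automatic sample submission is off, so block at first sight cannot work')
    }

    # Tamper protection is reported by the engine; it is set from Intune or the Defender portal.
    if (-not $status.IsTamperProtected) {
        $findings.Add('Tamper protection is not enabled')
    }

    if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings.Add("Signatures are $($status.AntivirusSignatureAge) days old")
    }

    # Exclusions are scanning blind spots: list them separately so they can be reviewed
    # against what the vendor documentation actually requires.
    $exclusions = @(
        $pref.ExclusionPath      | ForEach-Object { "Path: $_" }
        $pref.ExclusionProcess   | ForEach-Object { "Process: $_" }
        $pref.ExclusionExtension | ForEach-Object { "Extension: $_" }
    )

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        RunningMode  = $status.AMRunningMode
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings.ToArray()
        Exclusions   = $exclusions
    }
}

Test-DefenderAvBaseline | Format-List
```

Exclusions are deliberately reported rather than counted as failures: a documented SQL Server data-file exclusion is expected, a `C:\` or `*.exe` exclusion is not, and only a human can tell the two apart. On a fleet, run the function through remoting and collect the objects, and treat any device whose `RunningMode` is not `Normal` as the first thing to fix, because every other antivirus setting is moot while another product owns real-time scanning.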
Configure Attack Surface Reduction Rules
Attack Surface Reduction (ASR) rules block specific high-risk behaviours of otherwise trusted applications (Office spawning child processes, scripts launching downloaded executables, processes reading LSASS memory) rather than scanning file content, so they stop tradecraft that signatures miss. To configure them:
- Access Intune: in the admin center go to ‘Endpoint security’ > ‘Attack surface reduction’.
- Create a new ASR rule policy: select ‘Create Policy’, choose the Windows platform (‘Windows 10, Windows 11, and Windows Server’ or, in older tenants, ‘Windows 10 and later’) and the ‘Attack surface reduction rules’ profile.
- Set ASR rules: each rule is configured on its own as Not configured, Audit, Block or (for some rules) Warn. Start every rule in Audit, review the resulting events for a week or two, then move it to Block; line-of-business macros and installers are the usual casualties. Example settings:

| ASR rule | Description | Configuration |
| --- | --- | --- |
| Block executable content from email client and webmail | Prevents users from running executable files delivered by email | Block |
| Block credential stealing from the Windows local security authority subsystem (lsass.exe) | Stops untrusted processes reading LSASS memory, the Mimikatz pattern | Block |
| Use advanced protection against ransomware | Uses cloud intelligence to block files that show ransomware behaviour | Block |
| Block execution of potentially obfuscated scripts | Catches scripts whose obfuscation is typical of droppers | Audit, then Block |

Rule hits are written to the Microsoft-Windows-Windows Defender/Operational log as event 1121 (block) and 1122 (audit), and the same data appears in the Microsoft 365 Defender portal under Reports > Attack surface reduction rules.
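Before pushing rules to production through Intune, it helps to stage them on a lab or pilot device and see what audit mode catches. The script below is an added example and not part of the original notes: it uses the Defender PowerShell cmdlets to put the rules in audit mode, reads back their effective state, and pulls the 1121/1122 events. The rule GUIDs are Microsoft's documented identifiers for the named rules; the 24-hour window and the rule selection are assumptions. On an Intune-managed device the MDM policy overrides anything set with `Add-MpPreference`, so treat this as a testing tool, not a deployment method.

```powershell
# Added example, not from the original notes: stage ASR rules in audit mode on a lab or
# unmanaged device, read back their effective state, and pull the audit events that show
# what would have been blocked. On an Intune-managed device the MDM policy overrides
# Set-MpPreference/Add-MpPreference, so use this for testing and baselining only. Run elevated.

# Rule GUIDs are Microsoft's documented identifiers for these rules.
$AsrRules = @{
    'Block executable content from email client and webmail'     = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
    'Block credential stealing from LSASS'                        = '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2'
    'Use advanced protection against ransomware'                  = 'C1DB55AB-C21A-4637-BB3F-A12568109D35'
    'Block all Office applications from creating child processes' = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Block execution of potentially obfuscated scripts'           = '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'
}

function Set-AsrRuleMode {
    # Mode: AuditMode (log only), Enabled (block), Warn (user may bypass), Disabled.
    param(
        [Parameter(Mandatory)][string[]]$RuleId,
        [ValidateSet('AuditMode', 'Enabled', 'Warn', 'Disabled')][string]$Mode = 'AuditMode'
    )
    # Add-MpPreference merges with rules already configured; Set-MpPreference replaces the list.
    $actions = @($Mode) * $RuleId.Count   # one action per rule ID, same order
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions $actions
}

function Get-AsrRuleState {
    # One row per known rule with its effective action. Stored values: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
    $pref  = Get-MpPreference
    $ids   = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToUpper() })
    $acts  = @($pref.AttackSurfaceReductionRules_Actions)
    $names = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    foreach ($rule in $AsrRules.GetEnumerator()) {
        $idx = [array]::IndexOf($ids, $rule.Value.ToUpper())
        [pscustomobject]@{
            Rule   = $rule.Key
            Id     = $rule.Value
            Action = if ($idx -ge 0) { $names[[int]$acts[$idx]] } else { 'Not configured' }
        }
    }
}

function Get-AsrRuleEvent {
    # Event 1121 = rule fired in block mode, 1122 = rule fired in audit mode.
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
            Message = $_.Message
        }
    }
}

Set-AsrRuleMode -RuleId ([string[]]$AsrRules.Values) -Mode AuditMode
Get-AsrRuleState | Format-Table -AutoSize
Get-AsrRuleEvent | Format-Table -AutoSize -Wrap
```

The event message names the rule ID, the process and the target, which is enough to decide whether a hit is an attack or a legitimate installer that needs a per-rule exclusion (`-AttackSurfaceReductionOnlyExclusions` locally, or the exclusions list in the Intune profile). Prefer a narrow exclusion for the one application over leaving a rule in audit mode for everyone.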
Configure Device Control and Removable Storage Access Control
This component ensures the secure usage of peripherals and removable storage:
- Navigate to Endpoint security: in the admin center select ‘Endpoint security’ > ‘Attack surface reduction’; Device control is one of the profile types offered there rather than a top-level node.
- Create a policy: click ‘Create Policy’, choose the Windows platform and the ‘Device control’ profile. The removable storage access control rules themselves are XML that can be delivered through the profile, through a custom OMA-URI profile, or through Group Policy.
- Define settings: the rules say which device groups may be read, written to or executed from. A common setup makes removable storage read-only, which lets staff open files brought in on a USB stick while stopping data from leaving on one or an executable from launching from it:

| Setting | Configuration |
| --- | --- |
| Read access | Allow |
| Write access | Block |
| Execute access | Block |
| Audit denied access | Send event and notify user |
Blanket blocks need exceptions: device groups match on descriptors such as vendor and product ID (VID_PID), serial number or instance path, so approved hardware-encrypted drives can be placed in an excluded group. Deploy with audit entries first and review the resulting events (advanced hunting: DeviceEvents where ActionType is RemovableStoragePolicyTriggered) before enforcing, and revisit the rules as devices and business needs change.
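The group and rule XML is where most device control mistakes happen: a rule that references a group ID which does not exist, an access mask that denies read while trying to allow execute, or a Deny entry with no matching audit entry so nobody learns what was blocked. The script below is an added example, not part of the original notes, that generates a consistent pair of files for the read-only-with-exceptions policy described above. It uses Microsoft's documented Removable Storage Access Control schema; the GUIDs are generated on the fly, and the vendor/product ID `0781_5581` and the output folder are placeholders.

```powershell
# Added example, not from the original notes: generate the group and rule XML for a
# "removable storage is read-only, except approved drives" Device Control policy.
# Uses the documented Removable Storage Access Control schema; the GUIDs are generated
# here, and the vendor/product ID and output folder are placeholders.

$OutDir = Join-Path $env:TEMP 'DeviceControl'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# AccessMask bits: 1 = read, 2 = write, 4 = execute. Denying write+execute (6) leaves read allowed.
$AccessBit = @{ Read = 1; Write = 2; Execute = 4 }
function Get-AccessMask {
    param([string[]]$Rights)
    $mask = 0
    foreach ($r in $Rights) { $mask = $mask -bor $AccessBit[$r] }
    return $mask
}

$anyRemovable = [guid]::NewGuid()   # every removable drive
$approved     = [guid]::NewGuid()   # approved drives, matched by vendor/product ID
$ruleId       = [guid]::NewGuid()
$denyMask     = Get-AccessMask -Rights Write, Execute

$groupsXml = @"
<Groups>
  <Group Id="{$anyRemovable}">
    <Name>Any removable storage</Name>
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList>
      <PrimaryId>RemovableMediaDevices</PrimaryId>
    </DescriptorIdList>
  </Group>
  <Group Id="{$approved}">
    <Name>Approved encrypted drives</Name>
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList>
      <VID_PID>0781_5581</VID_PID>
    </DescriptorIdList>
  </Group>
</Groups>
"@

$rulesXml = @"
<PolicyRules>
  <PolicyRule Id="{$ruleId}">
    <Name>Removable storage read-only except approved drives</Name>
    <IncludedIdList>
      <GroupId>{$anyRemovable}</GroupId>
    </IncludedIdList>
    <ExcludedIdList>
      <GroupId>{$approved}</GroupId>
    </ExcludedIdList>
    <Entry Id="{$([guid]::NewGuid())}">
      <Type>Deny</Type>
      <Options>0</Options>
      <AccessMask>$denyMask</AccessMask>
    </Entry>
    <Entry Id="{$([guid]::NewGuid())}">
      <Type>AuditDenied</Type>
      <Options>3</Options>
      <AccessMask>$denyMask</AccessMask>
    </Entry>
  </PolicyRule>
</PolicyRules>
"@

# Fail fast if either document is malformed, then write the two files Group Policy consumes.
[xml]$groupsXml | Out-Null
[xml]$rulesXml  | Out-Null
Set-Content -Path (Join-Path $OutDir 'Groups.xml')      -Value $groupsXml -Encoding UTF8
Set-Content -Path (Join-Path $OutDir 'PolicyRules.xml') -Value $rulesXml  -Encoding UTF8

# Deployment references. Group Policy points its "Define device control policy groups/rules"
# settings at the files; Intune takes each <Group> and <PolicyRule> element as a string value
# at the OMA-URI below, plus ./Vendor/MSFT/Defender/Configuration/DeviceControlEnabled = 1.
"Groups file:   $OutDir\Groups.xml"
"Rules file:    $OutDir\PolicyRules.xml"
"Group OMA-URI: ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7B$anyRemovable%7D/GroupData"
"Rule OMA-URI:  ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7B$ruleId%7D/RuleData"
```

AuditDenied with Options 3 both notifies the user and writes an event, so the help desk hears about blocked copies before users start routing around the control. The approved group is excluded from the rule rather than given an explicit Allow entry: a device that matches no rule falls back to the default behaviour, which keeps the policy short and avoids an Allow that silently overrides a later Deny.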
Configure Endpoint Detection and Response
To set up and tune Endpoint Detection and Response (EDR) capabilities:
- Open the Intune admin center: go to ‘Endpoint security’ > ‘Endpoint detection and response’. This requires the Intune connection to be enabled first in the Microsoft 365 Defender portal (Settings > Endpoints > Advanced features > Microsoft Intune connection).
- Set up the EDR policy: create a policy for the Windows platform with the ‘Endpoint detection and response’ profile, or edit an existing one. Its job is onboarding: it delivers the onboarding blob (automatically from the connector, or pasted from a downloaded onboarding package) and controls sample sharing and telemetry reporting frequency.
- Tune the EDR behaviour in the Microsoft 365 Defender portal: automated investigation, the remediation level and advanced features such as live response are portal settings, not Intune settings. Examples:

| Feature | Where | Example setting |
| --- | --- | --- |
| Onboarding | Intune EDR profile | Client configuration package type: Auto from connector; Sample sharing for all files: Yes |
| Automated investigation and remediation | Settings > Endpoints > Advanced features, then per device group under Settings > Endpoints > Device groups | Automated investigation on; remediation level ‘Full - remediate threats automatically’ |
| Alert notifications | Settings > Endpoints > Email notifications | Notify recipients for alerts of severity High |
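A device that shows up in Intune as having received the EDR profile is not necessarily reporting to the service: the sensor can be missing on an unsupported build, stopped, or unable to reach the cloud through a proxy. The script below is an added example, not part of the original notes, that checks the sensor locally. The SENSE service name, the Status registry key and the SENSE operational log are what Microsoft documents for onboarding troubleshooting; the 24-hour event window is an assumption.

```powershell
# Added example, not from the original notes: check on an endpoint that the Defender for
# Endpoint sensor (the SENSE service) is installed, running and onboarded, and report the
# antivirus running mode the EDR configuration depends on. The registry path is the one
# Microsoft documents for onboarding troubleshooting. Read-only; run elevated.

function Test-MdeOnboarding {
    [CmdletBinding()]
    param()

    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $sense  = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $status = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
    $av     = Get-MpComputerStatus -ErrorAction SilentlyContinue

    $findings = [System.Collections.Generic.List[string]]::new()
    if (-not $sense) {
        $findings.Add('SENSE service is missing: this OS build has no built-in sensor or the agent is not installed')
    } elseif ($sense.Status -ne 'Running') {
        $findings.Add("SENSE service is $($sense.Status)")
    }
    if (-not $status -or $status.OnboardingState -ne 1) {
        $findings.Add('OnboardingState is not 1: the onboarding package or EDR policy has not applied')
    }

    # Onboarded means the service runs and the state flag is set; the AV note below is informational.
    $onboarded = ($findings.Count -eq 0)
    if ($av -and $av.AMRunningMode -eq 'Passive Mode') {
        $findings.Add('Defender AV is in passive mode (another antivirus is primary); it remediates only if EDR in block mode is enabled')
    }

    # The sensor's own log usually explains a stuck onboarding (proxy, time skew, blocked URLs).
    $events = Get-WinEvent -FilterHashtable @{
                  LogName   = 'Microsoft-Windows-SENSE/Operational'
                  StartTime = (Get-Date).AddHours(-24)
              } -MaxEvents 5 -ErrorAction SilentlyContinue |
              Select-Object TimeCreated, Id, LevelDisplayName, Message

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        SenseStatus     = if ($sense) { [string]$sense.Status } else { 'Missing' }
        OnboardingState = if ($status) { $status.OnboardingState } else { $null }
        OrgId           = if ($status) { $status.OrgId } else { $null }
        SenseId         = if ($status) { $status.SenseId } else { $null }
        AvRunningMode   = if ($av) { $av.AMRunningMode } else { 'Unknown' }
        Onboarded       = $onboarded
        Findings        = $findings.ToArray()
        RecentEvents    = $events
    }
}

Test-MdeOnboarding | Format-List
```

`OrgId` should match the tenant you expect; a device that was onboarded against a test tenant and later moved keeps reporting to the old one until it is offboarded and re-onboarded. Once `Onboarded` is true, run Microsoft's documented detection test on the device and confirm the resulting alert appears in the portal, since that exercises the full path from sensor to cloud to analyst.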
Regular Review and Compliance
It is essential that the configured settings comply with your organization’s security policies and regulations. Audit and review the configuration on a regular schedule: revisit whether the setup is still effective and adjust it to match updated security requirements or operational changes.
Conclusion
In summary, configuring Microsoft Defender for Endpoint is a series of systematic steps that leave your organization’s endpoints protected against a broad range of threats. For the MS-101 exam, understanding these configurations in detail is needed to demonstrate competence in Microsoft 365 Mobility and Security management tasks.
Practice Test with Explanation
True or False: Microsoft Defender for Endpoint requires a separate license outside of Microsoft 365 E5.
- ( ) True
- ( ) False
Answer: False
Explanation: Microsoft Defender for Endpoint Plan 2 is included in the Microsoft 365 E5 license (and in Microsoft 365 E5 Security) along with the other security features. It can also be bought as a standalone license, but an E5 tenant does not need a separate purchase.
Microsoft Defender for Endpoint can be accessed from which of the following portals?
- ( ) Microsoft 365 admin center
- ( ) Microsoft Azure portal
- ( ) Microsoft Endpoint Manager admin center
- ( ) Microsoft 365 Defender portal
- ( ) All of the above
Answer: E) All of the above
Explanation: Each portal plays a role. Day-to-day management (alerts, incidents, hunting, Settings > Endpoints) is in the Microsoft 365 Defender portal at security.microsoft.com; device configuration policies (antivirus, ASR, EDR onboarding) come from the Endpoint Manager (Intune) admin center; the Azure portal hosts the Conditional Access policies and the Defender for Cloud integration that consume its device risk signal; the Microsoft 365 admin center handles licensing and links through to the Defender portal.
To enable automated investigation and remediation in Microsoft Defender for Endpoint, which configuration must be set?
- ( ) Real-time protection
- ( ) Tamper protection
- ( ) Advanced features
- ( ) Automated investigation
Answer: D) Automated investigation
Explanation: Automated investigation is a toggle under Settings > Endpoints > Advanced features in the Microsoft 365 Defender portal, and how far it may go (for example ‘Full - remediate threats automatically’) is set per device group. Real-time protection and tamper protection are antivirus settings and do not control it.
True or False: Enabling tamper protection in Microsoft Defender for Endpoint prevents all users from changing security settings.
- ( ) True
- ( ) False
Answer: False
Explanation: Tamper protection blocks changes to core Defender Antivirus settings made from the device itself, including by local administrators using the Windows Security app, PowerShell (Set-MpPreference) or the registry. Changes still go through the management channel: IT administrators with the appropriate roles can change the settings from Intune, Configuration Manager tenant attach or the Defender portal.
Which of the following is a component of Microsoft Defender for Endpoint?
- ( ) Endpoint Detection and Response (EDR)
- ( ) Vulnerability Management
- ( ) Attack Surface Reduction (ASR) rules
- ( ) All of the above
Answer: D) All of the above
Explanation: Microsoft Defender for Endpoint includes EDR, Vulnerability Management, ASR rules, among other functionalities.
What is the primary purpose of configuring Attack Surface Reduction rules in Microsoft Defender for Endpoint?
- ( ) To reduce the number of endpoints in the network
- ( ) To provide real-time antivirus protection
- ( ) To decrease the areas of your systems attackers can target
- ( ) To manage software updates on endpoints
Answer: C) To decrease the areas of your systems attackers can target
Explanation: ASR rules are designed to minimize security risks by limiting the areas of your systems vulnerable to attack.
True or False: You can manage Microsoft Defender for Endpoint from the Windows Security app.
- ( ) True
- ( ) False
Answer: True
Explanation: The Windows Security app is the local interface: it shows protection status and history, runs scans, and lets local users adjust antivirus options. On a managed device most of those controls are greyed out as ‘Managed by your organization’, and with tamper protection enabled the rest are locked, so it is a place to check state rather than to change it.
To perform a machine action such as isolating a device using Microsoft Defender for Endpoint, which user role permission is required?
- ( ) Global Reader
- ( ) Security Operator
- ( ) Reports Reader
- ( ) All of the above
Answer: B) Security Operator
Explanation: The Security Operator role (or a custom Defender for Endpoint role that includes active remediation actions) has the permissions to perform response actions such as isolating a device. Global Reader and Reports Reader are read-only roles.
The threat and vulnerability management capability in Microsoft Defender for Endpoint is designed to:
- ( ) Respond to threats after a breach has occurred
- ( ) Proactively identify and remediate vulnerabilities
- ( ) Monitor network traffic only
- ( ) Enforce device compliance policies
Answer: B) Proactively identify and remediate vulnerabilities
Explanation: The Threat and Vulnerability Management feature helps organizations to proactively discover, prioritize, and remediate vulnerabilities and misconfigurations.
True or False: You need to be assigned the Security Administrator role to configure Microsoft Defender Antivirus exclusions in Microsoft Defender for Endpoint.
- ( ) True
- ( ) False
Answer: True
Explanation: The Security Administrator role (or Global Administrator, or a custom Defender for Endpoint role that can manage security settings) allows a user to configure security features, including Microsoft Defender Antivirus exclusions. When exclusions are pushed from Intune instead, an Intune role such as Endpoint Security Manager is what is needed.
The ‘Block at First Sight’ feature in Microsoft Defender for Endpoint should be configured to:
- ( ) Improve the speed of cloud-delivered protection
- ( ) Block users from accessing the internet
- ( ) Provide an additional layer of web filtering
- ( ) Enable firewall rules
Answer: A) Improve the speed of cloud-delivered protection
Explanation: ‘Block at First Sight’ blocks new, never-before-seen files within seconds by asking the cloud for a verdict before they are allowed to run. It requires real-time protection, cloud-delivered protection and automatic sample submission to be on; the cloud check timeout (10 seconds by default) can be extended so the verdict arrives before the file is released.
Microsoft Defender for Endpoint supports which platforms?
- ( ) Windows
- ( ) macOS
- ( ) Linux
- ( ) Android
- ( ) iOS
- ( ) All of the above
Answer: F) All of the above
Explanation: Microsoft Defender for Endpoint has expanded its support to cover a wide range of platforms, including Windows, macOS, Linux, Android, and iOS.
Interview Questions
What is the first step in configuring Microsoft Defender for Endpoint?
The first step is to complete the tenant setup in the Microsoft 365 Defender portal (licensing, data storage location, retention and role assignments), onboard devices so the sensor starts reporting, and then turn on the capabilities the service provides.
What are the various capabilities that Microsoft Defender for Endpoint provides?
The capabilities include Endpoint detection and response (EDR), Automated investigation and remediation, Device control and application control, Network protection, and Attack surface reduction.
How do you enable or disable the capabilities of Microsoft Defender for Endpoint?
In the Microsoft 365 Defender portal (security.microsoft.com, which replaced the Microsoft Defender Security Center), go to Settings > Endpoints > Advanced features; each capability has an on/off toggle there.
What is Conditional Access, and how can you configure it for Microsoft Defender for Endpoint?
Conditional Access controls access to your organization’s resources based on conditions such as device compliance or risk level. To use Defender for Endpoint’s risk signal, first enable the Microsoft Intune connection under Settings > Endpoints > Advanced features in the Defender portal, then create an Intune compliance policy that requires the device to be at or under a chosen machine risk score, and finally create a Conditional Access policy in the Azure portal (Azure AD, now Microsoft Entra) that requires a compliant device for the target applications.
What is Microsoft Cloud App Security, and how can you configure it for Microsoft Defender for Endpoint?
Microsoft Cloud App Security, now Microsoft Defender for Cloud Apps, provides visibility and control over the cloud applications your organization uses. To feed Defender for Endpoint’s network data into it, go to the Microsoft 365 Defender portal, Settings > Endpoints > Advanced features, and turn on the ‘Microsoft Defender for Cloud Apps’ setting; apps marked unsanctioned there can then be blocked on endpoints through network protection.
What is the purpose of Endpoint detection and response (EDR)?
EDR provides advanced threat detection and response capabilities for endpoints, allowing you to detect and respond to advanced attacks.
How does Automated investigation and remediation work in Microsoft Defender for Endpoint?
When an alert fires, an automated investigation examines the device, the related files and processes, and other devices carrying the same artifacts, and reaches a verdict (malicious, suspicious, or no threats found). Depending on the device group’s remediation level, it then quarantines files or stops processes on its own or queues the proposed action in the Action center for an analyst to approve, which cuts the time from alert to containment.
What is Device control and application control in Microsoft Defender for Endpoint?
Device control and application control allow you to control access to devices and applications within your organization, ensuring that only authorized users and devices have access.
What is Network protection in Microsoft Defender for Endpoint?
Network protection extends SmartScreen-style reputation checks to every process rather than just the browser: it blocks outbound connections to domains and IP addresses with low reputation or known phishing, exploit and command-and-control hosts, and it is the enforcement point for unsanctioned-app blocking from Defender for Cloud Apps and for web content filtering.
How does Attack surface reduction work in Microsoft Defender for Endpoint?
Attack surface reduction rules block specific risky behaviours of trusted applications rather than scanning content: Office applications spawning child processes or injecting into other processes, scripts launching downloaded executables, email clients running executable attachments, and processes reading credentials from LSASS. Each rule can run in audit mode first so its impact is visible before it starts blocking.
Can you configure different policies for different devices in Microsoft Defender for Endpoint?
Yes. In Intune, policies are assigned to device groups, so different groups can receive different antivirus, ASR or device control settings; in the Defender portal, device groups and tags (matched on name, domain, tag or OS) carry their own automation level and role assignments.
How can you monitor and manage alerts in Microsoft Defender for Endpoint?
In the Microsoft 365 Defender portal: the Incidents and Alerts queues let you triage, assign and classify alerts; the alert and device pages show the process tree and timeline for investigation; and the device page offers response actions such as isolating the device, collecting an investigation package or running an antivirus scan.
What is the benefit of using Microsoft Cloud App Security with Microsoft Defender for Endpoint?
Microsoft Cloud App Security provides additional visibility and control over your organization’s cloud applications, allowing you to detect and respond to potential threats in these applications.
How can you ensure that only authorized devices have access to your organization’s resources in Microsoft Defender for Endpoint?
You can use Conditional Access to require devices to be compliant with Microsoft Defender for Endpoint before granting access to a resource.
What is the benefit of using Automated investigation and remediation in Microsoft Defender for Endpoint?
Automated investigation and remediation can help reduce the time it takes to detect and respond to potential threats, allowing you to quickly identify and remediate potential security incidents.
Can anyone explain how to enable the Microsoft Defender for Endpoint feature in Microsoft 365 security center?
I’m having trouble configuring endpoint detection and response (EDR) sensors. Any tips?
Appreciate the comprehensive blog post!
Enabling threat and vulnerability management is always greyed out for me. What could be the problem?
The automation investigation and response settings are very tricky. Any guidance here?
Thanks for the detailed guide!
I followed the steps, but the device onboarding status isn’t updating. What’s wrong?
Could someone list the types of alerts Microsoft Defender for Endpoint can generate?