Microsoft-Defender-for-Endpoint on Ru Campbell MVP

[Updated Feb 2024] Ultimate Comparison of Defender for Endpoint Features by OS

Fri, 16 Feb 2024 17:13:38 +0000

Finally, it’s time for a refresh. It’s been a while! Due to personal circumstances, I haven’t been able to keep the Ultimate Comparison of MDE by OS updated. I’ve had time to dive into the changes since v5 and it’s really been amazing to see MDE grow in scope.

What is MDE and why do we need an ‘ultimate comparison’?

Microsoft Defender for Endpoint (MDE) is a massive stack of endpoint protection and endpoint detection and response (EDR) capabilities. It integrates with the broader Microsoft Defender XDR and is available for almost any OS you’ll find in an enterprise. This cross-platform nature of MDE makes it difficult to understand and track what features and capabilities are available on each OS. It’s not always intuitive, and you may be in for some surprises. Hence by I began the Ultimate Comparison of Defender for Endpoint Features by OS up to date to keep you aware of what you’re getting and what you need to go start implementing if you haven’t already.

Entra Self Service Password Reset - Common Microsoft 365 Security Mistakes Series

Sat, 03 Feb 2024 11:32:34 +0000

It’s a trope in IT circles: users forget their passwords. The greater your scale, the more time this can occupy with tickets, service desk calls, and so on. If you use Microsoft Entra ID (previously Azure Active Directory), self service password reset (SSPR) is a capability that can help reduce this overhead. SSPR offers a user-driven admin-less approach, where users verify they are authorised to reset forgotten passwords then can do so.

Microsoft Defender Vulnerability Management - Common Microsoft 365 Security Mistakes Series

Sat, 03 Feb 2024 10:57:52 +0000

Microsoft Defender Vulnerability Management (MDVM) is an often overlooked service that can be licensed standalone or is included in other Microsoft Defender licenses. In my experience, I’ve never seen it licensed standalone, but customers with Defender for Endpoint (MDE) P2, Defender for Servers (MDS) P1, and Defender for Business (MDB) benefit from it’s core capabilities. In addition to the core capabilities, add-on capabilities are available in the standalone license, Defender for Servers P2, or as an upgrade to the P1 licenses.

Microsoft Improves and Simplifies Defender for Endpoint Management Capabilities

Mon, 10 Jul 2023 20:47:03 +0000

In one of the biggest changes to Microsoft Defender for Endpoint (MDE) in its product history, you no longer need a separate management engine to configure endpoint settings.

In this blog, we’ll look at what that change is, why it was necessary, initial impressions, and what you might want to do next.

Historic management architecture needed simplifying

MDE (and it’s Windows client, Microsoft Defender Antivirus (MDAV)) always stood out from the crowd of endpoint protection platforms as being, well, a bit weird in terms of management architecture. With most platforms, you get a central admin console which pushes out endpoint settings. Think scan schedules, quarantine rules, exclusions, CPU throttling, etc. MDE/MDAV, on the other hand, instead relied on an external management tool such as Intune (MDM), Configuration Manager, or Group Policy.

Updated March 2022: Ultimate Comparison of Defender for Endpoint Features by Operating System

Tue, 29 Mar 2022 07:27:18 +0000

It’s been about 5 months since I last updated my comparison of Defender for Endpoint features by OS. This is a “matrix” of the tons of features, services, and important components that make up Microsoft Defender for Endpoint.

Three months later, it’s overdue an update. So here it is :) I’ve also decided to rename it to The Ultimate Comparison of MDE Features by OS… because renaming’s what we do, right?

Updated October 2021: Availability of Defender for Endpoint Features by Operating System

Tue, 19 Oct 2021 20:36:54 +0000

In July, I released v1 of The Big Comparison of Defender for Endpoint Features by Operating System (or, what I think is much catchier, TBCMDEFOS). This was a “matrix” of the tons of features, services, and important components that make up Microsoft Defender for Endpoint.

Three months later, it’s overdue an update. So here it is :)

The headline news is that, in preview anyway, there’s a bunch of additions to Windows Server 2012 R2 and 2016 thanks to a new agent-based deployment (“unified solution”) that replaces the need for the Microsoft Monitoring Agent and System Centre Endpoint Protection. You now get almost feature parity with Windows Server 2019’s security features: ASR rules, next-generation protection, block at first sight, etc. For a guide on how to get up and running with it, check out my writeup on Petri.

Tons of Microsoft Defender for Endpoint Improvements for Server 2012 R2 & 2016

Fri, 08 Oct 2021 11:36:48 +0000

New protection capabilities for Microsoft Defender for Endpoint (MDE) customers have landed in public preview, Oct 7 ‘21, for Windows Server 2012 R2 and Windows Server 2016. With the public preview released today, Windows Server 2012 R2 and 2016 gain ’ functional equivalence’ to 2019, thanks to the use of a new agent that is being described as the ‘unified solution’.

Historically, a significant gap

Previously, as I’ve detailed here and here, there was a large feature gap between Windows Server 2019 and these “down-level” OSs. The onboarding process was also different. To get devices into MDE, you had to deploy the Microsoft Monitoring Agent (MMA). This was required as the EDR sensor wasn’t built-in, unlike with Server 2019. While Server 2016 shipped with Microsoft Defender Antivirus (MDAV) installed already, to get any kind of scanning and endpoint protection capability in Server 2012 R2, you had to install System Centre Endpoint Protection.

The Big Comparison of Defender for Endpoint Features by Operating System

Sun, 11 Jul 2021 09:59:10 +0000

Microsoft Defender for Endpoint (MDE) is a massive platform. It’s not a single product, and it’s more than just a service. It’s a platform of tons of security features, portals, services, and controls. The more you dig in, the more elements of general Microsoft security have been included in the MDE “branding”. It’s not only endpoint detection and response (EDR), but also Windows 10 security settings. It’s not just the security software on the device, it’s also ongoing threat and vulnerability management.

Microsoft Defender Antivirus – Schedule & Install Updates via Network Shares

Sat, 13 Mar 2021 21:28:12 +0000

Although not common, there are scenarios out where you will have LAN-only devices onboarded in Microsoft Defender for Endpoint (MDE), or at least using Microsoft Defender Antivirus (MDAV). With no line of sight to the internet, you can use options such as WSUS, but in this blog, I’ll explore using a network share, as WSUS isn’t always an option.

Create a directory on your file server with subdirectories for the different CPU architectures you’ll be supporting.

2. On the server, we’ll be installing a script provided by Microsoft. In PowerShell with elevated rights:

Microsoft Defender Network Protection - Not Enabling via Intune - Troubleshooting & Fix

Sun, 07 Mar 2021 13:27:29 +0000

When configuring Defender for Endpoint (MDE) customer recently, I ran into a problem when trying to enable network protection. Network protection is a feature of MDE and Microsoft Defender Antivirus (MDAV) that takes the filtering capabilities of SmartScreen and applies them to all network traffic. It is a prerequisite for things such as MDE’s web content filtering and URL/domain indicators of compromise.

This blog details the specific problem I had enabling it with Intune (Microsoft Endpoint Manager), and general troubleshooting steps to follow that will help for that problem and hopefully others you may experience.

Microsoft Defender for Endpoint - Offline Onboarding for Windows 10 via a Proxy

Thu, 18 Feb 2021 07:30:40 +0000

Getting your devices into Defender for Endpoint is referred to as onboarding and can be done in lots of different ways, depending on the scenario. The tools you use for Windows Server 2008 R2, for example, are different from the tools you use for Windows Server 2019, which are different from the tools you use for Windows 10, and so on.

The common denominator behind most onboarding methods is internet connectivity. Your device connects directly to the cloud service and provides all that telemetry goodness via a direct line of sight.

Block LSASS.exe using Attack Surface Reduction

Sat, 13 Feb 2021 21:10:23 +0000

Use Intune to Manage Microsoft Defender for Endpoint Tags and Device Groups

Thu, 11 Feb 2021 21:24:59 +0000

In Microsoft Defender for Endpoint (MDE), tags can be attached to a device for reporting, filtering, and as a dynamic attribute for membership of a device group. Device groups (previously machine groups), are used to assign devices different rules and administrative ownership. A device can only belong to one group and controls settings such as auto-remediation level and which Role-Based Access Control (RBAC) roles have administrative permissions over it.

While you can assign tags, and therefore determine group membership, manually from the Security Center, this doesn’t exactly scale well.

Microsoft Defender for Endpoint Web Content Filtering - Migrate Rules from Existing Security Software

Sat, 04 Jul 2020 14:15:32 +0000

In my last blog, I wrote about web content filtering in MDATP and how it now allows you to block website categories on the client across all apps. Category blockers are great because, with one easy checkbox, you ban hundreds of thousands of dangerous on inappropriate websites. Nothing is perfect, though, and anyone who’s ever worked a helpdesk or SOC will attest that false positives and false negatives are common.

The engine for MDATP web content filtering is Cyren, and you can check if a website is caught by its category rules using their online category check tool. This takes a bit of time, as each check is subject to a Google reCAPTCHA test. If you’re migrating anything of scale to MDATP, you don’t have the time to do this, and also do not want to risk important websites later being swept up by category rules even if they are fine for now. When you allowed or blocked websites on your existing solution, it’s assumed you’ve done the due diligence, and you want to take the remediation you’ve applied against those (potential) false positives and false negatives with you.

Microsoft Defender for Endpoint Web Content Filtering - Administration, Limitations, and User Experience

Sun, 28 Jun 2020 16:37:29 +0000

Historically, one of the big features missing “out of the box” with MDATP was web content filtering. Customers typically look at MDATP as an option when their existing endpoint security is due for license renewal, and compare their existing solution against it. They would be moving from one of the big security vendors such as Sophos, Norton, and McAfee, which all supported web content filtering. Higher lever stakeholders often listed the ability to block websites as essential, and as Microsoft did not maintain such a categorisation database, if you wanted it with Defender ATP, you’d be looking at other solutions too. This took away from Defender ATP’s “single pane of glass” selling point.