How to activate and configure Microsoft Defender for Endpoint from scratch
01/01/2024
This technical and educational article aims to provide a practical and detailed guide on how to enable and configure Microsoft Defender for Endpoint (MDE) from scratch. MDE is a unified endpoint security platform for preventative protection, post-breach detection, automated investigation and response. It is an essential tool for security analysts, IT administrators, and systems engineers looking to strengthen the security posture of their Microsoft environments.
Introduction
The cyber threat landscape is constantly evolving, with attacks becoming more sophisticated and targeted. Protecting endpoints — computers, servers, mobile devices — is a top priority for any organization. Microsoft Defender for Endpoint (MDE) offers a robust solution that goes beyond traditional antivirus by providing advanced Endpoint Detection and Response (EDR), Vulnerability and Threat Management, Attack Surface Reduction, Next Generation Protection, and Automated Investigation and Remediation capabilities [1].
This guide will cover the fundamental steps for implementing MDE, from initial prerequisites to essential resource configuration, validation, and best practices. Our focus is 100% practical, with step-by-step instructions, command examples and descriptions so that the reader can replicate the process in their own environment and validate the results.
Why Microsoft Defender for Endpoint?
MDE natively integrates with other Microsoft security solutions such as Microsoft 365 Defender (now Microsoft Defender XDR), Azure Active Directory (now Microsoft Entra ID), Microsoft Intune, and Microsoft Sentinel, creating a cohesive security fabric. Its main benefits include:
- Comprehensive Protection: Detect and block malware, ransomware and fileless attacks.
- In-Depth Visibility: Continuous monitoring of endpoint activity to identify suspicious behavior.
- Rapid Response: Automated investigation and remediation tools to quickly contain threats.
- Posture Management: Assessment of vulnerabilities and recommendations to improve security hygiene.
Prerequisites
Before starting to configure Microsoft Defender for Endpoint, ensure that the following prerequisites are met:
- Licensing: A valid Microsoft Defender for Endpoint license. It is included in Microsoft 365 E5/A5, Microsoft 365 E3 with the Microsoft 365 E5 Security add-on, and Windows E5, and is also sold standalone [2]. Note that MDE Plan 1 covers next-generation protection and attack surface reduction only; the EDR, automated investigation and remediation, and vulnerability management capabilities described in this guide require Plan 2 (or Defender for Business for small organizations).
- Administrative Access: An account with the Security Administrator role in Microsoft Entra ID is sufficient to configure MDE in the Microsoft 365 Defender portal (security.microsoft.com); Global Administrator also works but should not be used for day-to-day configuration (least privilege). Onboarding and policy assignment through Intune additionally require an Intune role such as Intune Administrator.
- Network Connectivity: Endpoints must reach the MDE cloud service URLs over HTTPS (TCP 443), either directly or through a proxy that does not perform TLS interception on those URLs. Allow the required URLs on firewalls and proxies [3]; Microsoft publishes them as a downloadable list and provides the MDE Client Analyzer tool (MDEClientAnalyzer.cmd) to test connectivity from a device before and after onboarding.
- Supported Operating Systems: MDE supports a wide range of operating systems, including:
- Windows 10/11 Enterprise, Pro, Education
- Windows Server 2012 R2 and 2016 (onboarded with the modern unified agent, installed as an MSI package), 2019 and 2022 (sensor built in); Windows Server 2008 R2 SP1 only through the legacy Log Analytics (MMA) agent, which Microsoft has announced for retirement
- macOS (the three most recent major releases)
- Linux (major server distributions: Red Hat/CentOS, Ubuntu, SUSE, Debian, Oracle Linux, Amazon Linux, among others)
- Android and iOS (via Microsoft Intune)
- Microsoft Intune (Optional, but Recommended): For centralized management and large-scale device onboarding, integration with Microsoft Intune is highly recommended.
Step by Step: Activation and Initial Configuration
1. Enable Microsoft Defender for Endpoint
The first step is to activate the service in your tenant. This is usually done automatically when purchasing the license, but it is crucial to check and ensure the service is provisioned.
- Go to the Microsoft 365 Defender portal:
https://security.microsoft.com.
- In the left navigation pane, go to Settings (the gear icon) > Endpoints.
- Check the service status. If it is not active, follow the instructions to start the provisioning process. You may need to accept the terms of service.
2. General Settings and Advanced Features
After activation, it is important to review and configure the advanced features that enhance MDE's detection and response capabilities.
- In the Microsoft 365 Defender portal, under Settings > Endpoints, select Advanced Features.
- Enable the following features (if not already enabled) to maximize protection:
- Allow sample analysis: Allows MDE to upload suspicious files to Microsoft for cloud analysis. Choose the submission level that matches your data-handling policy; without sample submission, cloud-delivered protection and automated investigation lose part of their evidence.
- EDR in block mode: Allows MDE to remediate malicious artifacts found by post-breach EDR detections even when Microsoft Defender Antivirus is in passive mode because a third-party antivirus is the primary engine. Recommended whenever a non-Microsoft AV is present.
- Tamper protection: Prevents local administrators and malware from disabling real-time protection, cloud-delivered protection, or the Defender services. Enable it early; disabling the AV is one of the first things an intruder with local admin tries.
- Preview features: Activates access to features that are still in preview. Recommended for test environments only.
- Microsoft Intune connection: Required for Intune-based onboarding and for managing security policies from Intune (see Option B below).
- Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security) integration: Extends visibility and control to cloud applications using network signals from the endpoints.
- Azure Information Protection integration: Shares sensitivity labels with MDE so that sensitive data on endpoints can be identified and protected.
- File content analysis for automated investigation: Lets automated investigation upload and analyze file content, improving its ability to reach a verdict without an analyst.
3. Device Onboarding
The onboarding process connects devices to the MDE service, allowing them to send security data and receive policies. There are several ways to do onboarding, depending on the size and infrastructure of your organization.
Option A: Manual Onboarding with the Local Script (for a few devices)
- In the Microsoft 365 Defender portal, go to Settings > Endpoints > Device Management > Onboarding.
- Select the operating system of the device you want to integrate (ex: Windows 10 and 11).
- Choose the deployment method. For manual onboarding, select Local Script.
- Download the onboarding package (a .zip file containing a batch script, WindowsDefenderATPLocalScript.cmd). The local script is intended for at most 10 devices; it embeds your tenant's onboarding configuration, so control where it is stored.
- Copy the script to the target device and run it from an elevated prompt. The script asks for confirmation (Y) before writing the onboarding configuration and starting the Sense service.
# Example of executing the onboarding script
# Run from an elevated Command Prompt or PowerShell with the .cmd file in the current directory
.\WindowsDefenderATPLocalScript.cmd
Option B: Onboarding via Microsoft Intune (for large scale)
This is the recommended method for corporate environments, because it automates onboarding for every enrolled device and lets you manage security policies from the same place.
- Check MDE-Intune Connection: In the Microsoft 365 Defender portal, under Settings > Endpoints > Advanced Features, ensure that Microsoft Intune connection is enabled.
- Open the Microsoft Intune admin center (formerly Microsoft Endpoint Manager admin center): https://intune.microsoft.com (the older address https://endpoint.microsoft.com redirects there).
- In the left navigation pane, go to Endpoint security > Microsoft Defender for Endpoint.
- Check the Connection status. It should appear as 'Enabled'. If not, follow the link on that page to the Defender portal, enable the connection there, then return and refresh.
- Create the onboarding policy: In Intune, go to Endpoint security > Endpoint detection and response and click Create policy.
- Select Windows 10, Windows 11, and Windows Server for Platform and Endpoint detection and response for Profile.
- Give the policy a name and description.
- On the settings page, leave Microsoft Defender for Endpoint client configuration package type set to Auto from connector. Because the connector is enabled, Intune fetches the onboarding package from your tenant and you never handle the package yourself.
- Assign the policy to the desired device groups. Onboarding completes at the next policy sync; devices then appear in the Defender portal's device inventory.
4. Configuring Security Policies (Example: Attack Surface Reduction)
After onboarding, it is crucial to configure policies to protect endpoints. We will use the Attack Surface Reduction (ASR) rules as an example. ASR rules are enforced by Microsoft Defender Antivirus on the device, so they only take effect when Defender Antivirus is the active engine (not in passive mode).
- ASR rules are deployed with Intune (Endpoint security > Attack surface reduction > Create policy, profile Attack Surface Reduction Rules; the Defender portal's Endpoints > Configuration management > Endpoint security policies page creates the same Intune-backed policies), with Group Policy, or with the Defender PowerShell cmdlets (Add-MpPreference / Set-MpPreference).
- The Microsoft 365 Defender portal reports on the rules' results under Reports > Attack surface reduction rules.
- You can configure specific rules to block malicious behavior. For example, enable the rule Block credential stealing from the Windows local security authority subsystem (lsass.exe) to protect credentials against LSASS memory dumping.
- Set each rule to Audit (events are logged but nothing is blocked, so you can measure impact), Warn (the user is warned but can bypass), or Block (protection is enforced immediately). Roll out in Audit first and review the events before switching to Block.
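The same ASR rollout done from PowerShell, as an added example that is not part of the original article. It assumes an elevated PowerShell session on a device where Microsoft Defender Antivirus is the active engine; the rule GUID is Microsoft's published identifier for the LSASS rule, and the agent path in the commented-out exclusion is a hypothetical placeholder.

```powershell
# Added example, not code from the original article: roll out the LSASS credential-theft
# ASR rule in audit mode, list the resulting configuration, and pull the audit events
# to review before switching to block.
# Assumptions: run elevated; Microsoft Defender Antivirus is active (ASR rules are not
# enforced in passive mode); the Defender PowerShell module ships with Windows.

# GUID of "Block credential stealing from the Windows local security authority subsystem (lsass.exe)"
$LsassRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'

# Action codes accepted by the cmdlets: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
$Audit = 2
$Block = 1

# Phase 1: add the rule in audit mode. Add-MpPreference appends to the existing rule list;
# Set-MpPreference would replace every ASR rule already configured on the device.
Add-MpPreference -AttackSurfaceReductionRules_Ids $LsassRuleId `
                 -AttackSurfaceReductionRules_Actions $Audit

# Hypothetical exclusion for a backup or monitoring agent that legitimately reads LSASS
# memory. Use a path taken from your own audit findings, or leave the line out entirely.
# Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\ExampleAgent\agent.exe'

function Get-AsrRuleState {
    # Pair each configured rule ID with its action code so the output is readable.
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $code = $pref.AttackSurfaceReductionRules_Actions[$i]
        $mode = switch ($code) { 0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { "Unknown($code)" } }
        [pscustomobject]@{ RuleId = $pref.AttackSurfaceReductionRules_Ids[$i]; Mode = $mode }
    }
}

function Get-AsrAuditHits {
    # ASR writes to Microsoft-Windows-Windows Defender/Operational:
    # event 1121 = rule blocked an action, 1122 = rule would have blocked it (audit mode).
    param([string]$RuleId = $LsassRuleId, [int]$MaxEvents = 100)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1121, 1122
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $RuleId } |
        Select-Object TimeCreated, Id, Message
}

Get-AsrRuleState | Format-Table -AutoSize
Get-AsrAuditHits | Format-List

# Phase 2: once the audit window shows no legitimate hits, switch the same rule to Block.
# Add-MpPreference -AttackSurfaceReductionRules_Ids $LsassRuleId -AttackSurfaceReductionRules_Actions $Block
```

On a fleet this is the logic an Intune or Group Policy rollout automates, but running it on a pilot device first shows exactly which processes the rule would have blocked: each 1122 event names the offending process and the target, which is the evidence you need before the Block phase.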
Validation and Testing
Validating the configuration is a critical step to ensure MDE is working correctly and protecting your endpoints.
1. Check Sensor Status on Endpoint
On the onboarded device, you can check the MDE sensor service status.
- Open Command Prompt or PowerShell as administrator.
- Run the following command to check the status of the Sense service (the MDE sensor):
sc query Sense
- Expected Result: STATE must be 4 RUNNING. A second check is the registry value OnboardingState under HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status, which is 1 on an onboarded device.
2. Check Onboarding Status on the Portal
- In the Microsoft 365 Defender portal, go to Assets > Devices.
- Search for the name of the device you onboarded. It should appear in the list with a status of 'Active' and a risk and exposure level.
- Click the device to view details, including alerts, timeline, and compliance status.
3. Test Detection (EICAR Test File)
To test detection without causing real harm, you can use the EICAR test file. Be precise about what this validates: EICAR is detected by Microsoft Defender Antivirus (next-generation protection), so a successful test proves the AV engine is active and that its detections reach the portal as alerts; it does not exercise the behavioral EDR sensor. For an EDR-specific check, the onboarding page in the portal (Settings > Endpoints > Onboarding) provides a Run a detection test PowerShell command that simulates a suspicious download-and-execute and raises an EDR alert within a few minutes.
- On an onboarded device, open a browser and navigate to https://www.eicar.org/download/eicar.com.txt.
- Try downloading the file or saving its contents to disk.
- Defender Antivirus should block or quarantine the file and the detection should appear in the portal. Check the Microsoft 365 Defender portal under Incidents & alerts > Alerts; the alert is typically informational or low severity and named after the detected threat, Virus:DOS/EICAR_Test_File.
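A post-onboarding check script that combines the sensor status check from step 1 with the EICAR test from step 3, added here as an example; it is not code from the original article or from Microsoft. It assumes an elevated PowerShell session on an onboarded Windows device with Microsoft Defender Antivirus active; the temp file path is a choice made for the example, and the registry values read are the ones the Sense sensor writes under HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status.

```powershell
# Added example, not from the original article: verify the sensor, the AV mode, and
# that an AV detection actually fires on this device.
# Assumptions: run elevated on an onboarded Windows device; Defender Antivirus active.

function Test-MdeOnboarding {
    # Sense is the MDE sensor service; OnboardingState is written by the onboarding script/policy.
    $svc = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $status = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SenseInstalled  = [bool]$svc
        SenseRunning    = [bool]($svc -and $svc.Status -eq 'Running')
        OnboardingState = $status.OnboardingState   # 1 = onboarded; 0 or missing = not onboarded
        OrgId           = $status.OrgId             # tenant the sensor reports to (if present)
    }
}

function Get-DefenderMode {
    # Passive mode means a third-party AV owns real-time protection; EICAR will then be
    # caught by that product instead, and ASR rules will not apply.
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        AMRunningMode             = $s.AMRunningMode          # 'Normal' = active, 'Passive Mode', 'EDR Block Mode'
        RealTimeProtectionEnabled = $s.RealTimeProtectionEnabled
        IsTamperProtected         = $s.IsTamperProtected
        AntivirusSignatureAge     = $s.AntivirusSignatureAge  # days since last security intelligence update
    }
}

function Invoke-EicarTest {
    # Writes the EICAR test string to disk and asks the AV engine what it did about it.
    param([string]$Path = "$env:TEMP\mde-eicar-test.com")   # path chosen for this example
    # The string is assembled from two halves so this script file is not itself flagged.
    $part1 = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-'
    $part2 = 'ANTIVIRUS-TEST-FILE!$H+H*'
    $before = (Get-Date).AddMinutes(-1)
    try {
        [IO.File]::WriteAllText($Path, $part1 + $part2)
    } catch {
        # Real-time protection may refuse the write outright; that is also a pass.
    }
    Start-Sleep -Seconds 10   # give real-time protection time to scan and remediate
    $detection = Get-MpThreatDetection -ErrorAction SilentlyContinue |
        Where-Object { $_.InitialDetectionTime -ge $before -and ($_.Resources -match 'eicar') }
    [pscustomobject]@{
        FileStillPresent = Test-Path $Path                 # expected: False
        DetectedByAV     = [bool]$detection                # expected: True
        ThreatId         = $detection.ThreatID
        ActionSuccess    = $detection.ActionSuccess
    }
}

Test-MdeOnboarding | Format-List
Get-DefenderMode   | Format-List
Invoke-EicarTest   | Format-List
```

A passing device shows SenseRunning and OnboardingState 1, AMRunningMode Normal, and DetectedByAV True with the file gone. If DetectedByAV is False while FileStillPresent is also False, check the third-party AV first: in passive mode Defender Antivirus records nothing because another engine removed the file.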
Security Tips and Best Practices
- Keep MDE Updated: Ensure that the Defender platform, engine, and security intelligence (definitions) updates, as well as the sensor itself on servers using the unified agent, are always up to date. Microsoft continually releases updates to improve protection; Get-MpComputerStatus on a device shows the current versions and the age of the signatures.
- Integrate with Other Solutions: Leverage MDE integration with Microsoft Intune, Microsoft Sentinel, Microsoft Entra ID Protection (formerly Azure AD Identity Protection), and Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security) for a unified view and layered protection.
- Actively Monitor: Regularly review alerts and incidents in the Microsoft 365 Defender portal. Configure email notifications for critical alerts.
- Use Audit Mode for ASR: When implementing new Attack Surface Reduction rules, start in audit mode to understand the impact and avoid outages before applying blocking mode.
- Segment the Network: Implement network segmentation to limit lateral propagation of attacks, even if an endpoint is compromised.
- Train Users: User awareness is a crucial line of defense. Educate employees on cybersecurity best practices.
Common Troubleshooting
- Device does not appear in the portal: Check network connectivity to the MDE service URLs (the MDE Client Analyzer reports which URLs are blocked), the status of the Sense service on the endpoint and whether the onboarding script ran correctly. In environments with Intune, check the status of the Intune-MDE connection and the onboarding policy's device status report. New devices can take up to an hour to appear after the sensor first reports.
- Missing alerts: Make sure advanced detection features are enabled. Check for antivirus exclusions that may be preventing detection, and confirm Defender Antivirus is not in passive mode without EDR in block mode enabled.
- Performance issues: MDE is optimized for low performance impact, but in rare cases conflicts with other security software may occur. Review Microsoft's compatibility guidelines and never run two real-time antivirus engines in active mode on the same device.
- Onboarding script failure: Check the endpoint's event logs for error messages, in particular Applications and Services Logs > Microsoft > Windows > SENSE > Operational. Make sure the script was run with administrator privileges.
Conclusion
Microsoft Defender for Endpoint is a powerful and essential tool for modern defense against cyber threats. By following this guide, you will be able to enable, configure, and validate MDE in your environment, establishing a solid foundation for the security of your endpoints. Remember that security is an ongoing process that requires constant monitoring, adjustments, and updates. Effectively implementing MDE is a significant step toward protecting your organization against the ever-evolving threat landscape.
References:
[1] Microsoft Learn. Microsoft Defender for Endpoint. Available at: https://learn.microsoft.com/pt-br/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide
[2] Microsoft Learn. Minimum requirements for Microsoft Defender for Endpoint. Available at: https://learn.microsoft.com/pt-br/microsoft-365/security/defender-endpoint/minimum-requirements?view=o365-worldwide
[3] Microsoft Learn. Configure the network environment for Microsoft Defender for Endpoint. Available at: https://learn.microsoft.com/pt-br/microsoft-365/security/defender-endpoint/configure-network?view=o365-worldwide