Microsoft Defender for Endpoint Resources and Fast Steps to Configure

ht 好物分享

Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. Defender for Endpoint provides advanced threat protection that includes antivirus, antimalware, ransomware mitigation, and more, together with centralized management and reporting. Two plans are available:

Intune will be one of key apps to configure the policies:

Related Posts:

Microsoft Defender for Endpoint

Threat & Vulnerability Management
Threat & Vulnerability Management
Attack surface reduction
Attack surface reduction
Next-generation protection
Next-generation protection
Endpoint detection and response
Endpoint detection and response
Automated investigation and remediation
Automated investigation and remediation
Microsoft Threat Experts
Microsoft Threat Experts
Centralized configuration and administration, APIs
Microsoft 365 Defender

Activate Microsoft Defender using Group Policy

Turn on Microsoft Defender Antivirus from group policy

Complete the following steps to turn on Microsoft Defender Antivirus on your device.

  1. Select the Start menu.
  2. In the search bar, type group policy. Then select Edit group policy from the listed results. The Local Group Policy Editor will open.
  3. Select Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus.
  4. Scroll to the middle of the list in the left column and select Turn off Microsoft Defender Antivirus.
  5. Select Disabled or Not configured. It might feel counter-intuitive to select these options because the names suggest that you're turning Microsoft Defender Antivirus off. Don't worry, these options actually ensure that it's turned on.
  6. Select Apply > OK.


Turn on real-time and cloud-delivered protection

Complete the following steps to turn on real-time and cloud-delivered protection. Together, these antivirus features protect you against spyware and can deliver fixes for malware issues via the cloud.

  1. Select the Start menu.
  2. In the search bar, type Windows Security. Select the matching result.
  3. Select Virus & threat protection.
  4. Under Virus & threat protection settings, select Manage settings.
  5. Flip each switch under Real-time protection and Cloud-delivered protection to turn them on.

If you don't see these options on your screen, they may be hidden. Complete the following steps to make them visible.

  1. Select the Start menu.
  2. In the search bar, type group policy. Then select Edit group policy from the listed results. The Local Group Policy Editor will open.
  3. Select Computer Configuration > Administrative Templates > Windows Components > Windows Security > Virus and threat protection.
  4. Select Hide the Virus and threat protection area.
  5. Select Disabled > Apply > OK.


Onboarding - Device Management

Security.microsoft.com - > Settings -> Endpoints -> Device Management - > Onboarding


1. Onboard a device

First device onboarded: Completed 

Onboard devices to Microsoft Defender for Endpoint using the onboarding configuration package that matches your preferred deployment method. For other device preparation instructions, read Onboard and set up.

  • Group Policy

You can configure your devices using Group Policy.
For more information on how to configure and monitor Microsoft Defender for Endpoint devices see Configure devices using Group Policy section in the Microsoft Defender for Endpoint guide.

  • Local Script (for up to 10 devices)

You can configure a single device by running a script locally.
Note: This script has been optimized for usage with a limited number of devices (1-10). To deploy at scale, please see other deployment options above.
For more information on how to configure and monitor Microsoft Defender for Endpoint devices, see Configure devices using a local script
section in the Microsoft Defender for Endpoint guide.

2. Run a detection test

First device detection test: Completed 

To verify that the device is properly onboarded and reporting to the service,run the detection script on the newly onboarded device:

  1. Open a Command Prompt window
  2. At the prompt, copy and run the command below. The Command Prompt window will close automatically.
powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C://test-WDATP-test//invoice.exe');Start-Process 'C://test-WDATP-test//invoice.exe'

Or you can try to download Eicar file from your windows Defender activated  machines, you will get alerts on those incidents.


Onboarding tool options

The following table lists the available tools based on the endpoint that you need to onboard.

Endpoint Tool options
Windows Local script (up to 10 devices)
Group Policy
Microsoft Endpoint Manager/ Mobile Device Manager
Microsoft Endpoint Configuration Manager
VDI scripts
Integration with Microsoft Defender for Cloud
macOS Local scripts
Microsoft Endpoint Manager
JAMF Pro
Mobile Device Management
Linux Server Local script
Puppet
Ansible
iOS Microsoft Endpoint Manager
Android Microsoft Endpoint Manager

PowerShell Command for Troubleshooting


PS C:/Users/test1> get-MPcomputerstatus
AMEngineVersion                  : 1.1.18900.3
AMProductVersion                 : 4.18.2201.10
AMRunningMode                    : Normal
AMServiceEnabled                 : True
AMServiceVersion                 : 4.18.2201.10
AntispywareEnabled               : True
AntispywareSignatureAge          : 0
AntispywareSignatureLastUpdated  : 03/04/2022 8:59:39 AM
AntispywareSignatureVersion      : 1.359.1366.0
AntivirusEnabled                 : True
AntivirusSignatureAge            : 0
AntivirusSignatureLastUpdated    : 03/04/2022 8:59:38 AM
AntivirusSignatureVersion        : 1.359.1366.0
BehaviorMonitorEnabled           : True
ComputerID                       : 580F14A1-4405-EEA6-2C71-96B3EA0C42C6
ComputerState                    : 0
DeviceControlDefaultEnforcement  : N/A
DeviceControlPoliciesLastUpdated : 03/04/2022 2:04:19 PM
DeviceControlState               : N/A
FullScanAge                      : 0
FullScanEndTime                  : 03/04/2022 1:48:27 PM
FullScanStartTime                : 03/04/2022 1:10:43 PM
IoavProtectionEnabled            : True
IsTamperProtected                : False
IsVirtualMachine                 : False
LastFullScanSource               : 2
LastQuickScanSource              : 2
NISEnabled                       : True
NISEngineVersion                 : 1.1.18900.3
NISSignatureAge                  : 0
NISSignatureLastUpdated          : 03/04/2022 8:59:38 AM
NISSignatureVersion              : 1.359.1366.0
OnAccessProtectionEnabled        : True
QuickScanAge                     : 481
QuickScanEndTime                 : 11/07/2020 9:36:57 PM
QuickScanStartTime               : 11/07/2020 9:35:40 PM
RealTimeProtectionEnabled        : True
RealTimeScanDirection            : 0
TamperProtectionSource           : Service Init
TDTMode                          : cm
TDTStatus                        : Disabled
TDTTelemetry                     : Disabled
PSComputerName                   :

PS C:/Users/test1> get-mppreference
AllowDatagramProcessingOnWinServer            : False
AllowNetworkProtectionDownLevel               : False
AllowNetworkProtectionOnWinServer             : False
AllowSwitchToAsyncInspection                  : False
AttackSurfaceReductionOnlyExclusions          : {N/A: Must be and administrator to view exclusions}
AttackSurfaceReductionRules_Actions           :
AttackSurfaceReductionRules_Ids               :
CheckForSignaturesBeforeRunningScan           : True
CloudBlockLevel                               : 0
CloudExtendedTimeout                          : 50
ComputerID                                    : 580F14A1-4405-EEA6-2C71-96B3EA0C42C6
ControlledFolderAccessAllowedApplications     : {N/A: Must be and administrator to view exclusions}
ControlledFolderAccessProtectedFolders        :
DefinitionUpdatesChannel                      : 0
DisableArchiveScanning                        : False
DisableAutoExclusions                         : False
DisableBehaviorMonitoring                     : False
DisableBlockAtFirstSeen                       : False
DisableCatchupFullScan                        : True
DisableCatchupQuickScan                       : True
DisableCpuThrottleOnIdleScans                 : True
DisableDatagramProcessing                     : False
DisableDnsOverTcpParsing                      : False
DisableDnsParsing                             : False
DisableEmailScanning                          : True
DisableFtpParsing                             : False
DisableGradualRelease                         : False
DisableHttpParsing                            : False
DisableInboundConnectionFiltering             : False
DisableIOAVProtection                         : False
DisableNetworkProtectionPerfTelemetry         : False
DisablePrivacyMode                            : False
DisableRdpParsing                             : False
DisableRealtimeMonitoring                     : False
DisableRemovableDriveScanning                 : False
DisableRestorePoint                           : True
DisableScanningMappedNetworkDrivesForFullScan : True
DisableScanningNetworkFiles                   : False
DisableScriptScanning                         : False
DisableSshParsing                             : False
DisableTlsParsing                             : False
EnableControlledFolderAccess                  : 0
EnableDnsSinkhole                             : True
EnableFileHashComputation                     : False
EnableFullScanOnBatteryPower                  : False
EnableLowCpuPriority                          : False
EnableNetworkProtection                       : 0
EngineUpdatesChannel                          : 0
ExclusionExtension                            : {N/A: Must be and administrator to view exclusions}
ExclusionIpAddress                            : {N/A: Must be and administrator to view exclusions}
ExclusionPath                                 : {N/A: Must be and administrator to view exclusions}
ExclusionProcess                              : {N/A: Must be and administrator to view exclusions}
ForceUseProxyOnly                             : False
HighThreatDefaultAction                       : 0
LowThreatDefaultAction                        : 0
MAPSReporting                                 : 1
MeteredConnectionUpdates                      : False
ModerateThreatDefaultAction                   : 0
PlatformUpdatesChannel                        : 0
ProxyBypass                                   :
ProxyPacUrl                                   :
ProxyServer                                   :
PUAProtection                                 : 0
QuarantinePurgeItemsAfterDelay                : 90
RandomizeScheduleTaskTimes                    : True
RealTimeScanDirection                         : 0
RemediationScheduleDay                        : 0
RemediationScheduleTime                       : 12:30:00
ReportingAdditionalActionTimeOut              : 10080
ReportingCriticalFailureTimeOut               : 10080
ReportingNonCriticalTimeOut                   : 1440
ScanAvgCPULoadFactor                          : 50
ScanOnlyIfIdleEnabled                         : True
ScanParameters                                : 2
ScanPurgeItemsAfterDelay                      : 15
ScanScheduleDay                               : 0
ScanScheduleOffset                            : 750
ScanScheduleQuickScanTime                     : 00:00:00
ScanScheduleTime                              : 12:30:00
SchedulerRandomizationTime                    : 4
ServiceHealthReportInterval                   : 60
SevereThreatDefaultAction                     : 0
SharedSignaturesPath                          :
SignatureAuGracePeriod                        : 0
SignatureBlobFileSharesSources                :
SignatureBlobUpdateInterval                   : 60
SignatureDefinitionUpdateFileSharesSources    :
SignatureDisableUpdateOnStartupWithoutEngine  : False
SignatureFallbackOrder                        : MicrosoftUpdateServer
SignatureFirstAuGracePeriod                   : 120
SignatureScheduleDay                          : 0
SignatureScheduleTime                         : 00:15:00
SignatureUpdateCatchupInterval                : 1
SignatureUpdateInterval                       : 1
SubmitSamplesConsent                          : 1
ThreatIDDefaultAction_Actions                 :
ThreatIDDefaultAction_Ids                     :
ThrottleForScheduledScanOnly                  : True
TrustLabelProtectionStatus                    : 0
UILockdown                                    : False
UnknownThreatDefaultAction                    : 0
PSComputerName                                :


Update-MpSignature -UpdateSource InternalDefinitionUpdateServer 


PS C:/Program Files/Windows Defender> ./MpCmdRun.exe -SignatureUpdate Signature update started . . . Signature update finished. PS C:/Program Files/Windows Defender> 


PS C:/Program Files/Windows Defender> ./MpCmdRun.exe -removeDefinitions You need administrator privilege to execute this command.


PS C:/windows/System32> Get-MpPreference

AllowDatagramProcessingOnWinServer            : False
AllowNetworkProtectionDownLevel               : False
AllowNetworkProtectionOnWinServer             : False
AllowSwitchToAsyncInspection                  : False
AttackSurfaceReductionOnlyExclusions          : {N/A: Must be and administrator to view exclusions}
AttackSurfaceReductionRules_Actions           :
AttackSurfaceReductionRules_Ids               :
CheckForSignaturesBeforeRunningScan           : True
CloudBlockLevel                               : 0
CloudExtendedTimeout                          : 50
ComputerID                                    : 580F14A1-4405-EEA6-2C71-96B3EA0C42C6
ControlledFolderAccessAllowedApplications     : {N/A: Must be and administrator to view exclusions}
ControlledFolderAccessProtectedFolders        :
DefinitionUpdatesChannel                      : 0
DisableArchiveScanning                        : False
DisableAutoExclusions                         : False
DisableBehaviorMonitoring                     : False
DisableBlockAtFirstSeen                       : False
DisableCatchupFullScan                        : True
DisableCatchupQuickScan                       : True
DisableCpuThrottleOnIdleScans                 : True
DisableDatagramProcessing                     : False
DisableDnsOverTcpParsing                      : False
DisableDnsParsing                             : False
DisableEmailScanning                          : True
DisableFtpParsing                             : False
DisableGradualRelease                         : False
DisableHttpParsing                            : False
DisableInboundConnectionFiltering             : False
DisableIOAVProtection                         : False
DisableNetworkProtectionPerfTelemetry         : False
DisablePrivacyMode                            : False
DisableRdpParsing                             : False
DisableRealtimeMonitoring                     : False
DisableRemovableDriveScanning                 : False
DisableRestorePoint                           : True
DisableScanningMappedNetworkDrivesForFullScan : True
DisableScanningNetworkFiles                   : False
DisableScriptScanning                         : False
DisableSshParsing                             : False
DisableTlsParsing                             : False
EnableControlledFolderAccess                  : 0
EnableDnsSinkhole                             : True
EnableFileHashComputation                     : False
EnableFullScanOnBatteryPower                  : False
EnableLowCpuPriority                          : False
EnableNetworkProtection                       : 0
EngineUpdatesChannel                          : 0
ExclusionExtension                            : {N/A: Must be and administrator to view exclusions}
ExclusionIpAddress                            : {N/A: Must be and administrator to view exclusions}
ExclusionPath                                 : {N/A: Must be and administrator to view exclusions}
ExclusionProcess                              : {N/A: Must be and administrator to view exclusions}
ForceUseProxyOnly                             : False
HighThreatDefaultAction                       : 0
LowThreatDefaultAction                        : 0
MAPSReporting                                 : 1
MeteredConnectionUpdates                      : False
ModerateThreatDefaultAction                   : 0
PlatformUpdatesChannel                        : 0
ProxyBypass                                   :
ProxyPacUrl                                   :
ProxyServer                                   : 14.10.3.41:8080
PUAProtection                                 : 0
QuarantinePurgeItemsAfterDelay                : 90
RandomizeScheduleTaskTimes                    : True
RealTimeScanDirection                         : 0
RemediationScheduleDay                        : 0
RemediationScheduleTime                       : 12:30:00
ReportingAdditionalActionTimeOut              : 10080
ReportingCriticalFailureTimeOut               : 10080
ReportingNonCriticalTimeOut                   : 1440
ScanAvgCPULoadFactor                          : 50
ScanOnlyIfIdleEnabled                         : True
ScanParameters                                : 2
ScanPurgeItemsAfterDelay                      : 15
ScanScheduleDay                               : 0
ScanScheduleOffset                            : 750
ScanScheduleQuickScanTime                     : 00:00:00
ScanScheduleTime                              : 12:30:00
SchedulerRandomizationTime                    : 4
ServiceHealthReportInterval                   : 60
SevereThreatDefaultAction                     : 0
SharedSignaturesPath                          :
SignatureAuGracePeriod                        : 0
SignatureBlobFileSharesSources                :
SignatureBlobUpdateInterval                   : 60
SignatureDefinitionUpdateFileSharesSources    :
SignatureDisableUpdateOnStartupWithoutEngine  : False
SignatureFallbackOrder                        : MicrosoftUpdateServer
SignatureFirstAuGracePeriod                   : 120
SignatureScheduleDay                          : 0
SignatureScheduleTime                         : 00:15:00
SignatureUpdateCatchupInterval                : 1
SignatureUpdateInterval                       : 1
SubmitSamplesConsent                          : 1
ThreatIDDefaultAction_Actions                 :
ThreatIDDefaultAction_Ids                     :
ThrottleForScheduledScanOnly                  : True
TrustLabelProtectionStatus                    : 0
UILockdown                                    : False
UnknownThreatDefaultAction                    : 0
PSComputerName                                :

Compare Defender plans

Defender for Endpoints P1 vs P2

The following table describes what's included in each plan at a high level.

Defender for Endpoint Plan 1 Defender for Endpoint Plan 2
Next-generation protection
(includes antimalware and antivirus)

Attack surface reduction

Manual response actions

Centralized management

Security reports

APIs

 Defender for Endpoint Plan 1, plus:

Device discovery

Threat and vulnerability management

Threat Analytics

Automated investigation and response

Advanced hunting

Endpoint detection and response

Microsoft Threat Experts
Support for Windows 10, iOS, Android OS, and macOS devices Support for Windows (client and server) and non-Windows platforms
(macOS, iOS, Android, and Linux)
To try Defender for Endpoint Plan 1, visit https://aka.ms/mdep1trial. To try Defender for Endpoint Plan 2, visit https://aka.ms/MDEp2OpenTrial.

Defender for Endpoint Plan 1 diagram

Defender for Servers P1 vs P2

https://www.linkedin.com/pulse/microsoft-defender-servers-has-two-plans-now-saeed-nouri/

Microsoft Defender for Server Plan 2 only from Azure Monetary Commitment, Microsoft 365 E5 has Microsoft Defender for Endpoint Plan 2, subscription for users a their devices. Defender for servers is not included in Micrsoft 365 E5. 

Define Defender Policies in Endpoint Manager (Intune)

Go to Microsoft Endpoint Manager Admin Center - Endpoint Security - Manage

Manage
  • Antivirus

  • Disk encryption

  • Firewall

  • Endpoint detection and response

  • Attack surface reduction

  • Account protection

  • Device compliance

  • Conditional access

    • Create Notification Rules

    Go to Microsoft 365 Defender - Settings - Endpoints

    Click Email notifications - Alerts - Add items

    Create a notification rule for high severity alert

    Also you can create a notification rule for critical/high vulnerability event:

    Reports


    Take response actions


    On a device

    On a file

    Training

    Security Operations Fundamentals

    Module 1. Technical overview

    Module 2. Getting started

    Module 3. Investigation – Incident

    Module 4. Threat Analytics

    Module 5. Advanced hunting

    Module 6. Self-healing

    Module 7. Community (blogs, webinars, GitHub)

    Module 8. Partner

     

    > Ready for the Fundamentals Knowledge Check

     

    Security Operations Intermediate

    Module 1.  Architecture

    Module 2. Investigation

    Module 3. Advanced hunting

    Module 4. Automated investigation and remediation

    Module 6. Self-healing

    Module 5. Build your own lab

    Module 7. Reporting

    Module 8. Microsoft Threat Experts

     

    > Ready for the Intermediate Knowledge Check

     

    Security Operations Expert

    Module 1. Incidents

    Module 2. Advanced hunting

    Module 3. APIs, custom reports, SIEM & other integrations

     

    > Ready for the Expert Knowledge Check

    Microsoft Learn learning paths

    Use these Microsoft Learn learning paths and their modules to build an understanding of Microsoft 365 Defender and Microsoft Defender for Endpoint, one module and unit at a time.

    Deployment Steps

    1. Onboarding Devices

    Check the onboarding sections for how to onboarding devices.  It has all devices types and you will be able to generate scripts for each type of machine. 

    1.1 (Option) Azure Arc - Onboarding On-Prem Machines

    By default, Defender for Servers is enabled as a subscription-wide setting, covering all Azure VMs, Azure Arc-enabled Servers and VMSS nodes at the same time. However, there are scenarios in which it makes sense to downgrade individual machines from Defender for Servers Plan 2 to Plan 1, or only enable Defender for Servers Plan 1 on a subset of machines in a subscription.

    This folder contains a PowerShell script that allows you to select machines based on Azure resource tags, or a resource group to configure them individually rather than using the same plan setting for all machines in a subscription.

    Create a specific Resource Group for Arc machines.
    Run PS script to enable MDE on certain RG (Defender for Servers activation on resource level)
    1.2 Workstations / servers
    1.3 Linux
    1.4 Mac

    2. Security Configuration Change

    2.1 Security (Defender) Portal

    2.2 Intune configuration change
    Intune - Endpoint Security - Setup - Microsoft Defender for Endpoints

    2.3 Security Group Changes (Dynamic Group)
    Four Entra ID Dynamic Device Security Groups
    - Windows Workstations
    Dynamic query as follows: (device.managementType -in ["microsoftSense", "MDM"]) and (device.deviceOSType -eq "Windows")
    - Windows Servers
    Dynamic query as follows: (device.managementType -eq "microsoftSense") and (device.deviceOSType -eq "Windows Server")
    - MacOS
    Dynamic query as follows: (device.managementType -in ["microsoftSense", "MDM"]) and (device.deviceOSType -contains "mac")
    - Linux Servers
    Dynamic query as follows: (device.managementType -eq "microsoftSense") and (device.deviceOSType -eq "Linux")
    One confirmed machines are onboared into resource group and security group has right members, you will need to run powershell script to get machines in that specific resource group activated for MDE. 
    It might take 5 hours to finish activation. 

    3. Security Policy Creation

    Intune - Endpoint Security -  Manage - AntiVirus

    Configuration Setttings:

    Intune - Endpoint Security -  Manage - Attack surface reduction

    For workstations:

    4. Remove existing Antivirus / Enable MDE

    For workstations, once installed / activated MDE, MDE will be in passive mode. But if you removed existing third party antivirus, such as Sentinel One, MDE will become active automatically. 
    For servers, it will be both on Active. You will have to immediately to remove other antivirus software. 
    Here is a solution for that, using a registry key to control if MDE is in block mode or active mode.
    4.1 Registry key - put MDE on passive mode in servers

    • Path: HKLM/SOFTWARE/Policies/Microsoft/Windows Advanced Threat Protection
    • Name: ForceDefenderPassiveMode
    • Type: REG_DWORD
    • Value: 1


    Or PowerShell Script:

    $RegistryPath = 'HKLM/SOFTWARE/Policies/Microsoft/Windows Advanced Threat Protection'
    $Name         = 'ForceDefenderPassiveMode'
    $Value        = '1'
    New-ItemProperty -Path $RegistryPath -Name $Name -Value $Value -PropertyType REG_DWORD -Force

     

    $RegistryPath = 'HKLM/SOFTWARE/Policies/Microsoft/Windows Advanced Threat Protection'
    $Name         = 'ForceDefenderPassiveMode'
    $Value        = '0'
    New-ItemProperty -Path $RegistryPath -Name $Name -Value $Value -PropertyType REG_DWORD -Force

     

    https://blog.51sec.org

    版权声明:
    作者:ht
    链接:https://www.techfm.club/p/186741.html
    来源:TechFM
    文章版权归作者所有,未经允许请勿转载。

    THE END
    分享
    二维码
    < <上一篇
    下一篇>>