Microsoft Defender for Endpoint (MDE) Best Practices

  • Enable Tamper Protection
    • Why? An early step in many APT intrusions is a "dropper" that disables antivirus or other security settings via the registry, PowerShell, Group Policy, etc. Tamper Protection makes those local changes ineffective.
    • Tamper Protection is a Microsoft Defender Antivirus feature that does not require Windows 10 E5, but if you have E5 you can use Intune to prevent users (including a local admin, or malware running as one) from disabling it. Managing it through Intune moves the ability to turn antivirus off into a separate management plane, so a registry edit, PowerShell cmdlet or script on the device is no longer enough; otherwise an attacker has several ways to disable AV. Managing it as an MDE advanced feature requires Windows 10 version 1903 or later.
    • This can be enabled in two ways:
      • 1) Globally, in the Defender for Endpoint portal under Settings > Endpoints > Advanced features. From the same portal you can also put a device into Troubleshooting mode (see the Troubleshooting mode docs) when you need to temporarily override Tamper Protection on that device, for a limited time, without turning it off tenant-wide.
        OR
      • 2) Inside Endpoint Manager (aka Intune, at https://endpoint.microsoft.com). This used to be the only way to control Tamper Protection per device or group. Now that option #1 includes Troubleshooting mode, the only reason to use option 2 is if you have devices on which you never want Tamper Protection enabled (why would you do that anyway?!).
        • a) Using Endpoint Security > Antivirus > Windows Security Experience > TamperProtection (Device)
          OR
        • b) Using Intune Device Profiles:
          • Create a profile that includes the following settings:
          • Platform: Windows 10 and later
          • ProfileType: Endpoint protection
          • Settings > Windows Defender Security Center > Tamper Protection
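The following PowerShell is an added example, not code from the original post. It verifies that Tamper Protection is actually enforced on a device and then simulates the dropper step described above (asking Defender to turn real-time protection off with `Set-MpPreference`) to confirm the change is refused. Run it as a local administrator on a lab machine; if Tamper Protection is not enforced the change will go through, and the script restores the previous state. The cmdlets and event ID 5013 are Microsoft's; the function names are mine.

```powershell
# Added example (not from the original post): check Tamper Protection and prove
# that a dropper-style "disable real-time protection" attempt is ignored.
# Lab use only, as a local administrator.

function Get-TamperProtectionState {
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        IsTamperProtected      = $s.IsTamperProtected
        TamperProtectionSource = $s.TamperProtectionSource   # e.g. Intune, ATP (MDE portal), UI
        RealTimeProtection     = $s.RealTimeProtectionEnabled
        AMRunningMode          = $s.AMRunningMode             # Normal / Passive Mode / EDR Block Mode
    }
}

function Test-TamperProtectionBlocksDisable {
    # Returns $true when the disable attempt was blocked, $false when it succeeded.
    $before = (Get-MpComputerStatus).RealTimeProtectionEnabled
    if (-not $before) {
        Write-Warning 'Real-time protection is already off; nothing to test.'
        return $null
    }

    # What a dropper typically does. Under Tamper Protection the cmdlet returns
    # without error but the setting does not change.
    Set-MpPreference -DisableRealtimeMonitoring $true -ErrorAction SilentlyContinue
    Start-Sleep -Seconds 2
    $after = (Get-MpComputerStatus).RealTimeProtectionEnabled

    if (-not $after) {
        Write-Warning 'Real-time protection WAS disabled: Tamper Protection is not enforced here. Restoring.'
        Set-MpPreference -DisableRealtimeMonitoring $false
    }
    return $after
}

function Get-TamperProtectionBlockEvents {
    param([int]$Hours = 24)
    # Event 5013 in the Defender operational log records a change that Tamper Protection blocked.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5013
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
}

Get-TamperProtectionState | Format-List
if (Test-TamperProtectionBlocksDisable) { 'Disable attempt blocked as expected.' }
Get-TamperProtectionBlockEvents | Format-Table -AutoSize
```

If `TamperProtectionSource` reads `Intune` or `ATP`, the setting is managed centrally and a local admin cannot simply toggle it off in the Windows Security app, which is the point of the Intune/MDE options above.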
  • Enable Attack Surface Reduction (ASR) Rules
    • ASR rules are a feature of Windows 10 E3 and Windows 10 E5. The E5 version adds unique rules that are not available in the E3 version.
    • ASR rules can be enabled without MDE, but the benefit of using MDE is the centralized reporting, otherwise the audits would be decentralized in the local event viewer.
    • ASR Rules are branded as part of “Microsoft Defender Exploit Guard” which is a series of Windows 10 security features including Controlled Folder Access, Exploit Protection, and Network Protection.
    • Some of the ASR rules require cloud-delivered protection to be enabled. Read the ASR documentation page to identify important caveats before enabling ASR.
    • The ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criterion" examines .exe, .dll and .scr files and blocks them unless Microsoft's cloud reputation service knows them as prevalent, old enough, or on a trusted list it maintains. This rule therefore requires cloud-delivered protection.
    • In general, enable every rule in Audit mode for 30 days first so you can assess the impact, review the audit events, exclude the files/paths that turn out to be incompatible, and only then switch the rule to Block.
    • ASR rules can be configured using: Microsoft Endpoint Manager (MEM), PowerShell, Group Policy, Microsoft System Center Configuration Manager (SCCM), and MEM OMA-URI.
    • The Microsoft Blog series “Demystifying ASR rules” is a great read.
    • In Endpoint Manager/Intune, you can enable them in either of two ways
      • Option 1) Endpoint Security > Attack surface reduction. Choose an existing ASR rule or create a new one.
      • Option 2) Device configuration – Profiles > Profile name > Endpoint Protection > Microsoft Defender Exploit Guard > Attack Surface Reduction.
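The script below is an added example, not part of the original post, showing the audit-then-block rollout from the bullets above done with the Defender PowerShell module on a single machine (for a fleet you would push the same rule GUIDs and actions through Intune, GPO or SCCM). The rule GUIDs are Microsoft's published identifiers; the function names and the sample exclusion path are mine.

```powershell
# Added example (not from the original post): stage ASR rules - all in Audit mode,
# review the audit events, add exclusions for incompatible files, then move
# individual rules to Block. Run as a local administrator.

$AsrRules = @{
    'Block executable content from email client and webmail'              = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
    'Block all Office applications from creating child processes'          = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Block Office applications from creating executable content'           = '3B576869-A4EC-4529-8536-B80A7769E899'
    'Block Office applications from injecting code into other processes'   = '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84'
    'Block JavaScript or VBScript from launching downloaded executables'    = 'D3E037E1-3EB8-44C8-A917-57927947596D'
    'Block execution of potentially obfuscated scripts'                     = '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'
    'Block Win32 API calls from Office macros'                              = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
    'Block executables unless they meet prevalence/age/trusted criteria'    = '01443614-CD74-433A-B99E-2ECDC07BFC25'
    'Use advanced protection against ransomware'                            = 'C1DB55AB-C21A-4637-BB3F-A12568109D35'
    'Block credential stealing from LSASS'                                  = '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2'
    'Block process creations originating from PSExec and WMI commands'      = 'D1E49AAC-8F56-4280-B9BA-993A6D77406C'
    'Block untrusted and unsigned processes that run from USB'              = 'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4'
    'Block Office communication application from creating child processes' = '26190899-1602-49E8-8B27-EB1D0A1CE869'
    'Block Adobe Reader from creating child processes'                      = '7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C'
    'Block persistence through WMI event subscription'                      = 'E6DB77E5-3DF2-4CF1-B95A-636979351E5B'
    'Block abuse of exploited vulnerable signed drivers'                     = '56A863A9-875E-4185-98A7-B882C64B5CE5'
}

function Set-AsrRulesAudit {
    # Step 1: every rule in Audit mode for the 30-day assessment window.
    $ids     = @($AsrRules.Values)
    $actions = @($ids | ForEach-Object { 'AuditMode' })
    Set-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $actions
}

function Get-AsrEventSummary {
    param([int]$Days = 30)
    # Step 2: 1122 = rule would have fired (audit), 1121 = rule blocked something.
    # The rule GUID is pulled out of the message text so we do not depend on property order.
    $guid = '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                RuleId = [regex]::Match($_.Message, $guid).Value.ToUpper()
                Mode   = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
            }
        } | Group-Object RuleId, Mode | Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Rule'; e = { $_.Name } }
}

function Add-AsrExclusion {
    param([Parameter(Mandatory)][string]$Path)
    # Step 3: exclude a file/folder that the audit showed to be incompatible (ASR-only, not a full AV exclusion).
    Add-MpPreference -AttackSurfaceReductionOnlyExclusions $Path
}

function Set-AsrRuleBlock {
    param([Parameter(Mandatory)][string]$RuleId)
    # Step 4: promote one reviewed rule from Audit to Block.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions Enabled
}

function Get-AsrRuleState {
    # Step 5: verify. Action codes: 0 Off, 1 Block, 2 Audit, 6 Warn.
    $p = Get-MpPreference
    for ($i = 0; $i -lt $p.AttackSurfaceReductionRules_Ids.Count; $i++) {
        [pscustomobject]@{
            RuleId = $p.AttackSurfaceReductionRules_Ids[$i]
            Action = switch ($p.AttackSurfaceReductionRules_Actions[$i]) {
                0 { 'Off' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { $_ }
            }
        }
    }
}

Set-AsrRulesAudit
Get-AsrEventSummary -Days 30 | Format-Table -AutoSize
# Add-AsrExclusion -Path 'C:\LegacyApp\updater.exe'          # hypothetical path from the audit review
# Set-AsrRuleBlock -RuleId $AsrRules['Block credential stealing from LSASS']
Get-AsrRuleState | Format-Table -AutoSize
```

Without MDE the 1121/1122 events live only in each machine's local event log, which is the decentralised reporting problem the bullets above describe; with MDE the same detections appear in the portal's ASR reports.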
  • Enable Block at First Sight
    • Block at First Sight is a set of cloud-delivered protection settings under which a never-before-seen executable or script is checked with the cloud backend (and, where needed, the sample is uploaded) before it is allowed to run. It only applies to executable and non-portable-executable files that are downloaded from the Internet or originate from the Internet zone.
    • You can configure this using Intune, SCCM, or Group Policy.
    • In Endpoint Manager/Intune, you can enable it in either of two ways
      • Option 1) Endpoint Security > Antivirus. Choose an existing Policy targeting the Windows 10/11/Server Platform and the profile for Microsoft Defender Antivirus or create a new one.
        • Allow Cloud Protection : Enable
        • Cloud Block Level: High
        • Cloud Extended Timeout: 50 seconds
      • Option 2) Device configuration – Profiles > Profile name > Device restrictions > Windows Defender Antivirus.
        • Cloud-delivered protection: Enable
        • File Blocking Level: High
        • Time extension for file scanning by the cloud: 50
        • Prompt users before sample submission: Send all data without prompting
        • Submit samples consent: Send all samples automatically
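As an added example (not from the original post), the same Block at First Sight settings applied and verified with the Defender PowerShell module. This is for unmanaged or lab machines; managed fleets should receive the values from Intune/SCCM/GPO as described above so that policy and Tamper Protection are not fighting a local change. The cmdlet parameters and numeric codes are Microsoft's; the function names are mine.

```powershell
# Added example (not from the original post): apply and verify the Block at
# First Sight configuration locally. Run as a local administrator.

function Set-BlockAtFirstSightHardened {
    Set-MpPreference -MAPSReporting Advanced               # "Cloud-delivered protection: Enable"
    Set-MpPreference -SubmitSamplesConsent SendAllSamples  # "Send all samples automatically"
    Set-MpPreference -CloudBlockLevel High                 # "File Blocking Level: High"
    Set-MpPreference -CloudExtendedTimeout 50              # extra seconds to wait for a cloud verdict (max 50)
    Set-MpPreference -DisableBlockAtFirstSeen $false
    # Block at First Sight also depends on real-time protection and on scanning
    # of downloaded files and attachments (IOAV); make sure neither is disabled.
    Set-MpPreference -DisableRealtimeMonitoring $false
    Set-MpPreference -DisableIOAVProtection $false
}

function Get-BlockAtFirstSightStatus {
    # Numeric codes: MAPSReporting 2 = Advanced; SubmitSamplesConsent 3 = SendAllSamples;
    # CloudBlockLevel 0 Default, 2 High, 4 HighPlus, 6 ZeroTolerance.
    $p = Get-MpPreference
    $checks = [ordered]@{
        'Cloud-delivered protection (MAPSReporting = Advanced)' = ($p.MAPSReporting -eq 2)
        'Sample submission = SendAllSamples'                    = ($p.SubmitSamplesConsent -eq 3)
        'Cloud block level High or stricter'                    = ($p.CloudBlockLevel -ge 2)
        'Cloud extended timeout > 0 s'                          = ($p.CloudExtendedTimeout -gt 0)
        'Block at First Seen not disabled'                      = (-not $p.DisableBlockAtFirstSeen)
        'Real-time protection on'                               = (-not $p.DisableRealtimeMonitoring)
        'Downloaded file/attachment scanning (IOAV) on'         = (-not $p.DisableIOAVProtection)
    }
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Pass = $checks[$name] }
    }
}

Set-BlockAtFirstSightHardened
$status = Get-BlockAtFirstSightStatus
$status | Format-Table -AutoSize
if ($status | Where-Object { -not $_.Pass }) {
    Write-Warning 'Block at First Sight is not fully effective on this device.'
} else {
    'Block at First Sight prerequisites all satisfied.'
}
```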
  • Enable MDE Sample sharing for all files
    • In Endpoint Manager/Intune, you can enable it in either of two ways
      • Option 1) Endpoint Security > Endpoint detection and response. Choose an existing policy or create a new one.
      • Option 2) Device configuration – Profiles > Profile name > Microsoft Defender ATP (Windows 10) > Sample sharing for all files > Enable
        AND
      • Device configuration – Profiles > Profile name > Microsoft Defender ATP (Windows 10) > Expedite telemetry reporting frequency > Enable
  • Enable Automated Investigation and Remediation (AIR)
    • Create a role in MDE Settings > Permissions > Roles and assign it to a group
    • Create an MDE device group that covers all devices and set its remediation level to Full – remediate threats automatically
    • Enable Automated Investigation in MDE Settings > Advanced Features
    • Enable *all* of the MDE Settings > Advanced Features (or as many as you are licensed for, e.g. the MDI, Intune and Defender for Cloud Apps integrations).
  • Block Manual Intune Unenrollment
    • In Intune, navigate to Device configuration – Profiles > Profile name > Device Restrictions > General > Manual unenrollment > Block
    • While you are there, also set Device Restrictions > General > Direct Memory Access to Block, which blocks DMA on hot-pluggable PCI ports until a user signs in
  • Enable Network Protection
    • Network protection expands the scope of Windows Defender SmartScreen to block all outbound HTTP(S) traffic that attempts to connect to low-reputation sources (based on the domain or hostname), including from processes other than the browser.
    • Network Protection is branded as part of “Microsoft Defender Exploit Guard” which is a series of Windows 10 security features including Controlled Folder Access, Exploit Protection, and ASR rules.
    • Network Protection can be enabled without MDE, but the benefit of using MDE is the centralized reporting, otherwise the audits would be decentralized in the local event viewer.
    • In Intune, navigate to Device configuration – Profiles > Profile name > Endpoint Protection > Microsoft Defender Exploit Guard > Network Filtering > Network Protection
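An added example (not from the original post) for staging Network Protection the same way as ASR rules, audit first and then block, using the Defender PowerShell module on a single machine; Intune does the same thing fleet-wide through the profile above. The `EnableNetworkProtection` values, event IDs 1125/1126 and the test site `smartscreentestratings2.net` are Microsoft's; the function names are mine.

```powershell
# Added example (not from the original post): enable Network Protection in audit
# or block mode, review what it would have blocked, and test it end to end.
# Run as a local administrator.

function Set-NetworkProtectionMode {
    param([ValidateSet('Disabled', 'AuditMode', 'Enabled')][string]$Mode = 'AuditMode')
    Set-MpPreference -EnableNetworkProtection $Mode
}

function Get-NetworkProtectionEvents {
    param([int]$Days = 7)
    # 1125 = connection would have been blocked (audit), 1126 = connection blocked.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1125, 1126
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated,
            @{ n = 'Mode'; e = { if ($_.Id -eq 1126) { 'Blocked' } else { 'Audited' } } },
            Message
}

function Test-NetworkProtection {
    # Microsoft's network protection test site. Invoke-WebRequest is a non-browser
    # process, so the request goes through Network Protection rather than the
    # browser's own SmartScreen. Returns $true when the connection failed
    # (expected in Block mode), $false when it succeeded (Audit or Disabled).
    # Note: any other failure (no DNS, proxy) also returns $true, so check the
    # event log alongside the result.
    try {
        Invoke-WebRequest -Uri 'https://smartscreentestratings2.net' -UseBasicParsing -TimeoutSec 15 | Out-Null
        return $false
    } catch {
        return $true
    }
}

Set-NetworkProtectionMode -Mode AuditMode
Test-NetworkProtection | Out-Null                 # should succeed in audit mode but log a 1125
Get-NetworkProtectionEvents -Days 1 | Format-Table -AutoSize
(Get-MpPreference).EnableNetworkProtection        # 0 Disabled, 1 Enabled, 2 AuditMode
# After the audit review: Set-NetworkProtectionMode -Mode Enabled
```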
  • Enable SmartScreen
    • Already built into Microsoft Edge (both the legacy and the Chromium-based versions)
    • "Windows Defender Browser Protection" is available as an add-in for Chrome
    • You can prevent users from disabling SmartScreen using Endpoint Manager
      Before doing this, have a phased rollout starting with a test group and then a broader pilot group for at least 90 days before going into production.

      • Endpoint Security > Attack Surface Reduction > Create Policy > Application Control
        • Leave AppLocker application control unconfigured (unless you know what you are doing)
        • Block users from ignoring SmartScreen Warnings: Yes
        • Turn on Windows SmartScreen: Yes
  • Enable EDR Block Mode.
    • Originally, it was assumed this feature was only applicable when Defender was in passive mode behind another AV client. While that is the primary use case for EDR Block mode, Microsoft’s documentation recommends enabling this feature even when Defender is in Active mode.
      “We recommend keeping EDR in block mode on, whether Microsoft Defender Antivirus is running in passive mode or in active mode. EDR in block mode provides another layer of defense with Microsoft Defender for Endpoint. It allows Defender for Endpoint to take actions based on post-breach behavioral EDR detections.”
  • Block Macros (config.office.com)
    • You can configure macro security centrally through config.office.com or through Endpoint Manager > Apps > Policies for Office apps here: https://endpoint.microsoft.com/#blade/Microsoft_Intune_DeviceSettings/AppsMenu/officeProPlusPolicies
    • Disable Trust Bar Notification for unsigned application add-ins and block them
    • Disable all Trust Bar notifications for security issues
    • VBA Macro Notification Settings: Enable with “Disable without Notification”
    • Disable VBA for Office applications (note that this turns off VBA entirely, so the notification and trusted-location settings below no longer matter; only use it where nobody needs macros)
    • Block macros from running in Office files from the Internet
      • To avoid problems for users who need valid/trusted macros, you can enable two additional settings:
        • Allow Trusted Locations on the network
          • Lock down the NTFS and/or share permissions so that only authorized users (admins?) can add macros to this path (ask each department to submit its macros for review)
        • Trusted Location #1 (through #20)
          • This is where you specify the network path from which the authorized macros are allowed to run
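The script below is an added example (not from the original post) that audits and, for a lab or unmanaged machine, sets the registry-backed Office policy values behind the macro settings listed above ("Disable without notification", "Block macros from running in Office files from the Internet", "Allow Trusted Locations on the network" and a numbered trusted location). In production these come from config.office.com or Intune as described above; the point of the audit function is to confirm on an endpoint that the policy actually landed. The registry paths and value names are the ones the Office ADMX policies write; the UNC path and function names are mine.

```powershell
# Added example (not from the original post): audit/set Office macro policy
# values for Word, Excel and PowerPoint (Office 2016/2019/365 use the 16.0 key).

$OfficeApps = 'word', 'excel', 'powerpoint'
$PolicyRoot = 'HKCU:\Software\Policies\Microsoft\Office\16.0'

function Get-MacroPolicyState {
    foreach ($app in $OfficeApps) {
        $sec   = Join-Path $PolicyRoot "$app\Security"
        $tlKey = Join-Path $sec 'Trusted Locations'
        $p  = Get-ItemProperty -Path $sec   -ErrorAction SilentlyContinue
        $tl = Get-ItemProperty -Path $tlKey -ErrorAction SilentlyContinue
        $paths = Get-ChildItem -Path $tlKey -ErrorAction SilentlyContinue |
                 ForEach-Object { (Get-ItemProperty -Path $_.PSPath).Path }
        [pscustomobject]@{
            App                     = $app
            VBAWarnings             = $p.VBAWarnings                        # 4 = Disable without notification
            BlockMacrosFromInternet = $p.blockcontentexecutionfrominternet  # 1 = block Mark-of-the-Web files
            AllowNetworkTrustedLocs = $tl.AllowNetworkLocations             # 1 = Allow Trusted Locations on the network
            TrustedLocationPaths    = ($paths -join '; ')
            Hardened                = ($p.VBAWarnings -eq 4 -and $p.blockcontentexecutionfrominternet -eq 1)
        }
    }
}

function Set-MacroPolicyHardened {
    # $TrustedNetworkPath: UNC share(s) holding reviewed macros, e.g. '\\fileserver\macros' (hypothetical).
    param([string[]]$TrustedNetworkPath)
    foreach ($app in $OfficeApps) {
        $sec = Join-Path $PolicyRoot "$app\Security"
        New-Item -Path $sec -Force | Out-Null
        New-ItemProperty -Path $sec -Name VBAWarnings -Value 4 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $sec -Name blockcontentexecutionfrominternet -Value 1 -PropertyType DWord -Force | Out-Null

        if ($TrustedNetworkPath) {
            $tlKey = Join-Path $sec 'Trusted Locations'
            New-Item -Path $tlKey -Force | Out-Null
            New-ItemProperty -Path $tlKey -Name AllowNetworkLocations -Value 1 -PropertyType DWord -Force | Out-Null
            $i = 1
            foreach ($path in $TrustedNetworkPath) {
                $loc = Join-Path $tlKey "Location$i"       # Trusted Location #1 .. #20
                New-Item -Path $loc -Force | Out-Null
                New-ItemProperty -Path $loc -Name Path -Value $path -PropertyType String -Force | Out-Null
                New-ItemProperty -Path $loc -Name AllowSubfolders -Value 0 -PropertyType DWord -Force | Out-Null
                New-ItemProperty -Path $loc -Name Description -Value 'Reviewed departmental macros' -PropertyType String -Force | Out-Null
                $i++
            }
        }
    }
}

Set-MacroPolicyHardened -TrustedNetworkPath '\\fileserver\macros'   # hypothetical share
Get-MacroPolicyState | Format-Table -AutoSize
```

`AllowSubfolders` is deliberately 0 so that only the reviewed share root is trusted; anyone who can write to a trusted path can run macros from it, which is why the bullet above insists on locking down the NTFS and share permissions.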

I will be updating this blog periodically as I encounter additional settings that are particularly helpful for blocking threats.

Update: @djteller (Tomer Teller) pointed out that the Threat and Vulnerability Management (TVM) feature inside MDE has a Security Recommendations section which includes these recommendations, and many other great ones (69 total). Check it out inside your MDE Tenant here:
https://security.microsoft.com/security-recommendations

One of my customers pointed me to this YouTube Video which shows how some of these hardening settings did against 800 malware samples, click (here) to watch the video. Note: the author was working with the standard version of Windows Defender, and I imagine the four threats that got through would have been blocked if ASR had been enabled (ASR is not available in the free edition of Defender).

Disclaimer: This is for educational purposes only, you assume all risk for testing these in your lab first before deploying to production.