Microsoft 365 Security, Compliance, and Identity Administration

Product type: Book
Published in: Aug 2023
Publisher: Packt
ISBN-13: 9781804611920
Edition: 1st Edition
Author: Peter Rising

Peter Rising has over 25 years' experience in IT. He has worked for several IT solutions providers and private organizations in a variety of technical and leadership roles, with a focus on Microsoft technologies. Since 2014, Peter has specialized in the Microsoft 365 platform, focusing most recently on security and compliance in his role as a Consulting Services Manager for Insight. Peter is heavily involved in the wider Microsoft community and has been recognized by Microsoft as an MVP. He holds several Microsoft certifications, including MCSE: Productivity; Microsoft 365 Certified: Enterprise Administrator Expert; and Microsoft 365: Cybersecurity Architect Expert.

Configuring Device Threat Protection with Microsoft Defender for Endpoint and Intune

In the modern IT landscape, malicious actors are using more and more sophisticated methods to attack environments and devices. The average time it takes to detect a threat is believed to be approximately 250 days. Traditional anti-virus and anti-malware software are not enough to effectively defend against these attackers who are determined to cause disruption.

This is where Microsoft Defender for Endpoint (MDE) comes in. Microsoft Defender for Endpoint is a cloud-based service that provides the prevention, detection, and investigation capabilities you need to respond to advanced threats within your organization.

In this chapter, you will learn how to configure and manage MDE capabilities to provide the best protection for your organization, as well as how to enable and configure always-on protection and monitoring.

The chapter will cover these topics in the following order:

    ...

Planning and implementing MDE

The MDE security platform enables organizations to investigate and respond to advanced threats that target their enterprise networks. It does so by providing information about advanced attack detections based on behavioral patterns. The threats detected by MDE are interpreted in terms of a forensic timeline. This timeline is then used to build and maintain a threat intelligence knowledge base.

This is achieved by using endpoint behavioral sensors that collect signals from the Windows operating system and send that data to MDE. Then, cloud security analytics use machine learning techniques to translate the collected data into insights and provide recommendations on how to resolve advanced threats. Finally, threat intelligence activities are carried out by Microsoft hunters and security experts. This allows MDE to recognize the tools and methods employed by malicious actors and to alert administrators when similar behavior is detected.

MDE provides...

Managing and monitoring MDE

Now that you have MDE set up and deployed to one or more workstations, there are several ways in which you can fine-tune the capabilities and monitor the service.

To maximize security protection in your environment, it is vital that you regularly and diligently monitor and manage your MDE instance. The following sections demonstrate how you can make the most of some of the available options. You can access these through the Microsoft 365 Defender security center at https://security.microsoft.com by navigating to the Endpoints section:

Figure 7.15: Endpoint configuration options in the security center

The following sections will discuss each of these items in detail.

Vulnerability management

The Vulnerability management section includes the items shown in the following screenshot:

Figure 7.16: Vulnerability management

The Dashboard section shows you your overall exposure score...

Implementing Microsoft Defender Application Guard, Application Control, and exploit protection

Now that you know how to manage and monitor MDE, let’s take a look at some of its associated features, starting with Microsoft Defender Application Guard.

Configuring Microsoft Defender Application Guard

Microsoft Defender Application Guard is a system designed to isolate devices so that malicious actors are unable to use their attack methodologies against them. It protects your company’s users on Windows, specifically on the Microsoft Edge browser, by isolating untrusted sites when users browse the internet.

Microsoft Defender Application Guard empowers Microsoft 365 security administrators to explicitly define the following categories:

  • Trusted websites
  • Trusted cloud resources
  • Trusted internal networks

A zero-trust methodology is employed to ensure that anything that is not defined in the preceding categories is considered untrusted and is blocked...
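The three trust categories above are what the device actually consults when Application Guard decides whether a site opens in the normal Edge process or in the isolated container. The following PowerShell script is an added, read-only example that is not part of the book: it reports whether the Application Guard optional feature is enabled and prints the trusted cloud resources, trusted domains and trusted internal IP ranges as the device sees them. It assumes the lists are read from the registry location written by the Network Isolation Group Policy templates (`HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation`); a tenant that sets them through Intune should verify the values against its own policy report. The `Test-HostTrustedByIsolationPolicy` helper is a simplified suffix match written for this example, not Application Guard's own matching logic.

```powershell
# Added example (not from the book): audit the Microsoft Defender Application Guard
# feature state and the network isolation trust lists it relies on.
# Read-only. Run in an elevated PowerShell session on a supported Windows device.

function Get-ApplicationGuardState {
    # 'Windows-Defender-ApplicationGuard' is the optional feature that appears under
    # Control Panel | Windows Features as "Microsoft Defender Application Guard".
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard'
    [pscustomobject]@{
        Feature = $feature.FeatureName
        State   = $feature.State   # Enabled or Disabled
    }
}

function Get-NetworkIsolationTrustLists {
    # Assumption: values live where the Network Isolation Group Policy templates write them.
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation'
    if (-not (Test-Path $policyPath)) {
        Write-Warning "No network isolation policy at $policyPath; with nothing defined, every site is untrusted."
        return $null
    }
    $p = Get-ItemProperty -Path $policyPath

    # Entries are stored as delimited strings; split on either ',' or '|' and drop blanks.
    $split = { param($s) if ($s) { $s -split '[,|]' | ForEach-Object { $_.Trim() } | Where-Object { $_ } } else { @() } }

    [pscustomobject]@{
        TrustedCloudResources   = & $split $p.EnterpriseCloudResources     # "Trusted cloud resources"
        TrustedNetworkDomains   = & $split $p.EnterpriseNetworkDomainNames # "Trusted websites" / domains
        TrustedInternalIPRanges = & $split $p.EnterpriseIPRange            # "Trusted internal networks"
    }
}

function Test-HostTrustedByIsolationPolicy {
    # Simplified approximation of the zero-trust rule in the chapter: a host is trusted
    # only if it matches an explicit entry (exact name or subdomain); otherwise it is untrusted.
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [Parameter(Mandatory)] $TrustLists
    )
    $candidates = @($TrustLists.TrustedCloudResources) + @($TrustLists.TrustedNetworkDomains)
    foreach ($entry in $candidates) {
        $domain = $entry.TrimStart('.')   # a leading '.' in policy means "include subdomains"
        if ($HostName -ieq $domain -or $HostName.ToLower().EndsWith(".$domain".ToLower())) {
            return 'Trusted'
        }
    }
    return 'Untrusted'
}

# Usage: print feature state, the trust lists, and a verdict for a couple of constructed hostnames.
Get-ApplicationGuardState | Format-List
$lists = Get-NetworkIsolationTrustLists
if ($lists) {
    $lists | Format-List
    foreach ($h in 'intranet.example.internal', 'news.example.com') {   # constructed sample hostnames
        '{0,-28} {1}' -f $h, (Test-HostTrustedByIsolationPolicy -HostName $h -TrustLists $lists)
    }
}
```

The useful output is the empty-list case: if the script reports no policy or empty categories, the device is applying the zero-trust default and will open every external site in the isolated container, which is safe but often not what users expect, and explains why line-of-business sites "stop working" after Application Guard is enabled.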

Encrypting your Windows devices using BitLocker

In the modern IT landscape, it is more crucial than ever to protect your organization’s devices against data theft in case a device is stolen or lost. BitLocker is a feature that can be used to address this by encrypting Windows devices.

BitLocker Drive Encryption provides integrated data protection for your Windows devices to combat the threat of stolen, lost, or poorly decommissioned Windows devices. BitLocker is most effective when used with Trusted Platform Module (TPM) version 1.2 or later. However, it also works on computers that do not have TPM version 1.2 or later by using a USB startup key instead. BitLocker can also add a form of multi-factor authentication by blocking device startup until one of the following has been provided:

  • A user PIN
  • A removable device that contains a startup key

These methods help to ensure that the device does not start until the...
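The paragraph above names three things an administrator should be able to verify on a device: that a TPM of version 1.2 or later is present, that the OS drive is actually protected, and whether a pre-boot factor (PIN or startup key) is configured rather than TPM-only unlock. The following PowerShell script is an added example and not code from the book; it audits those three points on the system drive using the built-in `Get-BitLockerVolume` cmdlet and the `Win32_Tpm` WMI class, and only when the `-AddTpmPin` switch is passed does it add a TPM+PIN protector. The function name `Get-BitLockerPosture` and the switch are assumptions of this example.

```powershell
# Added example (not from the book): audit the BitLocker posture of the OS volume
# against the points in the text (TPM 1.2+, protection on, pre-boot factor present).
# Read-only unless -AddTpmPin is given. Run in an elevated PowerShell session.

function Get-BitLockerPosture {
    param(
        [string] $MountPoint = $env:SystemDrive,
        [switch] $AddTpmPin          # assumption of this example: one opt-in remediation step
    )

    # TPM: Win32_Tpm.SpecVersion reads like "2.0, 0, 1.38"; the first token is the spec version.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm `
                           -ErrorAction SilentlyContinue
    $tpmVersion = if ($tpm -and $tpm.SpecVersion) { [version](($tpm.SpecVersion -split ',')[0].Trim()) } else { $null }
    $tpmOk = [bool]($tpmVersion -and $tpmVersion -ge [version]'1.2')

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })

    # Protectors that demand a second factor at startup (PIN, USB startup key, or both).
    # 'ExternalKey' is the startup-key protector used on machines without a usable TPM.
    $preBootTypes = 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'ExternalKey'
    $preBoot      = @($types | Where-Object { $_ -in $preBootTypes })

    $report = [pscustomobject]@{
        MountPoint          = $vol.MountPoint
        TpmSpecVersion      = $tpmVersion
        TpmMeetsMinimum     = $tpmOk
        VolumeStatus        = $vol.VolumeStatus        # e.g. FullyEncrypted, FullyDecrypted
        ProtectionStatus    = $vol.ProtectionStatus    # On / Off (Off means keys are exposed in the clear)
        EncryptionMethod    = $vol.EncryptionMethod
        KeyProtectors       = ($types -join ', ')
        PreBootFactor       = ($preBoot.Count -gt 0)
        RecoveryPasswordSet = ($types -contains 'RecoveryPassword')
        Findings            = @()
    }

    if (-not $tpmOk)                          { $report.Findings += 'No TPM 1.2+ detected; a USB startup key is the only option.' }
    if ($vol.ProtectionStatus -ne 'On')       { $report.Findings += 'BitLocker protection is not On for this volume.' }
    if (-not $report.PreBootFactor)           { $report.Findings += 'TPM-only unlock: no PIN or startup key required at boot.' }
    if (-not $report.RecoveryPasswordSet)     { $report.Findings += 'No recovery password protector; a locked-out user cannot be recovered.' }

    # Opt-in remediation: add a TPM+PIN protector. Requires the Group Policy
    # "Require additional authentication at startup" to allow a PIN with TPM,
    # otherwise Add-BitLockerKeyProtector refuses the request.
    if ($AddTpmPin -and $tpmOk -and ('TpmPin' -notin $types)) {
        $pin = Read-Host -Prompt 'Enter a numeric startup PIN' -AsSecureString
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null
        $report.Findings += 'Added TPM+PIN protector; reboot to verify the PIN prompt.'
    }

    return $report
}

# Usage: audit only.
Get-BitLockerPosture | Format-List
```

Run across a fleet, the `Findings` field is the value of this check: a device can report `VolumeStatus = FullyEncrypted` and still be TPM-only with no recovery password escrowed, which is exactly the configuration an Intune BitLocker policy should be catching.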

Implementing application protection policies

You cannot use BitLocker to configure and manage encryption on non-Windows devices. Instead, you need to use app protection policies. This approach comprises rules that ensure data safety within a managed app, and is implemented by configuring Mobile Application Management (MAM) policies in Microsoft Intune.

App protection policies may be configured for apps running on devices that are enrolled either in Microsoft Intune or in a third-party MDM solution. These devices are typically corporate-owned, but personal devices can also be enrolled.

To create an app protection policy, go to the Intune admin center, browse to Apps | App Protection policies, and choose Create policy. The options available are shown in the following screenshot:

Figure 7.28: Policy creation options

As there are many different ways you can configure app protection policies, and three OS platforms you can choose from...

Summary

In this chapter, we examined how MDE can be used to protect your organization’s devices. You learned how to plan your MDE implementation by being aware of the licensing requirements and compatible operating systems, how to create your MDE instance, and how to manage and monitor the service. We also examined Microsoft Defender Application Guard and Microsoft Defender Exploit Guard, and learned about how these features can complement the core features and can be deployed by different methods, including System Center Configuration Manager, Group Policy, and Microsoft Intune. Finally, we explored how BitLocker can apply data protection and encryption to your Windows devices in order to safeguard them from loss, theft, or poor decommissioning practices, and how application protection policies can be used to protect non-Windows devices.

The next chapter will discuss message protection with Microsoft Defender for Office 365. You will learn how you can protect your emails...

Questions

  1. Which of the following is not one of the features of MDE?
    1. Attack surface reduction
    2. Next-generation protection
    3. File encryption
    4. Endpoint detection and response
    5. Automated investigation and remediation
  2. True or false? Microsoft Defender Application Guard can be used with the Google Chrome browser.
    1. True
    2. False
  3. Which of the following URLs can be directly used to access device configuration profiles?
    1. admin.microsoft.com
    2. endpoint.microsoft.com
    3. compliance.microsoft.com
    4. portal.azure.com
  4. Which template type do you need to configure to create a BitLocker deployment policy?
    1. Network boundary
    2. Endpoint protection
    3. Identity protection
    4. Trusted certificate
    5. Domain join
  5. Where would you go on a Windows device to enable Microsoft Defender Application Guard?
    1. Control Panel | Windows Features
    2. Access work or school
    3. Settings
    4. Control Panel | Application Guard
  6. True or false? macOS devices cannot be onboarded to MDE via the use of a local script.
    1. True
    2. False
  7. Which of the following is not a feature of...

Further reading

Please refer to the following links for more information:

  • MDE: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide
  • Onboarding devices: https://learn.microsoft.com/en-au/microsoft-365/security/defender-endpoint/onboard-configure?WT.mc_id=EM-MVP-4039827&view=o365-worldwide:
    • Onboarding Windows clients: https://learn.microsoft.com/en-au/microsoft-365/security/defender-endpoint/onboard-windows-client?view=o365-worldwide
    • Onboarding Windows servers: https://learn.microsoft.com/en-au/microsoft-365/security/defender-endpoint/onboard-windows-server?view=o365-worldwide
    • Onboarding non-Windows devices: https://learn.microsoft.com/en-au/microsoft-365/security/defender-endpoint/configure-endpoints-non-windows?view=o365-worldwide
    • Onboarding for Mac: https://learn.microsoft.com/en-au/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-mac?view=o365-worldwide
    • Onboarding for Linux: https...