How to configure Microsoft Defender for Endpoint Advanced Features

In my previous article we saw how to enable roles and provide RBAC to specific groups.

In this article I will explore on how to enable the advanced features in MDE so it will be on “God Mode” as I like to put it and start intergrate with other systems like Microsoft Endpoint Manager etc.

Go to > Settings > Endpoints > Advanced Features

Now let us look at the features

Automated Investigation – This is recommended to keep switched ON
You need to turn this ON in order to AIR (Automated Investigation and Response) to work. With this setting on, then you can create your Device Groups with the remediation level. Meaning, when you specify the remediation level to the device group and when there is a threat, it will automatically try to heal it depending on the remediation level. More on AIR

Live Response – If this feature is ON, and provided the RBAC groups have got the Live Response ON, then they can start access the devices and investigate them

Live response for servers – This is the server version of the Live Response feature

Live response unsigned script execution – Enabling this will help the admin who does the live response troubleshooting to run unsigned scripts if needed

Always remediate PUA (Potentially Unwanted Apps) – This is a nice feature to turn ON as devices may have unwanted applications installed, display unexpected adverts install apps that is potentially slow down the device and not required for the user. Enabling this feature will stop such acts and will remediate it for all the devices in the tenant.

Restrict correlation to within scoped device groups – When a device is a member of more than 1 device group, switching them ON will not corollate the alerts under the device, the main Security administrator will still be able to see all the alerts reported for a specific device.

Enable EDR in block mode – This will make sure the Endpoint Detection and Response will work in passive mode. That is when Defender is not the main anti-virus software in the device. This will still block the malicious activities in the device and will report.

Automatically resolve alerts – Resolves an alert if Automated investigation finds no threats or has successfully remediated all malicious artifacts.

Allow or block file – This will woek wnen Defender A/V is turned on and he cloud-based protetcion featire os enabled to use this feature

Custom network indicators – When this is ON, you can set custom IP addresses, domain names or URLs to the custom indicator list for blacklisting purposes. To enforce this feature on devices Windows 10 version 1709 or later is requires. They should also have network protection in block mode and version 4.18.1906.3 or later of the antimalware platform
Note that network protection leverages reputation services that process requests in locations that might be outside of the location you have selected for your Microsoft Defender for Endpoint data

Tamper protection – Keep tamper protection turned on to prevent unwanted changes to your security solution and its essential features. In this way, users or bad actors can’t is able the A/V features.

Show user details – Enables displaying user details: picture, name, title, department, stored in Azure Active Directory

Skype for business integration – This will enable the admins to perform a 1-click communication with the users

Microsoft Defender for Identity integration – Retrieves enriched user and device data from Microsoft Defender for Identity and forwards Microsoft Defender for Endpoint signals, resulting in better visibility, additional detections, and efficient investigations across both services. Forwarded data is stored and processed in the same location as your MDI data

Office 365 Threat Intelligence connection – Connects to Office 365 Threat Intelligence to enable security investigations across Office 365 mailboxes and Windows devices

Microsoft Defender for Cloud Apps – Forwards Microsoft Defender for Endpoint signals to Defender for Cloud Apps, giving administrators deeper visibility into both sanctioned cloud apps and shadow IT. It also gives them the ability to block unauthorized applications when the custom network indicators setting is turned on. Forwarded data is stored and processed in the same location as your Cloud App Security data. This feature is available with an E5 license for Enterprise Mobility + Security on devices running Windows 10 version 1709 (OS Build 16299.1085 with KB4493441), Windows 10 version 1803 (OS Build 17134.704 with KB4493464), Windows 10 version 1809 (OS Build 17763.379 with KB4489899) or later Windows 10 versions

Microsoft Secure Score – This will forward the Endpoint signals for better visibility on the secure score

Web content filtering – This will make sure the web filtering in the devices through the policy and the device groups is working

Download quarantined files – Backup quarantined files in a secure and compliant location so they can be downloaded directly from quarantine

Share endpoint alerts with Microsoft Compliance Center – Forwards endpoint security alerts and their triage status to Microsoft Compliance Center, allowing you to enhance insider risk management policies with alerts and remediate internal risks before they cause harm. Forwarded data is processed and stored in the same location as your Office 365 data

Microsoft Intune connection – Connects to Microsoft Endpoint Manager so it can enforce policies and helps to onboard devices. Intune provides additional information about managed devices for secure score. It can use risk information to enforce conditional access and other security policies

Device discovery – Allows onboarded devices to discover unmanaged devices in your network and assess vulnerabilities and risks. For more information, see Device discovery settings to configure discovery settings

Preview features – Allow access to preview features. Turn on to be among the first to try upcoming features

Microsoft Threat Experts – Targeted Attack Notifications – Microsoft Threat Experts is a managed threat hunting service that provides expert level monitoring and analysis for critical threats facing their organization

You can check and enable the features as you go that best suites to your environment. Once you do that, it will open up many avenues and as I mentioned before, MDE will act on the god mode to provide the best in class EDR functions.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.