> Defender for Endpoint
Microsoft Defender for Endpoint is where I spend at least 90% of my time working with customers today.
Why Microsoft Defender Didn't Block It
From helping customers with POCs and pen tests, and from creating the Microsoft FastTrack Quick Start for MDE, I've had a lot of experience handling cases where MDE testing fails and determining the cause. These lessons aren't just about POCs and pen tests, but translate to real-world lessons that help prevent breaches.
Defender Performance Tuning
"Defender is causing performance issues" is the dreaded statement everyone who has deployed an AV and/or EDR tool fears hearing. Sure, the system owners should probably do a better job of stating what is needed to minimize impact, but security professionals need to know how to address this. So let's tune Defender!
Defender Deployment Tool
The Defender Deployment Tool has been released, at least in public preview, and you should use it now.
Advanced Hunting Repository
I've been collecting some common queries often requested by customers I work with. Many of these are related to Vulnerability Management reporting, but some get into various threat detection activities.
MDE Policy Migration
I have intentionally and reluctantly avoided this topic for a while, but enough customer experience has occurred, and I feel the benefits are balanced with or outweigh the negatives. So, over the last week I wrote and have made available My-MdeMigration, a PowerShell module to help with MDE migrations.
MDE Offline Update Container
MDE Offline Update provides the ability for organizations to locally source MDE Security Intelligence Updates rather than using the provided Microsoft SIU service. Considering the repeated scripting and static file web server requirements, it seemed that this could conveniently be addressed by containerization.
Export MDE Policies
Customers frequently ask about moving Defender policies between various environments. This generally requires manual effort to replicate settings from one portal to another. However, this manual process is painful and error prone, which makes the migration less than optimal.
MDE Get Healthy with MDfS Driven Migration
Recently I've been working with several customers on migrations from a third party EPP-EDR to Microsoft Defender for Servers (MDfS), and have found there is an important pattern that should be followed to predict, control, and minimize performance and business impacts during the migration. While Arc may perform the onboarding for your organization, other factors like change management and maintenance windows may require additional steps or procedures to limit & control what and when Arc performs actions.
MDE Linux Management from the Security Portal
These are running notes related to MDE on Linux and the ability to manage it with MDE's Security Management capability.
MDE Migration Script
For the last 2-3 years I've been working with customers on migrating to Defender for Endpoint from other AV/FW/EDR solutions. One of the big issues I've seen is that there are a lot of checks to see what could prevent Defender from successfully onboarding. In order to make these checks more consistent and faster, I decided to create a script to help identify and flag potential migration issues.
CVE-2023-28303 Detection
Recently I had a customer ask about an Advanced Hunting Query that could detect the Microsoft Screen Clipping vulnerability CVE-2023-28303. In some initial testing of the Threat and Vulnerability Management tables in Advanced Hunting, this software is not being captured on my test machines. However, there are still some ways we can detect the potential presence of this vulnerability.
MDE Tamper Protection Forced Values
Recently an issue was raised that a customer had configured their Defender AV policies and then applied Tamper Protection. When they checked the local machine's settings, they realized that some values in Defender AV were not consistent with their AV policy, which was unexpected. What was found is an undocumented/vaguely documented action by Tamper Protection.
How to map AAD Groups to MDE Device Groups
I've seen a lot of asks from customers about how they can use Azure AD groups with MDE Device Groups. Unfortunately, there isn't a direct way to use Azure AD groups with MDE Device Groups, but there is an approach that provides a similar capability.
Announcement - Labs
I've decided to really document and push my Azure Labs so anyone can easily deploy environments for use with testing and learning the various Microsoft Defender products. These labs have been available for a while, but I've now committed some time to documenting and incorporating that information as part of [this site](/labs/).
Install MDE with SaltStack
MDE for Linux has several articles about using common deployment tools, but recently I was asked about using SaltStack, which was a tool I'm not familiar with and that lacks/lacked official documentation.
Getting started with Defender Attack Surface Reduction - Part 2
In the previous post about ASR adoption, I recommended you enable ALL ASR rules in AUDIT mode. Now we will use the Security Baseline to build an ASR policy that *should* be minimally impactful to your systems and end users.
Getting started with Defender Attack Surface Reduction - Part 1
This post is intended as a starting point for organizations looking to adopt Attack Surface Reduction (ASR) rules. ASR rules can help improve an organization's security, but they can potentially disrupt normal user and application behaviors in certain environments. My recommendation to anyone looking to implement ASR rules is to always start with **Auditing**.
Get started with Defender AV - Part 2
This is the second post on switching to Defender Anti-Virus and using the Security Baselines published in Endpoint Manager to create a good starting point for your Defender AV settings. This post will focus on the settings in the **Security Baseline for Windows 10 and later** and how to create an AV only policy based on these settings.
Get Started with Defender AV - Part 1
When switching from one AV to another, organizations want to know if they can keep their current AV settings, or if their AV vendor has recommendations for better adoption, detection, and performance. For these types of conversations about Microsoft Defender AV, I often recommend customers look at the Security Baseline rules as a good starting point.
MDE Exclusion Checker Go-Live
MDE Exclusion Checker is a tool to compare existing AV Exclusions against the list of exclusions that are native to Defender for Endpoint AntiVirus, and is now live!
Custom MDE Threat and Vulnerability Report
The [security portal](https://security.microsoft.com) comes with several nice vulnerability reports for customers to review that show a summary of the risks in their environment. However, some customers find that these reports are too *general*: while they show summary data, they cannot be distributed to system owners who could then go and patch their systems.
Defender for Endpoint Upgrade Script - FOR ALL!
Working with a customer on the MDE Unified Installer for Windows Server 2016/2012 R2, we ran into the issue that SCEP was installed and thus blocking the Unified Installer. Therefore, instead of the Install approach we really needed to perform an Upgrade, but would that mean we needed one approach for servers where SCEP had been installed and another for servers where SCEP was not installed? Answer - No!
Defender for Endpoint Unified Package for Server 2016 and 2012 R2
Recently Microsoft [announced the public preview of a unified EPP and EDR](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/defending-windows-server-2012-r2-and-2016/ba-p/2783292) package that allows a similar onboarding approach for these servers as Server 2019, Windows 10, and Windows 11. Recently, a customer I support wanted to test this new method and perform deployment using the GPO methodology.