Service-level configuration for Microsoft Defender for Endpoint are a set of configurations elements that are applicable tenant-wide (all devices enrolled in the tenant).
In order to find these settings, navigate to, scroll down on the left-hand side menu and select settings. Next up, choose Endpoints > Advanced features. There is also a direct URL for this page available at: https://security.microsoft.com/preferences2/integration.
Tamper Protection is the number one setting which should be enabled on every tenant. By default, a local administrator can disable Microsoft Defender Antivirus and thus bypass your security and monitoring. This should be avoided at all costs as this allows an attacker to fly under the radar.
Tamper Protection can be enabled in two different ways:
If you are deploying Microsoft Defender for Endpoint for the first time, I recommend starting by enabling tamper protection in a scoped way through MEM. This allows you to validate the impact before it is deployed tenant-wide.
After the initial deployment, look into enabling the advanced feature to ensure all of your devices are protected. While the MEM policy is great, it only works for servers if you are managing them through tenant attach and doesn’t support Operating Systems like Android and iOS.
When trying to enable this policy, I do receive some pushback sometimes as customers like to disable Microsoft Defender during troubleshooting, to pinpoint if issues are related to Defender AV. While this is a valid argument, the risk of an attacker disabling the AV does not outweigh the benefits. To alleviate this issue, I recommend looking into the new troubleshooting mode which allows you to disable MDAV temporarily for three hours to allow for targeted troubleshooting
EDR in Block
EDR in block is one of these settings which is disabled by default
, but provides a lot of value to an organization. By default, the EDR component of MDE is not able to block suspicious activity. This means malware can potentially remain running if the detection is made by EDR and not the Antivirus. To alleviate this issue, the EDR component can work together with AV to block malicious activity.
This is interesting in two different scenarios:
While EDR in block mode can be configurated by using an Intune policy, setting up this tenant-wide is recommended as it ensures the setting is configured on all supported Operating Systems, independent if they are managed and targeted by the policy.
One of the main strengths of Microsoft Defender for Endpoint is the connection to other products in the Microsoft 365 Defender stack and the ability to work together to protect your environment in multiple areas (Endpoints, Identities, Email and Cloud Applications). While the default configuration will share indicators across the Microsoft Security Graph API, there are a few connections which I recommend enabling. Configuring these connections will ensure the products exchange as much data as possible.
Automatically Resolving Alerts
This is the one configuration that might be debatable and will be up to personal preference. I like to keep the setting ‘automatically resolve alerts’ disabled. Why is that? Microsoft Defender for Endpoint has Automated Investigations, which will run after an alert is created. If the automated investigation is able to clean up the threat, it will automatically close the incident as the threat is remediated.
There are two main reasons why I don’t like to have this behavior active while running our SOC services:
Having this setting can be useful when the organization doesn’t have enough resources to monitor the incidents adequately. For these kinds of organizations, automatically closing alerts where the threat has been remediated can be useful
Limitations Of The Configuration
The main disadvantage of advanced features is the lack of an API to do the configuration. Historically, Microsoft 365 Defender has had a small number of API’s, which makes management at scale difficult. Unfortunately, this is no different for the advanced features. At the moment of writing, no API exists to retrieve the current values and update them.
This brings out two key issues:
The lack of API management opens the door for an attacker to update the configuration of your EDR tool and potentially blind you for certain targeted attacks.
This is feedback I have reported to the Microsoft product teams and I hope this limitation will be removed in the future
, by allowing this configuration through the Microsoft 365 Defender API.
Keep An Eye Out
While there are a lot more configurations available, this blog focused on some of the misconfigurations I have observed and should be handled with priority. It is important to monitor these settings continuously and ensure you have them all in the state you desire.
When Defender adds new capabilities, new advanced features will show up. So, it is recommended to log onto the portal periodically to ensure your configurations are up to date.