
Exploring Microsoft Defender for Endpoint: Key Features and Benefits

16 July 2024 · Josh Ellis


Our last blog covered the features within the Microsoft 365 Business Premium license; from here we take a more in-depth look at Microsoft Defender for Endpoint. Defender for Endpoint is one of the core components of Microsoft’s Defender ecosystem and acts as the endpoint detection and response (EDR) solution.

The Defender ecosystem is popular within the New Zealand market, as most of the Microsoft 365 licensing bundles include a variant of it. As Microsoft Defender is built into Windows these days, it has some unique functionality when it comes to Attack Surface Reduction, and it’s very easy to deploy.

We generally see the more traditional antivirus solutions being replaced with the likes of Defender for Endpoint or other EDR/MDR solutions. The traditional method of scanning files for known-bad hashes or indicators is no longer a sufficient means of detecting malicious activity. Defender for Endpoint also integrates into the Defender XDR ecosystem, which provides comprehensive detection and response capability across the whole Defender suite.

Key Features

Defender for Endpoint has the following features:

  • Next-generation Protection – designed to catch emerging threats of all types.
  • Endpoint Detection and Response (EDR) – detect, investigate and respond to advanced threats.
  • Automated Investigation and Response (AIR) – automatically investigate and remediate detections.
  • Attack Surface Reduction – block known techniques used to compromise devices.
  • Vulnerability Management – built-in capability to detect vulnerable software.
  • Secure Score for Devices – assess the security state of your endpoints.

There are also some features which can be added with extra licensing, such as a more in-depth vulnerability management solution and Microsoft Threat Experts.

Versions

Defender for Endpoint comes in 3 different versions:

  • Defender for Endpoint Plan 1 is included in Microsoft 365 A3/E3; it’s the base product which allows you to manage Defender.
  • Microsoft Defender for Business has the features from Plan 1 and includes some of the core features of Plan 2; it’s available to Business Premium users.
  • Defender for Endpoint Plan 2 is included with Microsoft 365 A5/E5, A5 Security, E3 Security and F5 Security. This suite includes all the features, such as EDR, Automated Investigation and Response, etc.

User licensing is either included in the user’s Microsoft 365 license or purchased via the specific license for each SKU. Servers require their own license, which also needs to match the SKU you are after. Servers can also be licensed via Defender for Cloud.

Requirements

The full list of requirements can be found here: https://learn.microsoft.com/en-us/defender-endpoint/minimum-requirements

Below are the high-level requirements as of July 2024.

Operating Systems:

All supported Windows operating systems are included (Windows 10/11, Windows Server 2012 R2 and above).

Onboarding for Server 2012 R2 and 2016 is slightly different from 2019 and above: they require the md4ws installer to be run prior to being onboarded.

Some out-of-support Windows operating systems such as Server 2008 R2, Windows 7 SP1 and Windows 8.1 can also be onboarded using a legacy onboarding method (the Microsoft Monitoring Agent). These operating systems do not have feature parity with supported ones when using Defender for Endpoint.

Defender for Endpoint also supports:

  • macOS/iOS (Monterey and above/iOS 15 and above)
  • Linux (RHEL and variants, Ubuntu, Debian, SUSE, Oracle, Amazon, Fedora and Mariner)
  • Android (8.0 and above)

Hardware requirements:

On both Windows and Linux it is recommended to have 4 CPU cores; 2 cores is the minimum requirement. 1GB of RAM is the minimum requirement, with 4GB recommended.

Network Requirements:

There are 2 different sets of network requirements: standard connectivity, which is the older method, and streamlined connectivity, which requires far fewer URLs. Fenrir recommends using the streamlined method if possible.

They can be found here:

If you are using SSL/TLS decryption, some of these URLs will need to be excluded from decryption for them to work.

Tricks and Tips for a successful deployment

We’ve detailed the key areas where you should be looking when you are deploying Defender for Endpoint.

Platform Configuration

The Defender for Endpoint platform configuration sits within the Microsoft Defender portal (https://security.microsoft.com/securitysettings/endpoints).

This configuration includes:

  • Advanced Features – which platform features should be enabled/disabled
  • Notifications – email notifications
  • Auto Remediation – the level of automation applied when responding to detections
  • Role Based Access Control (RBAC) – assign access to the MDE portal and its configuration
  • Rules (Alert Suppression, Deception, Indicators, Web Filtering)
  • Onboarding/Offboarding

Endpoint Configuration

Within Intune, there are 3 sections under Endpoint security which contain much of the Defender configuration for your Windows endpoints.

The Antivirus Section gives you configuration options for:

  • Defender Antivirus configuration – real-time scanning configuration, scheduled scans, etc.
  • Update Controls – deployment rings for engine, platform and intelligence updates
  • Security Experience – end-user experience for alerts and the Defender Security Centre

The Endpoint Detection and Response section gives you configuration options for onboarding the endpoints to Defender for Endpoint.

The Attack Surface Reduction section gives you configuration options for:

  • Attack Surface Reduction Rules – configure each rule and its exclusions as required (deploy them all in audit mode initially)
  • Device Control – provides a few additional Defender settings as well as a range of options to restrict or manage Windows functionality (not all of it related to Defender for Endpoint).

These settings can also be applied by Group Policy if you aren’t using Intune.

Deployment

There are several ways to onboard devices to Defender for Endpoint; this can generally be done with your preferred management method (Intune, Group Policy, Endpoint Manager, MDM solution).

Fenrir recommends deploying in a couple of deployment groups to ensure it doesn’t impact your business.

Several components within Defender for Endpoint require the real-time scanning engine of Microsoft Defender Antivirus to be functional. Some traditional antivirus solutions disable this, which means some functionality may not start working until the old antivirus solution is removed.
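As an added example (not code from the original post, nor Microsoft’s own tooling), the following PowerShell check confirms on a Windows device that Defender Antivirus is active rather than passive, that the Sense sensor service is running and that the device reports as onboarded. It assumes the built-in Defender cmdlets and the MDE status registry key; the seven-day signature age threshold is our own assumption.

```powershell
# Added example: readiness check for a Windows endpoint before/after onboarding.
# Run in an elevated PowerShell session on the device being checked.
function Test-MdeReadiness {
    $av    = Get-MpComputerStatus
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    # OnboardingState is written by the onboarding package; 1 means onboarded.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $onboarded = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState

    $checks = [ordered]@{
        # A third-party AV that still owns real-time scanning leaves Defender AV in
        # 'Passive Mode'; several MDE features will not work until that product is removed.
        'Defender AV running in Normal (active) mode' = ($av.AMRunningMode -eq 'Normal')
        'Real-time protection enabled'                = [bool]$av.RealTimeProtectionEnabled
        'Sense (MDE sensor) service running'          = ($null -ne $sense -and $sense.Status -eq 'Running')
        'Device reports as onboarded'                 = ($onboarded -eq 1)
        # Assumed threshold: stale signatures usually point at update-ring or proxy problems.
        'Signatures updated in the last 7 days'       = ($av.AntivirusSignatureLastUpdated -gt (Get-Date).AddDays(-7))
    }

    $failed = 0
    foreach ($name in $checks.Keys) {
        $ok = [bool]$checks[$name]
        if (-not $ok) { $failed++ }
        Write-Host ('{0,-4} {1}' -f $(if ($ok) { 'PASS' } else { 'FAIL' }), $name)
    }
    # $true only when every check passed, so a rollout script can gate on the result.
    return ($failed -eq 0)
}

Test-MdeReadiness
```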

Post Deployment

Audit Mode vs Block Mode

Some configuration may have been deployed in Audit Mode for the initial deployment (EDR Mode, Attack Surface Reduction, Potentially Unwanted Apps, Network Protection etc.); this should be reviewed and updated to blocking mode. The logs from the endpoints, or the built-in reporting, should guide you on what the potential impact of these changes will be.

Just a note on Attack Surface Reduction: these rules are all built around common techniques used to compromise endpoints and servers. While they may produce some false positives which need excluding, they go a long way towards securing an endpoint, so it’s well worth the time to get them set up properly.
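Before flipping ASR rules from audit to block, as an added example that is not part of the original post, this PowerShell snippet pulls the ASR audit (event 1122) and block (event 1121) events from the local Defender operational log and summarises which rule and process combinations would be affected, then shows the cmdlets that list and change a rule’s mode. The EventData field names are assumed from the event schema, and the rule GUID shown is a placeholder.

```powershell
# Added example: review ASR events on a device before moving rules to block mode.
function Get-AsrEventSummary {
    param([int]$Days = 7)
    # 1122 = rule fired in audit mode (would have blocked); 1121 = rule blocked.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML (field names are an assumption).
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $mode = if ($e.Id -eq 1122) { 'Audit' } else { 'Block' }
        [pscustomobject]@{
            Mode    = $mode
            RuleId  = $data['ID']
            Process = $data['Process Name']
            Path    = $data['Path']
        }
    }
    # Rule/process pairs with the highest counts are the first candidates for an exclusion
    # (or for confirming that the hit is genuinely unwanted behaviour).
    $rows | Group-Object Mode, RuleId, Process | Sort-Object Count -Descending |
        Select-Object Count, Name
}

Get-AsrEventSummary -Days 14

# Current rule configuration: the Ids and Actions arrays line up by index
# (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn).
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0}  action={1}' -f $pref.AttackSurfaceReductionRules_Ids[$i], $pref.AttackSurfaceReductionRules_Actions[$i]
}

# Move a single rule from audit to block once its events have been reviewed.
# '<RULE-GUID>' is a placeholder: use the GUID reported in the summary above.
Add-MpPreference -AttackSurfaceReductionRules_Ids '<RULE-GUID>' -AttackSurfaceReductionRules_Actions Enabled
```

On Intune-managed devices the rule mode should be changed in the Attack Surface Reduction policy rather than locally, or the policy will simply reassert the previous setting.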

Secure Score

Once your endpoints have been onboarded, you will start to see telemetry in Secure Score relating to Devices after a few hours. These metrics provide some key indicators of the health and security of your endpoints. They include:

  • Defender for Endpoint Health – Missing agents, degraded functionality and out of date components
  • Endpoint Health – Missing Updates
  • Endpoint Security Configuration – Missing security configuration
  • Vulnerable Software

Secure Score isn’t limited to just Devices; it also includes recommendations on Identity, Data and Applications. It provides historic reporting so you can track your progress over time, and is also prioritized based on the severity of the recommendations.

Monitoring and On-Going Management

Reporting

The Microsoft Defender portal provides several methods to monitor the on-going health of your Defender for Endpoint fleet:

  • Secure Score (as detailed in the previous section)
  • Built-in Reports – there are Device Health reports which provide sensor health, engine/platform/intelligence versions and scan results
  • Advanced Hunting – you can build your own reports and queries directly against the telemetry provided from the endpoints (Plan 2 required).

Alerts

Alerts will also end up in the Microsoft Defender portal. These can be triaged and managed directly within the portal, or they can be sent to a SIEM solution like Microsoft Sentinel. These alerts are also available via the API.

Troubleshooting

If you run into any issues with endpoints, Microsoft provides a tool called the ‘Microsoft Defender for Endpoint Client Analyzer’. It is supported on Windows, macOS and Linux and is the starting point for troubleshooting any connectivity or sensor health issues.

More info on it can be found here: https://learn.microsoft.com/en-us/defender-endpoint/download-client-analyzer

In Summary

Hopefully this has provided you with some insight into the different versions of Defender for Endpoint and some high-level guidance into deploying it within your environment.

Fenrir Security have deployed, managed, reviewed and remediated many Defender for Endpoint deployments over the years. If you are looking for some help with planning, managing or deploying Defender for Endpoint, then please reach out to us via info@fenrir.nz for a chat.

Fenrir also provides a managed security offering which manages and maintains Defender for Endpoint, and the wider Microsoft Defender ecosystem.
