Configuring Microsoft Defender for Endpoint settings is crucial for effective security management in Microsoft 365, and it makes up a significant portion of the MS-101: Microsoft 365 Mobility and Security exam. You can configure these settings through the Microsoft 365 Security Center.

Endpoint security in Microsoft 365 allows you to manage and review a wide range of on- and off-network security settings, giving you layer-by-layer visibility. Microsoft Defender for Endpoint is an enterprise-grade platform designed to help organizations prevent, detect, investigate, and respond to advanced threats.

Configuring Microsoft Defender for Endpoint settings

To begin configuring Microsoft Defender for Endpoint settings, you must first go to the Microsoft 365 Security Center at ‘security.microsoft.com.’ In the left navigation pane, click ‘Endpoint security’ > ‘Settings.’

1. Microsoft Defender Antivirus

From here, you can manage your antivirus configuration. This settings page exposes the core Microsoft Defender Antivirus capabilities, such as:

  • Real-Time Protection: Immediate scanning of files and programs upon access.
  • Cloud-Delivered Protection: Uses Microsoft’s cloud technology to detect the latest threats.
  • Automatic Sample Submission: Automatically send suspicious files for further analysis.

Each of these settings can be configured to either ‘enabled,’ ‘disabled,’ or ‘not configured.’
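The portal shows the intended policy; the following added example (not from the original article) reads back how the three settings listed above are actually applied on a device, using the built-in Defender PowerShell module in an elevated session. The value-to-label mappings are Microsoft's documented ones for `Get-MpPreference`.

```powershell
# Added example: report the effective state of real-time protection,
# cloud-delivered protection and automatic sample submission on this device.
function Get-DefenderAvPosture {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # MAPSReporting drives cloud-delivered protection: 0 = Disabled, 1 = Basic, 2 = Advanced
    $cloud = switch ([int]$pref.MAPSReporting) {
        0 { 'Disabled' } 1 { 'Basic' } 2 { 'Advanced' } default { 'Unknown' }
    }
    # SubmitSamplesConsent: 0 = Always prompt, 1 = Send safe samples automatically,
    # 2 = Never send, 3 = Send all samples automatically
    $samples = switch ([int]$pref.SubmitSamplesConsent) {
        0 { 'Always prompt' } 1 { 'Send safe samples automatically' }
        2 { 'Never send' }    3 { 'Send all samples automatically' } default { 'Unknown' }
    }

    [pscustomobject]@{
        RealTimeProtection        = $status.RealTimeProtectionEnabled
        CloudDeliveredProtection  = $cloud
        AutomaticSampleSubmission = $samples
        # Tamper protection is what stops local or malicious changes to the values above
        TamperProtected           = $status.IsTamperProtected
        SignaturesLastUpdated     = $status.AntivirusSignatureLastUpdated
    }
}

$posture = Get-DefenderAvPosture
$posture | Format-List

# Surface the gaps an administrator checking a device against policy cares about.
if (-not $posture.RealTimeProtection) {
    Write-Warning 'Real-time protection is off on this device.'
}
if ($posture.CloudDeliveredProtection -eq 'Disabled') {
    Write-Warning 'Cloud-delivered protection is disabled; new-threat detections will lag.'
}
if ($posture.AutomaticSampleSubmission -eq 'Never send') {
    Write-Warning 'Sample submission is disabled; suspicious files will not be analysed.'
}
```

On a device managed by Intune or Configuration Manager, or with tamper protection on, local `Set-MpPreference` changes are overridden or refused, so compare this output with the policy rather than editing it locally.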

2. Attack Surface Reduction (ASR) Rules

ASR rules are controls that reduce the opportunity for malware to run, typically by blocking behaviours that malware commonly relies on. Here, you can configure rules such as:

  • Block executable content from email and webmail
  • Use advanced protection against ransomware
  • Block credential-stealing from LSASS

Again, you can set policies for each rule as ‘enabled,’ ‘disabled,’ or ‘not configured.’

3. Account Protection

Account protection helps mitigate threats that take advantage of weak user credentials. This module is divided into ‘Local device sign-in options’ & ‘Windows Hello for Business.’ Under these sections, you can configure:

  • Prevent the use of security questions for local accounts
  • Require Windows Hello for Business
  • Use biometrics with Windows Hello for Business

4. Firewall

Here you can turn firewall settings on or off to match your organization's requirements.

To provide more practical insights, let’s take an example of how to configure ASR rules.

For instance, to enable the rule “Block executable content from email and webmail”, locate its corresponding setting, then:

  1. Set the value to ‘enabled.’
  2. Choose the mode:
    • ‘Audit’ mode: to test the effect of applying this rule.
    • ‘Block’ mode: to prevent the execution of such programs entirely.
  3. Set the user notification level.
  4. Select the ‘groups to exclude’ as required.

Be sure to save your policy after configuring each rule. Please note, the interface may direct you to use Intune or Configuration Manager for certain settings.
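The same four steps carried out locally with the Defender PowerShell module, as an added example that is not part of the original article. It assumes an elevated session on a device not yet receiving Intune or Configuration Manager policy; the rule GUIDs are Microsoft's documented identifiers for the three rules listed in the ASR section, and the exclusion path is a constructed placeholder.

```powershell
# Added example: roll out the three ASR rules from this article in Audit mode,
# review what they would have blocked, then switch them to Block.
$AsrRules = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email and webmail'
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
}

# Add-MpPreference appends to the existing rule list (Set-MpPreference overwrites it)
# and updates the action of a rule that is already present.
function Set-AsrRuleMode {
    param([string[]]$Ids, [ValidateSet('AuditMode', 'Enabled', 'Warn', 'Disabled')][string]$Action)
    foreach ($id in $Ids) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Action
    }
}

# Steps 1-2: enable in Audit mode first, so impact is measured before anything is blocked.
Set-AsrRuleMode -Ids @($AsrRules.Keys) -Action AuditMode

# Step 4: ASR exclusions apply to every ASR rule on the device, so keep the list minimal.
# Constructed placeholder path for a line-of-business binary that needs exemption.
Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\LineOfBusinessApp\legacy.exe'

# Verify the applied state. Action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id = $pref.AttackSurfaceReductionRules_Ids[$i]
    '{0}  action={1}  {2}' -f $id, $pref.AttackSurfaceReductionRules_Actions[$i], $AsrRules[$id.ToUpper()]
}

# Review the audit period: event 1122 = rule would have fired (Audit), 1121 = rule blocked.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1122 } `
             -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }

# Step 2 again, Block mode: run only once the 1122 events show no business impact.
# Set-AsrRuleMode -Ids @($AsrRules.Keys) -Action Enabled
```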

Remember that correct configuration of Microsoft Defender for Endpoint settings matters: it is what delivers wide-reaching threat intelligence, advanced threat hunting, post-breach detection, automated investigation, and response. Knowing how to use these resources substantially strengthens your preparation for the MS-101: Microsoft 365 Mobility and Security exam.

Practice Test

True or False: Microsoft Defender for Endpoint can be set up to send regular security reports to administrators.

• True
• False

Answer: True

Explanation: Microsoft Defender for Endpoint has a reporting feature that allows you to schedule regular security alert reports.

Which of the following can you configure in Microsoft Defender for Endpoint?

• A) Malware Protection
• B) Web Content Filtering
• C) Offline scanning
• D) All of the above

Answer: D) All of the above

Explanation: All these settings can be configured in Microsoft Defender for Endpoint, providing a comprehensive security solution.

True or False: Microsoft Defender for Endpoint is not designed to work with other security products.

• True
• False

Answer: False

Explanation: Microsoft Defender for Endpoint is designed to work alongside other security products, providing an additional layer of security.

What feature of Microsoft Defender for Endpoint helps prevent threats from penetrating the network?

• A) Threat and Vulnerability Management
• B) Attack surface reduction rules
• C) Network protection
• D) Both A and B

Answer: D) Both A and B

Explanation: Threat and Vulnerability Management and Attack surface reduction rules help minimize the attack surface and prevent threats from penetrating the network.

True or False: Microsoft Defender for Endpoint only provides protection for Windows devices.

• True
• False

Answer: False

Explanation: Microsoft Defender for Endpoint supports several platforms including MacOS, Linux, and Android, besides Windows.

Can you configure Microsoft Defender for Endpoint to quarantine threats without administrator approval?

• A) Yes
• B) No

Answer: A) Yes

Explanation: Microsoft Defender for Endpoint can be set up to automatically quarantine detected threats.

True or False: Microsoft Defender for Endpoint does not allow you to upload samples for analysis.

• True
• False

Answer: False

Explanation: Microsoft Defender for Endpoint has a feature that allows you to submit file samples for detailed analysis.

Which of the following is not a component of Microsoft Defender for Endpoint setting?

• A) Device control
• B) Audio monitoring
• C) Cloud-delivered protection
• D) Tamper protection

Answer: B) Audio monitoring

Explanation: Audio monitoring is not a component of Microsoft Defender for Endpoint settings.

In Microsoft Defender for Endpoint, is it possible to set up rule-based restrictions on software?

• A) Yes
• B) No

Answer: A) Yes

Explanation: Rule-based restrictions on software can be configured using attack surface reduction rules in Microsoft Defender for Endpoint.

True or False: Microsoft Defender for Endpoint cannot block potentially unwanted applications (PUAs).

• True
• False

Answer: False

Explanation: Microsoft Defender for Endpoint is capable of blocking potentially unwanted applications, referred to as PUAs.

Which of the following can be a benefit of enabling cloud-delivered protection in Microsoft Defender for Endpoint?

• A) Faster detection of threats
• B) Lower false positive rates
• C) Immediate protection from new threats
• D) All of the above

Answer: D) All of the above

Explanation: Cloud-delivered protection in Microsoft Defender for Endpoint provides faster detection, lower false-positive rates, and immediate protection against new threats.

In Microsoft Defender for Endpoint, ‘Controlled folder access’ helps to:

• A) Protect against network threats
• B) Protect valuable data from ransomware
• C) Manage software updates
• D) Block potentially unwanted applications

Answer: B) Protect valuable data from ransomware

Explanation: The ‘Controlled folder access’ feature helps secure valuable data from ransomware attacks by limiting the folders that untrusted processes can modify.

True or False: It is not possible to disable Microsoft Defender for Endpoint on individual devices.

• True
• False

Answer: False

Explanation: Administrators can choose to disable Microsoft Defender for Endpoint on specific devices as per the needs and security strategies of the organization.

True or False: The ‘Endpoint detection and response in block mode’ of Microsoft Defender for Endpoint can automatically prevent malware and hacking tools.

• True
• False

Answer: True

Explanation: This feature helps build a robust defense against malware and hacking tools by blocking them as soon as suspicious activity is detected.

True or False: External devices can be blocked from accessing your network through Microsoft Defender for Endpoint.

• True
• False

Answer: True

Explanation: Microsoft Defender for Endpoint offers a feature called Device control that can be set up to block or restrict external devices.

Interview Questions

What is the key use of Microsoft Defender for Endpoint?

Microsoft Defender for Endpoint is a holistic, cloud-delivered endpoint security solution that includes risk-based vulnerability management and assessment, attack surface reduction, behavioral-based and next-generation protection, endpoint detection and response (EDR), automatic investigation and remediation, and managed hunting services.

How many types of Endpoint Detection and Response (EDR) settings are available in Microsoft Defender?

There are three types: On, Off, and Audit mode.

What can you do to limit exposure to attacks in regard to attack surface reduction rules?

You can configure attack surface reduction rules in Intune, System Center Configuration Manager, or Group Policy to limit behaviors to only what an organization needs.

What is the role of the ‘Suspicious system activities’ option in Microsoft Defender?

The ‘Suspicious system activities’ option helps detect potential OS exploits by treating OS manipulation tools as severe alerts.

What can automatic sample submission do in Microsoft Defender for Endpoint?

Automatic sample submission sends the potential malware samples to Microsoft for review when Defender identifies potentially harmful files.

How do you set up Microsoft Defender Endpoint Protection?

You need to go to the Microsoft Endpoint Manager admin center, then go to Endpoint security > Antivirus > Create Policy > Windows 10 and later, and then follow the on-screen instructions.

How does Tamper Protection work on Microsoft Defender Endpoint Protection?

Tamper Protection prevents malicious apps from altering Microsoft Defender settings like Real-time protection and behavior monitoring.

Why are cloud-delivered protection settings important in Microsoft Defender Endpoint Protection?

Cloud-delivered protection provides faster updates to systems and responds to new threats quicker by using Microsoft cloud security service.

What is the role of Real-time protection in Microsoft Defender Endpoint Protection?

Real-time protection inspects all files and programs that are opened, whether from the network or online, and blocks them if they are suspicious or identified as a threat.

How can you manually add or remove a file from Microsoft Defender for Endpoint’s protection scope?

You can manually specify files to be excluded from the scan if you think they are safe or you can manually add files for scanning if you think they are suspicious.

What is the use of automatic investigations in Microsoft Defender for Endpoint Protection?

Automatic investigations help examine alerts and take rapid action to resolve breaches, significantly reducing alert volume.

What setting would you use to reduce vulnerability to web attacks?

The SmartScreen setting can be used. It warns users about potentially unsafe websites and downloads, providing an extra layer of defense against web-based attacks.

What happens if two contradictory settings are used on Microsoft Defender?

If contradicting settings are configured, the most restrictive setting will be applied. For example, if a rule is set to allow and another to block the same setting, the block rule will prevail.

What is the use of Security intelligence updates in Defender?

Security intelligence updates ensure that Microsoft Defender Antivirus is updated regularly to detect and neutralize the latest threats.

What is the function of Attack Surface Reduction (ASR) rules?

The ASR rules provide the first line of defense on the system. They aim to reduce the system’s attack surface with techniques that block risky behaviour by Office and communication applications, scripts, mail clients, and browsers.
