Deploy the Microsoft Defender for Endpoint environment

Learn how to deploy the Microsoft Defender for Endpoint environment, including onboarding devices and configuring security.

Learning objectives

Upon completion of this module, the learner will be able to:

  • Create a Microsoft Defender for Endpoint environment
  • Onboard devices to be monitored by Microsoft Defender for Endpoint
  • Configure Microsoft Defender for Endpoint environment settings

Introduction

Deploying the Microsoft Defender for Endpoint environment involves configuring your tenant, onboarding your devices, and configuring security team access.

You're a Security Operations Analyst working at a company that is implementing Microsoft Defender for Endpoint. Your manager plans to onboard a few devices to provide insight into required changes to the SecOps team response procedures.

You start by initializing the Defender for Endpoint environment. Next, you onboard the initial devices for your deployment by running the onboarding script on them. You then configure security for the environment, create device groups, and assign the appropriate devices to each group.

After completing this module, you'll be able to:

  • Create a Microsoft Defender for Endpoint environment
  • Onboard devices to be monitored by Microsoft Defender for Endpoint
  • Configure Microsoft Defender for Endpoint environment settings

Create your environment

When accessing your Microsoft 365 Defender portal settings for Endpoints for the first time, you'll be able to configure many attributes. You must be a global administrator or security administrator for the tenant. On the Set-up preferences page, you can set the:

Data storage location - Determine where you want your data to be primarily hosted: US, EU, or UK. You can't change the location after this setup, and Microsoft won't transfer the data out of the specified geolocation.

Data retention - The default is six months.

Enable preview features - The default is on; this can be changed later.

To access the Microsoft 365 Defender portal settings for Endpoints, do the following:

  1. Go to https://security.microsoft.com.
  2. Select Settings.
  3. Select Endpoints.

Network configuration

If the organization doesn't require endpoints to use a proxy to access the internet, the following configuration isn't needed.

The Microsoft Defender for Endpoint sensor uses Microsoft Windows HTTP Services (WinHTTP) to report sensor data and communicate with the Defender for Endpoint cloud service. The embedded sensor runs in the system context using the LocalSystem account, so it has no user profile and no browser settings of its own. The WinHTTP configuration is independent of the Windows Internet (WinINet) proxy settings used for internet browsing, and the sensor can only discover a proxy server by using the following discovery methods:

Autodiscovery methods:

  • Transparent proxy

  • Web Proxy Autodiscovery Protocol (WPAD)

If a Transparent proxy or WPAD has been implemented in the network topology, there's no need for special configuration settings.
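The following PowerShell script is an added example for this section; it is not part of the Microsoft Learn module and not Microsoft's own tooling. It shows the distinction the text draws: the machine-wide WinHTTP proxy (what the sensor running as LocalSystem actually uses) is read and, if necessary, set with `netsh winhttp`, while the per-user WinINet browsing proxy is shown only to make clear that it is a separate setting. The proxy address and bypass list are placeholders, and the static proxy is meant to be applied only when neither a transparent proxy nor WPAD exists on the network.

```powershell
# Added example, not part of the Microsoft Learn module: inspect the machine-wide
# WinHTTP proxy that the Defender for Endpoint sensor (running as LocalSystem) uses,
# and set a static one only when neither a transparent proxy nor WPAD is in place.
# The proxy address is a placeholder; replace it with your organisation's real proxy.
# Run in an elevated (Administrator) PowerShell session on the endpoint.

$StaticProxy = 'proxy.corp.example:8080'   # placeholder, not a real proxy
$BypassList  = '<local>'                   # send intranet names directly, not via the proxy

function Get-WinHttpProxy {
    # 'netsh winhttp show proxy' reports either "Direct access (no proxy server)."
    # or "Proxy Server(s) : host:port" followed by "Bypass List : ...".
    $text = (& netsh.exe winhttp show proxy 2>&1) -join "`n"
    if ($text -match 'Direct access') {
        return [pscustomobject]@{ Mode = 'Direct'; ProxyServer = $null; BypassList = $null }
    }
    $server = if ($text -match 'Proxy Server\(s\)\s*:\s*(.+)') { $Matches[1].Trim() } else { $null }
    $bypass = if ($text -match 'Bypass List\s*:\s*(.+)')       { $Matches[1].Trim() } else { $null }
    return [pscustomobject]@{ Mode = 'Static'; ProxyServer = $server; BypassList = $bypass }
}

function Get-WinInetProxy {
    # The browsing (WinINet) proxy of the current user. Shown only to make the point
    # that it is a different setting from WinHTTP and does not apply to the sensor.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    return [pscustomobject]@{ Enabled = [bool]$p.ProxyEnable; ProxyServer = $p.ProxyServer }
}

function Set-WinHttpStaticProxy {
    param(
        [Parameter(Mandatory)][string]$ProxyServer,
        [string]$BypassList = '<local>'
    )
    # The WinHTTP proxy is machine-wide, so writing it needs an elevated session.
    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Changing the WinHTTP proxy requires an elevated session.'
    }
    & netsh.exe winhttp set proxy proxy-server="$ProxyServer" bypass-list="$BypassList" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh winhttp set proxy failed with exit code $LASTEXITCODE" }
    return Get-WinHttpProxy
}

$winHttp = Get-WinHttpProxy
$winInet = Get-WinInetProxy
Write-Host ("WinHTTP (used by the sensor): {0} {1}" -f $winHttp.Mode, $winHttp.ProxyServer)
Write-Host ("WinINet (browser, per user) : enabled={0} {1}" -f $winInet.Enabled, $winInet.ProxyServer)

# Only when the network has no transparent proxy and no WPAD, give the sensor an explicit proxy:
# $winHttp = Set-WinHttpStaticProxy -ProxyServer $StaticProxy -BypassList $BypassList
# To remove the static proxy again and return to autodiscovery: netsh winhttp reset proxy
```

A device that browses fine through a user-level proxy can still fail to report to the service, because the sensor never reads the WinINet setting; running the two read functions side by side makes that gap visible before onboarding. If the user-level proxy is the one the sensor should use, `netsh winhttp import proxy source=ie` copies it into the WinHTTP setting instead of typing the address by hand.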


Understand operating systems compatibility and features

Microsoft Defender for Endpoint is available on the following operating systems:

  • Windows
  • macOS
  • Linux
  • Android
  • iOS

Windows

Supported Windows client versions

  • Windows 7 SP1 Enterprise (requires ESU for support)
  • Windows 7 SP1 Pro (requires ESU for support)
  • Windows 8.1 Enterprise
  • Windows 8.1 Pro
  • Windows 11 Enterprise
  • Windows 11 Education
  • Windows 11 Pro
  • Windows 11 Pro Education
  • Windows 10 Enterprise
  • Windows 10 Enterprise LTSC 2016 (or later)
  • Windows 10 Enterprise IoT
  • Windows 10 Education
  • Windows 10 Pro
  • Windows 10 Pro Education

Supported Windows Server versions

  • Windows Server 2008 R2 SP1 (requires ESU for support)
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server, version 1803 or later
  • Windows Server 2019
  • Windows Server 2022
  • Windows Virtual Desktop

Microsoft Defender for Endpoint on macOS

Microsoft Defender for Endpoint on macOS offers antivirus, endpoint detection and response (EDR), and vulnerability management capabilities for the three latest released versions of macOS. Customers can deploy and manage the solution through Microsoft Endpoint Manager and Jamf. Just like with Microsoft Office applications on macOS, Microsoft AutoUpdate is used to manage Microsoft Defender for Endpoint on Mac updates.


Microsoft Defender for Endpoint on Linux

Microsoft Defender for Endpoint on Linux offers preventative antivirus (AV), endpoint detection and response (EDR), and vulnerability management capabilities for Linux servers. This includes a full command line experience to configure and manage the agent, initiate scans, and manage threats. We support recent versions of the six most common Linux server distributions: RHEL 7.2+, CentOS Linux 7.2+, Ubuntu 16 LTS or a higher LTS release, SLES 12+, Debian 9+, and Oracle Linux 7.2. Microsoft Defender for Endpoint on Linux can be deployed and configured using Puppet, Ansible, or your existing Linux configuration management tool.

Microsoft Defender for Endpoint on Android

Microsoft Defender for Endpoint on Android is our mobile threat defense solution for devices running Android 6.0 and higher. Both Android Enterprise (Work Profile) and Device Administrator modes are supported. On Android, we offer web protection, which includes anti-phishing, blocking of unsafe connections, and setting of custom indicators. The solution scans for malware and potentially unwanted applications (PUA) and offers more breach prevention capabilities through integration with Microsoft Endpoint Manager and Conditional Access.

Microsoft Defender for Endpoint on iOS


Microsoft Defender for Endpoint on iOS is our mobile threat defense solution for devices running iOS 11.0 and higher. Devices that are registered within a customer's tenant (enrolled or unenrolled) are supported. Both supervised and unsupervised enrolled devices are supported. On iOS, we offer web protection, which includes anti-phishing, blocking of unsafe connections, and setting of custom indicators, as well as jailbreak detection.

Onboard devices
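After the onboarding script downloaded from the portal has been run on a device, the first thing an analyst wants is a local check that the device actually onboarded. The PowerShell function below is an added example for this module, not Microsoft's own code. It assumes the sensor service name `Sense`, the `OnboardingState` value (1 meaning onboarded) under `HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status`, and the `Microsoft-Windows-SENSE/Operational` event log as the places the Windows sensor records its state.

```powershell
# Added example, not part of the Microsoft Learn module: verify that a Windows device
# is onboarded after the onboarding script from the portal has been run on it.
# Assumed names: the sensor service is 'Sense'; the sensor writes OnboardingState
# (1 = onboarded) under HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status;
# its operational log is 'Microsoft-Windows-SENSE/Operational'.

function Get-MdeOnboardingStatus {
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $service   = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
    $status    = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue

    # The last few sensor errors usually explain a device that never appears in the portal
    # (for example, it cannot reach the service because the WinHTTP proxy is wrong).
    $recentErrors = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-SENSE/Operational'; Level = 2   # 2 = Error
    } -MaxEvents 5 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        SensorInstalled = [bool]$service
        SensorRunning   = ($null -ne $service -and $service.Status -eq 'Running')
        Onboarded       = [bool]($status -and $status.OnboardingState -eq 1)
        RecentErrors    = @($recentErrors | ForEach-Object {
                              "$($_.TimeCreated) id=$($_.Id): $($_.Message)" })
    }
}

function Test-MdeOnboarding {
    $s = Get-MdeOnboardingStatus
    $s | Format-List ComputerName, SensorInstalled, SensorRunning, Onboarded | Out-String | Write-Host

    if (-not $s.SensorInstalled) {
        Write-Host 'Sense service not found: the embedded sensor is not present on this device.'
    } elseif (-not $s.Onboarded) {
        Write-Host 'Sensor present but not onboarded: re-run the onboarding script as Administrator.'
    } elseif (-not $s.SensorRunning) {
        Write-Host 'Onboarded but the sensor is not running: check proxy/connectivity and the errors below.'
    } else {
        Write-Host 'Device is onboarded and the sensor is running.'
    }
    $s.RecentErrors | ForEach-Object { Write-Host "  $_" }

    # $true only when the device is both onboarded and actively reporting
    return ($s.Onboarded -and $s.SensorRunning)
}

Test-MdeOnboarding
```

Run it as Administrator on each pilot device after onboarding; the returned Boolean lets the same function be used from a remoting session or a deployment tool to collect a simple pass/fail per device before the device is expected to show up in the portal's device inventory.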

Defender for Endpoint is a comprehensive cloud-based endpoint security solution developed by Microsoft. It provides advanced protection against sophisticated threats across multiple platforms, including Windows, macOS, Linux, Android, and iOS.

The solution employs artificial intelligence and machine learning technologies to detect and prevent a wide range of attacks, including fileless, zero-day, and ransomware attacks. It also offers endpoint detection and response (EDR) capabilities, enabling security teams to investigate and respond to threats in real time.

In summary, Defender for Endpoint is a robust endpoint security solution that offers advanced threat protection, machine learning-based detection and response capabilities, and centralized management of security policies across multiple platforms.




