Device Enrollment and Configuration:
- Automate Wi-Fi profiles to connect seamlessly to corporate networks.
- Deploy VPN configurations to secure remote connections.
- Set up email profiles for Outlook or other clients.
Security Policies:
- Enforce BitLocker encryption to secure data on drives.
- Configure Windows Defender Firewall to block unauthorized connections.
- Mandate the use of antivirus software with regular scanning schedules.
Compliance Policies:
- Require devices to run Windows 10 version 1909 or later.
- Enforce security patch installations within 15 days of release.
- Monitor and enforce compliance with corporate security standards.
Application Management:
- Deploy Microsoft Office 365 apps automatically upon device enrollment.
- Set rules for automatic updates of critical business applications.
- Manage permissions and access for software installation and removal.
Update Management:
- Use Windows Update for Business to schedule and manage OS updates.
- Configure maintenance windows to apply updates during non-business hours.
- Monitor update compliance across all devices.
Endpoint Protection:
- Integrate with Microsoft Defender for Endpoint for enhanced threat detection.
- Set up automated responses to security alerts.
- Review and adjust security policies based on threat analytics.
Data Protection:
- Implement DLP policies to prevent sensitive data from being emailed outside the organization.
- Restrict copying of data to external drives and other removable media.
- Monitor data usage and access to identify potential breaches.
Additional Configurations to Perform After Onboarding Microsoft Defender for Endpoint
- Enable and Configure Attack Surface Reduction (ASR) Rules
- Configuration: ASR rules need to be configured to reduce the attack surface by blocking risky behaviors and potentially malicious applications.
- Steps:
- Open the Microsoft 365 Defender portal.
- Go to
Settings
>Endpoints
>Attack surface reduction
. - Configure rules such as “Block Office applications from creating child processes” and “Block executable content from email and webmail clients.”
- Set Up Automated Investigation and Response (AIR)
- Configuration: Ensure that AIR is properly configured to automatically investigate and remediate low-level threats.
- Steps:
- In the Microsoft 365 Defender portal, navigate to
Settings
>Endpoints
>Automated investigations
. - Set the automation level (e.g., full automation) based on your organization’s policy.
- In the Microsoft 365 Defender portal, navigate to
- Configure Threat and Vulnerability Management
- Configuration: Enable and configure threat and vulnerability management to continuously assess and mitigate risks.
- Steps:
- Navigate to
Threat & Vulnerability Management
in the Microsoft 365 Defender portal. - Review the security recommendations and take action to address identified vulnerabilities.
- Navigate to
- Set Up Web Content Filtering
- Configuration: Configure web content filtering policies to block access to malicious or inappropriate websites.
- Steps:
- Go to
Settings
>Endpoints
>Web content filtering
in the Microsoft 365 Defender portal. - Define and apply filtering categories and policies to your devices.
- Go to
- Enable Ransomware Protection and Controlled Folder Access
- Configuration: Enable ransomware protection features like Controlled Folder Access to protect critical folders from unauthorized changes.
- Steps:
- In the
Virus & threat protection
settings, selectManage ransomware protection
. - Enable
Controlled Folder Access
and configure the protected folders.
- In the
- Configure Firewall and Network Protection
- Configuration: Set up firewall rules and network protection settings to safeguard against network-based threats.
- Steps:
- In the Microsoft 365 Defender portal, go to
Firewall & network protection
. - Configure firewall rules and settings to block or allow specific network traffic.
- In the Microsoft 365 Defender portal, go to
- Enable and Configure Credential Guard
- Configuration: Enable Credential Guard to protect against credential theft attacks.
- Steps:
- Configure via Group Policy: Navigate to
Computer Configuration
>Administrative Templates
>System
>Device Guard
. - Enable Credential Guard and configure relevant settings.
- Configure via Group Policy: Navigate to
- Apply Security Baselines
- Configuration: Apply security baselines to ensure all laptops comply with recommended security settings.
- Steps:
- Go to the Microsoft Endpoint Manager admin center.
- Navigate to
Endpoint security
>Security baselines
. - Assign the appropriate security baseline profile to your devices.
- Integrate with Microsoft Defender for Identity and Other Security Solutions
- Configuration: Integrate Defender for Endpoint with other Microsoft security tools for comprehensive protection.
- Steps:
- Use the Microsoft 365 Defender portal to configure integration settings under
Settings
>Integration
.
- Use the Microsoft 365 Defender portal to configure integration settings under
- Set Up Advanced Hunting and Custom Detection Rules
- Configuration: Use advanced hunting queries to proactively search for threats and create custom detection rules.
- Steps:
- In the Microsoft 365 Defender portal, go to
Advanced hunting
. - Use Kusto Query Language (KQL) to create custom detection rules tailored to your environment.
- In the Microsoft 365 Defender portal, go to
- Configure Device Isolation Policies
- Configuration: Set policies to automatically isolate compromised devices to prevent the spread of malware.
- Steps:
- Configure isolation settings in the Microsoft 365 Defender portal under
Device configuration
>Isolate devices
.
- Configure isolation settings in the Microsoft 365 Defender portal under
- Enable SmartScreen for Safer Browsing
- Configuration: Ensure Microsoft Defender SmartScreen is enabled to protect against phishing and malware websites.
- Steps:
- Go to the Microsoft Edge browser settings.
- Enable SmartScreen under
Privacy, search, and services
.
- Block Potentially Unwanted Applications (PUAs)
- Configuration: Configure settings to block PUAs, which can reduce the risk of unwanted software affecting system performance or security.
- Steps:
- In the Microsoft 365 Defender portal, go to
App & browser control
. - Enable the setting to block potentially unwanted applications.
- In the Microsoft 365 Defender portal, go to
- Implement Conditional Access Policies
- Configuration: Integrate with Azure Active Directory (AAD) to enforce conditional access policies based on device compliance status.
- Steps:
- Navigate to the Azure AD portal.
- Set up conditional access policies under
Security
>Conditional access
.
- Enable Exploit Protection Settings
- Configuration: Configure exploit protection settings to prevent common exploit techniques.
- Steps:
- Go to
Windows Security
>App & browser control
>Exploit protection settings
. - Configure settings for system and program-specific protections.
- Go to
- Set Up Incident Response Alerts and Playbooks
- Configuration: Configure alerts and automated response playbooks for specific security incidents.
- Steps:
- In Azure Sentinel (if integrated), go to
Playbooks
. - Create or customize playbooks for automated incident response actions.
- In Azure Sentinel (if integrated), go to
- Customize Device Compliance Policies
- Configuration: Set compliance policies to ensure devices meet security requirements and are protected.
- Steps:
- In the Microsoft Endpoint Manager admin center, go to
Devices
>Compliance policies
. - Create and assign compliance policies tailored to your organization.
- In the Microsoft Endpoint Manager admin center, go to
- Configure File Integrity Monitoring
- Configuration: Set up file integrity monitoring to detect unauthorized changes to critical files.
- Steps:
- Go to
Settings
>Endpoints
>Advanced features
in the Microsoft 365 Defender portal. - Enable and configure file integrity monitoring settings.
- Go to
- Enable Endpoint Analytics
- Configuration: Utilize endpoint analytics to monitor and optimize endpoint performance and security.
- Steps:
- In Microsoft Endpoint Manager, navigate to
Reports
>Endpoint analytics
. - Review and configure settings to enable endpoint analytics.
- In Microsoft Endpoint Manager, navigate to
- Configure Role-Based Access Control (RBAC)
- Configuration: Set up RBAC to manage access to Defender for Endpoint features based on the user’s role.
- Steps:
- In the Microsoft 365 Defender portal, go to
Settings
>Permissions & roles
. - Configure roles and permissions based on user roles within the organization.
- In the Microsoft 365 Defender portal, go to
- Set Up Email Notifications for Alerts
- Configuration: Configure email notifications for critical alerts and incidents to ensure timely response.
- Steps:
- In the Microsoft 365 Defender portal, go to
Settings
>Email notifications
. - Set up email notifications for specific alert types.
- In the Microsoft 365 Defender portal, go to
- Use Microsoft Secure Score
- Configuration: Leverage Microsoft Secure Score to identify opportunities for improving your security posture.
- Steps:
- Access the Microsoft 365 Defender portal and navigate to
Secure Score
. - Review recommendations and implement suggested improvements.
- Access the Microsoft 365 Defender portal and navigate to
- Update Group Policies and Device Configuration Profiles
- Configuration: Ensure all Group Policies and device configuration profiles are updated to enforce the latest security settings.
- Steps:
- In Group Policy Management, update policies related to security configurations.
- In Intune, ensure device profiles are correctly applied and configured.
- Create and Apply Device Security Groups
- Configuration: Organize devices into security groups based on department or risk level for better policy management.
- Steps:
- In Azure AD or Intune, create dynamic device groups.
- Assign devices to appropriate groups and apply specific policies.
- Monitor Security Baseline Compliance
- Configuration: Regularly monitor and enforce compliance with security baselines across all devices.
- Steps:
- In Microsoft Endpoint Manager, navigate to
Endpoint security
>Security baselines
. - Review compliance status and remediate non-compliant devices.
- In Microsoft Endpoint Manager, navigate to
Once you onboard your Windows laptops to Microsoft Defender for Endpoint, several security features are automatically enabled to enhance protection without requiring additional manual configuration for basic functionality. Here is a list of key security features that are typically activated automatically:
1. Real-Time Protection
- Function: Continuously scans files, programs, and activities on the device to detect and stop malware and other threats as they occur.
2. Cloud-Delivered Protection
- Function: Enhances threat detection and improves response time to new threats by using cloud-based protection and intelligence.
3. Tamper Protection
- Function: Prevents malicious applications and actors from changing critical Windows Defender Antivirus settings, enhancing the resilience of the security on the device.
4. Behavior Monitoring
- Function: Analyzes behavior of applications and files in real time to detect and block behavior patterns that might indicate advanced attacks, such as zero-days or ransomware.
5. Antivirus and Anti-malware Protection
- Function: Provides comprehensive protection against viruses, spyware, and other malicious software through automatic scanning and removal.
6. Automatic Updates
- Function: Automatically updates virus and threat definitions and security intelligence, ensuring the device is always protected against the latest identified threats.
7. Network Protection
- Function: Helps to prevent employees from using any applications to access dangerous domains that might host phishing scams, exploits, and other malicious content on the internet.
8. Exploit Protection
- Function: Helps protect against malware that uses exploits to infect devices by configuring built-in exploit mitigation settings.
9. Attack Surface Reduction (ASR) Rules
- Function: Automatically applies certain rules to reduce the attack surface by blocking actions like executing macros from suspicious sources, blocking obfuscated or potentially harmful scripts, and more.
10. Device Health Assessment
- Function: Automatically monitors device health and security configuration to ensure compliance with corporate security policies.
11. Secure Boot
- Function: Helps ensure that the device boots using only software that is trusted by the OEM and Microsoft, protecting against rootkit infections.
12. BitLocker Integration
- Function: Automates the enforcement of disk encryption provided by BitLocker, ensuring that all device data is encrypted at rest and enhancing data protection.
13. Firewall Integration
- Function: Automatically integrates with Windows Firewall settings to manage network traffic rules, ensuring that unwanted or malicious network traffic is blocked.
14. Limited Periodic Scanning
- Function: When another antivirus app is the primary antivirus, Windows Defender can periodically scan to find and remove malware that might have been missed.
15. Sample Submission
- Function: Automatically configured to send samples of suspicious files to Microsoft for analysis, improving the accuracy and timeliness of protection for all users.
Define Sensitive Information Types
- Built-in and Custom Classifications: Utilize Microsoft Purview’s built-in sensitive information types like financial data, personally identifiable information (PII), or health records. Additionally, create custom sensitive information types tailored to your organization’s specific data protection needs.
2. Implement DLP Policies Across Environments
- Multiple Platforms: Configure DLP policies that apply across various platforms where your organization operates, including Microsoft 365 services (Exchange, Teams, SharePoint, OneDrive), as well as on-premises file shares and other cloud environments.
- Unified Policy Management: Manage your DLP policies from the Microsoft Purview compliance portal, ensuring a unified approach to policy enforcement across environments.
3. Configure DLP Rules and Actions
- Prevent Data Breaches: Set up rules to automatically block or restrict the sharing of sensitive information based on the context of the content and its destination. For example, prevent an employee from sending financial details to external contacts.
- Real-time Notifications: Configure alerts and notifications for end-users when they attempt to perform actions that violate DLP policies, providing immediate feedback and guidance on proper data handling.
4. Use Policy Tips
- Educate Users in Real-time: Implement policy tips within Office applications to warn users when they’re working with sensitive information in a way that could violate your organization’s policies. This real-time intervention helps educate users on compliance standards and prevents accidental data leaks.
5. Automate Protection with Labels
- Auto-apply Labels: Use automatic labeling to apply classification labels to content based on detection rules. These labels can carry associated protection actions, such as encryption or access restrictions, that travel with the content wherever it goes.
- Manual Labeling: Enable users to manually label documents when automatic classification isn’t clear or when nuanced understanding of the content is necessary.
6. Monitor and Analyze with Advanced Reporting
- Detailed Reports: Use Microsoft Purview’s advanced analytics and reporting tools to monitor the effectiveness of your DLP policies. Gain insights into how data is being used and shared across your organization and where your potential risk points are.
- Audit Trails: Maintain comprehensive logs of all data interactions and policy violations to aid in investigations and compliance audits.
7. Endpoint DLP
- Protect Data on Devices: Extend your DLP policies to endpoints (e.g., Windows 10 and 11 devices) to monitor and restrict the use of sensitive information outside of your corporate network. This includes blocking copying to USB drives, printing of sensitive documents, or even uploading to unapproved cloud applications.
8. Train and Educate Staff
- Ongoing Training: Regularly train your staff on the importance of data protection and the specific policies you have implemented. Ensure they understand the tools and methods you are using to protect data, including how to properly handle and classify sensitive information.
9. Integrate with Other Security Solutions
- Unified Security Ecosystem: Integrate Purview DLP with other security solutions such as Microsoft Defender for Identity, Endpoint, and Cloud Apps to provide a comprehensive security strategy that covers all aspects of your data protection needs.