Defender Deployment
The Defender Deployment page allows you to set up default Defender policies for your tenants or create specific policies. The form includes several sections:
Tenant Selection: Select one or more tenants to apply the policies. This is a required field, and at least one tenant must be selected.
Defender Setup Options: Configure various Defender settings such as compliance, telemetry, and device connections.
Allow Microsoft Defender for Endpoint to enforce Endpoint Security Configurations (Compliance): Enables Defender to enforce compliance configurations.
Connect iOS/iPadOS devices version 13.0 and above to Microsoft Defender for Endpoint (Compliance): Connects iOS/iPadOS devices to Defender for compliance.
Connect Android devices version 6.0.0 and above to Microsoft Defender for Endpoint (Compliance): Connects Android devices to Defender for compliance.
Connect Windows devices version 10.0.15063 and above to Microsoft Defender for Endpoint (Compliance): Connects Windows devices to Defender for compliance.
EDR: Expedite Telemetry Reporting Frequency: Increases the frequency of telemetry reporting for Endpoint Detection and Response.
Enable App Sync (sending application inventory) for iOS/iPadOS devices: Sends application inventory for iOS/iPadOS devices.
Block unsupported OS versions: Blocks devices with unsupported OS versions from connecting.
Connect Android devices to Microsoft Defender for Endpoint: Connects Android devices to Defender.
Connect iOS/iPadOS devices to Microsoft Defender for Endpoint: Connects iOS/iPadOS devices to Defender.
EDR: Connect Defender Configuration Package automatically from Connector: Automatically connects the Defender configuration package.
EDR: Enable Sample Sharing: Enables sharing of samples for analysis.
Defender Defaults Policy Options: Set default policies for scanning, monitoring, and protection.
Allow Archive Scanning: Enables scanning of archive files.
Allow behavior monitoring: Enables monitoring of application behaviors.
Allow Cloud Protection: Enables cloud-based protection.
Allow e-mail scanning: Enables scanning of email content.
Allow Full Scan on Network Drives: Enables full scans on network drives.
Allow Full Scan on Removable Drives: Enables full scans on removable drives.
Allow Script Scanning: Enables scanning of scripts.
Allow Intrusion Prevention System: Enables the Intrusion Prevention System.
Enable Low CPU priority: Reduces CPU priority for scans.
Allow scanning of downloaded files: Enables scanning of files downloaded from the internet.
Allow Realtime monitoring: Enables real-time monitoring of files and processes.
Allow scanning of mapped drives: Enables scanning of mapped network drives.
Allow users to access UI: Allows users to access the Defender user interface.
Enable Network Protection in Block Mode: Enables network protection in block mode.
Enable Network Protection in Audit Mode: Enables network protection in audit mode.
Check Signatures before scan: Verifies file signatures before scanning.
Disable Catchup Full Scan: Disables catchup full scans.
Disable Catchup Quick Scan: Disables catchup quick scans.
Assign to Group: Options to assign policies to specific groups (e.g., all users, all devices).
ASR Rules: Define Attack Surface Reduction rules to enhance security.
Block Adobe Reader from creating child processes: Prevents Adobe Reader from creating child processes.
Block Win32 API calls from Office macros: Prevents Office macros from making Win32 API calls.
Block credential stealing from the Windows local security authority subsystem: Prevents credential theft from the local security authority subsystem.
Block process creations originating from PSExec and WMI commands: Prevents process creation from PSExec and WMI commands.
Block persistence through WMI event subscription: Prevents persistence through WMI event subscriptions.
Block Office applications from creating executable content: Prevents Office applications from creating executable files.
Block Office applications from injecting code into other processes: Prevents Office applications from injecting code.
Block executable files from running unless they meet a prevalence, age, or trusted list criterion: Blocks executable files that do not meet a prevalence, age, or trusted list criterion.
Block JavaScript or VBScript from launching downloaded executable content: Prevents JavaScript or VBScript from launching downloaded executable content.
Block Office communication application from creating child processes: Prevents Office communication apps from creating child processes.
Block all Office applications from creating child processes: Prevents all Office apps from creating child processes.
Block untrusted and unsigned processes that run from USB: Blocks untrusted and unsigned processes that run from USB devices.
Use advanced protection against ransomware: Enables advanced ransomware protection.
Block executable content from email client and webmail: Blocks executable content from email clients and webmail.
Block abuse of exploited vulnerable signed drivers (Device): Prevents abuse of vulnerable signed drivers.
Assign to Group: Options to assign ASR rules to specific groups (e.g., all users, all devices).
For more details on each setting, refer to the Microsoft Defender for Endpoint documentation.
Feature Requests / Ideas
We value your feedback and ideas. Please raise any feature requests on GitHub.