Defender Deployment

The Defender Deployment page allows you to set up default defender policies for your tenants or create specific policies. The form includes several sections:

  • Tenant Selection: Select one or more tenants to apply the policies. This is a required field, and at least one tenant must be selected.

  • Defender Setup Options: Configure various defender settings such as compliance, telemetry, and device connections.

    • Allow Microsoft Defender for Endpoint to enforce Endpoint Security Configurations (Compliance): Enables Defender to enforce compliance configurations.

    • Connect iOS/iPadOS devices version 13.0 and above to Microsoft Defender for Endpoint (Compliance): Connects iOS devices to Defender for compliance.

    • Connect Android devices version 6.0.0 and above to Microsoft Defender for Endpoint (Compliance): Connects Android devices to Defender for compliance.

    • Connect Windows devices version 10.0.15063 and above to Microsoft Defender for Endpoint (Compliance): Connects Windows devices to Defender for compliance.

    • EDR: Expedite Telemetry Reporting Frequency: Increases the frequency of telemetry reporting for Endpoint Detection and Response.

    • Enable App Sync (sending application inventory) for iOS/iPadOS devices: Sends application inventory for iOS devices.

    • Block unsupported OS versions: Blocks devices with unsupported OS versions from connecting.

    • Connect Android devices to Microsoft Defender for Endpoint: Connects Android devices to Defender.

    • Connect iOS/iPadOS devices to Microsoft Defender for Endpoint: Connects iOS devices to Defender.

    • EDR: Connect Defender Configuration Package automatically from Connector: Automatically connects the Defender configuration package.

    • EDR: Enable Sample Sharing: Enables sharing of samples for analysis.

  • Defender Defaults Policy Options: Set default policies for scanning, monitoring, and protection.

    • Allow Archive Scanning: Enables scanning of archive files.

    • Allow behavior monitoring: Enables monitoring of application behaviors.

    • Allow Cloud Protection: Enables cloud-based protection.

    • Allow e-mail scanning: Enables scanning of email content.

    • Allow Full Scan on Network Drives: Enables full scans on network drives.

    • Allow Full Scan on Removable Drives: Enables full scans on removable drives.

    • Allow Script Scanning: Enables scanning of scripts.

    • Allow Intrusion Prevention System: Enables the Intrusion Prevention System.

    • Enable Low CPU priority: Reduces CPU priority for scans.

    • Allow scanning of downloaded files: Enables scanning of files downloaded from the internet.

    • Allow Realtime monitoring: Enables real-time monitoring of files and processes.

    • Allow scanning of mapped drives: Enables scanning of mapped network drives.

    • Allow users to access UI: Allows users to access the Defender user interface.

    • Enable Network Protection in Block Mode: Enables network protection in block mode.

    • Enable Network Protection in Audit Mode: Enables network protection in audit mode.

    • Check Signatures before scan: Verifies file signatures before scanning.

    • Disable Catchup Full Scan: Disables catchup full scans.

    • Disable Catchup Quick Scan: Disables catchup quick scans.

    • Assign to Group: Options to assign policies to specific groups (e.g., all users, all devices).

  • ASR Rules: Define Attack Surface Reduction rules to enhance security.

    • Block Adobe Reader from creating child processes: Prevents Adobe Reader from creating child processes.

    • Block Win32 API calls from Office macros: Prevents Office macros from making Win32 API calls.

    • Block credential stealing from the Windows local security authority subsystem: Prevents credential theft from the local security authority subsystem.

    • Block process creations originating from PSExec and WMI commands: Prevents process creation from PSExec and WMI commands.

    • Block persistence through WMI event subscription: Prevents persistence through WMI event subscriptions.

    • Block Office applications from creating executable content: Prevents Office applications from creating executable files.

    • Block Office applications from injecting code into other processes: Prevents Office applications from injecting code.

    • Block executable files from running unless they meet a prevalence, age, or trusted list criterion: Blocks executable files based on criteria.

    • Block JavaScript or VBScript from launching downloaded executable content: Prevents scripts from launching executables.

    • Block Office communication application from creating child processes: Prevents Office communication apps from creating child processes.

    • Block all Office applications from creating child processes: Prevents all Office apps from creating child processes.

    • Block untrusted and unsigned processes that run from USB: Blocks untrusted processes from USB devices.

    • Use advanced protection against ransomware: Enables advanced ransomware protection.

    • Block executable content from email client and webmail: Blocks executable content from email clients.

    • Block abuse of exploited vulnerable signed drivers (Device): Prevents abuse of vulnerable signed drivers.

    • Assign to Group: Options to assign ASR rules to specific groups (e.g., all users, all devices).

For more details on each setting, refer to the Microsoft Defender for Endpoint documentation.


Feature Requests / Ideas

We value your feedback and ideas. Please raise any feature requests on GitHub.

Last updated

Was this helpful?