This article provides some configurations you can use with Microsoft Defender for Endpoint and Red Canary. This article is an adaptation of a presentation. You can view the slides, which contain additional details and images, by clicking the image below.

As part of Microsoft's suite of integrated threat protection products, Defender for Endpoint is a key component of many users' security plans. The following sections will help you configure Defender for Endpoint to protect against most threats.

1. Validate your EDR deployment.
2. Ensure Microsoft Defender Antivirus is running in active mode.
3. Configure Next Generation Protection (NGAV).
4. Enable tamper protection.

Red Canary configuration suggestions can be applied to Defender for Endpoint using several different management solutions, depending on your architecture. For example, Endpoint Manager (Intune), Group Policy, etc. You only need to apply these configurations in your primary configuration management solution.

For a guided walkthrough of these sections, review this video:

Validate your EDR deployment

In this section, you'll generate a test alert in order to ensure your Defender for Endpoint deployment is fully operational.

1. On an endpoint that has Defender installed, create the folder C:\test-MDATP-test.
2. Open PowerShell with elevated permissions, and then execute the following command:
   

   powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference = 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-MDATP-test\\invoice.exe');Start-Process 'C:\\test-MDATP-test\\invoice.exe'MDATP-test\\invoice.exe'

3. Check the Defender for Endpoint dashboard for your test alert.

Ensure Microsoft Defender Antivirus is running in active mode

In order for Defender for Endpoint policies to function, Defender Antivirus must be the active antivirus solution on the system.

To check whether Defender Antivirus is running in active mode, open PowerShell and run Get-MPComputerStatus | Select AMRunningMode. The output should look like this:

> Get-MPComputerStatus | Select AMRunningMode
AMRunningMode
-------------
Normal

For more information about why Defender Antivirus might switch to passive mode, see Microsoft Defender Antivirus and non-Microsoft antivirus/antimalware solutions.

Configure Next Generation Protection (NGAV)

In this section, you'll configure the core NGAV features by using either the Local Group Policy Editor or Endpoint Manager. The core NGAV features are cloud-delivered protection, which uses Microsoft Advanced Protection Services (MAPS) to assess binary threats in real time, and real-time protection, which includes always on, real-time monitoring, and heuristics to identify threats.

Option 1: Configure NGAV using Group Policy

1. Open the Local Group Policy Editor.
2. Click Computer Configuration, Administrative Templates, Windows Components, then select Microsoft Defender Antivirus.
3. Enable Allow antimalware service to start up with normal priority.
4. Click Real-time Protection, and configure your settings to match the following:

   Setting	State
   Turn off real-time protection	Disabled
   Turn on behavior monitoring	Enabled
   Scan all downloaded files and attachments	Enabled
   Monitor file and program activity on your computer	Enabled
   Turn on raw volume write notifications	Enabled
   Turn on process scanning whenever real-time protection is enabled	Enabled
   Define the maximum size of downloaded files and attachments	Enabled
   Configure local setting override for turn on behavior monitoring	Disabled
   Configure local setting override for scanning all downloaded files and attachments	Disabled
   Configure local setting override for monitoring file and program activity on your computer	Disabled
   Configure local setting override to turn on real-time protection	Disabled
   Configure local setting override for monitoring for incoming and outgoing file activity	Disabled
   Configure monitoring for incoming and outgoing file and program activity	Disabled

5. Click MAPS.
6. Click Join Microsoft MAPS, select Enabled, select Basic MAPS, and then click Ok.
7. Click Send file samples when further analysis is required, select Enabled, select Send all samples, and then click Ok.

Option 2: Configure NGAV using Endpoint Manager

1. Log in to https://endpoint.microsoft.com/.
2. Click Endpoint Security, Antivirus, and then click Create Policy.
3. Under Platform, select Windows 10 and later.
4. Under Profile, select Windows Defender Antivirus.
5. Click Create, enter a name and description, and then click Next.
6. Under Cloud protection, configure the following settings:

   Setting	State
   Turn on cloud-delivered protection	Yes
   Cloud-delivered protection level	High plus

7. Under Real-time protection, configure the following settings:

   Setting	State
   Turn on real-time protection	Yes
   Enable on access protection	Yes
   Monitoring for incoming and outgoing files	Monitor all files
   Turn on behavior monitoring	Yes
   Turn on intrusion protection	Yes
   Enable network protection	Enable
   Scan all downloaded files and attachments	Yes
   Scan scripts that are used in Microsoft browsers	Yes, if using Microsoft browsers
   Scan network files	No
   Scan emails	Yes

8. Click Next three times, and then click Create.

Enable tamper protection

Tamper protection prevents malicious software from taking actions like disabling antivirus and removing security updates. In this section, you'll enable tamper protection using either the Microsoft 365 Defender portal or Endpoint Manager.

Tip: Red Canary recommends that you enable tamper protection using the 365 Defender portal. If you use Windows Server 2016 or Windows versions 1709, 1803, or 1809, you might need to use PowerShell to determine the tamper protection status.

Option 1: Enable tamper protection using 365 Defender

1. Log in to https://security.microsoft.com/.
2. Click Settings, Endpoints, then select Advanced features.
3. Turn on Tamper protection.
4. Click Save preferences.

Option 2: Enable tamper protection using Endpoint Manager

1. Log in to https://endpoint.microsoft.com/.
2. Click Devices, Configuration profiles, and then click Create profile.
3. Under Platform, select Windows 10 or later.
4. Under Profile type, select Endpoint protection.
5. Click Create, enter a name and description, and then click Next.
6. Select Microsoft Defender Security Center.
7. From the Tamper Protection dropdown, select Enabled.
8. Click Next three times, and then click Create.