Properly Configure MDE for Windows

Now that you know what this blog is all about, let’s get right into it! In this first Threat Discussion blog, we’re going to look at what a well-configured device looks like when it comes to combating today’s threats. We’ll walk through the settings this lab device has configured to give us a strong security posture.

We’ll focus on two areas of configuration. Below are exactly those two areas, along with a little information about the device itself:

  • Windows 11 Enterprise (21H2)
    • Domain joined
    • Intune managed (primarily for Disabling Local Admin Merge)
    • Patched current
  • Group Policy (see below for settings)
    • Microsoft Defender Antivirus settings
    • Attack Surface Reduction
    • Credential guard
  • Intune
    • Tamper protection
    • Disable Local Admin Merge
  • M365 Defender Advanced Features (see below for settings)

Let’s expand on the above list now. I’ll list each of the items that are set, both from a portal standpoint and via Group Policy.

  • Group Policy configurations (sub-section > setting)
    • Device Guard
      • Turn on Virtualization Based Security (Credential Guard)
    • MAPS
      • Cloud Delivered Protection (CDP > Still referred to as MAPS)
      • Block at First Sight (BaFS)
      • Send file samples
    • Exploit Guard
      • ASR rules
        • All rules in Block
      • Controlled Folder Access
      • Network Protection (Block mode)
    • MpEngine
      • Cloud Protection\Cloud Blocking (High)
      • Extended cloud check (50 seconds)
    • Real-Time Protection (RTP)
      • Behavior Monitoring
      • Process Scanning
      • Script Scanning
    • Scan
      • Heuristics
    • Security Intelligence Updates
      • Scan after intelligence update
      • Update on startup
      • Real-time intelligence updates based on reports to MAPS
  • M365D configurations, from Security.Microsoft.com > Advanced features. (scoping this list to the defensive measures)
    • EDR in block mode
    • Automatically resolve alerts
    • Allow or block file
    • Custom network indicators
    • Tamper protection
    • Microsoft Defender for Cloud Apps
    • Web content filtering
    • Device discovery
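To confirm the device actually ended up with the Group Policy and Intune settings listed above, here is an added, read-only audit script (my own example, not part of the original post). It reads the settings back with the built-in Get-MpPreference and Get-MpComputerStatus cmdlets and the Win32_DeviceGuard CIM class, and the expected values are assumptions drawn from the list in this post rather than from any Microsoft baseline.

```powershell
# Added example: read-only audit of the lab device's Defender posture.
# Run in an elevated PowerShell on the device itself. Nothing is changed;
# it only compares current values with what this post says should be set.
function Test-LabDefenderPosture {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    $dg     = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard

    # ASR: every configured rule must be in Block (action 1). Audit (2) or Warn (6) does not count.
    $asrActions  = @($pref.AttackSurfaceReductionRules_Actions)
    $asrAllBlock = ($asrActions.Count -gt 0) -and (@($asrActions | Where-Object { $_ -ne 1 }).Count -eq 0)

    # Expected values (assumptions): MAPSReporting 0 = off; SubmitSamplesConsent 1/3 = samples are sent;
    # CloudBlockLevel 2 = High; EnableControlledFolderAccess / EnableNetworkProtection 1 = block mode;
    # SecurityServicesRunning contains 1 when Credential Guard is running, VBS status 2 = running.
    $checks = @(
        [pscustomobject]@{ Setting = 'Cloud-delivered protection (MAPS)'; Value = $pref.MAPSReporting;              Pass = $pref.MAPSReporting -ne 0 }
        [pscustomobject]@{ Setting = 'Block at First Sight';               Value = $pref.DisableBlockAtFirstSeen;    Pass = -not $pref.DisableBlockAtFirstSeen }
        [pscustomobject]@{ Setting = 'Send file samples';                  Value = $pref.SubmitSamplesConsent;       Pass = $pref.SubmitSamplesConsent -in 1,3 }
        [pscustomobject]@{ Setting = 'Cloud blocking level High';          Value = $pref.CloudBlockLevel;            Pass = $pref.CloudBlockLevel -ge 2 }
        [pscustomobject]@{ Setting = 'Extended cloud check (50s)';         Value = $pref.CloudExtendedTimeout;       Pass = $pref.CloudExtendedTimeout -eq 50 }
        [pscustomobject]@{ Setting = 'Real-Time Protection';               Value = $pref.DisableRealtimeMonitoring;  Pass = -not $pref.DisableRealtimeMonitoring }
        [pscustomobject]@{ Setting = 'Behavior Monitoring';                Value = $pref.DisableBehaviorMonitoring;  Pass = -not $pref.DisableBehaviorMonitoring }
        [pscustomobject]@{ Setting = 'Script Scanning';                    Value = $pref.DisableScriptScanning;      Pass = -not $pref.DisableScriptScanning }
        [pscustomobject]@{ Setting = 'Controlled Folder Access';           Value = $pref.EnableControlledFolderAccess; Pass = $pref.EnableControlledFolderAccess -eq 1 }
        [pscustomobject]@{ Setting = 'Network Protection (Block)';         Value = $pref.EnableNetworkProtection;    Pass = $pref.EnableNetworkProtection -eq 1 }
        [pscustomobject]@{ Setting = 'ASR rules all in Block';             Value = ($asrActions -join ',');          Pass = $asrAllBlock }
        [pscustomobject]@{ Setting = 'Disable Local Admin Merge';          Value = $pref.DisableLocalAdminMerge;     Pass = $pref.DisableLocalAdminMerge -eq $true }
        [pscustomobject]@{ Setting = 'Tamper protection';                  Value = $status.IsTamperProtected;        Pass = $status.IsTamperProtected -eq $true }
        [pscustomobject]@{ Setting = 'VBS running';                        Value = $dg.VirtualizationBasedSecurityStatus; Pass = $dg.VirtualizationBasedSecurityStatus -eq 2 }
        [pscustomobject]@{ Setting = 'Credential Guard running';           Value = ($dg.SecurityServicesRunning -join ','); Pass = @($dg.SecurityServicesRunning) -contains 1 }
    )
    return $checks
}

$results = Test-LabDefenderPosture
$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Pass })
Write-Host ("{0} of {1} checks passed" -f ($results.Count - $failed.Count), $results.Count)
```

Anything that shows Pass = False is a setting that did not apply as intended (typically a GPO that has not refreshed yet, or an Intune policy that conflicts with it), so rerun after `gpupdate /force` before digging further.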

This lab device will be one we all get to know intimately over time. That is because we are going to subject it to all sorts of badness, then dig into what that looks like: what we can see, what data is present, and what is not. We’ll also discuss, at times, additional things we can configure to increase the level of detail.

We will also configure different devices from different management platforms, such as GPO, SCCM and Intune. I chose to configure this device via GPO, as that is still the majority of what I see through my IR lens. I may ultimately just configure three separate devices, with the MDE stack on each one controlled by GPO, SCCM or Intune respectively. This would be solely so everyone can see how each change in configuration is done on each platform. Let me know if you feel that would be useful.

Thanks!