Work and live with IT

Microsoft Defender for Endpoint Device Health

Microsoft just announced the public preview of the new Device Health Reporting for Microsoft Defender for Endpoint and I already love it. It not only gives you deeper insights into your environment but also adds much needed information like engine version, last scan time, and scan results. Sensor health & OS Sensor health & OS overview This overview gives you insights into deployed OS versions, the current state of the sensor health and for Windows 10 there is an extra section that shows the different releases deployed in your environment.

Update to the Hitchhiker's Guide to Microsoft Defender for Endpoint exclusions

The development of Microsoft Defender for Endpoint is an ongoing process and as such the features and capabilities change over time. Microsoft Defender Antivirus exclusions are no exception. On 22.06.2022 Microsoft released the platform version 4.18.2205.7 of MDAV and with it a new exclusion category “Contextual file and folder exclusions. This type of exclusion brings additional flexibility and allows fine grade scoping of file and folder exclusions. Of course this meant to update my post Hitchhiker’s Guide to Microsoft Defender for Endpoint exclusions” to include this new type of exclusion.

Gradual rollout process for Microsoft Defender

One of the features of Microsoft Defender Antivirus that, in my opinion, is overlooked by most, is the ability to control the rollout of all components of Microsoft Defender Antivirus by selecting different release channels. This allows for a more gradual rollout of security intelligence updates, the engine as well as the AV platform. Different update types But let’s take a step back and get a common understanding whats the difference between those different updates is and how they are deployed.

Use Unified Sign-In logs in Advanced Hunting

One thing that always makes analyzing Sign-In logs for Azure AD users a bit complicated is the different types of Sign-In logs available. For user accounts “Interactive user sign-ins” as well as “Non-interactive user sign-ins” are where to look. And don’t get me wrong, I love that we have the non-interactive logs available. They are super important and the separation is correct. But when working with those logs in the Azure portal is get’s complicated fast.

Windows Hello for Business Cloud Trust and KDC proxy

Windows Hello for Business cloud trust is the latest addition to deployment methods that can be used for Windows Hello for Business. Windows Hello for Business cloud trust Windows Hello for Business is Microsofts passwordless logon solution that uses an asymmetric key pair for authentication instead of using username and password. The private key is securely stored in the Trusted Platform Module (TPM), preventing the private key from getting leaked. All the technical complexity of the logon process is completely transparent to the user, she only has to unlock the credentials stored in the TPM using either a PIN or some kind biometrics.

The Hitchhiker's Guide to Microsoft Defender for Endpoint exclusions

Since Microsoft Defender for Endpoint is a suite of products, rather than just one single piece of software, there are various places where you can create exclusions for different features. Also, there are integrations in other products, that result in possible side effects when enabling certain settings. Most of these products have separate documentations, there is no single documentation page that contains all the information about exclusions available in Microsoft Defender for Endpoint.