Device actions during an incident

Much of the protection with Microsoft Defender for Endpoint is taken care of for you automatically, but let’s say you want to conduct an investigation/remediation process manually. How would you achieve this?

Step 1

Login to the Microsoft 365 Security admin portal with the appropriate permissions. Select Devices from the Assets menu on the left.

You should see a list of the devices that Defender for Endpoint knows about. Select the machine in question to display it’s detailed information as shown above.

In the top right of this dialog on the right you will see an ellipse (three dots). Select these three dots to reveal an actions menu.

Step 2

Now you need to decide how aggressive you want to be during this investigation as that will have a direct impact on the end users experience on the device.

Level 1

The most aggressive option, that will have the greatest impact on the user is select the Isolate Device from the menu as shown above.

On the dialog that appears, enter a comment and select the Confirm button. Don’t select the option to Allow Outlook, Teams and Skype for Business while device is isolated.

More information – Microsoft Defender for Endpoint device isolation

More information – Defender for Endpoint device execution restrictions

Level 2

This is less impactful to the end user and similar to the previous step.

Select the Isolate Device from the menu as shown above.

Here, select the option to Allow Outlook, Teams and Skype for Business while device is isolated.

Enter a comment and select the Confirm button.

This device isolation feature disconnects the compromised device from the network while retaining connectivity to the Defender for Endpoint service, which continues to monitor the device. This allow you to initiate a live response session, while preventing an attacker gaining remote access. It will also allow the end user to continue using Outlook, Teams and Skype for Business while you conduct the investigation. However, it does not permit connection to anywhere else, including the Internet.

More information – Microsoft Defender for Endpoint device isolation

More information – Defender for Endpoint device execution restrictions

Level 3

From the menu select Restrict App Execution as shown above.

This applies a code integrity policy remotely that only allows files to run if they are signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker from controlling compromised devices and performing further malicious activities. Thus, Office applications (Word, Excel, Outlook, etc), Edge browser, etc can now run without restriction. However, non Microsoft signed applications can’t.

Typically, a malicious program on the device can now not execute however the user can still continue to work inside certified Microsoft applications.

Enter a comment and select the Confirm button to complete the restriction process.

More information – Microsoft defender for Endpoint Restrict app execution

More information – Defender for Endpoint device execution restrictions

Step 3

The device will display a notification like that shown above.

Step 4

You can now take whatever actions you need to complete the investigation ready for return to service

Step 5

Remove any restrictions. To do, all you need to do to achieve this is return to the ellipse menu and select option to remove the restriction.

Here that would be Remove app restriction as shown above.

You’ll again simply need to add comment and select the Confirm button to remove the restriction.

So, that’s how you can intervene manually with security incidents if you need to at different impact levels for end users.

Incident overview with Defender for Business

https://www.youtube.com/watch?v=vTPXei_0l6k

When incidents occur on device endpoints you can view and manage these using the Defender for Endpoint tools in the Microsoft 365 Security Center. This video provided an overview of what happens when incidents are created and how to view their details and manage them from the administration console.

You will find the PowerShell scripts used to generate the device incidents here – https://github.com/directorcia/office365

Offboarding Windows 10 devices methods with Defender for Business

I’ve done this summary video of the different methods for offboarding Windows 10 devices from Defender for Endpoint.

https://www.youtube.com/watch?v=eqnqcVzTqns

The summary of all these processes plus the resources can be found here:

Troubleshooting Defender for Business

I wanted to create a single point, that I will aim to maintain over time, that provides a repository of troubleshooting tips, links and information on Microsoft Defender for Business.

[Updated 1 February 2022]

Information

– Microsoft Defender for Business documentation

Microsoft Defender is subset of the capabilities of Microsoft Defender for Endpoint.

– Microsoft Defender for Endpoint

– Microsoft Defender for Endpoint documentation

– What’s new in Microsoft Defender for Endpoint

– Minimum requirements for Microsoft Defender for Endpoint

Onboarding

Onboarding to the Microsoft Defender for Endpoint service

Onboarding using a local script

Onboarding using Intune device configuration policy

Onboarding using an Endpoint Security policy

– Most of the required files are in a directory:

C:\Program Files\Windows Defender Advanced Threat Protection

which is already present on Windows Pro and Enterprise devices.

– Look for events from WDATPonboarding in the Application logs in the Event viewer.

These event IDs are specific to the onboarding script only.

– Troubleshooting onboarding issues using Microsoft Intune

View the MDM event logs to troubleshoot issues that might arise during onboarding:

Log name: Microsoft\Windows\DeviceManagement-EnterpriseDiagnostics-Provider

– View agent onboarding errors in the device event log

Applications and Services Logs > Microsoft > Windows > SENSE

– Make sure that the diagnostic data service is enabled on all devices in your organization

– The Microsoft Defender for Endpoint sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender for Endpoint service.

– Services that should be running for Windows 10/11 device:

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2111.5-0\MsMpEng.exe”

Service name = Microsoft Defender Antivirus Service

Service = WinDefend

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2111.5-0\NisSrv.exe

Service name = Microsoft Defender Antivirus Network Inspection Service

Service = WdNisSvc

C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe”

Service name = Windows Defender Advanced Threat Protection Service

Service = Sense

Note – SENSE is the internal name used to refer to the behavioral sensor that powers Microsoft Defender for Endpoint.

When the SENSE service starts for the first time, it writes onboarding status to the registry location HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status

C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetworkFirewall –p

Service name = Windows Defender Firewall

Service = mpssvc

– It may take up to one (1) hour for the onboarded device to appear in Device Inventory

– The status of the device will be switched to inactive after 7 days of failed contact

– Troubleshoot Microsoft Defender for Endpoint onboarding issues

Offboarding

Offboarding from the Defender for Endpoint service

Offboarding using a local script

Offboarding using Intune device configuration profile

Offboarding using an API and PowerShell

Offboarding using Power Automate

– If the device was offboarded, it will still appear in devices list. After seven (7) days, the device health state should change to inactive.

– Offboarded devices’ data (such as Timeline, Alerts, Vulnerabilities, etc.) will remain in the portal until the configured retention period expires.

– The device’s profile (without data) will remain in the Devices List for no longer than 180 days.

– Any device that is not in use for more than seven (7) days will retain ‘Inactive’ status in the portal.

– A new device entity is generated in Microsoft 365 Defender for reinstalled or renamed devices. The previous device entity remains, with an ‘Inactive’ status in the portal. If you reinstalled a device and deployed the Defender for Endpoint package, search for the new device name to verify that the device is reporting normally.

– Offboarding a device causes the devices to stop sending data to Defender for Business (preview). However, data received prior to offboarding is retained for up to six (6) months.

– Threat Vulnerability Management (TVM) will only collect and process information from active devices.

Connectivity

– Verify client connectivity to Microsoft Defender for Endpoint service URLs

– Defender for Endpoint Connectivity analyzer – https://aka.ms/mdeanalyzer

– The Connectivity Analyzer tool cloud connectivity checks are not compatible with Attack Surface Reduction rule Block process creations originating from PSExec and WMI commands. You will need to temporarily disable this rule to run the connectivity tool. Alternatively, you can temporarily add ASR exclusions when running the analyzer.

– When the TelemetryProxyServer is set, in Registry or via Group Policy, Defender for Endpoint will fall back to direct if it can’t access the defined proxy.

Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus – Microsoft Defender Antivirus event IDs and error codes | Microsoft Docs

To generate the support information, type

MpCmdRun.exe -getfiles

After a while, several logs will be packaged into an archive (MpSupportFiles.cab) and made available in

C:\ProgramData\Microsoft\Windows Defender\Support

Extract that archive and you will have many files available for troubleshooting purposes.

The most relevant files are:

MPOperationalEvents.txt – This file contains same level of information found in Event Viewer for Windows Defender’s Operational log.

MPRegistry.txt – In this file you will be able to analyze all the current Windows Defender configurations, from the moment the support logs were captured.

MPLog-***.txt – This log contains more verbose information about all the actions/operations of the Windows Defender.

Onboarding Windows 10 devices to Microsoft Defender for Business using Endpoint Security

You can onboard Windows 10 devices to Microsoft Defender for Endpoint in a few ways:

1. Local script

2. Using Intune device configuration profiles

and what will be covered here:

3. Using Endpoint Manager Endpoint security policies

Navigate to:

https://endpoint.microsoft.com

and select Endpoint security from the menu on the left. Then select Endpoint detection and response. Finally, select the option + Create policy as shown above on the right.

Select the Platform as Windows 10 and later and for Profile, Endpoint detection and response as shown above.

In the next dialog, give the policy a suitable Name and Description.

As with the article on the onboarding process using Intune, I’d recommend setting the Expedite telemetry reporting frequency to Yes as shown above before proceeding.

As with any Endpoint policy, select the devices and/or users this policy will apply to. Generally, it is recommended that you apply these types of policies to device groups.

Proceed through the remaining screens until you end up on the Review + create as shown above. As with the Intune device configuration profile policy, if you look closely you will an option displayed which wasn’t shown during the policy creation process, Auto populate Microsoft Defender for Endpoint onboarding blob set to Yes. This is what will actually configure the targeted devices to connect to the Defender for Endpoint cloud service.

Press the Create button to complete the policy creation process.

If you now view the newly created policy, and unlike the Intune device configuration profile policy, you don’t see any mention of the Auto populate setting mentioned above. Makes it somewhat hard to troubleshoot for the uninitiated.

We can now monitor the deployment of the policy to devices via the Device status option in the policy options, as shown above. After a short wait, we see the policy has successfully been deployed to the machine in question.

Looking the Device inventory in the Microsoft 365 security center we now see the devices in question has been onboarded to Defender for Endpoint.

Both the Intune and Endpoint security approach are easy to implement with an almost identical policy, so which is better? There doesn’t appear to be any guidance from Microsoft on which policy to use, however Microsoft’s own wizards for Defender for Business implement onboarding via the Endpoint security approach shown here. In my brief experience, the Endpoint security approach also seems to be deployed faster to devices. I would also point out that Endpoint security is the more modern approach to device management and what Microsoft seems to be investing in currently. The only major draw back I can see is that Endpoint security policies currently only apply to the Windows platform.

Intune and Endpoint security approach are an indication of one of things Microsoft needs to fix I believe, because having two ways of doing the same thing in the same portal, without any warning of a potential clash makes things hard for those who have to maintain these environments. Given that the Endpoint security approach is the more modern, I expect it to be the winner in the long and suggest you only implement that policy for onboarding your Windows 10 devices for Microsoft Defender for Endpoint.

Offboarding devices from Microsoft Defender for Business using Power Automate

Recently, I wrote an article to make offboard from Microsoft Defender for Business easier:

Offboarding devices from Microsoft Defender for Business using an API with PowerShell

Because this offboarding process utilises an API we can use that with other services such as Power Automate.

Before devices can be offboarded, a list needs to be created that can be accessed by Power Automate. Refer to this article:

Get a list of devices from Defender for Business into a SharePoint list

for details about creating an inventory of devices saved to a SharePoint Online list.

The summary of the Flow to do this device offboarding process is shown above.

Once the Flow has been triggered I grab the Azure AD application credentials from the Azure Key Vault. I’ve covered off how to create an Azure AD application here:

https://blog.ciaops.com/2019/04/17/using-interactive-powershell-to-access-the-microsoft-graph/

and using a PowerShell script I wrote here:

https://blog.ciaops.com/2020/04/18/using-the-microsoft-graph-with-multiple-tenants/

Getting the Azure AD application credentials into an Azure Key Vault can be done manually or by using this scripted process I’ve covered previously:

Uploading Graph credentials to Azure Key Vault

Once they are in the Azure Key Vault they are easy to access securely using the Flow action Get secret as shown above.

Next comes the Get items action as shown above. This filters the list of devices using a column called Offboard and returns items that have this as Yes (or = 1 for Power Automate).

A new variable is then created and the initial API offboarding URL is saved into it. This will later be appended with the actual device number that is being offboarded which is required by the API.

For each item that was returned from the filtered list of devices (i.e. those that been selected to offboard),

the offboarding API URL needed to be extended to include the unique Device ID from the returned results and the string /offboard.

Thus URL now needs to be ingested by the HTTP action as shown above. It is important that the body contain the following JSON:

{
“Comment”: “Offboard machine by automation”
}

This was taken from the documentation:

Offboard machine API

The other access parameters come from Azure AD application that were extracted from Azure Key Vault earlier on in the Flow.

Because the return from the HTTP action can vary, we now need to have a Switch action as shown above.

In the top right hand corner of the Switch action, select the ellipse (three dots) and then Configure run after from the menu that appears.

Because the result from the HTTP action could be 400 (i.e. failure or BadRequest) we still want the Flow to proceed. If the Switch action is not used the Flow will fail like so:

Using the Switch action and selecting both the is successful and has failed options shown above, will allow the Flow to continue on.

If the HTTP action does return a BadRequest, the left hand side Case condition is met. For any other return, the right hand side Case condition will be executed.

In the case of a return status code = 400, the body of the returned JSON will be parsed and the field Result will updated in the device list for that item with the Message information taken from the JSON results.

In the case of any other return code the following will be executed:

Once again, there could a variety of different returned status codes from the HTTP action, however here I’ll just have a single condition to see if it is successful (status code = 201) and for anything else the results will be updated to the Result field for the device in question.

The last action required, after the Switch, is to reset the URL variable back to the original string in case there are other devices that have been selected to offboard. Failing to do this will result in an incorrect API URL for every device after the first match.

What this offboarding process looks like in practice would therefore be to select which devices to offboard from the SharePoint list, by setting the Offboard column to be Yes, as shown above.

Once the offboard Flow has been run, the results for those selected devices are found in the Result column and Offboard column has been reset to be No for each of these, as shown above.

If you set the Offboard column to Yes again for this device and re-rerun the offboarding Flow,

the Flow runs successfully, even though a base request resulted during the HTTP action and the information from that is captured and stored in the Result field as shown above.

There are edge case conditions this Flows doesn’t accommodate. This is normally due to the correct information not being fully populated in the portal. This typically happens in the short period you create or add add a device to Defender for Endpoint. It is simple enough to add these checks in the Flow, but for the sake of simplicity that are not included here.

This whole process again demonstrates the flexibility and capability combining APIs with Power Automate can provide. Remember, you can set this whole process up to work across multiple tenants, it doesn’t have to be restricted to just the tenant you are on. Using Power Automate allows you to easily extend a solution to maybe include email notifications, updates into a Microsoft Team and more.

So these are some ways you can offboard devices from Microsoft Defender for Business:

Via a local script

Using Endpoint Manager and Intune

Using PowerShell

and using Power Automate as detailed here.

Get a list of devices from Defender for Business into a SharePoint list

One of great things about an API is that it can be used in many places. I showed how to:

Offboard devices from Microsoft Defender for Business using an API with PowerShell

and I can do something similar with the Power Platform.

First step in that process is to get a list of Microsoft Defender for Endpoint devices and put them into a pre-existing list in SharePoint. For that I use the above Flow.

Once the Flow has been triggered I grab the Azure AD application credentials from the Azure Key Vault. I’ve covered off how to create an Azure AD application here:

https://blog.ciaops.com/2019/04/17/using-interactive-powershell-to-access-the-microsoft-graph/

and using a PowerShell script I wrote here:

https://blog.ciaops.com/2020/04/18/using-the-microsoft-graph-with-multiple-tenants/

Getting the Azure AD application credentials into an Azure Key Vault can be done manually or by using this scripted process I’ve covered previously:

Uploading Graph credentials to Azure Key Vault

Once they are in the Azure Key Vault they are easy to access securely using the Flow action Get secret as shown above.

The next step is to delete devices I already have in the list in SharePoint because I want only current devices to be brought in. To achieve this, I get all the items from my destination SharePoint list using the Get items action. Then, using the Apply to each action and the Delete item action inside that loop, existing entries will be removed so I have a clean list.

I’ll now use the HTTP action to execute an API call to the Defender environment as shown above. The API endpoint URI to get a list of devices in Defender for Endpoint is:

https://api.securitycenter.microsoft.com/api/machines

Access is granted via Active Directory Auth and the Authority is https://login.microsoftonline.com. You also need to use the credentials of the Azure AD application obtained previously from the Azure Key Vault, as shown above. Ensure that the Audience is https://api.securitycenter.microsoft.com/.

The output of this API request will be a JSON file so we now use the Parse JSON action to obtain the fields needed. To understand what the JSON looks like and insert a copy into this action look at the Microsoft documentation here:

List machines API

which provides a response sample that you can use.

The last action in the Flow is to take the parsed JSON output and enter those details into the pre-existing SharePoint list that you need to create to house this information.

I’ve kept the destination list simple, as you can see above. Basically, the final Apply to each action places each device and its information as a row into the destination SharePoint list.

If I now run this Flow, I see it runs successfully.

Looking at my SharePoint list I see I have a new list of items as expected.

If you weren’t aware, the ‘eyelashes’ on an entry in SharePoint indicate it is new.

Now I have copy of all the machines in my Defender for Endpoint in a SharePoint list. You will also see that my SharePoint device list contains an additional ‘Offboard” column that I am going to use when I implement another Flow to offboard devices from Defender for Endpoint, much like I did with PowerShell previously.

You can also easily extend the operation across multiple tenants if I want using Azure AD applications in each.

The great thing about using the Power Platform and APIs is that for many, it is much easier to get the result they want rather than having to write code like PowerShell. Also, the Power Platform environment has many capabilities, such as sending emails, adding extra metadata, etc. that are much easier to do than using PowerShell. Once the Defender for Endpoint device list is in SharePoint there is really no end to what could be done.

With that in mind, stay tuned for an upcoming post on how to use what’s been done here and another Flow to actually offboard devices from Defender for Endpoint.

Onboarding Windows 10 devices to Microsoft Defender for Business

One of the big benefits of Windows 10 devices when it comes to onboarding them to Microsoft Defender for Business is that they already have the ‘client’ software installed. That being Windows Defender. All the onboarding process needs to do is connect up the ‘backend plumbing’ so that Windows 10 also sends security information to the Microsoft 365 Security portal.

The first step in this onboarding process is to ensure that your Windows 10 devices are already Azure AD joined. You’ll also need to have a license for Intune/Endpoint Manager to enable this process from a centralised location.

Next, visit the Microsoft Endpoint Manager portal at:

https://endpoint.microsoft.com

As shown above, here, navigate to Endpoint Security, then Microsoft Defender for Endpoint. Ensure that the option Connection status is enabled. If it isn’t then open a new browser tab and navigate to:

https://security.microsoft.com

You should see the screen above. Scroll down this page.

Select Settings as shown above and then Endpoints from the options that appear on the right.

Scroll through the options presented and select Advanced features as shown. Location the Microsoft Intune connection option and set it to On. You may also want to have a look through the list of all the other available settings and also turn these on if desired.

You may need to wait a little while until connection status back in Endpoint Manager reports as being enabled.

You can always use the Refresh button at the top of the page, but be prepared for a short wait while the connection is made.

While you are on this Endpoint Manager page you will also probably want to turn all the settings available here.

Still in Endpoint Manager, you’ll now need to select Devices, then Configuration Policies, then Create profile as shown above.

Select Windows 10 and later for the Platform and Templates from the Profile type.

Scroll through the list of templates and select Microsoft Defender for Endpoint (desktop devices running Windows 10 or later).

Give this new policy a meaningful name and select the Next button at the bottom of the page to continue.

You don’t have to make any changes on the Configuration settings page but I like to Enable the option for Expedite telemetry reporting frequency. Select the Next button at bottom of the page to continue.

On the Assignments page you need to configure which groups this policy will include and exclude. Generally, you want to select All devices as shown above, but you can select whatever suits your configuration needs.

Continue through the remaining policy configuration pages and Create the new policy.

If you go back and look at the properties of the policy as shown above, you note an additional Configuration setting that wasn’t displayed when the policy was created – Microsoft Defender for configuration package type is set to Onboard. This is what effectively will onboard the Windows 10 devices for you automatically.

You can now use the Device Status option to monitor when this policy is applied to each device. Note that this status may take a while to change and the policy to be applied as it is dependent on when the devices ‘check in’ for policy updates.

Once the devices ‘check in’ and receive the policy, their status should be displayed as shown above with the Deployment status field now reporting as Succeeded.

You can see which devices have been successfully onboarded to Defender for Endpoint by selecting the Device inventory option in the Microsoft 365 Security Center as shown above. Until machines have their ‘plumbing’ connected back to this console via the onboarding process they will not appear.

Once that onboarding process is complete on the device, it should appear in the Device inventory as shown above.

If you return to Endpoint Manager and scroll to the bottom of the Microsoft Defender for Endpoint screen, as shown above, you’ll see a summary of the devices onboarded.

The great thing is that you only need to do all this once, because once the Intune connection and Device configuration policy is in place, all Windows 10 machines will automatically be onboarded to Defender for Endpoint and all the options the Microsoft Security Center.