Current Windows Defender configuration using PowerShell


I’ve uploaded a new script:

win10-def-get.ps1

to my Github repository.

What the script does is report back on the Windows Defender versions (platform, engine and signatures) and the protection settings of a Windows 10 device.

The interesting thing is that to find the latest version of the released signatures from Microsoft I need to scrape the details from the page:

https://www.microsoft.com/en-us/wdsi/defenderupdates

which turns out to be somewhat imperfect because many times my local signature is more current than what is reported on the Microsoft page. Even more interesting is that it doesn’t appear that Microsoft has an API that will report these details! I find that really strange, as one would think it something simple to provide and a common request. Seems not, as I can’t find one anywhere and have to resort to this unreliable scraping method. If you know of a better way to get the latest version and signature information via PowerShell, I’d love to hear.

The idea with the script is that you can run it on your Windows 10 devices to check that everything is up to date and configured correctly. I’ll keep improving it over time, so feel free to let me know any suggestions you may have on how to improve it.
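As an added example (not the win10-def-get.ps1 script from the post), here is a PowerShell report of the same kind built on the Defender module’s Get-MpComputerStatus and Get-MpPreference cmdlets. Since, as noted above, there is no reliable Microsoft API for the latest published signature version, it does not scrape the update page; instead it uses the signature age the local engine reports and flags signatures older than a threshold (the 2-day default is my assumption, not a Microsoft value), alongside the protection settings a managed Windows 10 device is normally expected to have. Run it as a script in an elevated PowerShell session; it needs no network access.

```powershell
# Added example (not the win10-def-get.ps1 script from the post): report the local
# Microsoft Defender Antivirus versions and key settings, and flag anything that
# looks out of date or misconfigured. Run in an elevated PowerShell session on
# Windows 10 with the Defender module present. The -MaxSignatureAgeDays default
# is an assumption, not a Microsoft value.
param(
    [int]$MaxSignatureAgeDays = 2
)

$status = Get-MpComputerStatus
$prefs  = Get-MpPreference

# Version information as reported by the local engine (no web scraping needed)
[pscustomobject]@{
    ComputerName                  = $env:COMPUTERNAME
    AMProductVersion              = $status.AMProductVersion        # platform version
    AMEngineVersion               = $status.AMEngineVersion         # scan engine version
    AntivirusSignatureVersion     = $status.AntivirusSignatureVersion
    AntivirusSignatureLastUpdated = $status.AntivirusSignatureLastUpdated
    AntivirusSignatureAgeDays     = $status.AntivirusSignatureAge
    NISSignatureVersion           = $status.NISSignatureVersion     # network inspection signatures
} | Format-List

# Each check carries a name, a pass/fail condition and the remediation to apply.
# MAPSReporting 0 = cloud protection off; SubmitSamplesConsent 0 = never send;
# PUAProtection 1 = enabled (2 = audit only).
$checks = @(
    @{ Name = 'Antivirus enabled';          Ok = $status.AntivirusEnabled;            Fix = 'Enable Microsoft Defender Antivirus' }
    @{ Name = 'Real-time protection on';    Ok = $status.RealTimeProtectionEnabled;   Fix = 'Set-MpPreference -DisableRealtimeMonitoring $false' }
    @{ Name = 'Behavior monitoring on';     Ok = $status.BehaviorMonitorEnabled;      Fix = 'Set-MpPreference -DisableBehaviorMonitoring $false' }
    @{ Name = 'Tamper protection on';       Ok = $status.IsTamperProtected;           Fix = 'Turn on tamper protection (Windows Security app or Intune)' }
    @{ Name = 'Cloud-delivered protection'; Ok = ($prefs.MAPSReporting -ne 0);        Fix = 'Set-MpPreference -MAPSReporting Advanced' }
    @{ Name = 'Sample submission';          Ok = ($prefs.SubmitSamplesConsent -ne 0); Fix = 'Set-MpPreference -SubmitSamplesConsent SendSafeSamples' }
    @{ Name = 'PUA protection';             Ok = ($prefs.PUAProtection -eq 1);        Fix = 'Set-MpPreference -PUAProtection Enabled' }
    @{ Name = "Signatures no older than $MaxSignatureAgeDays day(s)"
       Ok   = ($status.AntivirusSignatureAge -le $MaxSignatureAgeDays)
       Fix  = 'Update-MpSignature' }
)

$failed = 0
foreach ($c in $checks) {
    if ($c.Ok) {
        Write-Host ("[OK]   {0}" -f $c.Name) -ForegroundColor Green
    } else {
        $failed++
        Write-Host ("[FAIL] {0}  ->  {1}" -f $c.Name, $c.Fix) -ForegroundColor Red
    }
}

# A non-zero exit code lets a scheduled task or RMM tool treat the device as non-compliant
exit $failed
```

Because signature age comes from the local engine rather than from the update page, it does not suffer from the mismatch described above where the locally installed signature is newer than the version shown on the Microsoft site; the trade-off is that it only tells you whether updates are arriving, not whether you have the very latest package.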

Integrate Office 365 with Microsoft Defender for Endpoint

One of the benefits of using security solutions in the Microsoft Cloud is that they integrate with each other quickly and easily. If you are using Microsoft Defender for Endpoint, its signals can be shared with Office 365 Advanced Threat Protection, so that endpoint and email threat data can be viewed together.


To enable this integration, open the Office 365 Security & Compliance Center. Expand Threat management in the left-hand menu, then select Explorer. In the right-hand pane scroll to the right until you locate the WDATP Settings link, and select it.


Ensure Connect to Windows ATP is set to On; it is typically Off by default.


In the Microsoft Defender Security Center navigate to Settings and select Advanced features from the left-hand menu. Ensure Office 365 Threat Intelligence connection is set to On. Both sides of the connection must be enabled for data to flow.

Once done, your systems are integrated and will now share information between them. This will make identifying threats much easier because now:

  • You will be able to view device details and Microsoft Defender for Endpoint alerts from the Threat Explorer.

  • Microsoft Defender for Endpoint will be able to query Microsoft 365 for email data in your organization and show links back to filtered views in the Threat Explorer.

August poll


For August I’m asking people:

Are you considering or using Microsoft Defender ATP in place of other third-party antivirus and endpoint security solutions?

and I’d greatly appreciate your thoughts here:

https://bit.ly/ciasurvey202008

You can view the results during the month here:

https://bit.ly/ciaresults202008

and I’ll post a summary at the end of the month here on the blog.

Please feel free to share this survey with as many people as you can so we can get a better idea of what people are thinking when it comes to Microsoft Defender ATP.

Need to Know podcast–Episode 246

Due to circumstances outside my control I have no interview for you in this episode, so it is just me and the latest news from the Microsoft Cloud. Don’t forget that Microsoft Inspire is not far away either, so there’ll be plenty more news soon.

This episode was recorded using Microsoft Teams and produced with Camtasia 2020

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-246-just-the-news/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

Microsoft unveils sweeping job training initiative to teach digital skills to 25M impacted by pandemic

An update on Web Content Filtering

Reimagining virtual collaboration for the future of work and learning

Together mode

The future of work—the good, the challenging & the unknown

On-demand training sessions for SharePoint, OneDrive, Teams, Yammer, and Stream

Migration to SharePoint, OneDrive, and Microsoft Teams in Microsoft 365, free and easy

The Standards at Work Behind the Microsoft Enterprise SSO plug-in for Apple devices

All the Defenders


Microsoft unfortunately has quite a few products under the ‘Defender’ banner, which I see causing confusion out there. Most believe that ‘Defender’ is only an antivirus solution, but that could not be further from the case. Hopefully I can show you here how broad the ‘Defender’ brand is and give you a basic idea of what each ‘Defender’ product is.

To start with, there are products that are considered ‘Windows Defender’ products, although I see the Windows and Microsoft brands intermingled regularly. Here is a list of the specific ‘Windows Defender’ products:

Windows Defender Application Control – WDAC was introduced with Windows 10 and allows organizations to control which drivers and applications are allowed to run on their Windows 10 clients. It is an allow-list model enforced by the kernel’s code integrity mechanism: anything not trusted by the policy is blocked (or, in audit mode, logged).

Windows Defender Firewall – By providing host-based, two-way network traffic filtering for a device, Windows Defender Firewall blocks unauthorized network traffic flowing into or out of the local device.

Windows Defender Exploit Guard – An umbrella for four host-hardening features: exploit protection, attack surface reduction (ASR) rules, network protection and controlled folder access. Exploit protection automatically applies a number of exploit mitigation techniques (DEP, ASLR, Control Flow Guard and others) to operating system processes and apps; the other three are configured through Microsoft Defender Antivirus settings.

Windows Defender Credential Guard –  Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.

In contrast, here are the ‘Microsoft Defender’ products :

Microsoft Defender SmartScreen – protects against phishing or malware websites and applications, and the downloading of potentially malicious files, by checking URLs and downloaded files against Microsoft’s reputation service.

Microsoft Defender Antivirus – Brings together machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices in your organization.

Microsoft Defender Application Guard – helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet.

Microsoft Defender Security Center – the portal where you access Microsoft Defender Advanced Threat Protection capabilities. It gives enterprise security operations teams a single-pane-of-glass experience to help secure networks.

Microsoft Defender Advanced Threat Protection – an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. It has since been renamed Microsoft Defender for Endpoint, the name used in the integration post above.

Microsoft Defender Browser Protection – a Microsoft extension for Google Chrome (a non-Microsoft browser) that helps protect you against online threats, such as links in phishing emails and websites designed to trick you into downloading and installing malicious software that can harm your computer.

So, as you can see, there are a lot of ‘Defender’ products from Microsoft. How and when you get each of them, and what it can do, varies greatly, although most of them integrate with each other. That, however, is beyond the scope of this article but may be something I explore in upcoming articles.

For now, just be careful to investigate what is actually meant when it says ‘Defender’ in the Microsoft space!
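Since how each of these products arrives on a device varies, a practical follow-up to the list above is to ask a device which of them is actually active. The PowerShell below is an added example (not code from the post) that does this for the local Windows 10 machine: it reads the Win32_DeviceGuard WMI class for Credential Guard and WDAC, Get-ProcessMitigation and Get-MpPreference for the Exploit Guard features, the optional-feature state for Application Guard, the Explorer SmartScreen registry value, and the documented onboarding registry value plus the Sense service for Microsoft Defender ATP. Run it in an elevated session; on a device without virtualization-based security, Credential Guard simply reports as not running.

```powershell
# Added example (not from the post): report which 'Defender' components are present
# and active on the local Windows 10 device. Run in an elevated PowerShell session.
# Every value comes from a documented cmdlet, WMI class or registry location noted
# beside the check; no network access is needed.

# Maps the 0/1/2 values used by several Defender preferences to readable modes
function ConvertTo-Mode([int]$Value) {
    switch ($Value) {
        0 { 'Off' }
        1 { 'Block' }
        2 { 'Audit' }
        default { "Unknown ($Value)" }
    }
}

$result = [ordered]@{}

# Microsoft Defender Antivirus: engine state from the Defender module
$mp = Get-MpComputerStatus
$result['Microsoft Defender Antivirus'] =
    if ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled) { 'On (real-time)' }
    elseif ($mp.AntivirusEnabled) { 'On (real-time off)' }
    else { 'Off' }

# Windows Defender Firewall: one entry per profile (Domain, Private, Public)
$fw = Get-NetFirewallProfile | ForEach-Object {
    '{0}={1}' -f $_.Name, $(if ($_.Enabled) { 'On' } else { 'Off' })
}
$result['Windows Defender Firewall'] = $fw -join ', '

# Credential Guard and WDAC both surface through the Win32_DeviceGuard class
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
# SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity)
$result['Windows Defender Credential Guard'] =
    if ($dg.SecurityServicesRunning -contains 1) { 'Running' } else { 'Not running' }
# CodeIntegrityPolicyEnforcementStatus: 0 = no policy, 1 = audit, 2 = enforced
$result['Windows Defender Application Control'] =
    switch ([int]$dg.CodeIntegrityPolicyEnforcementStatus) {
        0 { 'No policy' } 1 { 'Audit mode' } 2 { 'Enforced' } default { 'Unknown' }
    }

# Exploit Guard, exploit protection: system-wide mitigation settings
$mit = Get-ProcessMitigation -System
$result['Windows Defender Exploit Guard (exploit protection)'] =
    'DEP={0}, ASLR ForceRelocateImages={1}, CFG={2}' -f $mit.Dep.Enable, $mit.Aslr.ForceRelocateImages, $mit.Cfg.Enable

# Exploit Guard, the three features configured through Defender Antivirus preferences
$pref = Get-MpPreference
$result['Windows Defender Exploit Guard (network protection)']       = ConvertTo-Mode $pref.EnableNetworkProtection
$result['Windows Defender Exploit Guard (controlled folder access)'] = ConvertTo-Mode $pref.EnableControlledFolderAccess
$result['Windows Defender Exploit Guard (ASR rules)']                = '{0} rule(s) configured' -f @($pref.AttackSurfaceReductionRules_Ids).Count

# Application Guard ships as an optional Windows feature
$wdag = Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -ErrorAction SilentlyContinue
$result['Microsoft Defender Application Guard'] = if ($wdag) { $wdag.State } else { 'Not available' }

# SmartScreen for the shell (Explorer / downloads): 'Warn', 'Block' or 'Off'. Group Policy can override this value.
$ss = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' -Name SmartScreenEnabled -ErrorAction SilentlyContinue
$result['Microsoft Defender SmartScreen (shell)'] = if ($ss) { $ss.SmartScreenEnabled } else { 'Not set' }

# Microsoft Defender ATP: onboarding sets OnboardingState = 1 and runs the Sense service
$atp   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' -Name OnboardingState -ErrorAction SilentlyContinue
$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
$result['Microsoft Defender Advanced Threat Protection'] =
    if ($atp -and $atp.OnboardingState -eq 1) { 'Onboarded (Sense service {0})' -f $sense.Status } else { 'Not onboarded' }

# Print as a table
$result.GetEnumerator() |
    ForEach-Object { [pscustomobject]@{ Product = $_.Key; State = $_.Value } } |
    Format-Table -AutoSize
```

Microsoft Defender Browser Protection is deliberately absent: it lives in Chrome’s extension store rather than in Windows, so there is no reliable local indicator to query from the operating system.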

Need to Know podcast–Episode 231

FAQ podcasts are shorter and more focused on a particular topic. In this episode I’ll talk about the different Advanced Threat Protection (ATP) offerings that Microsoft has.

This episode was recorded using Microsoft Teams and produced with Camtasia 2019

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-231-all-the-atps/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

Office 365 ATP

Defender ATP

Azure ATP