Microsoft-Defender on Ru Campbell MVP

Microsoft 365: The Essential 10 Security Considerations

Fri, 28 Nov 2025 13:42:07 +0000

When we talk about Microsoft 365 security, we are talking about two things:

Securing Microsoft 365 the platform, such as Exchange Online, SharePoint Online, Microsoft 365 Copilot; ensuring they are hardened and monitored in proportion to risk appetite.
Using Microsoft 365 security tooling, such as Defender, Purview, Entra, and Intune; ensuring they are deployed, well configured, and you’re not paying for capabilities gathering dust.

The latter can be used to achieve the former, as well as other (non-Microsoft 365) platforms. For example, using Defender for Endpoint on a Linux server in AWS, or using Entra for single sign on to Salesforce.

[Updated Feb 2024] Ultimate Comparison of Defender for Endpoint Features by OS

Fri, 16 Feb 2024 17:13:38 +0000

Finally, it’s time for a refresh. It’s been a while! Due to personal circumstances, I haven’t been able to keep the Ultimate Comparison of MDE by OS updated. I’ve had time to dive into the changes since v5 and it’s really been amazing to see MDE grow in scope.

What is MDE and why do we need an ‘ultimate comparison’?

Microsoft Defender for Endpoint (MDE) is a massive stack of endpoint protection and endpoint detection and response (EDR) capabilities. It integrates with the broader Microsoft Defender XDR and is available for almost any OS you’ll find in an enterprise. This cross-platform nature of MDE makes it difficult to understand and track what features and capabilities are available on each OS. It’s not always intuitive, and you may be in for some surprises. Hence by I began the Ultimate Comparison of Defender for Endpoint Features by OS up to date to keep you aware of what you’re getting and what you need to go start implementing if you haven’t already.

Exchange Online Protection & Defender for Office 365 - Common Microsoft 365 Security Mistakes Series

Tue, 19 Dec 2023 08:26:45 +0000

Exchange Online Protection (EOP) and Microsoft Defender for Office 365 (MDO) are the email and collaboration security services native to Microsoft 365. EOP is included at all levels of licensing for Exchange Online, with MDO bringing additional security capabilities to license levels such as Business Premium, Microsoft 365 E3, and Microsoft 365 E5.

In this blog, I’ll review five of the most common security mistakes I see in tenants regarding EOP and MDO. Realistically, this list could go to fifty mistakes, but I’ll focus on ones I think you can quickly convert into quick wins or just may have never crossed your mind.

Microsoft Improves and Simplifies Defender for Endpoint Management Capabilities

Mon, 10 Jul 2023 20:47:03 +0000

In one of the biggest changes to Microsoft Defender for Endpoint (MDE) in its product history, you no longer need a separate management engine to configure endpoint settings.

In this blog, we’ll look at what that change is, why it was necessary, initial impressions, and what you might want to do next.

Historic management architecture needed simplifying

MDE (and it’s Windows client, Microsoft Defender Antivirus (MDAV)) always stood out from the crowd of endpoint protection platforms as being, well, a bit weird in terms of management architecture. With most platforms, you get a central admin console which pushes out endpoint settings. Think scan schedules, quarantine rules, exclusions, CPU throttling, etc. MDE/MDAV, on the other hand, instead relied on an external management tool such as Intune (MDM), Configuration Manager, or Group Policy.

[Feb 2023] Ultimate Comparison of Defender for Endpoint Features by OS

Sun, 19 Feb 2023 15:46:12 +0000

Microsoft Defender for Endpoint (MDE) is a massive stack of endpoint protection and endpoint detection and response (EDR) capabilities. It integrates with Microsoft 365 Defender (the broader XDR platform) and is available for almost any OS you’ll find in an enterprise. This cross-platform nature of MDE makes it difficult to understand and track what features and capabilities are available on each OS. It’s not always intuitive, and you may be in for some surprises. I try to keep this Ultimate Comparison of Defender for Endpoint Features by OS up to date to keep you aware of what you’re getting and what you need to go start implementing if you haven’t already.

Ultimate Comparison of Defender for Endpoint Features by OS [Updated August 2022]

Fri, 26 Aug 2022 07:32:32 +0000

This is the updated “matrix” of OS supported for the almost 80 features, services, and important components that make up Microsoft Defender for Endpoint. This follows up on my March 2022 release of the comparison.

What’s new?

Now available in Excel format, which was the biggest request :)
Added the new Microsoft Defender Vulnerability Management capabilities (add-on license required)
Added macOS tamper protection support
Added macOS network and web protection
Added iOS and Android’s mobile network protection
Added Linux cloud-delivered protection support
Added Windows troubleshooting mode
Added macOS, iOS, and Android support for network indicators of compromise
Updated host firewall reporting supported OSs
Updated attack surface reduction (ASR) rule supported Windows and Windows Server versions
Updated block at first sight (BAFS) supported OSs (thanks Polle Vanhoof + Thomas Verheyden)
Updated Windows Server support for indicators of compromise (thanks Polle Vanhoof + Thomas Verheyden)
Removed preview references for the unified agent for Windows Server 2012 R2 and 2016

Obligatory disclaimers:

Exploring Microsoft 365's NOBELIUM Defence Capabilities

Fri, 24 Dec 2021 19:37:50 +0000

I recently read through an excellent article by Mandiant, which recently split with FireEye, on their findings and analysis of the continued actions of suspected nation-state actor NOBELIUM. This group appeared on most IT pro’s radar because of their SolarWinds’ software supply chain. You are probably familiar with it by now, but if not, the tl;dr is that SolarWinds’ Orion IT software was “trojanised” via an attack on their software supply chain. Orion is (probably now “was”) used by enterprise customers to monitor their servers, network, etc, so not only was SolarWinds compromised, so too potentially were its customers.

Microsoft Defender Antivirus – Schedule & Install Updates via Network Shares

Sat, 13 Mar 2021 21:28:12 +0000

Although not common, there are scenarios out where you will have LAN-only devices onboarded in Microsoft Defender for Endpoint (MDE), or at least using Microsoft Defender Antivirus (MDAV). With no line of sight to the internet, you can use options such as WSUS, but in this blog, I’ll explore using a network share, as WSUS isn’t always an option.

Create a directory on your file server with subdirectories for the different CPU architectures you’ll be supporting.

2. On the server, we’ll be installing a script provided by Microsoft. In PowerShell with elevated rights:

Microsoft Defender for Endpoint - Offline Onboarding for Windows 10 via a Proxy

Thu, 18 Feb 2021 07:30:40 +0000

Getting your devices into Defender for Endpoint is referred to as onboarding and can be done in lots of different ways, depending on the scenario. The tools you use for Windows Server 2008 R2, for example, are different from the tools you use for Windows Server 2019, which are different from the tools you use for Windows 10, and so on.

The common denominator behind most onboarding methods is internet connectivity. Your device connects directly to the cloud service and provides all that telemetry goodness via a direct line of sight.

Block LSASS.exe using Attack Surface Reduction

Sat, 13 Feb 2021 21:10:23 +0000

Understanding Application Guard for Office, Now Generally Available

Sat, 30 Jan 2021 22:13:50 +0000

Application Guard first appeared in Windows 10 1709 (“Fall Creators Update”) to isolate Edge browser activity within a Hyper V container. Microsoft now extends that same idea to Word, Excel, and PowerPoint in Office 365 ProPlus Microsoft 365 Apps for Enterprise on Windows 10…

… if you have Microsoft 365 E5 or E5 Security. You knew that was coming!

With Application Guard for Office, your files can open in a sandbox without access local or network storage. This provides an additional layer of protection against threats such as ransomware, for which Office apps are infamous as an attack surface. There’s a significant catch: a standard configuration of Application Guard will allow users to bypass it if they say they trust the file, therefore executing it in the normal way; resource access included. You can change this default behaviour though, so keep reading.

The Difference Between Cloud App Security Discovery (CAD), Office 365 Cloud App Security (OCAS), and Microsoft Cloud App Security (MCAS)

Mon, 07 Sep 2020 19:15:17 +0000

Microsoft Cloud App Security (MCAS), Redmond’s cloud app security broker (CASB) offering, is a powerful tool for investigating and pro-actively controlling your SaaS estate. It includes tools such as reverse proxying to control sessions and sits inside the Microsoft Threat Protection stack alongside Defender ATP, Office 365 ATP, and Azure ATP. MCAS started life as Adallom prior to Microsoft’s acquisition of that company in 2015. It’s included in Microsoft 365 E5 and numerous other licensing subsets, including EMS E5, E5 Security (an add-on for Microsoft 365 E3), Information Protection & Governance, or standalone. In all cases, you’d need to make sure it includes or you also get a license for Azure AD Premium for the reverse proxy benefits, delivered via Conditional Access App Control.

Microsoft Defender for Endpoint Web Content Filtering - Migrate Rules from Existing Security Software

Sat, 04 Jul 2020 14:15:32 +0000

In my last blog, I wrote about web content filtering in MDATP and how it now allows you to block website categories on the client across all apps. Category blockers are great because, with one easy checkbox, you ban hundreds of thousands of dangerous on inappropriate websites. Nothing is perfect, though, and anyone who’s ever worked a helpdesk or SOC will attest that false positives and false negatives are common.

The engine for MDATP web content filtering is Cyren, and you can check if a website is caught by its category rules using their online category check tool. This takes a bit of time, as each check is subject to a Google reCAPTCHA test. If you’re migrating anything of scale to MDATP, you don’t have the time to do this, and also do not want to risk important websites later being swept up by category rules even if they are fine for now. When you allowed or blocked websites on your existing solution, it’s assumed you’ve done the due diligence, and you want to take the remediation you’ve applied against those (potential) false positives and false negatives with you.

Microsoft Defender for Endpoint Web Content Filtering - Administration, Limitations, and User Experience

Sun, 28 Jun 2020 16:37:29 +0000

Historically, one of the big features missing “out of the box” with MDATP was web content filtering. Customers typically look at MDATP as an option when their existing endpoint security is due for license renewal, and compare their existing solution against it. They would be moving from one of the big security vendors such as Sophos, Norton, and McAfee, which all supported web content filtering. Higher lever stakeholders often listed the ability to block websites as essential, and as Microsoft did not maintain such a categorisation database, if you wanted it with Defender ATP, you’d be looking at other solutions too. This took away from Defender ATP’s “single pane of glass” selling point.