Microsoft Defender for Endpoint Default Settings

  • Release version: Xanadu
  • Updated August 1, 2024
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Microsoft Defender for Endpoint Default Settings

    This document outlines essential configuration settings for Microsoft Defender for Endpoint following installation. The Default Settings module is accessible within the Microsoft Defender for Endpoint application and is crucial for managing various functionalities effectively.

    Show full answer Show less

    Key Features

    • Approval Process: Required for actions such as Isolate Host and Remove Host Isolation. It is applicable only without existing profiles. Approval configuration in profiles takes precedence if present.
    • Require Approval: Activating this option makes the Approvers field available, requiring approval from specified groups to proceed with requests.
    • Alternate CI: This allows specifying an alternate Configuration Item (CI) for the Run Additional Actions on Endpoint capability, defaulting to the Security Incident CI field.
    • Input for Agent ID Resolution: By default, Agent ID is resolved using IP and Host Name. You can set it to use either option exclusively.
    • Timeout Settings: Define execution time limits for various capabilities, including Isolate Host, Remove Isolation, Restrict App Execution, and Run Antivirus Scan.

    Key Outcomes

    By configuring these settings, customers can ensure precise control over security actions, streamline approval processes, and enhance endpoint management capabilities in Microsoft Defender for Endpoint. Properly setting timeouts and alternate inputs leads to improved operational efficiency and effective incident response.

    There are additional configuration settings you must perform after you complete the installation.

    After you complete the installation, you can find the Default Settings module under the Microsoft Defender for Endpoint application on the left-navigation pane. It contains the default settings for different Microsoft Defender for Endpoint functionalities.

    Roles required: sn_si.admin, sn_si.analyst (read-only).

    Additional Configurations

    The following are additional configuration settings:
    • Approval: This approval is specifically for the Isolate Host action, Remove Host Isolation action, and additional actions such as Restrict App Execution, Remove App Restriction and Run Antivirus Scan. You can use this approval only when actions are triggered directly from the Related list, and if there are no any existing profiles. If there are any existing profiles for these capabilities, then the approval configuration in the profile takes precedence.
      • Require Approval: When you enable Require Approval, the Approvers field is available on the form.
      • Approvers: List of approver groups. After you submit a request, approval is required from the group to complete the request.
    • Alternate CI: Enabling this check box provides the list of fields available to pass an alternate CI to the capability. By default, the integration uses the Configuration Item (CI) field on the Security incident. This configuration is applicable only for the Run Additional Actions on Endpoint capability. Use this configuration to define an alternate CI input field for the only Run Additional Actions on Endpoint capability. For the other capabilities, use the configuration in the profile section. If the profiles do not define an alternate CI, then the capabilities would take the CI field from the Security Incident form.
    • Input for Agent ID resolution: By default, IP and Host Name is used to get the Agent ID. If you're going to use only one of them, then set the input field to either IP or Host Name.
    • Timeout:
      • Isolate Host Timeout (in minutes): Indicates the execution threshold for the Isolate Host capabilities.
      • Remove Isolation Timeout (in minutes): Indicates the execution threshold for the Remove Isolation Timeout capability.
      • Restrict App Execution Timeout (in minutes): Indicates the execution threshold for the Restrict App Execution capability.
      • Remove App Restriction Timeout (in minutes): Indicates the execution threshold for the Remove App Restriction capability.
      • Run Antivirus Scan Timeout (in minutes): Indicates the execution threshold for the Run Antivirus Scan capability.
      • Stop and Quarantine File Timeout (in minutes): Indicates the execution threshold for the Stop and Quarantine File capability.
    Figure 1. Default Settings
    Additional configuration settings after you complete the installation