How to accelerate your Microsoft Defender ATP Evaluation

Posted onLeave a comment

As with almost any solution, one of the time consuming activities is to get the prerequisites in place until you get things up and running, this is no different with Microsoft Defender Advanced Threat Protection. Although the solution itself is entirely hosted in the cloud, there are a few prerequisites on the client side that must be put in place before you can get your hands on MDATP. Getting these prerequisites in place is no Read More …

ConfigMgr CMPivot , the PowerShell Script, the Events…

Posted onLeave a comment

While working with CMPivot this week, I wanted to find out how locally on the client the data is collected, I already knew that when you execute a CMPivot query from the ConfigMgr console, it will run the query on the target device and returns the result back to ConfigMgr. While investigating I also came across this blog post CM Pivot Internals that describes how things work, nevertheless I wanted to dig a bit deeper. Read More …

Monitoring Windows Defender Cloud Protection Service connectivity with ConfigMgr

Posted onLeave a comment

Hello everyone, earlier this week I wrote a blog post how to test Microsoft Defender Cloud Protection Service (MAPS) with PowerShell. Today I would like to share a possible approach how to actively monitor MAPS Connectivity across all your devices using ConfigMgr configuration baselines. As mentioned in my earlier blogpost in order to take full advantage of Microsoft Defender protection capabilities, it’s important that clients can communicate with MAPS, if the client cannot communicate with Read More …

Testing Windows Defender MAPS Connectivity with PowerShell

Posted onLeave a comment

Whenever I work with customers on Windows Defender or Microsoft Defender Advanced Threat Protection, one of the first things I usually review are the current Windows Defender settings. Having Windows Defender properly configured is key, because otherwise you might not be able to make use of all the capabilities Defender and Defender ATP provides. One of them is MAPS (Microsoft Active Protection Service) or also known as Windows Defender Antivirus cloud-delivered protection service. Quite often Read More …

Microsoft Defender ATP – Live Response

Posted onLeave a comment

Back in May the Microsoft Defender Advanced Threat Protection team announced the availability of the Live response feature in MDATP. Today I took a closer look at this and thought I’d share my experiences and findings. What’s that live response thing again? “Live response is a capability that gives you instantaneous access to a machine using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions Read More …

The case of Running the Device and Credential Guard Hardware Readiness Tool and unknown architecture

Posted on2 Comments

To close this week, let me share my findings with you about running the Windows Device and Credential Guard Hardware Readiness Tool and the unknown architecture error. Believe it or not, there are still people, probably more than I assume, that run Windows in their native language instead of English. I can understand when end users do so, but honestly when administrating an infrastructure? Anyway, I recently worked for a client where the UI is Read More …

Managing Role Based Access (RBAC) for Microsoft Defender Advanced Threat Protection

Posted onLeave a comment

I spend quite some time during the week travelling to and from customers, to make the best use of travel time, I usually read blogs and tweets or take online trainings to keep myself up to date about whatever interests me. Yesterday I noticed a tweet from someone regarding MDATP Portal access “Security Administrator can’t be assigned to staff in my org. It’s too powerful.” Maybe not everyone is aware of the RBAC capabilities in Read More …

Exploring Microsoft Cloud App Security with PowerShell – Part1

Posted onLeave a comment

Last Friday I was given the opportunity to present at the Configuration Manager Community Event (CMCE1905) in Bern, Switzerland. Although Microsoft Cloud App Security is not really related to ConfigMgr, many of the attendees are dealing with managing classic and modern workplaces and security is almost on everyone’s list of interest. During my session “Unleash the power of Microsoft Cloud App Security” I also demonstrated how one can explore information within Microsoft Cloud App Security Read More …

Retrieving Windows Defender Exploit Guard Windows Event logs with PowerShell

Posted on2 Comments

Most of the features included in Windows Defender Exploit Guard can be enabled in audit or block mode. The impact can then be analyzed either by looking at the corresponding Windows Event log entries or through advanced hunting queries in Windows Defender ATP. Today, I’ll share a script I recently wrote to quickly pull Windows Defender Exploit Guard related events from the Windows Event log. Anytime soon I will share some Kusto queries for the Read More …

How to Configure Splunk to pull Windows Defender ATP alerts

Posted onLeave a comment

Windows Defender ATP provides SIEM integration, allowing you to pull alerts from Windows Defender ATP Security Center into Splunk. The SIEM integration uses the Windows Defender ATP Alerts Rest API. Since I have an actual customer demand for such an integration, I thought it’s about time to get a feel for how this works. Prerequisites An active Windows Defender ATP subscription with portal admin access Windows Defender ATP SIEM integration enabled within the portal. A Read More …