Defender for Endpoint on Anything About IT

Modern Security for Legacy Systems

Sun, 30 Nov 2025 12:43:15 +0000

Despite rapid OS refresh cycles, many organizations continue to run older systems such as Windows 7 or Windows Server 2008 R2. In many cases, critical line-of-business applications only run on older frameworks, specialized production machines rely on vendor-locked drivers, or long hardware replacement cycles make immediate upgrades unrealistic. Some companies also operate regulated or validated environments where any OS change requires extensive re-certification.

Until now, these legacy endpoints posed a persistent security risk because unsupported or limited protection allowed attackers to exploit vulnerabilities with little resistance.

Microsoft Defender for Endpoint - Security Settings Management Internals 0x1

Sun, 28 Apr 2024 12:25:01 +0000

In this post, we take a closer look at how Microsoft Defender for Endpoint Security Settings Management works behind the scenes, especially for Windows Server scenarios.

Entra ID Device Registration

Because Intune policy assignment is group-based, devices need an object in Entra ID. If a server already has an existing registration (for example Hybrid Join), that object is reused. If not, a synthetic device identity is created in Entra ID so the device can retrieve policy.

Defender for Endpoint – unified solution for Windows Server 2012 R2 and 2016 (Part2)

Mon, 06 Dec 2021 20:28:53 +0000

Hello everyone,

In my previous post (Part1) I provided an overview of the new Microsoft Defender for endpoint unified solution for Windows Server 2012-R2 and 2016 and how to deploy the solution manually to a new provisioned server. In this blog post I would like to walk you through the process of migrating a Windows 2016 server to the new unified solution using Microsoft Endpoint Configuration Manager.

For this we will be using the upgrade script that Microsoft provides. But let’s go through this step by step.

Defender for Endpoint - unified solution for Windows Server 2012 R2 and 2016 (Part1)

Sun, 24 Oct 2021 16:20:59 +0000

Hello everyone,

Just in case you missed this, earlier in October, Microsoft announced the public preview for the Microsoft Defender for endpoint, unified solution for Windows Server 2012 R2 and 2016 that enables additional protection features and brings a high level of parity with Microsoft Defender for endpoint on Windows Server 2019. The unified solution also provides a much simpler onboarding experience.

Before taking a closer look at the new unified solution, let’s briefly look at how things worked until now. Onboarding Windows 10 and Windows Server 2019 is simple, all you need to do is run an onboarding script that basically enables the Microsoft Defender for Endpoint component that is already built-in the operating system, i.e. there’s no need to deploy and install any additional software. Things are different with Windows Server 2012-R2 and Windows Server 2016 though.

How to remediate Defender for Endpoint onboarding with ConfigMgr

Thu, 25 Feb 2021 18:57:49 +0000

During the past 5 years I have onboarded a couple of thousand devices into Microsoft Defender for Endpoint and can say that, provided that you done your homework with regards to network connectivity, onboarding devices into Defender for Endpoint usually just works. But as always in IT, there are exceptions.

Should you ever run into an issue with onboarding devices, I recommend checking the guidance provided here: Troubleshoot Microsoft Defender for Endpoint onboarding issues. Now if you have just a couple of devices to manage you will most likely spot any missing device within the Defender for Endpoint management portal, but what if you have several hundred or even thousands of devices? How would you find out that that particular device Computer0073 in Building D1 on the 6th floor is not correctly onboarded?

Microsoft Defender Advanced Threat Protection – Respond Actions Events

Tue, 10 Dec 2019 22:10:23 +0000

Hey there, to be honest I had some difficulties to find the right title for todays blog post, so if you are still wondering here’s what this is all about. I had a customer asking me “how can we see what MDATP Respond actions were taken on a particular machine both from a Console and client perspective?”. At the time of writing this blog post we have the following machine response actions that trigger a remote action available for MDATP managed devices.

How to generate a monthly Defender ATP Threat and Vulnerability Report

Sun, 10 Nov 2019 23:00:53 +0000

Update 11 January 2020 - Microsoft has updated the Advanced Hunting Schema, so ComputerName is now DeviceName in the queries.

Just recently Microsoft announced that the Defender ATP advanced hunting schema was extended with the following tables:

DeviceTvmSoftwareInventoryVulnerabilities
DeviceTvmSoftwareVulnerabilitiesKB
DeviceTvmSecureConfigurationAssessment
DeviceTvmSecureConfigurationAssessmentKB

This allows us to run advanced hunting queries to find and extract Defender ATP TVM data.

https://gist.github.com/alexverboon/d22727c0c8f0d8ca32953b5e2c79ba7f

Now the people in your organization who are responsible for threat and vulnerability management might not necessarily have the knowledge of using the advanced hunting query language or are provided access to the Defender ATP console. So why not just send them a monthly report? Following is how to create a monthly Defender ATP TVM report using advanced hunting and Microsoft Flow.

Windows Defender, More than just Antivirus – Part 2

Fri, 01 Nov 2019 15:22:03 +0000

In the previous post I provided an overview of the history of Windows Defender and an overview of the various features that have the name Windows Defender in them. When then looked at Windows Defender SmartScreen and Windows Defender Cloud based protection. Today I’d like to continue with my notes from the field and personal experiences and take a look at Windows Defender Exploit guard. Again, the objective of this blog post is to inspire you getting the most out of the Defender feature set to improve your security posture.

Microsoft Defender ATP Advanced Hunting – Who's logging on with local admin rights?

Tue, 29 Oct 2019 16:00:07 +0000

Note: I have updated the kql queries below, but the screenshots itself still refer to the previous (old) schema names

If you’re among those administrators that use Microsoft Defender Advanced Threat Protection, here’s a handy tip how to find out who’s logging on with local administrators’ rights. But first when would you want to run this? Well here are some scenarios I can think of:

You want to find users that have local administrator rights on their devices.

Managing Role Based Access (RBAC) for Microsoft Defender Advanced Threat Protection

Fri, 24 May 2019 13:00:49 +0000

I spend quite some time during the week travelling to and from customers, to make the best use of travel time, I usually read blogs and tweets or take online trainings to keep myself up to date about whatever interests me. Yesterday I noticed a tweet from someone regarding MDATP Portal access “Security Administrator can’t be assigned to staff in my org. It’s too powerful.” Maybe not everyone is aware of the RBAC capabilities in MDATP so I through it might be worth a blog post. Here we go.

How to Configure Splunk to pull Windows Defender ATP alerts

Thu, 28 Mar 2019 15:17:22 +0000

Windows Defender ATP provides SIEM integration, allowing you to pull alerts from Windows Defender ATP Security Center into Splunk. The SIEM integration uses the Windows Defender ATP Alerts Rest API. Since I have an actual customer demand for such an integration, I thought it’s about time to get a feel for how this works.

Prerequisites

An active Windows Defender ATP subscription with portal admin access
Windows Defender ATP SIEM integration enabled within the portal.