Advanced features
Configure advanced features for MDE here. Advanced features include integrations with other Microsoft products and settings that extend the protections available in MDE.
Restrict correlation to within scoped device groups
This setting is for larger organizations where different teams manage security for specific groups of devices. When it is enabled, alerts are only correlated into an incident with other alerts from the same device group, so an incident that would have contained devices from two device groups becomes two incidents.
Enable EDR in block mode
Generally you want this setting enabled. EDR in block mode lets MDE and Defender Antivirus step in and block malicious activity that the device's primary antivirus/EDR tool missed.
When a device has a non-Microsoft antivirus installed, Defender Antivirus runs in passive mode: it is not actively blocking, but it is still monitoring and gathering telemetry from the device. Even if you intend MDE to be your primary EDR, it is common to find a handful of devices with a previously installed AV that was never uninstalled, or some shadow IT running unapproved software on a few machines.
If MDE is not your primary EDR because you are using a third-party vendor, you may not want to enable this if you trust that product: you would potentially have to "allow" a file in your third-party product as well as in MDE, which is a pain to manage.
Automatically resolve alerts
This is generally enabled by default. When an alert comes in, Defender runs an automated investigation on it; if the verdict is "no threats found" or "remediated", Defender closes the alert for you. It will not overwrite the status of an alert you have already moved to In progress.
Allow or block file
This allows you to add "indicators" for files in MDE. The following requirements must be met for file indicators to be enforced:
- Defender Antivirus must be in active mode, not passive mode
- Cloud-delivered protection must be enabled in your AV policy
Hide potential duplicate device records
Having this enabled is great, as duplication does happen from time to time. You will still be able to see the duplicates in your device inventory, but they won't "count against you" in certain reports and tools throughout Defender, so you get a more accurate picture of your vulnerabilities.
Custom network indicators
Like Allow or block file, this allows you to allow or block IP addresses, domains, and URLs using "indicators". It is not strictly required, but you should have Network protection enabled in your Antivirus policy. Without Network protection, network indicators are only enforced in Microsoft Edge; Network protection extends that enforcement to other browsers and to non-browser processes, like apps and PowerShell.
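As an added example (not from the original page or from Microsoft's documentation), the following PowerShell creates both kinds of indicator through the Defender for Endpoint Indicators API, so the file indicators from Allow or block file and the network indicators from this section can be managed from a script instead of the portal. It assumes you already hold an OAuth bearer token in $Token for an app registration granted the Ti.ReadWrite permission (obtaining the token is not covered here); the file path, domain and URL used at the bottom are made-up values.

```powershell
# Added example, not code from the original page. Manages MDE indicators via
# the Indicators API. Assumption: $Token holds a valid bearer token for an app
# registration with the Ti.ReadWrite application permission.
$ApiBase = 'https://api.securitycenter.microsoft.com/api/indicators'

function New-MdeIndicator {
    param(
        [Parameter(Mandatory)] [string] $Token,
        [Parameter(Mandatory)]
        [ValidateSet('FileSha256', 'FileSha1', 'IpAddress', 'DomainName', 'Url')]
        [string] $Type,
        [Parameter(Mandatory)] [string] $Value,
        [Parameter(Mandatory)]
        [ValidateSet('Allowed', 'Block', 'Warn', 'Audit', 'Alert', 'AlertAndBlock', 'BlockAndRemediate')]
        [string] $Action,
        [Parameter(Mandatory)] [string] $Title,
        [string] $Description = $Title,
        [ValidateSet('Informational', 'Low', 'Medium', 'High')]
        [string] $Severity = 'Informational',
        [int] $ExpiryDays = 0
    )
    $body = @{
        indicatorValue = $Value
        indicatorType  = $Type
        action         = $Action
        title          = $Title
        description    = $Description
        severity       = $Severity
        # Allow entries should not page the SOC; every other action should.
        generateAlert  = ($Action -ne 'Allowed')
    }
    if ($ExpiryDays -gt 0) {
        # Time-box blocks from an incident so they do not linger forever.
        $body.expirationTime = (Get-Date).ToUniversalTime().AddDays($ExpiryDays).ToString('o')
    }
    Invoke-RestMethod -Method Post -Uri $ApiBase `
        -Headers @{ Authorization = "Bearer $Token" } `
        -ContentType 'application/json' `
        -Body ($body | ConvertTo-Json)
}

function Get-MdeIndicator {
    param([Parameter(Mandatory)] [string] $Token)
    # The API returns an OData collection; the indicators are in .value
    (Invoke-RestMethod -Method Get -Uri $ApiBase `
        -Headers @{ Authorization = "Bearer $Token" }).value
}

# File indicator: hash the sample locally so the value cannot be mistyped.
# (C:\Temp\suspect.exe is a made-up path.)
$hash = (Get-FileHash -Algorithm SHA256 -Path 'C:\Temp\suspect.exe').Hash.ToLower()
New-MdeIndicator -Token $Token -Type FileSha256 -Value $hash -Action Block `
    -Title 'Block suspect.exe' -Severity High -ExpiryDays 30

# Network indicators (made-up values): block a C2 domain from an IR case and
# allow one specific URL, which is also how a single site is carved out of a
# category blocked by web content filtering.
New-MdeIndicator -Token $Token -Type DomainName -Value 'c2.bad.example' `
    -Action Block -Title 'C2 domain from IR case' -Severity High -ExpiryDays 90
New-MdeIndicator -Token $Token -Type Url -Value 'https://intranet.example.com/' `
    -Action Allowed -Title 'Override for a blocked category'

# Review what is currently in place.
Get-MdeIndicator -Token $Token |
    Select-Object indicatorType, indicatorValue, action, expirationTime, title |
    Format-Table -AutoSize
```

Keep the caveats from the two sections in mind when you script this: a file indicator is only enforced where Defender Antivirus is active with cloud-delivered protection on, and a network indicator is only enforced outside Edge where Network protection is in block mode.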
Tamper protection
When a device is compromised, it is common for an attacker or malicious software to try to disable the protections on the device. Enabling this setting protects certain settings from being disabled and raises an alert on the device if an attempt is made to modify them. Settings protected include:
- Virus and threat protection
- Real-time protection
- Behavior monitoring
- Antivirus protection
- Cloud protection
- Security intelligence
- Automatic actions
- Notification settings
- Archived file scanning
- File exclusion modification
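The settings discussed above (EDR in block mode and passive mode, cloud-delivered protection for file indicators, Network protection for network indicators, and Tamper protection) can all be read back from a device. The following PowerShell posture check is an added example, not code from the original page; it uses the built-in Defender module cmdlets Get-MpComputerStatus and Get-MpPreference plus the MDE onboarding registry marker, and flags the gaps called out in those sections. Run it in an elevated session on an onboarded Windows device; the hosts.txt file in the usage line is an assumption.

```powershell
# Added example, not from the original page. Reads the local Defender state
# behind the advanced-feature settings above. Requires an elevated session on a
# Windows device with the Defender PowerShell module (Get-Mp* cmdlets).
function Get-DefenderPosture {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    # MDE sensor onboarding marker: OnboardingState is 1 once onboarded.
    $mde = Get-ItemProperty -ErrorAction SilentlyContinue `
        -Path 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

    $findings = [System.Collections.Generic.List[string]]::new()

    # AMRunningMode values: 'Normal' (Defender AV is the primary AV),
    # 'Passive Mode' (another AV is primary), 'EDR Block Mode' (passive, but EDR
    # in block mode is active), 'SxS Passive Mode' (limited periodic scanning).
    if ($status.AMRunningMode -ne 'Normal') {
        $findings.Add("Defender AV is in '$($status.AMRunningMode)': Allow/block file indicators require active mode.")
    }
    if ($status.AMRunningMode -eq 'Passive Mode') {
        $findings.Add('Defender AV is passive and EDR in block mode is not active: a miss by the primary AV is not blocked by MDE.')
    }
    if (-not $status.IsTamperProtected) {
        $findings.Add('Tamper protection is off: a local admin or malware can switch off real-time protection.')
    }
    # EnableNetworkProtection: 0 = disabled, 1 = block, 2 = audit.
    if ($pref.EnableNetworkProtection -ne 1) {
        $findings.Add('Network protection is not in block mode: custom network indicators only apply inside Microsoft Edge.')
    }
    # MAPSReporting: 0 = disabled, 1 = basic, 2 = advanced (cloud-delivered protection).
    if ($pref.MAPSReporting -eq 0) {
        $findings.Add('Cloud-delivered protection is disabled: Allow/block file indicators will not be enforced.')
    }
    if ($mde.OnboardingState -ne 1) {
        $findings.Add('Device is not onboarded to MDE: no EDR telemetry, no response actions.')
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        Onboarded          = ($mde.OnboardingState -eq 1)
        AMRunningMode      = $status.AMRunningMode
        RealTimeProtection = $status.RealTimeProtectionEnabled
        TamperProtected    = $status.IsTamperProtected
        CloudProtection    = $pref.MAPSReporting
        NetworkProtection  = $pref.EnableNetworkProtection
        SignatureAgeDays   = $status.AntivirusSignatureAge
        Findings           = $findings.ToArray()
    }
}

# Single device:
Get-DefenderPosture | Format-List

# Fan out over a list of machines (assumes WinRM is enabled and hosts.txt exists):
# Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Get-DefenderPosture} |
#     Where-Object { $_.Findings.Count -gt 0 } | Format-List
```

A device reporting 'Passive Mode' with EDR in block mode turned on in the portal is worth a second look: the portal setting is tenant-wide, but the device only shows 'EDR Block Mode' once it is onboarded and has picked up the policy.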
Show user details
Provides additional information about the user entity impacted by an alert, including the department, title, name, and picture. The department and title in particular can be useful during an investigation, both in determining severity based on the impacted asset and possible expected activity for the job role.
Skype for Business integration
I wish Microsoft would add a better description or change the name of this feature, because it provides more than just "Skype" integration; many organizations swapped Skype out for Teams quite some time ago.
When a device is compromised you might isolate it from your network. With this setting enabled you can maintain communication with the end user via email, Teams, or Skype for Business; this appears as an option when you isolate a device.
Microsoft Defender for Cloud Apps
Enabling this integration sends network telemetry about cloud apps (websites) from onboarded devices to MDCA for Cloud Discovery. From MDCA you can then enable a setting to block specific cloud apps from being used on those devices.
Note
It may take around 2 hours for data to start showing in the MDCA Cloud Discovery dashboard.
Web content filtering
Enabling this setting does nothing on its own; you also need a web content filtering policy created and assigned to devices. This lets you block websites by category, and you can override individual websites using indicators.
An example of an override would be blocking the gambling category but adding allow entries for specific websites, or adding block entries for a few gambling websites while leaving the gambling category unblocked.
You may want to use this if you have no network filtering once users take their devices off your network, as this policy follows the device onto every network.
Unified audit log
Allows MDE security events to be shared with the Purview unified audit log.
Construction
This setting is unclear, honestly.
Device discovery
Device discovery allows your onboarded devices to find other devices on the network. This can be helpful in identifying devices that haven't been onboarded, or perhaps devices with a vulnerability.
Device discovery only works on "corporate" networks. Microsoft automatically classifies a network as corporate based on how many of your organization's devices are seen on it. After working with dozens of customers I have rarely seen it tag the wrong networks as corporate, and these automatic tags can be manually overridden if needed.
This provides little or no benefit for a fully or mostly remote organization.
Download quarantined files
Allows the responder on an incident to download a quarantined file should further investigation be necessary. Download with caution, of course: handle the file on an isolated analysis system rather than on the responder's own workstation.
Default to streamlined connectivity when onboarding devices in the Defender portal
Simplifies the network connections Defender uses. There is no rush to move all Defender agents over to streamlined connectivity, but at some point the change will likely be required, so turning this on and allowing devices to migrate over isn't a bad idea.
Live response
Allows you to initiate a remote shell session on a device. You can use this even when a device is isolated, and it provides commands to help run a remote investigation on the device. A full list of available commands can be found in Microsoft's live response documentation.
Live response for servers
Same as live response, but for servers. I would leave this turned off until you have onboarded servers (separate license/service) or regularly use it on non-servers.
Live response unsigned script execution
This applies to PowerShell scripts run through live response. Leave this setting off unless you explicitly need it. Unsigned scripts are common, since most people don't sign every script they create, but being unsigned makes them riskier to execute.
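If you need to run your own scripts through live response without turning this setting on, sign them. The following is an added example, not the page's own code: it signs a script with a code-signing certificate from the current user's certificate store and re-verifies the signature from disk before you upload it to the live response library. It assumes such a certificate exists and that its chain is trusted on the endpoints (for example, issued by your internal CA and published to Trusted Publishers); the timestamp server URL and the script name are assumptions.

```powershell
# Added example, not from the original page. Signs a PowerShell script so it
# can be used in live response with unsigned script execution left off.
# Assumes a valid code-signing certificate in Cert:\CurrentUser\My.
function Publish-SignedScript {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumed timestamp server; any RFC 3161 server your CA trusts works.
        [string] $TimestampServer = 'http://timestamp.digicert.com'
    )
    # Pick the longest-lived, still-valid code-signing certificate available.
    $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
    if (-not $cert) {
        throw 'No valid code-signing certificate found in Cert:\CurrentUser\My'
    }

    # Timestamping lets the signature stay valid after the certificate expires.
    $sig = Set-AuthenticodeSignature -FilePath $Path -Certificate $cert `
        -HashAlgorithm SHA256 -TimestampServer $TimestampServer
    if ($sig.Status -ne 'Valid') {
        throw "Signing failed for $Path : $($sig.StatusMessage)"
    }

    # Re-check from disk; this is the same verification the endpoint performs.
    $check = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Script     = $Path
        Status     = $check.Status
        Signer     = $check.SignerCertificate.Subject
        Thumbprint = $check.SignerCertificate.Thumbprint
        NotAfter   = $check.SignerCertificate.NotAfter
    }
}

# Usage (collect-artifacts.ps1 is an assumed script name):
Publish-SignedScript -Path .\collect-artifacts.ps1
```

Re-sign after every edit: Authenticode covers the file contents, so any change to the script, including a one-character fix, invalidates the existing signature.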
Deception
Enabling this requires further configuration, but once configured it adds decoys and lures to devices; if someone attempts to use or attack them, an alert is generated in your environment, similar to a honeytoken.
Share endpoint alerts with Microsoft Compliance Center
Shares MDE alerts with Purview, which can be helpful for identifying insider risk.
Microsoft Intune connection
Enabling this also requires enabling it on the Intune side. This allows device information collected by MDE to be shared with Intune.
Authenticated telemetry
Prevents spoofing of telemetry being gathered on devices.
Preview features
I always recommend leaving this turned off unless you are aware of a preview feature you are looking to try; these features can change a fair bit before going GA, which can make managing them difficult.
Endpoint Attack Notifications
Microsoft is apparently no longer accepting new organizations into this program. It provided hand-crafted alerts for your environment from Defender experts.