Jeffrey Appel’s Post


Microsoft Security MVP | Senior Security Consultant | Cyber Security | Microsoft Defender XDR/EDR/SIEM/Sentinel

NEW BLOG: 🚨 2025 is almost over - is your Microsoft Defender fully optimized?

I just refreshed my 2025 “Get your Microsoft Defender optimized and configured” cheat sheet with only two months left in 2025. Microsoft has massively enhanced Defender in recent years, but with its rapid evolution, “set and forget” is no longer an option. Stay up to date to leverage the latest protections and defend against advanced cyberthreats.

Here are the most overlooked Defender settings I still see in 2025 - fix these before 2026, or at least early 2026 👇

👉 Defender
• Enable M365 Unified Audit Log with 12+ months retention
• Configure MDI sensors on all types (not just DC)
• Ensure Attack Disruption is fully configured and tested
• Define and tag critical assets in Exposure Management
• Explore Attack Paths and Choke Points
• Check total event retention (default 30 days isn’t enough)
• Implement and document RBAC across all Defender workloads

👉 Defender for Endpoint
• Enable ASR rules on all Windows devices and include new rules
• Enable Enterprise IoT discovery
• Migrate Windows Server 2012R2/2016 from MMA agent → Unified Agent
• Manage all endpoints via Intune/MDE-Management or other solutions
• Ensure Linux onboarding isn’t in passive mode (this is the default)

Defender/Intune lets you configure various policies, but not all settings are in the default templates. Make sure at least the following are enabled:
• EnableFileHashComputation is enabled
• Network Protection is enabled (server requires additional configuration, which is not in the policy list)
• Firewall is enabled, and Firewall object access auditing is enabled

With the above three settings, there is way more data available in Advanced Hunting, and better visibility in the network logs and data around the endpoint.

And also important:
• Configure the hide exclusions for both users and local administrators

All of the above settings except Firewall auditing are not available in the Endpoint Security policies, and can be configured via the settings catalog/security baseline or, when not using Intune, with the use of GPO.

👉 Defender for Cloud Apps
• Enable App Governance (included in license, often ignored!)
• Enable all pre-set policies in App Governance and review the alerts
• Connect App Connectors for Microsoft Azure & Microsoft 365
• Defender for Endpoint is correctly configured (monitoring of traffic)

👉 Microsoft Sentinel
Sentinel is moving to the Defender portal on July 1, 2026 - start preparing now; it’s more than just a UI change and requires planning and changes.

Read the full cheat sheet here: https://lnkd.in/e-9VjbPJ

#MicrosoftSecurity #MicrosoftDefender
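The Defender for Endpoint settings the post says are missing from the default Intune templates (EnableFileHashComputation, Network Protection incl. the server-only switches, firewall state plus Filtering Platform Connection auditing, and hiding exclusions from local users/admins) are easy to verify per device before you build the policy. The script below is an added example written for this page; it is not code from the post or from the linked cheat sheet. It assumes it runs elevated on a Windows host with Defender AV and the MDE sensor present, that auditpol output is in English, and that the HideExclusionsFromLocalAdmins / HideExclusionsFromLocalUsers values are written as DWORDs under the Defender policy key HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender (the key Intune/GPO use for Defender policy; treat that path as an assumption and confirm it against your own tenant's policy). It only reports; the Remediation column shows the command or policy that would fix each FAIL.

```powershell
#Requires -RunAsAdministrator
# Added audit script (not from the post): checks the "not in the default template"
# Defender for Endpoint settings and prints PASS/FAIL with a remediation hint.

$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param(
        [string]$Check,
        [bool]$Pass,
        [string]$Actual,
        [string]$Remediation
    )
    $findings.Add([pscustomobject]@{
        Check       = $Check
        Status      = if ($Pass) { 'PASS' } else { 'FAIL' }
        Actual      = $Actual
        Remediation = $Remediation
    })
}

$mp = Get-MpPreference

# 1. File hash computation: without it file events in Advanced Hunting lack SHA256
Add-Finding -Check 'EnableFileHashComputation' `
    -Pass ([bool]$mp.EnableFileHashComputation) `
    -Actual "$($mp.EnableFileHashComputation)" `
    -Remediation 'Set-MpPreference -EnableFileHashComputation $true'

# 2. Network Protection: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode.
#    Audit mode gives telemetry but does not block, so only 1 is PASS here.
$npNames = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }
$np = [int]$mp.EnableNetworkProtection
Add-Finding -Check 'EnableNetworkProtection' -Pass ($np -eq 1) `
    -Actual ($npNames[$np]) `
    -Remediation 'Set-MpPreference -EnableNetworkProtection Enabled'

# 2b. On Windows Server, Network Protection stays inactive until these are also set.
#     ProductType: 1 = workstation, 2 = domain controller, 3 = member server.
$isServer = (Get-CimInstance Win32_OperatingSystem).ProductType -ne 1
if ($isServer) {
    Add-Finding -Check 'AllowNetworkProtectionOnWinServer' `
        -Pass ([bool]$mp.AllowNetworkProtectionOnWinServer) `
        -Actual "$($mp.AllowNetworkProtectionOnWinServer)" `
        -Remediation 'Set-MpPreference -AllowNetworkProtectionOnWinServer $true'
    Add-Finding -Check 'AllowDatagramProcessingOnWinServer' `
        -Pass ([bool]$mp.AllowDatagramProcessingOnWinServer) `
        -Actual "$($mp.AllowDatagramProcessingOnWinServer)" `
        -Remediation 'Set-MpPreference -AllowDatagramProcessingOnWinServer $true'
}

# 3. Firewall enabled on every profile (Domain, Private, Public)
foreach ($profile in Get-NetFirewallProfile) {
    $enabled = ([string]$profile.Enabled) -eq 'True'
    Add-Finding -Check "Firewall enabled ($($profile.Name))" -Pass $enabled `
        -Actual "$($profile.Enabled)" `
        -Remediation "Set-NetFirewallProfile -Name $($profile.Name) -Enabled True"
}

# 3b. Object Access > Filtering Platform Connection auditing feeds the firewall
#     connection events (e.g. ConnectionFailed) into DeviceNetworkEvents.
$auditRow = auditpol /get /subcategory:"Filtering Platform Connection" /r |
    ConvertFrom-Csv | Select-Object -First 1
$auditSetting = if ($auditRow) { $auditRow.'Inclusion Setting' } else { 'Unknown' }
Add-Finding -Check 'Audit Filtering Platform Connection' `
    -Pass ($auditSetting -eq 'Success and Failure') `
    -Actual $auditSetting `
    -Remediation 'auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable'

# 4. Hide exclusions from local users and local admins.
#    ASSUMPTION: policy lands as DWORD=1 under the Defender policy key below.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
foreach ($name in 'HideExclusionsFromLocalAdmins', 'HideExclusionsFromLocalUsers') {
    $value = (Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue).$name
    Add-Finding -Check $name -Pass ($value -eq 1) `
        -Actual ($(if ($null -eq $value) { 'not set' } else { "$value" })) `
        -Remediation "Settings catalog / GPO: set $name = 1 (Defender policy key)"
}

$findings | Format-Table -AutoSize

# Non-zero exit lets a Proactive Remediation or scheduled task flag the device.
if ($findings.Status -contains 'FAIL') { exit 1 } else { exit 0 }
```

Run it per device (or as an Intune remediation detection script) and feed the FAIL rows into the settings catalog or GPO rather than fixing by hand with Set-MpPreference, otherwise the next policy refresh can revert the change. The Linux point in the post has a matching check on that platform: mdatp health --field passive_mode should report false after onboarding, and mdatp config passive-mode --value disabled switches it off when it does not.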

Alwin Frankenstein

Bruno Pelegrini

CyberSecurity Defense | ZDTA | ZCCA-IA | SASE | Security+ | EHE | Information Security Architecture | Zero Trust | XDR | EDR | Breach Attack Simulate | Blue Team | Purple Team

3d

Great! Thank you for sharing! I really appreciate it!

Andrew Fergus

IT Support for Large Northland Businesses

4d

Great write-up - will get our security group to look at your list to compare it to the work we have been doing for our clients. It's helpful to check ourselves against your research.
