
Task 01: Turn on tamper protection, EDR in block mode, and PUA (pilot scope)


Security Architecture Team

  1. In the leftmost pane, go to System > Settings.

  2. Select Endpoints.

    The Endpoints page opens on the General > Advanced features menu item by default.

  3. Enable the following settings:

    • Enable EDR in block mode
    • Allow or block file
    • Tamper protection
    • Microsoft Intune connection


  4. At the bottom of the pane, select Save preferences.

  5. Under the Endpoints page menu, under Configuration management, select Enforcement scope.


  6. Turn on Use MDE to enforce security configuration settings from Intune.


  7. Under Enable configuration management, select Windows Client devices and On all devices.

  8. Under the same section, select Windows Server devices and On all devices.


  9. Move to the bottom of the page and select Save.


  10. Select Go to Intune, or open a new tab and go to intune.microsoft.com.

  11. In the leftmost pane, select Tenant administration.

  12. In the Tenant admin page menu, select Connectors and tokens.


  13. In the Connectors and tokens page menu, under Cross platform, select Microsoft Defender for Endpoint.

  14. Turn on Allow Microsoft Defender for Endpoint to enforce Endpoint Security Configurations.


  15. On the top bar, select Save.

    Please wait 5-10 minutes for the connection to be established between MDE and Intune.


Security Engineering and Administration

  1. In the leftmost pane, go to Assets > Devices to see devices in the tenant.

  2. In a new tab, go back to portal.azure.com.

  3. In Azure’s search box, enter and select your rg-xdr-lab resource group.


  4. Select the winvm-mde VM.

  5. On the top bar, select Connect > Connect via Bastion.


  6. On the Bastion page, enter the following credentials:

    Item       Value
    Username   azureadmin
    Password   P@ssword123!

  7. Select Connect.

    This will open the winvm-mde VM in a new browser tab.

  8. In the See text and images copied… dialog, select Allow.


  9. In winvm-mde, open the Start menu, then select Windows PowerShell ISE.


  10. Select File > New.

  11. On your lab VM (not winvm-mde), go to C:\LabFiles\E3.

  12. Right-click ValidateMDEPilot > Edit in Notepad.

  13. Use Ctrl+A to select all, then use Ctrl+C to copy.

  14. Go back to winvm-mde’s PowerShell ISE window.

  15. In the top pane, use Ctrl+V to paste the code.

  16. On the top bar, select Run Script.


    This performs a local health check for Microsoft Defender for Endpoint (MDE). It gathers and displays the device’s onboarding state, organization info, and security configuration (Tamper Protection, PUA protection, Real-time protection, running mode, and MDE services like Sense and WinDefend).

  17. In the save prompt, select No. This will close the PowerShell window.

  18. Close the winvm-mde Bastion browser tab.
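The kind of local health check that the ValidateMDEPilot script in step 16 performs, written here as an added example rather than the lab's own script. It assumes the Microsoft Defender Antivirus cmdlets and the MDE Sense client are present on the VM; the registry value names under the ATP Status key and the expected values are assumptions.

```powershell
# Added example: local MDE pilot health check (not the lab's ValidateMDEPilot script).
# Assumes the Defender AV cmdlets and the Sense client are installed; run elevated.

# Onboarding state and organization id recorded by the Sense client.
# Assumption: OnboardingState 1 = onboarded; OrgId holds the tenant's org id.
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$atp       = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
$onboarded = ($atp.OnboardingState -eq 1)

# Antivirus engine state: running mode, tamper protection, real-time protection, PUA.
$mp   = Get-MpComputerStatus
$pref = Get-MpPreference
$puaText = switch ($pref.PUAProtection) { 0 {'Disabled'} 1 {'Enabled'} 2 {'Audit'} default {'Unknown'} }

$checks = [ordered]@{
    'Onboarded to MDE'     = $onboarded
    'Organization Id'      = $atp.OrgId
    'Running mode'         = $mp.AMRunningMode   # e.g. Normal, Passive Mode, EDR Block Mode
    'Tamper protection'    = $mp.IsTamperProtected
    'Real-time protection' = $mp.RealTimeProtectionEnabled
    'PUA protection'       = $puaText
}

# Service state for the EDR sensor (Sense) and the AV engine (WinDefend).
foreach ($svc in 'Sense', 'WinDefend') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    $checks["Service $svc"] = if ($s) { $s.Status } else { 'Not installed' }
}

# Print the summary, then flag any pilot setting that is not in the expected state.
$checks.GetEnumerator() | ForEach-Object { '{0,-22}: {1}' -f $_.Key, $_.Value }

$problems = @()
if (-not $onboarded)            { $problems += 'Device is not onboarded to MDE.' }
if (-not $mp.IsTamperProtected) { $problems += 'Tamper protection is off.' }
if ($pref.PUAProtection -ne 1)  { $problems += 'PUA protection is not set to Enabled (block).' }
if ($checks['Service Sense'] -ne 'Running') { $problems += 'Sense service is not running.' }

if ($problems) { Write-Warning ("Pilot checks failed:`n - " + ($problems -join "`n - ")) }
else           { Write-Host 'All pilot checks passed.' }
```

A device that is onboarded but still shows a Running mode of Normal with EDR in block mode enabled in the portal is expected when Defender Antivirus is the primary AV; the EDR Block Mode value only appears when a third-party AV has put Defender into passive mode.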


SOC Analyst

  1. In the Defender XDR portal’s leftmost pane, select Assets > Devices.

  2. Select winvm-mde.

  3. At the top of the page, review the Timeline and Security recommendations tabs to confirm features are active on the device.
