Exercise 03: Endpoint hardening and rapid response with MDE
Exercise learning objectives
- Enable and validate Tamper Protection, EDR in block mode, PUA protection, and core ASR rules via pilot groups.
- Include Windows device security settings.
- Practice device isolation, file quarantine, and Live Response actions.
- Use security recommendations to reduce exposure and track improvement deltas.
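One way to check the first objective on a pilot device is a single read-only PowerShell validation that reports Tamper Protection, the antivirus running mode (which is how a device reveals whether EDR in block mode is active for it), PUA protection and the ASR rules you expect in Block mode. The script below is an added example written for this exercise; it is not part of the lab material or of any Microsoft tool. It assumes an elevated PowerShell session on a Windows device with Microsoft Defender Antivirus present (the `Get-MpComputerStatus` and `Get-MpPreference` cmdlets ship with the built-in Defender module). Which six rules count as "core" is this example's choice; the GUIDs are Microsoft's documented ASR rule IDs, and the function name `Test-MdeHardeningBaseline` is invented here.

```powershell
# Added example, not part of the lab: validate the pilot hardening baseline on one device.
# The rule set is this example's pick of "core" ASR rules; the GUIDs are the documented rule IDs.
$CoreAsrRules = @{
    'Block credential stealing from LSASS'                        = '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2'
    'Block all Office applications from creating child processes' = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Block executable content from email client and webmail'      = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
    'Block execution of potentially obfuscated scripts'           = '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'
    'Block process creations from PSExec and WMI commands'        = 'D1E49AAC-8F56-4280-B9BA-993A6D77406C'
    'Use advanced protection against ransomware'                  = 'C1DB55AB-C21A-4637-BB3F-A12568109D35'
}

function Test-MdeHardeningBaseline {
    [CmdletBinding()]
    param([hashtable]$RequiredAsrRules = $CoreAsrRules)

    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    $checks = [System.Collections.Generic.List[object]]::new()
    $add = {
        param($Name, $Expected, $Actual, $Pass)
        $checks.Add([pscustomobject]@{ Check = $Name; Expected = $Expected; Actual = $Actual; Pass = [bool]$Pass })
    }

    # Tamper Protection first: without it a local admin or malware can switch the rest off.
    & $add 'Tamper Protection' 'Enabled' $status.IsTamperProtected $status.IsTamperProtected

    # AMRunningMode: "Normal" = Defender AV is primary; "EDR Block Mode" = a third-party AV is
    # primary and EDR in block mode is remediating on this device; plain "Passive Mode" means
    # EDR in block mode is not active here. The setting itself is tenant-wide in the Defender
    # portal, so this check only reports what the device currently sees.
    $mode = $status.AMRunningMode
    & $add 'AV running mode (EDR in block mode)' 'Normal or EDR Block Mode' $mode ($mode -in @('Normal', 'EDR Block Mode'))

    & $add 'Real-time protection' $true $status.RealTimeProtectionEnabled $status.RealTimeProtectionEnabled

    # PUAProtection codes: 0 = Disabled, 1 = Enabled (block), 2 = Audit.
    $puaNames = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'Audit' }
    $pua = [int]$pref.PUAProtection
    & $add 'PUA protection' 'Enabled' $puaNames[$pua] ($pua -eq 1)

    # ASR rules come back as two parallel arrays (rule GUID, action code).
    # Action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
    $actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    $ids     = @($pref.AttackSurfaceReductionRules_Ids     | Where-Object { $null -ne $_ })
    $actions = @($pref.AttackSurfaceReductionRules_Actions | Where-Object { $null -ne $_ })
    $configured = @{}
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $configured[$ids[$i].ToString().ToUpperInvariant()] = [int]$actions[$i]
    }
    foreach ($rule in $RequiredAsrRules.GetEnumerator()) {
        $id     = $rule.Value.ToUpperInvariant()
        $action = if ($configured.ContainsKey($id)) { $configured[$id] } else { $null }
        $actual = if ($null -eq $action) { 'Not configured' } else { $actionNames[$action] }
        & $add "ASR: $($rule.Key)" 'Block' $actual ($action -eq 1)
    }

    $failed = @($checks | Where-Object { -not $_.Pass })
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Checks       = $checks
        Failed       = $failed
        Pass         = ($failed.Count -eq 0)
    }
}

# Usage: print the per-control table and return a non-zero exit code when the baseline is not met.
$result = Test-MdeHardeningBaseline
$result.Checks | Format-Table Check, Expected, Actual, Pass -AutoSize
if (-not $result.Pass) { exit 1 }
```

The non-zero exit code is the useful part for the pilot: the same script can be pushed to the pilot group as an Intune PowerShell script, or executed on a single device from a Live Response session with the `run` command, and the Failed list tells you exactly which control drifted (for example a rule still in Audit rather than Block) before you widen the rollout.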
Estimated time: 60 minutes
ECISO Overview - Scenario and goals
Zava Oil & Resources recently experienced several endpoint-based security incidents caused by incomplete deployment of Microsoft Defender for Endpoint (MDE) and inconsistent Attack Surface Reduction (ASR) settings across devices.
The CISO wants to validate that Tamper Protection, EDR in block mode, and ASR rules are enforced through a pilot group before global rollout. The goal is to harden endpoints, reduce exposure, and measure improvement in Secure Score and Mean Time to Respond (MTTR).
Establish a defensible endpoint-protection baseline across managed Windows devices, ensure rapid containment through isolation and Live Response, and demonstrate measurable improvement using Defender XDR’s unified exposure dashboard.