Tag: Windows Defender


Windows Server 2019 ATP

Windows Server 2019 Windows Defender Advanced Threat Protection

Windows Server 2019 comes with a lot of new features. One of the large investments Microsoft is making in this Windows Server release is in security, and one of my favorite new security features in Windows Server 2019 is the support for Windows Defender Advanced Threat Protection. Windows Defender Advanced Threat Protection (ATP) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. It has been available for Windows 10 devices for a while, and now it is available for Windows Server 2019 and other versions of Windows Server.

What is Windows Defender Advanced Threat Protection

Windows Defender ATP

Windows Defender Advanced Threat Protection brings some great security features to your platform.

  • Agentless, cloud-powered – No additional deployment or infrastructure. No delays or update compatibility issues. Always up to date.
  • Unparalleled optics – Built into Windows and Windows Server for deeper insights. Exchanges signals with the Microsoft Intelligent Security Graph.
  • Automated security – Take your security to a new level, by going from alert to remediation in minutes – at scale.

Onboard Windows Server 2019 to Windows Defender Advanced Threat Protection

Windows Defender Advanced Threat Protection Onboarding

If you’re already using Windows Defender Advanced Threat Protection (ATP), preview these features by simply installing the latest preview build of Windows Server, and onboard it to Windows Defender ATP.

Otherwise, sign up for the Windows Defender ATP trial on Windows Defender Advanced Threat Protection.

Quick Look at Windows Defender ATP for Windows Server 2019

Windows Server 2019 ATP

Using Windows Defender ATP is pretty simple, and it is just as simple with Windows Server 2019. After you have onboarded your Windows Server you can already see alerts and recommendations in your dashboard.

Windows Server ATP

To have some active alerts, you can create a test alert. This is also recommended after you have onboarded your machine, because it lets you verify that the connection to the service is working.

Windows Server 2019 ATP Machine Page

You can find alerts, events and actions on the machine page in the Windows Defender Security Center.

I hope this just gives you a short overview about Windows Defender ATP for Windows Server 2019. If you have any questions just leave a comment.



Microsoft Edge Windows Defender Application Guard

Enable Windows Defender Application Guard on Windows 10 using PowerShell

A couple of days back I saw a tweet from Stefan Stranger (Consultant at Microsoft) which reminded me of a feature called Windows Defender Application Guard, which has been included in Windows 10 Enterprise since the Fall Creators Update (1709). If you have never heard of Application Guard, you might want to check out this blog post: Introducing Windows Defender Application Guard for Microsoft Edge

Basically, Windows Defender Application Guard starts Microsoft Edge in a Hyper-V container and uses Hyper-V isolation. So if a user browses to a malicious site, the site is kept separate from the host operating system.

Application Guard Hardware Isolation

What is Windows Defender Application Guard and how does it work?
Designed for Windows 10 and Microsoft Edge, Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet. As an enterprise administrator, you define what is among trusted web sites, cloud resources, and internal networks. Everything not on your list is considered untrusted.

If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated Hyper-V-enabled container, which is separate from the host operating system. This container isolation means that if the untrusted site turns out to be malicious, the host PC is protected, and the attacker can’t get to your enterprise data. For example, this approach makes the isolated container anonymous, so an attacker can’t get to your employee’s enterprise credentials.

Source: Windows Defender Application Guard overview

Usually Windows Defender Application Guard is configured using an enterprise device management tool like System Center Configuration Manager, Microsoft Intune or another third-party tool. But if you want to use this on your standalone Windows 10 PC, you can also do it using PowerShell.

The only things you need to run this are:

  • Windows 10 Enterprise 1709 (Fall Creators Update) or higher
  • A computer which supports Hyper-V
    • A 64-bit computer with minimum 4 cores is required for hypervisor and virtualization-based security (VBS)
    • Extended page tables, also called Second Level Address Translation (SLAT)
    • One of the following virtualization extensions for VBS:
      • Intel VT-x
      • AMD-V
    • Microsoft recommends 8GB RAM for optimal performance
    • 5 GB free space, solid state disk (SSD) recommended
    • Input/Output Memory Management Unit (IOMMU) support is strongly recommended
  • Microsoft Edge and Internet Explorer

Enable Windows Defender Application Guard using PowerShell

You can simply install Application Guard using the following command:
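As an added example (not the post's own command), the script below checks the hardware prerequisites listed above with Get-ComputerInfo and then enables the Windows-Defender-ApplicationGuard optional feature. It assumes an elevated PowerShell session on Windows 10 Enterprise 1709 or later.

```powershell
# Added example: verify the Application Guard prerequisites, then enable the feature.
# Assumes an elevated PowerShell session on Windows 10 Enterprise 1709 or later.
$info = Get-ComputerInfo

# When a hypervisor is already running, Get-ComputerInfo leaves the
# HyperVRequirement* fields blank, so treat the requirements as met in that case.
$hvRunning = [bool]$info.HyperVisorPresent

$checks = [ordered]@{
    '64-bit operating system'                  = $info.OsArchitecture -eq '64-bit'
    'At least 4 logical processors'            = $info.CsNumberOfLogicalProcessors -ge 4
    'Virtualization enabled in firmware'       = $hvRunning -or $info.HyperVRequirementVirtualizationFirmwareEnabled
    'SLAT / Extended Page Tables'              = $hvRunning -or $info.HyperVRequirementSecondLevelAddressTranslation
    'VM monitor mode extensions (VT-x/AMD-V)'  = $hvRunning -or $info.HyperVRequirementVMMonitorModeExtensions
    'At least 8 GB RAM (recommended)'          = $info.CsTotalPhysicalMemory -ge 8GB
}

$missing = 0
foreach ($check in $checks.GetEnumerator()) {
    $state = if ($check.Value) { 'OK' } else { $missing++; 'MISSING' }
    '{0,-42} {1}' -f $check.Key, $state
}

if ($missing -gt 0) {
    Write-Warning "$missing prerequisite(s) not met; Application Guard may fail to start."
}

# Enable the optional feature. A reboot is required before Application Guard can be used;
# -NoRestart lets you choose when to reboot instead of rebooting immediately.
$feature = Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard
if ($feature.State -eq 'Enabled') {
    'Windows Defender Application Guard is already enabled.'
} else {
    Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -NoRestart
    'Windows Defender Application Guard enabled; reboot to finish the installation.'
}
```

The warning block only reports what is missing; Application Guard is still enabled so you can see the resulting error on an unsupported machine, and the 8 GB RAM check is a recommendation rather than a hard requirement.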

New Application Guard Windows in Microsoft Edge

This will reboot your computer, and after that you will be able to open a new Microsoft Edge window in Application Guard.

Microsoft Edge Windows Defender Application Guard

This does add some extra security; however, it does not really protect against attacks like Meltdown and Spectre.

Application Guard Virtual Machine Worker Process

If you have a look at the processes running on your computer, you can now see that there is a new Virtual Machine Worker Process which is used by Application Guard.

This is a great example of how Hyper-V isolation can be used not only for Hyper-V virtual machines but also for other features like Hyper-V Containers or, for example, on the Xbox One.



Windows Defender PowerShell

How to disable and configure Windows Defender on Windows Server 2016 using PowerShell

Windows Server 2016 comes standard with built-in anti-malware called Windows Defender, just like the Windows 10 client. By default, Windows Defender is active and has Real-Time Protection turned on. In Windows Server 2016 with Desktop Experience you can disable and configure Windows Defender using the UI or PowerShell; in the Windows Server 2016 Core version or on Nano Server you only have PowerShell available. Here are some quick commands showing how you can configure or disable Windows Defender on Windows Server using PowerShell.

Check the Windows Defender configuration and settings:

Turn off Windows Defender Real-Time Protection using PowerShell:

Turn on Windows Defender Real-Time Protection using PowerShell:

Add a file path exclusion:

Add a process exclusion:
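The steps above, as one added example that is not the post's own command list: it uses the built-in Defender module (Get-MpComputerStatus, Get-MpPreference, Set-MpPreference, Add-MpPreference, Remove-MpPreference) and assumes an elevated session on Windows Server 2016 or Windows 10. The exclusion path and process name are constructed placeholders.

```powershell
# Added example: inspect Windows Defender, toggle Real-Time Protection and manage exclusions.
# Assumes an elevated PowerShell session on Windows Server 2016 or Windows 10.

# 1. Check the current state and configuration.
Get-MpComputerStatus |
    Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled, AntivirusSignatureLastUpdated
Get-MpPreference |
    Select-Object DisableRealtimeMonitoring, ExclusionPath, ExclusionProcess

# 2. Turn Real-Time Protection off (for example during a large restore or install).
Set-MpPreference -DisableRealtimeMonitoring $true

# 3. Turn Real-Time Protection back on as soon as the maintenance is done.
Set-MpPreference -DisableRealtimeMonitoring $false

# 4. Add a file path exclusion. Excluded paths are never scanned, so keep the scope narrow.
Add-MpPreference -ExclusionPath 'D:\BackupStaging'        # constructed placeholder path

# 5. Add a process exclusion (files opened by this process are not scanned).
Add-MpPreference -ExclusionProcess 'backupagent.exe'       # constructed placeholder name

# 6. Verify the resulting exclusions and drop one that is no longer needed.
(Get-MpPreference).ExclusionPath
(Get-MpPreference).ExclusionProcess
Remove-MpPreference -ExclusionPath 'D:\BackupStaging'

# To remove Windows Defender completely on Windows Server 2016 (not available on Windows 10):
# Uninstall-WindowsFeature -Name Windows-Defender
```

Running the status query again after step 3 should show RealTimeProtectionEnabled back at True; if it stays False, a Group Policy or management tool is overriding the local preference.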


I hope this helps you to easily configure Windows Defender on Windows Server 2016. By the way, this also works with Windows Defender on Windows 10.