Configuring Windows Defender Advanced Settings
Configures Microsoft Defender for Endpoint (MDE) advanced protection settings including attack surface reduction
Category: development
Source: mukul975/Anthropic-Cybersecurity-Skills
What Is This Skill?
The "Configuring Windows Defender Advanced Settings" skill enables IT professionals and security engineers to strengthen Windows endpoints by fine-tuning Microsoft Defender for Endpoint (MDE) protection features. This skill covers the configuration of advanced security controls, including Attack Surface Reduction (ASR) rules, controlled folder access, network protection, and exploit protection. These settings go beyond the default Defender configuration, providing robust defenses against modern malware, ransomware, and fileless attacks. The skill is particularly relevant for organizations seeking to meet compliance requirements or to deploy enterprise-grade endpoint protection across managed Windows environments.
Why Use This Skill?
Default Windows Defender settings offer baseline security, but advanced threats and evolving attack vectors necessitate a more hardened posture. By configuring Defender’s advanced settings, organizations can:
- Block sophisticated attack techniques using ASR rules
- Prevent unauthorized changes to critical data with controlled folder access
- Reduce exposure to internet-borne threats via network protection
- Apply exploit mitigation to reduce vulnerabilities in legacy or unpatched applications
- Meet regulatory compliance frameworks that require enhanced malware defenses
Utilizing these advanced controls is essential for organizations operating in regulated industries, those with high-value assets, or any environment where minimizing endpoint risk is a priority. Enhanced Defender configuration is also recommended before considering third-party EDR solutions, as it leverages built-in Windows capabilities with minimal overhead.
How to Use This Skill
1. Attack Surface Reduction (ASR) Rules
ASR rules restrict the actions that malware and threat actors can perform on endpoints. Common ASR rules include blocking executable content from email/web downloads, preventing credential theft, and stopping process creation from Office macros.
PowerShell Example:
```powershell
# Enable the ASR rule that blocks Office applications from creating child processes
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
```
A full list of ASR rule GUIDs is available in Microsoft’s documentation.
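The following script is an added example, not code from the skill page or its repository. It stages several ASR rules in audit mode, reads the effective rule/action pairs back from Get-MpPreference (which reports actions as numeric codes), and then promotes one rule to block. The rule GUIDs are the ones Microsoft publishes in its ASR rule reference; the descriptive names beside them are the author's own labels, and the function name Get-AsrRuleState is invented here. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the original skill page): stage ASR rules in audit
# mode, verify the effective state, then move a single rule to block.

# GUIDs from Microsoft's published ASR rule reference; check them against that
# reference before deployment. The names are descriptive labels only.
$AsrRules = [ordered]@{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript/VBScript from launching downloaded executable content'
}

# Action codes as Get-MpPreference returns them
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'AuditMode'; 6 = 'Warn' }

# Stage 1: audit only. Add-MpPreference takes parallel arrays of IDs and actions.
$ids = @($AsrRules.Keys)
Add-MpPreference -AttackSurfaceReductionRules_Ids $ids `
                 -AttackSurfaceReductionRules_Actions @($ids | ForEach-Object { 'AuditMode' })

# Pair each configured rule ID with its action so the pilot state can be reviewed
function Get-AsrRuleState {
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id   = $pref.AttackSurfaceReductionRules_Ids[$i]
        $code = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
        $name = if ($AsrRules.Contains($id)) { $AsrRules[$id] } else { '(not in staged set)' }
        [pscustomobject]@{
            RuleId = $id
            Action = $ActionNames[$code]
            Name   = $name
        }
    }
}
Get-AsrRuleState | Format-Table -AutoSize

# Stage 2, after the audit events have been reviewed: enforce one rule.
# Add-MpPreference updates the action when the ID is already configured.
Add-MpPreference -AttackSurfaceReductionRules_Ids 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' `
                 -AttackSurfaceReductionRules_Actions Enabled
```

Keeping the rule set in a single table makes the pilot reproducible: the same table drives the audit-mode deployment, the verification output, and later the Intune or Group Policy configuration, so no rule is enforced that was never audited.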
2. Controlled Folder Access
Controlled folder access protects sensitive directories from unauthorized changes by ransomware or untrusted applications.
PowerShell Example:
```powershell
# Enable controlled folder access
Set-MpPreference -EnableControlledFolderAccess Enabled
# Add a custom protected folder
Add-MpPreference -ControlledFolderAccessProtectedFolders "C:\SensitiveData"
```
You can specify which apps are allowed to access protected folders as needed.
3. Network Protection
Network protection blocks outbound connections to known malicious domains using Microsoft’s threat intelligence.
PowerShell Example:
```powershell
# Enable network protection in block mode
Set-MpPreference -EnableNetworkProtection Enabled
```
This feature helps prevent command-and-control communications and drive-by downloads.
4. Exploit Protection
Exploit protection applies system-wide or per-application mitigations against common exploit techniques.
PowerShell Example:
```powershell
# Import exploit protection settings from an XML policy
Set-ProcessMitigation -PolicyFilePath "C:\Policies\ExploitProtection.xml"
```
To generate an XML policy, use the Windows Security app (App & Browser Control > Exploit protection settings).
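The following script is an added example, not code from the skill page or its repository. It wraps the import above in a rollback-safe workflow: export the current exploit protection configuration first, import the reviewed policy, add a per-application mitigation for a line-of-business binary the XML does not cover, and read the result back. The baseline file path and the application name LegacyApp.exe are placeholders; the mitigation names (DEP, SEHOP, BottomUp) are standard values accepted by Set-ProcessMitigation.

```powershell
# Added example (not from the original skill page): export a baseline, import a
# policy, tune one application, verify, and keep a rollback path.

$BaselineXml  = 'C:\Policies\ExploitProtection-baseline.xml'   # placeholder path
$NewPolicyXml = 'C:\Policies\ExploitProtection.xml'            # path used on the page

# 1. Export the effective system-wide and per-app settings before changing anything
Get-ProcessMitigation -RegistryConfigFilePath $BaselineXml

# 2. Import the reviewed policy (same cmdlet as the page's example)
Set-ProcessMitigation -PolicyFilePath $NewPolicyXml

# 3. Per-application tuning for a legacy binary not covered by the XML.
#    The image name is a placeholder; DEP, SEHOP and BottomUp are standard mitigations.
Set-ProcessMitigation -Name 'LegacyApp.exe' -Enable DEP, SEHOP, BottomUp

# 4. Verify what is now in force for that image and for the system as a whole
Get-ProcessMitigation -Name 'LegacyApp.exe'
Get-ProcessMitigation -System

# Rollback if the pilot group reports breakage: the exported file is in the
# same format as a policy file, so it can be re-imported directly.
# Set-ProcessMitigation -PolicyFilePath $BaselineXml
```

Exporting before importing is what makes the pilot-group advice in the notes below practical: a mitigation that breaks a legacy application can be reverted in one command rather than reconstructed by hand from the Windows Security app.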
5. Enterprise Deployment
For large-scale environments, advanced Defender settings should be deployed using centralized tools such as Microsoft Intune, System Center Configuration Manager (SCCM), or Group Policy.
Intune Example (Configuration Profile):
- Create a new Endpoint Security policy for Microsoft Defender Antivirus.
- Configure ASR rules, controlled folder access, network protection, and exploit protection as required.
- Assign the policy to targeted device groups.
Group Policy Example:
- Import the latest ADMX templates for Windows Defender.
- Navigate to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus.
- Configure the advanced settings accordingly.
When to Use It
Apply this skill in scenarios such as:
- Hardening Windows 10/11 Enterprise endpoints beyond the default Defender configuration
- Responding to increased ransomware or fileless malware activity
- Preparing for compliance audits that require granular endpoint controls (NIST, CIS, ISO/IEC 27001)
- Deploying a unified security baseline across a distributed Windows fleet
- Tuning Microsoft Defender for Endpoint in conjunction with endpoint detection and response (EDR) capabilities
Do not use this skill for third-party EDR solutions (such as CrowdStrike or SentinelOne) or for configuring Microsoft Defender for Cloud, which is focused on Azure workloads.
Important Notes
- Ensure that endpoints are running Windows 10 or 11 Enterprise editions for full feature support.
- Test all advanced settings in a pilot group before broad production rollout, as some ASR or exploit protection rules may impact legacy or line-of-business applications.
- Regularly review and update Defender policies in line with emerging threats and Microsoft recommendations.
- Use audit mode for ASR and exploit rules during initial deployment to assess potential operational impact without blocking activity.
- Centralized management via Intune, SCCM, or Group Policy is recommended for consistency and scalability.
- Review event logs and Microsoft Defender Security Center for alerts or blocks triggered by advanced settings.
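The following script is an added example, not code from the skill page or its repository. It puts the last two notes into practice by summarizing the audit and block events that ASR, controlled folder access, and network protection write to the Defender operational log, so the impact of an audit-mode pilot can be assessed before rules are enforced. The event IDs and their meanings are the ones Microsoft documents for these features; the function name Get-DefenderAdvancedEvents is invented here.

```powershell
# Added example (not from the original skill page): summarize Defender audit and
# block events from the operational log to assess a pilot before enforcing.

# Event IDs as documented by Microsoft for the Defender operational log
$EventMeaning = @{
    1121 = 'ASR rule blocked'
    1122 = 'ASR rule audited'
    1123 = 'Controlled folder access blocked'
    1124 = 'Controlled folder access audited'
    1125 = 'Network protection audited'
    1126 = 'Network protection blocked'
}

function Get-DefenderAdvancedEvents {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = @($EventMeaning.Keys)
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # SilentlyContinue: Get-WinEvent errors rather than returning nothing when no events match
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Meaning = $EventMeaning[$_.Id]
            Message = ($_.Message -split "`r?`n")[0]   # first line only, for the summary table
        }
    }
}

$events = Get-DefenderAdvancedEvents -Hours 72

# Volume by category: a high audit count usually points at a business app that
# needs an exclusion or an ASR-only exclusion before the rule is set to block
$events | Group-Object Meaning | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

# Detail for audited ASR hits, the candidates for moving from AuditMode to Enabled
$events | Where-Object Id -eq 1122 | Format-Table Time, Message -Wrap
```

On a fleet managed through Intune or MDE, the same event IDs are what the portal reports surface; running this locally on pilot machines gives the same view without waiting for central reporting.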
By leveraging this skill, organizations can maximize the built-in capabilities of Microsoft Defender for robust, scalable, and compliant endpoint protection. For further details and scripts, consult the source repository.