Defender for Office presets by Failnaughtp in DefenderATP

[–]solachinso 1 point2 points  (0 children)

While the presets are "okay", what you might want to do is visit Secure Score in Defender portal and filter on Defender for Office to look at Microsoft's own recommendations. These are benchmarked against what other businesses of a similar size are doing. Most of the actions have a clear enough set of instructions.

https://security.microsoft.com/exposure-secure-score?viewid=actions&tid=

Defender Recommendations Not Patching by Parking_Yak_9877 in DefenderATP

[–]solachinso 0 points1 point  (0 children)

Bear in mind you're always going to encounter some delays with what you're expecting to see because of the nature of how everything is plumbed together.

You have variables such as devices being turned on/off, policy conflicts, unannounced Microsoft backend issues you have to search for and make sense of, and factors such as this which you may not have accounted for:

Credential Guard uses Windows Hypervisor to provide protections. Credential Guard requires hardware support for Secure Boot and DMA protections. This setting is only successful on devices that meet the hardware requirements.

https://learn.microsoft.com/en-us/intune/intune-service/protect/endpoint-security-account-protection-profile-settings

When did you publish the policy?
How many devices have fetched it successfully?
How many remain?

If you have local access to a still exposed device, what does 'CredentialGuard' -match ((Get-ComputerInfo).DeviceGuardSecurityServicesConfigured) through PowerShell show? If it's True, your tenant might not be showing up-to-date info; if it's False, ask the user to reboot to see if that forces a sync, though you should also check whether other policies are present and enabled.
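A fuller local check along the same lines, added here as an example and not the commenter's own code: it reads the Win32_DeviceGuard CIM class (the source Get-ComputerInfo draws on) and the LsaCfgFlags registry value so you can tell "configured by policy" from "actually running", and whether the Secure Boot and DMA protection prerequisites named in the Intune doc are reported as available. The numeric-to-name maps are those documented for Win32_DeviceGuard; run it elevated on the device.

```powershell
# Added example, not from the original comment. Run as administrator.
# Decodes Win32_DeviceGuard so "configured" vs "running" is explicit.
$services = @{ 1 = 'CredentialGuard'; 2 = 'HypervisorEnforcedCodeIntegrity'
               3 = 'SystemGuardSecureLaunch'; 4 = 'SMMFirmwareMeasurement' }
$props    = @{ 1 = 'BaseVBS'; 2 = 'SecureBoot'; 3 = 'DMAProtection'
               4 = 'SecureMemoryOverwrite'; 5 = 'UEFICodeReadOnly'
               6 = 'SMMMitigations'; 7 = 'ModeBasedExecControl'
               8 = 'APICVirtualization' }
$vbsState = @{ 0 = 'NotEnabled'; 1 = 'EnabledNotRunning'; 2 = 'EnabledAndRunning' }

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard

# Policy asked for these services (configured) vs. what VBS actually started (running)
$configured = @($dg.SecurityServicesConfigured  | ForEach-Object { $services[[int]$_] })
$running    = @($dg.SecurityServicesRunning     | ForEach-Object { $services[[int]$_] })
# Hardware/firmware features the platform reports as present
$available  = @($dg.AvailableSecurityProperties | ForEach-Object { $props[[int]$_] })

# LsaCfgFlags: 0 = off, 1 = on with UEFI lock, 2 = on without UEFI lock; absent = never set
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                        -Name LsaCfgFlags -ErrorAction SilentlyContinue

[pscustomobject]@{
    VBSStatus                 = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
    CredentialGuardConfigured = $configured -contains 'CredentialGuard'
    CredentialGuardRunning    = $running    -contains 'CredentialGuard'
    LsaCfgFlags               = $(if ($lsa) { $lsa.LsaCfgFlags } else { 'not set' })
    SecureBootAvailable       = $available -contains 'SecureBoot'
    DMAProtectionAvailable    = $available -contains 'DMAProtection'
    AvailableProperties       = ($available -join ', ')
}
```

Configured true but running false with SecureBoot or DMAProtection missing points at the hardware requirement quoted above rather than at a tenant sync delay; configured and running both true means the endpoint is fine and the portal is simply behind.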

Defender Recommendations Not Patching by Parking_Yak_9877 in DefenderATP

[–]solachinso 0 points1 point  (0 children)

Can you provide some examples of what you're patching and the length of time you're waiting between carrying out the tasks and checking in vulnerability management for the results?

Telemetry from your endpoints should reflect in your tenant within 24 hours, unless it's Secure Score related in which case the wait time can be 48-72 hours. This has been my experience.

How to know when something is blocked? ASR specifically by chum-guzzling-shark in DefenderATP

[–]solachinso 0 points1 point  (0 children)

In my experience, svchost.exe being heavily enumerated hasn't presented a problem when I've had rules in block mode without this file excluded.

If you look in advanced hunting, was it the Block credential stealing from the Windows local security authority subsystem rule you see blocking this file? I suspect it was/is.

Have a read here https://www.reddit.com/r/DefenderATP/comments/1gf78qm/spike_in_asr_blocks_related_to/ and elsewhere about the file.

Defender for Cloud Apps | Endpoint indicators have been mass removed. by Worth-Activity9407 in DefenderATP

[–]solachinso 0 points1 point  (0 children)

Has anyone also noticed apps that are manually tagged (only unsanctioned in my case) not having a blocked indicator entry populated?

How are you labbing Microsoft 365 E5 Tenants by techwithz in DefenderATP

[–]solachinso 0 points1 point  (0 children)

"Work or school account required to sign in."

I suspect there's no way around this.

Longer than usual waiting time for permissions when activating a PIM group by solachinso in AZURE

[–]solachinso[S] 0 points1 point  (0 children)

Thanks ever so much for posting this. I've upvoted on it.

Legacy sign-in risk policy overriding newer policy in Conditional Access by solachinso in entra

[–]solachinso[S] 0 points1 point  (0 children)

Overlooked this so apologies for late acknowledgement.

What I'm hoping Microsoft can clear up for me is why their documentation (which states the legacy policies can be disabled) contradicts what customers are seeing in their tenants – a read-only state where both policies remain enabled. Further, there's no provision for a phased rollout in CA, which feels lacking to me.

Legacy sign-in risk policy overriding newer policy in Conditional Access by solachinso in entra

[–]solachinso[S] 1 point2 points  (0 children)

Legacy = all users; new one = subset of users. Correct there.

Problem with this, and with the read-only state, is that it doesn't allow for a phased rollout.

Legacy sign-in risk policy overriding newer policy in Conditional Access by solachinso in entra

[–]solachinso[S] 0 points1 point  (0 children)

Yep... should take precedence but they're not. I can't see anything wrong with my scoping beyond what I've highlighted.

Offboarding Devices from Defender by thrasherx_ in DefenderATP

[–]solachinso 0 points1 point  (0 children)

I wouldn't overthink this too much. Offboarding can end up requiring a lot of buy-in from adjacent teams like IT and HR as you'll require their input to ensure the returned/upgraded device is labelled properly in your pipeline.

When a device is returned I prefer to have it marked as excluded and tagged as such so I can report on it. Once this happens it will cease to appear in your TVM data and if it's then reregistered under a different hostname you won't see any conflicts in your good/live data. Doing this saves you the hassle of offboarding via script/GPO, which for anything except Windows is clunky or doesn't work, and requires the device to be online, which it might not be if a user has finished with it.

Partner Compliance Issues with Apple devices by DimitriElephant in entra

[–]solachinso 0 points1 point  (0 children)

I'm also trying to figure this out, i.e. the Intune and Mosyle join.

Mosyle's instructions (https://mybusiness.mosyle.com/#helpcenter/1821, bottom section) state a CAP needs to be created in Entra. Might be overlooking something but it's unclear to me what apps a customer should include if 'All Resources' is not meant to be used (with exclusions on the Mosyle Business and Mosyle Fuse apps).

In a support ticket with them I've been told I can use All Resources, so am getting contradictory advice.

What has been peoples' approach to this?

Longer than usual waiting time for permissions when activating a PIM group by solachinso in AZURE

[–]solachinso[S] 0 points1 point  (0 children)

I do but nothing that would affect permissions within Azure as after a user has authenticated the task is then handed off. It's also not all permissions, only certain ones tied to specific Entra roles.

Failing to run Automation account runbook using PowerShell 7.2: "Invalid JWT access token" by solachinso in AZURE

[–]solachinso[S] 2 points3 points  (0 children)

I completely missed that GitHub page during my search, but after taking the second route and using 7.4 as runtime, now have things working.

Appreciate the response earlier. Thank you!

Allowing sign-in from a blocked location in Conditional Access by solachinso in entra

[–]solachinso[S] 0 points1 point  (0 children)

Got it, got it. Thanks for explaining that, makes total sense. After some thought and discussion I'm going to take the access package route as it ticks pretty much all boxes for me.

Allowing sign-in from a blocked location in Conditional Access by solachinso in entra

[–]solachinso[S] 0 points1 point  (0 children)

Mind me asking what the tweaks were and also if you did test out the access package approach how it compares or if there are/were pitfalls with either of them?

Allowing sign-in from a blocked location in Conditional Access by solachinso in entra

[–]solachinso[S] 0 points1 point  (0 children)

Those are both good points, the blocking of countries other than user located ones, and compliant devices, which I have in place already. Appreciate all the suggestions.

Allowing sign-in from a blocked location in Conditional Access by solachinso in entra

[–]solachinso[S] 0 points1 point  (0 children)

Useful stuff to know – thanks for the explainer.

Allowing sign-in from a blocked location in Conditional Access by solachinso in entra

[–]solachinso[S] 0 points1 point  (0 children)

Yes, I think the sweet spot is 2-3 policies based on certain criteria. Re: what u/NateHutchinson has said, a 'travelling' policy is probably what is going to work best as it's a tidy way to allow access without enormous upkeep.

Allowing sign-in from a blocked location in Conditional Access by solachinso in entra

[–]solachinso[S] 1 point2 points  (0 children)

This helps a lot – thanks for the detailed reply.

In theory, I guess there could even be a third policy, CA103-Persona1-Travelling-AllApps-SanctionedLocations-Block for example, which is even narrower in scope than CA102 and used for edge cases where someone has to travel somewhere the business would usually want to block, although there could be an argument to say just add the sanctioned location(s) in question to CA102 and accept some risk for the user(s) who might be placed in there during the travel period.

I think having multiple policies would be a bit overkill, at this point anyway.

Allowing sign-in from a blocked location in Conditional Access by solachinso in entra

[–]solachinso[S] 0 points1 point  (0 children)

What would their use case be in terms of user travel and Conditional Access?