Defender for Endpoint and disconnected environments. Cloud-centric networking decisions
Published Apr 04 2023 09:00 AM
Microsoft

About this article

This article is part of a group of articles regarding Defender for Endpoint and disconnected environments. The first two articles can be found here and here.

 

The objective of this article, along with the two previous articles, is to provide you with a better understanding of Defender for Endpoint and how it works in a disconnected environment. This requires a mental shift in our understanding of what “risk” means with a cloud-first product.

 

Looking at how Defender for Endpoint is designed we can make a few observations:

 

  1. Defender for Endpoint is a cloud-based EDR and AV solution that ties into the larger Defender XDR solution.
  2. Defender for Endpoint requires internet access to function properly but will cache information on a device and upload when connectivity is restored.
  3. Defender for Endpoint requires a well-architected and understood networking environment to function properly.

 

Build the deployment story

As you’re planning your Defender for Endpoint deployment, consider the following points as a loose guideline to help you avoid common pitfalls.

 

 

The aim here is not to intimidate you, but rather to ensure that you grasp the "mental shift" and comprehend how various Microsoft 365 products work together to secure your disconnected devices. Let's begin by focusing on the essential aspect: the "mental shift."

 

The Mental Shift

Historically, specific server workloads are likely to have been protected behind a firewall within a physical datacenter location. These were generally not allowed to have any external connectivity unless a specific application or business case required it (the traditional model).

 

BrianBaldock_0-1680560414286.png

 

Fast forward a few years. Now most companies take a security-first approach and need to introduce modern security services to mitigate both internal and external threats (today’s model). These modern security services are likely to be cloud services that will require some level of connectivity to ensure that protection is implemented.

 

Organizations are often concerned about configuring external connectivity for these servers as there may be regulations or existing security controls in place that need to be reviewed as part of this change. Although organizations are aware of the necessity to assess their current controls, the intricacies of modern networks demand stronger and more comprehensive security solutions.

 

The Network Infrastructure

It is essential for an organization to have a comprehensive understanding of its network configuration, including how devices access internet services and the overall flow of traffic in and out of the environment. Here are some questions to consider when deploying Defender for Endpoint in any environment, with a particular focus on semi-disconnected or fully disconnected environments:

 

  1. How are you handling or going to handle Windows Update in the disconnected environment?
  2. How are you going to manage device policies? Intune or Microsoft Endpoint Configuration Manager?
  3. A static proxy for Defender for Endpoint will ensure only Defender for Endpoint traffic crosses the proxy.
  4. Certificate Revocation Lists will require their own configuration in a disconnected environment.
  5. If you’re using alternate routing to Azure or Microsoft 365 services, make sure you optimize for Defender for Endpoint; we suggest bypassing this routing to ensure traffic flows smoothly.
  6. A system-wide WinHTTP proxy can be safely set on an endpoint if access to Microsoft and third-party endpoints is tightly controlled via proxy or gateway.
  7. Defender for Endpoint and Azure AD Hybrid require system-level proxy configurations that are unauthenticated.
  8. For some tasks (like downloading software updates for the classic PC agent), Intune requires unauthenticated proxy access.
  9. Windows Update requires special treatment and configurations to ensure your proxy servers are not being overloaded.

Below is an example of a complex networking schema featuring Defender for Endpoint. Although this deployment resembles a typical customer setup, it was conducted in a lab environment and served as a basis for simulating traffic in the two previous articles.

 

BrianBaldock_2-1680560999899.png

 

Proxy considerations as they relate to Defender for Endpoint:

The diagrams below illustrate various proxy configurations that can be used with Defender for Endpoint, along with their implications for other products necessary for the proper operation of a Windows endpoint. The diagrams are intended to highlight the differences between system-level (WinHTTP), user-level (WinINET), and static-level (Registry/Group policy-based static) proxy configurations. More information on these configurations can be found in the following articles:

 

 

BrianBaldock_3-1680561045783.png

 

 

The above diagram assumes that all traffic through the proxy is approved for various endpoint requirements, such as Windows Update, Intune, Azure AD, and Defender for Endpoint traffic. However, this may not be the case for all organizations.

 

BrianBaldock_4-1680561045791.png

 

The diagram above highlights that the user-level (WinINET) proxy configuration only permits certain Defender for Endpoint traffic, while blocking all other services on the endpoint. This approach may suffice if you do not intend to use Live Response on your endpoints, or if the endpoints handle Windows Update differently and do not require Intune or Hybrid Azure AD. However, keep in mind that this configuration will require the endpoint to cache Defender for Endpoint signals until a user connects. It is recommended to review the plan deployment section of the Defender for Endpoint documentation to gain a deeper understanding of the implications of this decision.

 

BrianBaldock_5-1680561045795.png

 

The diagram above illustrates the impact of a static proxy configuration using either group policy or a registry edit. As shown, only Defender for Endpoint traffic is allowed to cross the proxy. This option is beneficial in cases where you have an existing infrastructure configuration that already handles Windows Updates, endpoint configuration policies, and compliance policies, and you are not planning to move to a hybrid Azure AD joined state. However, please note that this configuration assumes that the other services required for the proper functioning of the endpoint are managed through an alternate mechanism, such as Microsoft Endpoint Configuration Manager.

 

Other product considerations

In the subsequent sections, we have highlighted key considerations when deploying Defender for Endpoint. These sections specifically address related products and how they may be adversely affected in a disconnected environment. Keep in mind that Defender for Endpoint is a cloud-first product, and it is part of a larger suite of products within Microsoft 365. Therefore, it is important to consider these products, as well as standard services like Windows Update and certificate updates, when planning your deployment.

 

Microsoft Intune

Allow the following hostnames through your firewall to support Security Management for Defender for Endpoint. For communication between clients and the cloud service:

 

  • *.dm.microsoft.com - The use of a wildcard supports the cloud-service endpoints that are used for enrollment, check-in, and reporting, and which can change as the service scales.
  • *.manage.microsoft.com, manage.microsoft.com – Intune Service endpoints.
  • Additional endpoints:
    • login.microsoftonline.com
    • *.officeconfig.msocdn.com
    • config.office.com
    • graph.windows.net
    • enterpriseregistration.windows.net

 

Azure Active Directory

If you’re planning on using Microsoft Intune to manage policies on these disconnected devices, there are other considerations to take into account. A Hybrid Azure AD joined device living behind a proxy has some networking requirements. The following URLs must be accessible for the devices inside your organization.

 

 

The above URLs require access via the SYSTEM account using the machine context. Make sure your proxy server supports machine context authentication; otherwise, allow unauthenticated traffic just as you would with Defender for Endpoint. A WinHTTP proxy will also be required for this scenario. If, however, you are managing your endpoints with Microsoft Endpoint Configuration Manager (SCCM), policies will be handled on-premises, so this won’t be necessary, and you’ll be able to onboard the devices to Defender for Endpoint. Ultimately, it depends entirely on your end management objective and how cloud-centric your organization will be.

 

Use the Test Device Registration Connectivity script to validate if your devices can access the required Microsoft resources under the system account.

 

Windows Updates

Microsoft Defender for Endpoint, being a cloud-centric security product, necessitates that your devices remain up to date. Many customers typically have a robust maintenance solution in place for their isolated environments. Implementing Defender for Endpoint presents an opportune moment to review and assess the efficiency of your update process, ensuring its smooth operation or identifying the need for adjustments or supplementary configurations. Key considerations for Windows Update when operating behind a proxy include:

 

  • Proxy servers must accommodate Partial Range Requests since Windows Update employs WinHTTP with Partial Range requests (RFC 7233) to download updates and applications from Windows Update servers or on-premises WSUS servers.
  • If a proxy is configured at the user level (WinINET), connections to Windows Update will be unsuccessful. It is crucial to ensure proper proxy configuration to maintain seamless update processes.
  • Allowing Partial Range requests is essential for the efficient functioning of delta patching. Without this support, updates will require downloading a larger amount of content than necessary, resulting in increased bandwidth usage and longer update times.
  • You might choose to apply a rule to permit HTTP RANGE requests for the following URLs:
    • *.download.windowsupdate.com
    • *.dl.delivery.mp.microsoft.com
    • *.delivery.mp.microsoft.com

The above is referenced in the following documentation: Windows Update issues troubleshooting - Windows Client | Microsoft Learn
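To verify the Partial Range requirement described above, this added example (not from the original article) sends one ranged GET through a proxy and classifies the reply according to RFC 7233. The result labels, the sample responses and the `probe` parameters are assumptions of this sketch; the URL and proxy address must be supplied by the caller.

```python
import re
import urllib.error
import urllib.request

CONTENT_RANGE = re.compile(r"^bytes (\d+)-(\d+)/(\d+|\*)$")

def classify(status, headers, first, last):
    """Judge the response to 'Range: bytes=first-last' (RFC 7233)."""
    hdrs = {k.lower(): v.strip() for k, v in headers.items()}
    if status == 206:
        m = CONTENT_RANGE.match(hdrs.get("content-range", ""))
        if not m:
            return "range-malformed"    # 206 without a usable Content-Range
        if int(m.group(1)) != first or int(m.group(2)) > last:
            return "range-mismatch"     # a different slice than requested
        return "range-ok"
    if status == 200:
        return "range-ignored"          # full body sent: Range not honoured
    if status == 416:
        return "range-unsatisfiable"
    return "blocked-or-error"

def probe(url, proxy, first=0, last=1023):
    """Send one ranged GET through the proxy and classify the answer."""
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy, "https": proxy}))
    req = urllib.request.Request(url, headers={"Range": f"bytes={first}-{last}"})
    try:
        with opener.open(req, timeout=15) as resp:
            return classify(resp.status, resp.headers, first, last)
    except urllib.error.HTTPError as err:   # 4xx/5xx, including 416
        return classify(err.code, err.headers, first, last)

# Constructed responses to a request for bytes 0-1023
SAMPLES = [
    (206, {"Content-Range": "bytes 0-1023/146515"}),
    (200, {"Content-Length": "146515"}),
    (206, {"Content-Length": "1024"}),
    (403, {}),
]

def classify_samples():
    return [classify(status, hdrs, 0, 1023) for status, hdrs in SAMPLES]

if __name__ == "__main__":
    print(classify_samples())
```

A `range-ignored` result through the proxy, for a file that returns `range-ok` when fetched directly, points to the proxy not passing the Range header through.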

 

Summary

This article provides guidance on understanding the functionality of Defender for Endpoint, a cloud-first product, and the need for a mental shift towards modern security services. The article outlines planning and deployment recommendations, such as involving stakeholders, understanding networking requirements, and reviewing the documentation. Additionally, the article covers considerations for other Microsoft products like Intune, Azure Active Directory, and Windows Updates in relation to Defender for Endpoint. Overall, this article offers an approach to deploying Defender for Endpoint and discusses the requirements of other Microsoft products in a disconnected environment.

 

References

Disconnected environments, proxies, and Microsoft Defender for Endpoint

Defender for Endpoint and disconnected environments. Which proxy configuration wins?

RFC 7233: Hypertext Transfer Protocol (HTTP/1.1): Range Requests (rfc-editor.org)

Windows Update issues troubleshooting - Windows Client | Microsoft Learn

Network endpoints for Microsoft Intune | Microsoft Learn

Test Device Registration Connectivity - Code Samples | Microsoft Learn

Configure hybrid Azure Active Directory join - Microsoft Entra | Microsoft Learn

Microsoft Defender for Endpoint - Proxy Service URLs (Commercial) (live.com)

Microsoft FastTrack for Microsoft 365

Prepare Microsoft Defender for Endpoint deployment

 

Version history
Last update: Apr 04 2023 08:27 AM