Protecting disconnected devices with Microsoft Defender ATP
Published Apr 29 2019 09:42 AM 29.4K Views

Microsoft Defender Advanced Threat Protection is a coordinated suite of security products that work together to help you understand, review, and resolve what we sometimes call ‘your security posture’. Essentially, this means how well your organization’s people and assets are protected against cybersecurity threats – whether they’re targeted, online, physical, or based on social engineering.


The Microsoft Defender Security Center, along with the Microsoft 365 Security Center, provide you with a wealth of information that ties together signals from Microsoft security products that you’ve deployed in your org – for example you can review removable device usage to help you understand suspicious activity, you can review attacks targeting your network with advanced hunting and analysis, and you can understand your all-up security state with Microsoft Secure Score.


In an ideal world, all of your critical devices would be seen by, reported on, and protected by Microsoft Defender ATP, however we’re aware that there are legitimate scenarios where devices simply can’t be connected to the Internet or a management service.


The good news for those disconnected devices is that we have released a whitepaper with all the info you need to understand how security is impacted by the unique challenges of being disconnected. It talks about the types of disconnected devices, and -- most importantly -- provides guidance on the various features and protection technologies you can use from Microsoft to protect these disconnected devices.


You can go ahead and download a copy of the whitepaper [PDF] right now. In this blog I’m going to pull out some of the high-level considerations and tactics you can use when defining a disconnected device security policy that are featured in the whitepaper.


Disconnected, isolated, air-gapped == on their own


With Microsoft Defender ATP we talk a lot about our cloud-delivered protection - we’re extremely proud of it – honestly it kinda rocks (follow these instructions to turn it on and read more on our blog about how machine learning across Microsoft Threat Protection works with the cloud to deliver protection) – but we’re aware that not all devices can be connected to an external endpoint.


So how do you make sure your extremely valuable disconnected devices are protected if they can’t connect to our cloud?


Well, luckily, we have a broad and robust series of offline protection capabilities. These all fit into what I’ve talked about in previous blogs – defense in depth.


We believe that defense in depth is the best way to protect your devices, no matter where they are or what they do. It relies on using security features that make the most sense, in the easiest possible way, to give you tailored and strong protection.


Defense in depth for a disconnected device security policy


The first thing you should be considering is what type of disconnected scenario you have. The following are the most common types of disconnected scenarios (we talk more about these in the whitepaper):





Next, you need to consider how updates are delivered and how configuration is managed:


  • Inventory. Any auxiliary device that is connected to the disconnected device at any level of relationship (primary, secondary, tertiary) needs to be protected.
    • Update management (device). Determine where your updates get onto the disconnected device. Is it with a USB thumb drive? A management repository that can only connect to the disconnected device
    • Update management (relationships). Go the next level up – how do updates get onto that auxiliary device? Are they downloaded onto a PC, and then copied to the USB thumb drive? Are they distributed via Config Manager onto your management repo? What gates are involved and what other devices are connected to the auxiliary updating device?
  • User permissions. Who uses the disconnected device? What admin privileges do they have? Can they install apps or change settings?
  • Removable device control. Do users ever need to plug in removable devices? What’s the core purpose of the device?


Understanding the scope of your scenario helps you to determine how your security policy should be created.  For example, we strongly recommend a gatekeeping management methodology. This allows you to validate the integrity of connections that crosses the trust boundary to your disconnected devices, if at all possible.


It can be as complex as the figure below (which is based on the Azure Gatekeeping scenario), or simply the use of an intermediary machine or service (as in the case of an Azure Application Gateway – which is described in more detail in the whitepaper).




You can then layer on top of that a number of other technologies, both at the gatekeeper and the device level, to create a solid protection strategy. The following tactics are described in greater detail in the whitepaper, with links to further configuration and documentation:


  • Device lockdown and restriction, including Bitlocker and other data loss prevention technology to control what information can be copied to or from the device, along with removable device control policies to lock down the types of devices that can connect to the disconnected device – you can customize this to certain devices as well. Read more in our device control blog.
  • Offline updates and shared configuration file locations. This includes the VDI shared file feature to allow your disconnected device to install threat intelligence updates without having to download, unpack, and extract them, along with WSUS, certificate trust lists, and others.
  • Application control and access, such as Windows Defender Application Control, to restrict the apps that are allowed to run on the device (it makes it significantly harder for malware executables to run if you block all unknown apps), and proper inventory and patching policies for all the software and user permissions on the devices.
  • Antimalware and advanced attack surface reduction features which work directly on the device to prevent suspicious and unauthorized behaviors.


What about machine learning?


We often receive requests from customers for ‘offline’ machine learning products to help with these disconnected scenarios.


When Microsoft Defender ATP is connected to the cloud, intel can also be shared with other cloud-enabled machines. However, if a machine isn’t connected, it still has client-based machine learning, behavioral analysis, heuristics, fileless detection, and process monitoring. This forms part of a defense-in-depth strategy that sees protection provided at the client level, even if there is no connection to a network or the Internet.


Send us feedback


If you use these features, or are interested in more articles like this, be sure to leave feedback for me on Twitter @IaanMSFT or in the comments below


Don’t forget to download the disconnected devices whitepaper [PDF] right now!


Iaan D’Souza-Wiltshire (@IaanMSFT)
Microsoft Defender Advanced Threat Protection

Version history
Last update:
‎May 15 2019 02:18 PM
Updated by: