Team: Huntress Managed Endpoint Detection and Response (EDR)
Product: Microsoft Defender
Environment: Windows
Summary: Managed Antivirus offers two modes in which to manage Microsoft Defender Antivirus on your endpoints. The mode determines whether you are using Managed Antivirus for visibility only or active configuration of Microsoft Defender Antivirus. The mode only determines if you want Huntress to be the tool enforcing Microsoft Defender policies. Regardless of the mode, the Huntress 24/7 SOC will be reviewing any suspicious Microsoft Defender activity that occurs.
Audit Mode:
Audit Mode is the read-only default mode for all endpoints. This mode provides visibility into the current state of Microsoft Defender Antivirus on your managed endpoints.
In this mode, Huntress does not make changes to any settings that are on the endpoint. Any configuration that is set in the Policy Configuration modal is not applied.
Enforce Mode:
Enforce Mode is what allows Huntress to begin actively changing and enforcing Microsoft Defender settings. In this mode, Huntress compares what currently exists on the endpoint with what is set in the Huntress Managed AV Policy Configuration modal for that endpoint.
In this mode, if any settings do not match, Huntress will actively change the setting on the endpoint to match what is configured in the Policy Configuration.
Policy Mode Inheritance
Partners now have the ability to set Enforce or Audit mode at the Account or Organization level. When set at that level, endpoints that are configured to Inherit will receive the mode that is set at the Organization or Account level.
More information on Inheritance for Managed Antivirus can be found here.
What mode does a new endpoint receive when it is added to Huntress?
Inheritance for the Enforce / Audit mode allows new endpoints to immediately receive the mode that is set at the Account or Organization level. New endpoints will be added with "Inherit" as their mode setting by default, so the mode is properly set for all new endpoints without extra steps.
How do I set multiple endpoints to inherit their policy mode?
A bulk action is available on the Managed AV dashboard at either an Account or Organization level. By bulk selecting multiple endpoints, you can use the MAV Actions on the top right of the table and select "Inherit Policy Mode"; this will ensure that all endpoints will inherit their Policy Mode setting from their Organization or Account.
What if I do not want to inherit the mode for some of my endpoints?
All endpoints also have an option for an endpoint-level override where you can explicitly set the mode for each individual endpoint. This can be done by going into the Endpoint Antivirus page under Policy Status.
For partners who had Managed AV prior to inheritance, the mode for all endpoints is preserved with an endpoint-level override.
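The mode resolution (endpoint override, then Organization, then Account) and the Audit versus Enforce behaviour described above, modelled as an added Python example. This is not Huntress code; the setting names are placeholders, and falling back to Audit when no level sets a mode is an assumption based on Audit being the read-only default.

```python
from typing import Dict, Tuple

INHERIT, AUDIT, ENFORCE = "Inherit", "Audit", "Enforce"


def resolve_mode(endpoint: str, organization: str, account: str) -> str:
    """Resolve an endpoint's effective policy mode.

    An explicit endpoint-level override wins. An endpoint set to "Inherit"
    takes the Organization mode, and an Organization set to "Inherit" takes
    the Account mode. Falling back to Audit when nothing is set anywhere is
    an assumption (Audit is the read-only default in the article).
    """
    for mode in (endpoint, organization, account):
        if mode != INHERIT:
            return mode
    return AUDIT


def reconcile(mode: str, endpoint_settings: Dict[str, object],
              policy: Dict[str, object]) -> Tuple[Dict[str, tuple], Dict[str, object]]:
    """Compare endpoint state with the Policy Configuration.

    Returns (drift, resulting_settings). drift maps every mismatched setting
    to (current_value, policy_value). In Audit mode the endpoint is reported
    on but left untouched; in Enforce mode each mismatched setting is set to
    the policy value. Settings the policy does not mention are never changed.
    """
    drift = {name: (endpoint_settings.get(name), wanted)
             for name, wanted in policy.items()
             if endpoint_settings.get(name) != wanted}
    if mode == AUDIT:
        return drift, dict(endpoint_settings)
    if mode == ENFORCE:
        return drift, {**endpoint_settings, **policy}
    raise ValueError(f"unresolved mode {mode!r}; call resolve_mode() first")


# Constructed sample data; the setting names are placeholders, not Huntress policy keys.
POLICY = {"RealTimeProtection": True, "CloudBlockLevel": "High"}
ENDPOINT_STATE = {"RealTimeProtection": False, "CloudBlockLevel": "High", "ScanSchedule": "Daily"}

if __name__ == "__main__":
    # A new endpoint defaults to "Inherit"; here the Organization also inherits and the Account is Enforce.
    mode = resolve_mode(INHERIT, INHERIT, ENFORCE)
    drift, result = reconcile(mode, ENDPOINT_STATE, POLICY)
    print(mode, drift, result)
```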