| title | description | keywords | search.product | search.appverid | ms.prod | ms.mktglfcycl | ms.sitesec | ms.pagetype | ms.author | author | ms.localizationpriority | manager | audience | ms.collection | ms.topic |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Configure the security controls in Secure score |
Configure the security controls in Secure score |
secure score, dashboard, security recommendations, security control state, security score, score improvement, microsoft secure score, security controls, security control, improvement opportunities, edr, antivirus, av, os security updates |
eADQiWindows 10XVcnh |
met150 |
w10 |
deploy |
library |
security |
dolmont |
DulceMontemayor |
medium |
dansimp |
ITPro |
M365-security-compliance |
conceptual |
Applies to:
Note
Secure score is now part of Threat & Vulnerability Management as Configuration score. The secure score page will be available for a few weeks. View the Secure score page.
Each security control lists recommendations that you can take to increase the security posture of your organization.
A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for your Endpoint detection and response tool.
Important
This feature is available for machines on Windows 10, version 1607 or later.
- Microsoft Defender ATP sensor is on
- Data collection is working correctly
- Communication to Microsoft Defender ATP service is not impaired
You can take the following actions to increase the overall security score of your organization:
- Turn on sensor
- Fix sensor data collection
- Fix impaired communications
For more information, see Fix unhealthy sensors.
A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Windows Defender AV.
Important
This feature is available for machines on Windows 10, version 1607 or later.
A well-configured machine for Windows Defender AV meets the following requirements:
- Windows Defender AV is reporting correctly
- Windows Defender AV is turned on
- Security intelligence is up-to-date
- Real-time protection is on
- Potentially Unwanted Application (PUA) protection is enabled
You can take the following actions to increase the overall security score of your organization:
Note
For the Windows Defender Antivirus properties to show, you'll need to ensure that the Windows Defender Antivirus Cloud-based protection is properly configured on the machine.
- Fix antivirus reporting
- This recommendation is displayed when the Windows Defender Antivirus is not properly configured to report its health state. For more information on fixing the reporting, see Configure and validate network connections.
- Turn on antivirus
- Update antivirus Security intelligence
- Turn on real-time protection
- Turn on PUA protection
For more information, see Configure Windows Defender Antivirus.
This tile shows you the number of machines that require the latest security updates. It also shows machines that are running on the latest Windows Insider preview build and serves as a reminder to ensure that users should run the latest builds.
Important
This feature is available for machines on Windows 10, version 1607 or later.
You can take the following actions to increase the overall security score of your organization:
- Install the latest security updates
- Fix sensor data collection
- The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see Fix unhealthy sensors.
For more information, see Windows Update Troubleshooter.
A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on machines to meet the minimum baseline configuration setting for Microsoft Defender EG. When endpoints are configured according to the baseline the Microsoft Defender EG events shows on the Microsoft Defender ATP Machine timeline.
Important
This security control is only applicable for machines with Windows 10, version 1709 or later.
Machines are considered "well configured" for Microsoft Defender EG if the following requirements are met:
- System level protection settings are configured correctly
- Attack Surface Reduction rules are configured correctly
- Controlled Folder Access setting is configured correctly
The following system level configuration settings must be set to On or Force On:
- Control Flow Guard
- Data Execution Prevention (DEP)
- Randomize memory allocations (Bottom-up ASLR)
- Validate exception chains (SEHOP)
- Validate heap integrity
Note
The setting Force randomization for images (Mandatory ASLR) is currently excluded from the baseline. Consider configuring Force randomization for images (Mandatory ASLR) to On or Force On for better protection.
The following ASR rules must be configured to Block mode:
| Rule description | GUIDs |
|---|---|
| Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 |
| Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A |
| Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 |
| Impede JavaScript and VBScript to launch executables | D3E037E1-3EB8-44C8-A917-57927947596D |
| Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC |
| Block Win32 imports from Macro code in Office | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B |
Note
The setting Block Office applications from injecting into other processes with GUID 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 is excluded from the baseline. Consider enabling this rule in Audit or Block mode for better protection.
The Controlled Folder Access setting must be configured to Audit mode or Enabled.
Note
Audit mode, allows you to see audit events in the Microsoft Defender ATP Machine timeline however it does not block suspicious applications. Consider enabling Controlled Folder Access for better protection.
You can take the following actions to increase the overall security score of your organization:
- Turn on all system-level Exploit Protection settings
- Set all ASR rules to enabled or audit mode
- Turn on Controlled Folder Access
- Turn on Windows Defender Antivirus on compatible machines
A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Windows Defender AG. When endpoints are configured according to the baseline, Windows Defender AG events shows on the Microsoft Defender ATP Machine timeline.
A well-configured machine complies to a minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Microsoft Defender AG. When endpoints are configured according to the baseline, Microsoft Defender AG events shows on the Microsoft Defender ATP Machine timeline.
Important
This security control is only applicable for machines with Windows 10, version 1709 or later.
A well-configured machine for Windows Defender AG meets the following requirements:
- Hardware and software prerequisites are met
- Windows Defender AG is turned on compatible machines
- Managed mode is turned on
You can take the following actions to increase the overall security score of your organization:
-
Ensure hardware and software prerequisites are met
[!NOTE] This improvement item does not contribute to the security score in itself because it's not a prerequisite for Microsoft Defender AG. It gives an indication of a potential reason why Microsoft Defender AG is not turned on.
-
Turn on Microsoft Defender AG on compatible machines
-
Turn on managed mode
For more information, see Microsoft Defender Application Guard overview.
A well-configured machine complies to a minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Microsoft Defender SmartScreen.
Warning
Data collected by Microsoft Defender SmartScreen might be stored and processed outside of the storage location you have selected for your Microsoft Defender ATP data.
Important
This security control is only applicable for machines with Windows 10, version 1709 or later.
The following settings must be configured with the following settings:
- Check apps and files: Warn or Block
- Microsoft Defender SmartScreen for Microsoft Edge: Warn or Block
- Microsoft Defender SmartScreen for Microsoft store apps: Warn or Off
You can take the following actions to increase the overall security score of your organization:
- Set Check app and files to Warn or Block
- Set Windows Defender SmartScreen for Microsoft Edge to Warn or Block
- Set Windows Defender SmartScreen for Microsoft store apps to Warn or Off
For more information, see Windows Defender SmartScreen.
- Set Check app and files to Warn or Block
- Set Windows Defender SmartScreen for Microsoft Edge to Warn or Block
- Set Windows Defender SmartScreen for Microsoft store apps to Warn or Off
For more information, see Windows Defender SmartScreen.
A well-configured machine must have Microsoft Defender Firewall turned on and enabled for all profiles so that inbound connections are blocked by default. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Microsoft Defender Firewall.
Important
This security control is only applicable for machines with Windows 10, version 1709 or later.
- Microsoft Defender Firewall is turned on for all network connections
- Secure domain profile by enabling Microsoft Defender Firewall and ensure that Inbound connections are set to Blocked
- Secure private profile by enabling Microsoft Defender Firewall and ensure that Inbound connections are set to Blocked
- Secure public profile is configured by enabling Microsoft Defender Firewall and ensure that Inbound connections are set to Blocked
For more information on Windows Defender Firewall settings, see Planning settings for a basic firewall policy.
Note
If Windows Defender Firewall is not your primary firewall, consider excluding it from the security score calculations and make sure that your third-party firewall is configured in a securely.
You can take the following actions to increase the overall security score of your organization:
- Turn on firewall
- Secure domain profile
- Secure private profile
- Secure public profile
- Verify secure configuration of third-party firewall
- Fix sensor data collection
- The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see Fix unhealthy sensors.
For more information, see Windows Defender Firewall with Advanced Security.
A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for BitLocker.
Important
This security control is only applicable for machines with Windows 10, version 1803 or later.
- Ensure all supported drives are encrypted
- Ensure that all suspended protection on drives resume protection
- Ensure that drives are compatible
You can take the following actions to increase the overall security score of your organization:
- Encrypt all supported drives
- Resume protection on all drives
- Ensure drive compatibility
- Fix sensor data collection
- The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see Fix unhealthy sensors.
For more information, see Bitlocker.
A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Windows Defender Credential Guard.
Important
This security control is only applicable for machines with Windows 10, version 1709 or later.
Well-configured machines for Windows Defender Credential Guard meets the following requirements:
- Hardware and software prerequisites are met
- Windows Defender Credential Guard is turned on compatible machines
You can take the following actions to increase the overall security score of your organization:
- Ensure hardware and software prerequisites are met
- Turn on Credential Guard
- Fix sensor data collection
- The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see Fix unhealthy sensors.
For more information, see Manage Windows Defender Credential Guard.
Want to experience Microsoft Defender ATP? Sign up for a free trial.