TickYouOff
Back
🔒

Microsoft Defender for Endpoint STIG Checklist (Version 1, Release 2)

Medium 19 items · 4 hours
testuser's avatar
testuser Published 4 months ago

This checklist helps IT and security teams implement core Microsoft Defender for Endpoint (MDE) STIG controls to secure endpoints and meet DoD guidance. It is suitable for administrators onboarding devices, configuring protections, and validating compliance.

Source: https://ncp.nist.gov/checklist/1297

Progress
0 / 19
  1. Review MDE STIG documentation — Read Version 1, Release 2 and supporting resources before making changes.
  2. Inventory endpoints for MDE eligibility — List OS versions, device roles, and management status (managed/standalone).
  3. Confirm licensing and tenant enrollment — Verify required MDE licenses and tenant configuration before onboarding.
  4. Onboard devices to Microsoft Defender for Endpoint — Use the recommended deployment method for servers and endpoints (MDM, local installers, or scripts).
  5. Enable Endpoint Detection and Response (EDR) in block mode — Activate EDR to detect and block advanced threats per STIG guidance.
  6. Configure automated investigation and remediation — Turn on automated remediation to reduce manual triage time.
  7. Enable Microsoft Defender Antivirus real-time protection — Ensure real-time scanning is active and tamper protection prevents changes.
  8. Configure attack surface reduction (ASR) rules — Enable recommended ASR rules to block common exploit vectors.
  9. Enable cloud-delivered protection and sample submission — Allow cloud heuristics and safe sample submission to improve detections.
  10. Configure MDE policies in Intune or Group Policy — Apply centralized policies for antivirus, EDR, ASR, and exclusions.
  11. Configure antivirus exclusions per STIG guidelines — Limit exclusions to validated cases and document each justification.
  12. Add approved exclusions for apps and paths — Only add exclusions with evidence and minimal scope (process, path, or extension).
  13. Document exclusions and justification — Record who approved the exclusion, why, and when it will be reviewed.
  14. Enable tamper protection — Prevent unauthorized changes to MDE settings from local or remote agents.
  15. Verify telemetry and central logging to MDE console — Confirm events, alerts, and logs are forwarded to the Defender portal.
  16. Integrate with Microsoft Entra ID and Conditional Access — Ensure device identity and access controls align with security policies.
  17. Run STIG compliance scan and remediate findings — Execute compliance checks and address any non-compliant configurations.
  18. Document configurations and change history — Keep a record of setting changes, approvals, and version updates.
  19. Schedule regular reviews and update cadence — Set periodic reviews for policies, exclusions, and STIG changes.
Sign in to save
📝 My Notes