7.2 Sensor and Client Configuration

75 minutes · Module 7

By the end of this subsection, you will know the critical sensor settings that affect detection quality, understand cloud protection levels, configure tamper protection, and troubleshoot common onboarding failures.

Onboarding installs the sensor. Configuration determines what it detects and how it responds. Default settings are reasonable for most environments, but several settings significantly affect detection quality and should be explicitly verified.

Critical settings to verify

| Setting | Default | Recommended | Impact of incorrect setting |
|---|---|---|---|
| Cloud-delivered protection | Enabled | Enabled | Disabling removes 80%+ of malware detection. The cloud intelligence network identifies new threats within seconds; local signatures alone are days behind. |
| Cloud protection level | Default | High+ or Zero tolerance | Higher levels block more aggressively. “Default” allows some suspicious files that “High+” would quarantine. “Zero tolerance” blocks anything not in the known-safe list. |
| Sample submission | Send safe samples | Send all samples | “Safe samples only” means Microsoft never sees the truly suspicious files. “Send all” enables full cloud analysis of every unknown file. |
| Tamper protection | Varies (verify!) | Enabled | Without tamper protection, any local admin can disable Defender with one PowerShell command, which is typically the attacker’s first action after gaining admin access. |
| Block at first sight (BAFS) | Enabled | Enabled | Holds unrecognized files for up to 10 seconds while cloud analysis runs. Catches zero-day malware that signature-based scanning misses. |
| PUA protection | Audit | Enabled (block) | Potentially Unwanted Applications (adware, toolbars, cryptominers) are blocked instead of just logged. |
| Network protection | Disabled | Enabled (block) | Blocks connections to known malicious domains/IPs. Without it, C2 communication succeeds even though the domain is in Microsoft threat intel. |

Tamper protection is the most commonly missed setting

In many environments, tamper protection was disabled because an admin needed to make a configuration change and never re-enabled it. Without it, an attacker with local admin access runs: Set-MpPreference -DisableRealtimeMonitoring $true — Defender stops protecting the device instantly. The attacker then executes their payload with zero endpoint detection. Verify tamper protection on every device, on every audit.
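Before enforcing these settings fleet-wide, it helps to see exactly what one device reports. The script below is an added example for this module (not part of the course material and not Microsoft's own tooling): it reads each setting from the table via Get-MpPreference and Get-MpComputerStatus and compares it with the Recommended column. It assumes the documented enum codes returned by those cmdlets (for example PUAProtection 1 = block, 2 = audit) and treats CloudBlockLevel 4 (High+) or 6 (Zero tolerance) as passing; the function name Test-DefenderCriticalSettings is ours.

```powershell
# Added example, not from the module or from Microsoft: audit the local Windows device against
# the "critical settings" table. Run in an elevated PowerShell session where Microsoft Defender
# Antivirus is installed. Numeric values are the enum codes Get-MpPreference returns.

function Test-DefenderCriticalSettings {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # One object per row of the table: observed value, recommended value and a Pass flag.
    # Assumption (from the Recommended column): High+ (4) or Zero tolerance (6) are acceptable.
    $checks = @(
        [pscustomobject]@{ Setting = 'Cloud-delivered protection'; Observed = $pref.MAPSReporting
                           Recommended = 'MAPSReporting 1 or 2 (not 0 = disabled)'
                           Pass = ($pref.MAPSReporting -ne 0) }
        [pscustomobject]@{ Setting = 'Cloud protection level'; Observed = $pref.CloudBlockLevel
                           Recommended = 'CloudBlockLevel 4 (High+) or 6 (Zero tolerance)'
                           Pass = ($pref.CloudBlockLevel -in 4, 6) }
        [pscustomobject]@{ Setting = 'Sample submission'; Observed = $pref.SubmitSamplesConsent
                           Recommended = 'SubmitSamplesConsent 3 (Send all samples)'
                           Pass = ($pref.SubmitSamplesConsent -eq 3) }
        [pscustomobject]@{ Setting = 'Tamper protection'; Observed = $status.IsTamperProtected
                           Recommended = 'IsTamperProtected True'
                           Pass = ($status.IsTamperProtected -eq $true) }
        [pscustomobject]@{ Setting = 'Block at first sight (BAFS)'; Observed = $pref.DisableBlockAtFirstSeen
                           Recommended = 'DisableBlockAtFirstSeen False'
                           Pass = ($pref.DisableBlockAtFirstSeen -eq $false) }
        [pscustomobject]@{ Setting = 'PUA protection'; Observed = $pref.PUAProtection
                           Recommended = 'PUAProtection 1 (block; 2 is audit only)'
                           Pass = ($pref.PUAProtection -eq 1) }
        [pscustomobject]@{ Setting = 'Network protection'; Observed = $pref.EnableNetworkProtection
                           Recommended = 'EnableNetworkProtection 1 (block; 2 is audit only)'
                           Pass = ($pref.EnableNetworkProtection -eq 1) }
        [pscustomobject]@{ Setting = 'Real-time protection'; Observed = $status.RealTimeProtectionEnabled
                           Recommended = 'RealTimeProtectionEnabled True'
                           Pass = ($status.RealTimeProtectionEnabled -eq $true) }
    )
    return $checks
}

$results = Test-DefenderCriticalSettings
$results | Format-Table Setting, Observed, Recommended, Pass -AutoSize

# Non-zero exit code so a scheduled task, Intune script or build check can flag the device.
$failed = @($results | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) {
    Write-Warning ('{0} critical setting(s) not at the recommended value on {1}: {2}' -f
        $failed.Count, $env:COMPUTERNAME, ($failed.Setting -join ', '))
    exit 1
}
```

The Pass column is deliberately strict about audit modes: PUA protection and network protection in audit mode (value 2) only log, so they fail the check even though the feature is "on". Use this on a reference device to confirm that an Intune profile actually lands before trusting the fleet-wide compliance numbers.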

Verifying configuration at scale

// Compliance of the critical Defender settings across the fleet, last 24 hours of assessments.
DeviceTvmSecureConfigurationAssessment
| where TimeGenerated > ago(1d)
| where ConfigurationId in (
    "scid-2010",
    "scid-2011",
    "scid-2012",
    "scid-2013",
    "scid-2014"
)
// Assessments are periodic snapshots: keep only the latest per device and setting so a
// device that reported several times in the window is counted once, not once per snapshot.
| summarize arg_max(TimeGenerated, *) by DeviceId, ConfigurationId
// Devices where the setting does not apply (e.g. the OS does not support it) must not
// be counted as non-compliant.
| where IsApplicable == true
| extend ConfigName = case(
    ConfigurationId == "scid-2010", "Cloud protection",
    ConfigurationId == "scid-2011", "PUA protection",
    ConfigurationId == "scid-2012", "Tamper protection",
    ConfigurationId == "scid-2013", "Network protection",
    ConfigurationId == "scid-2014", "Real-time protection",
    "Unknown")
| summarize
    Compliant = countif(IsCompliant == true),
    NonCompliant = countif(IsCompliant == false)
    by ConfigName
| extend CompliancePercent = round(Compliant * 100.0 / (Compliant + NonCompliant), 1)
// Lowest compliance first, so the biggest gap is the first row.
| sort by CompliancePercent asc
Expected Output (rows in ascending CompliancePercent order, as the final sort operator specifies)

| ConfigName | Compliant | NonCompliant | CompliancePercent |
|---|---|---|---|
| Network protection | 312 | 177 | 63.8% |
| PUA protection | 445 | 44 | 91.0% |
| Tamper protection | 471 | 18 | 96.3% |
| Cloud protection | 487 | 2 | 99.6% |
| Real-time protection | 489 | 0 | 100% |

What to look for: Network protection at 63.8% is the biggest gap: 177 devices can connect to known-malicious domains without blocking. Tamper protection at 96.3% means 18 devices are vulnerable to sensor disabling. Fix both: deploy Intune configuration profiles that enforce these settings. This query is your security configuration audit.

Troubleshooting onboarding failures

| Symptom | Diagnosis | Fix |
|---|---|---|
| Device does not appear in DeviceInfo after 24 hours | Onboarding failed or device has not synced | Check Event Viewer → Applications and Services Logs → Microsoft → Windows → SENSE. Look for error events. Re-run onboarding with the /troubleshoot flag. |
| “Onboarded” but SensorHealthState = “Inactive” | Sensor cannot reach Defender cloud services | Verify network connectivity: the device must reach *.securitycenter.windows.com and *.security.microsoft.com on port 443. Check proxy configuration. Run mdatp health on the device. |
| Sensor running but zero alerts generated | Cloud protection or real-time protection disabled | Run the configuration compliance query above. Deploy Intune policy to enforce settings. |
| macOS shows onboarded but no process events | System Extension not approved | Deploy a PPPC profile via Intune/Jamf that pre-approves the Microsoft Defender System Extension. |
| Linux shows onboarded but limited telemetry | SELinux or AppArmor blocking | Check mdatp health --field real_time_protection_enabled. Adjust SELinux/AppArmor policies for the Defender process. |
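The first two rows of the table (device missing from DeviceInfo, or SensorHealthState = Inactive) usually come down to the same handful of local checks. The script below is an added example for this module (not course material and not Microsoft's own tooling) that collects them in one pass on a Windows device: SENSE service state, the onboarding state flag in the registry, the latest SENSE error events, the WinHTTP proxy the sensor would use, and TCP 443 reachability. It assumes the documented SENSE registry path and event log name; the default host tested, security.microsoft.com, is a placeholder representative of the *.security.microsoft.com suffix from the table, not the sensor's own gateway URL, so replace it with the hosts from your onboarding package. The function name Get-SenseTriage is ours.

```powershell
# Added example, not from the module or from Microsoft: first-pass triage of a Windows device
# that does not show up in DeviceInfo or reports SensorHealthState = Inactive. Run elevated.

function Get-SenseTriage {
    param(
        # Placeholder default: replace with the concrete Defender cloud hosts for your tenant/region.
        [string[]]$EndpointHosts = @('security.microsoft.com')
    )
    $r = [ordered]@{ Device = $env:COMPUTERNAME }

    # 1. Is the sensor service installed and running? No service = onboarding package never ran.
    $svc = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $r.SenseService = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }

    # 2. OnboardingState 1 = onboarding script applied; anything else means it did not complete.
    #    (Documented SENSE status key; assumption: unchanged on your OS build.)
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $onb = Get-ItemProperty -Path $key -Name OnboardingState -ErrorAction SilentlyContinue
    $r.OnboardingState = if ($onb) { $onb.OnboardingState } else { 'Missing' }

    # 3. Latest SENSE error events, the same log the table points to in Event Viewer
    #    (Applications and Services Logs > Microsoft > Windows > SENSE). Level 2 = Error.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SENSE/Operational'; Level = 2 } `
        -MaxEvents 5 -ErrorAction SilentlyContinue
    $r.RecentSenseErrors = @($events | ForEach-Object {
        '{0:u} id={1}: {2}' -f $_.TimeCreated, $_.Id, (($_.Message -split "`r?`n")[0])
    })

    # 4. Proxy in effect for system services. The sensor uses WinHTTP, not the signed-in
    #    user's browser proxy, so a "Direct access" result on a proxied network is a finding.
    $r.WinHttpProxy = ((netsh winhttp show proxy) -join ' ').Trim()

    # 5. TCP 443 reachability per host. BLOCKED here with no sensor errors usually means an
    #    egress firewall rule rather than a sensor fault.
    $r.Port443 = @(foreach ($h in $EndpointHosts) {
        $ok = Test-NetConnection -ComputerName $h -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
        '{0}: {1}' -f $h, $(if ($ok) { 'reachable' } else { 'BLOCKED' })
    })

    [pscustomobject]$r
}

Get-SenseTriage | Format-List
```

Read the output top to bottom: a missing service or OnboardingState other than 1 is an onboarding failure (re-run the package); a running service with OnboardingState 1 but SENSE errors and BLOCKED hosts is the connectivity case from the second row of the table, and the WinHttpProxy line tells you whether the sensor is even trying to go through the proxy your network requires.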

Try it yourself

Run the configuration compliance query above in your environment. Which setting has the lowest compliance percentage? What Intune configuration profile would you create to fix it?

The most commonly non-compliant setting is network protection — it is disabled by default and many organizations have not enabled it. To fix: create an Intune Endpoint Security profile (Attack Surface Reduction → Network protection → Enabled in block mode) targeting all Windows devices. This blocks connections to known-malicious domains using Microsoft threat intelligence.

For tamper protection: this is enabled via the Microsoft Defender for Endpoint portal (Settings → Advanced features → Tamper protection → On), not via Intune. It applies tenant-wide once enabled.

Check your understanding

1. An attacker gains local admin on a workstation. Tamper protection is disabled. What is their first action?

   a) Disable Defender real-time protection (Set-MpPreference -DisableRealtimeMonitoring $true)
   b) Uninstall Defender entirely
   c) Nothing — Defender still detects them

   Answer: a). With tamper protection off, this command succeeds instantly. The attacker can now execute payloads, dump credentials, and move laterally without endpoint detection. This is why tamper protection is the #1 setting to verify.

2. Network protection is disabled on 177 devices. What is the security impact?

   a) These 177 devices can connect to known-malicious domains and C2 servers without any blocking
   b) No impact — the firewall handles network blocking
   c) Only web browsing is affected

   Answer: a). Even though Microsoft threat intelligence identifies the domain as malicious, the device happily connects. Malware on these devices can phone home, download payloads, and exfiltrate data unimpeded.