Defender

Local admin report with Defender for Endpoint

Alex Mags
Securing Windows PCs starts with managing local administrator access. Microsoft Defender for Endpoint records every logon in the DeviceLogonEvents table, including an IsLocalAdmin flag that says whether the account was a local administrator on that device. Use the following KQL query in the Advanced Hunting portal to create a report. Then use Active Directory Group Policy to manage the local admins that genuinely need to be there for support or management tools. Take care with this policy: one setting (Restricted Groups, "Members of this group") replaces the Administrators group membership with exactly the accounts listed in the GPO and removes everyone else.
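As an added example (not the query from the original post), the following Advanced Hunting query lists, per device, every account that completed an interactive or remote-interactive logon as a local administrator over the last 30 days. The 30-day window and the LogonType filter are assumptions chosen here to keep the report focused on humans signing in, rather than service or network logons; widen or drop them as needed.

```kql
// Added example: report of accounts that logged on as local admin per device.
// Assumes the standard Defender for Endpoint DeviceLogonEvents schema.
DeviceLogonEvents
| where Timestamp > ago(30d)                         // assumed reporting window
| where ActionType == "LogonSuccess"                  // ignore failed attempts
| where IsLocalAdmin == true                          // only logons with local admin rights
| where LogonType in ("Interactive", "RemoteInteractive")  // assumed: human sign-ins only
| summarize
    Logons    = count(),
    FirstSeen = min(Timestamp),
    LastSeen  = max(Timestamp)
    by DeviceName, AccountDomain, AccountName
| extend Account = strcat(AccountDomain, @"\", AccountName)
| project DeviceName, Account, Logons, FirstSeen, LastSeen
| sort by DeviceName asc, LastSeen desc
```

Accounts that appear here but are not in your GPO-managed admin list are the ones to investigate: either a support exception that was never revoked, or a user who was granted local admin outside the policy.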

BitLocker status report with Defender for Endpoint

Alex Mags
Are all your machines encrypted? If a laptop is lost, is the data protected, or will you need to declare a breach? Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) stores BitLocker status information. Use the following KQL query in the Advanced Hunting portal. The following KQL was inspired by SecGuru_OTX's Twitter post (below):

"M365 Advanced Hunting: Detect Bitlocker non-compliant Windows 10 devices with 'Encrypt all Bitlocker supported drives' setting." — CISOwithHoodie (@SecGuru_OTX), June 9, 2021

Find more IT Infrastructure tips at blog.
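As an added example (not the author's query or the one in the tweet), the following Advanced Hunting query pulls the BitLocker configuration assessments that Defender for Endpoint's secure configuration assessment reports per device, and summarises how many devices are non-compliant. Rather than hard-coding a configuration ID, it joins to the DeviceTvmSecureConfigurationAssessmentKB table and matches on "BitLocker" in the configuration name, so it also picks up any other BitLocker-related checks; the `has "BitLocker"` match is the assumption here.

```kql
// Added example: BitLocker compliance summary from the secure configuration assessment.
// Assumes the standard DeviceTvmSecureConfigurationAssessment / ...KB schemas.
DeviceTvmSecureConfigurationAssessment
| join kind=inner (
    DeviceTvmSecureConfigurationAssessmentKB
    | where ConfigurationName has "BitLocker"      // assumed: match all BitLocker checks by name
    | project ConfigurationId, ConfigurationName
  ) on ConfigurationId
| where IsApplicable == true                        // skip devices the check does not apply to
| summarize arg_max(Timestamp, *) by DeviceId, ConfigurationId   // one latest row per device/check
| summarize
    Devices      = count(),
    NonCompliant = countif(IsCompliant == false),
    NonCompliantDevices = make_set_if(DeviceName, IsCompliant == false, 500)
    by ConfigurationName
| extend PercentCompliant = round(100.0 * (Devices - NonCompliant) / Devices, 1)
| sort by NonCompliant desc
```

To get the device-level list instead of the summary, stop after the `arg_max` step and add `| where IsCompliant == false | project Timestamp, DeviceName, OSPlatform, ConfigurationName`. Note that this table reflects the assessment state Defender last received from each device, so a machine that has been offline for weeks shows its last reported status, not its current one.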