Microsoft Defender for Endpoint Deployment

Overview

EnforceDNS’s MDE integration enables agentless DNS protection by leveraging your existing Microsoft Defender for Endpoint deployment. This self-service method allows organizations to rapidly enable Protective DNS without additional endpoint installations. DNS traffic is automatically routed through EnforceDNS’s Anycast resolvers, providing visibility and enforcement both on- and off-network.

EnforceDNS ↔ Microsoft Defender for Endpoint: High-Level Integration Architecture

[Diagram: EnforceDNS ↔ Microsoft Defender for Endpoint high-level integration architecture]

Prerequisites

  • Licensing

  • Active Microsoft Defender for Endpoint installed on all target Windows devices

  • Admin access to your EnforceDNS account and MDE console

  • No conflicting DNS routing—EnforceDNS Agent or manual DNS configurations should be disabled for MDE-targeted devices

Key Features, Benefits & Considerations

  Features, Benefits                          | Considerations
  --------------------------------------------|-----------------------------------------------------------------------
  Seamless rollout with active MDE deployment | Requires Windows devices with active MDE coverage
  Self-Serve deployment                       | Less granular per-user policy control (no user groups)
  Works regardless of network location        | Not available for macOS or non-Windows devices
  No EnforceDNS Agent installation needed     | Split-horizon, Safe Search and Local DNS Resolution features unavailable


Integration Architecture

  1. Data Collection by MDE: Once the integration is installed, MDE begins collecting data from your machines, including Device Network Events and Device Events from the Microsoft Security Center.

  2. Data Streaming to EnforceDNS: The collected data is streamed via the Streaming API to an Event Hub. EnforceDNS retrieves it from there and examines the DNS queries to produce security verdicts.

  3. Verdict Enforcement: EnforceDNS’s verdicts, whether based on Categories, Rules, Lists or the Decision Engine, are passed to MDE for enforcement (if Blocking is enabled), so that domains EnforceDNS identifies as unsafe are blocked.

  4. Enabling Blocking (Optional): The final step is enabling the Blocking feature. It is optional; when enabled, MDE acts as the enforcement mechanism and blocks traffic to all domains EnforceDNS deems unsafe.
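The following Python is an added illustration of the four steps above; it is not EnforceDNS’s or Microsoft’s code. It builds a constructed Streaming API message (the "records" array with a "category" and "properties" per row is the shape the Microsoft 365 Defender Streaming API documents for Event Hub output; the values are invented), pulls the DNS query out of DeviceNetworkEvents rows, applies a constructed block list in place of EnforceDNS’s non-public Decision Engine, and, only when Blocking is enabled, produces a custom indicator shaped like the public Defender for Endpoint Indicators API request body that the Ti.* permissions gate. The field names and the DnsConnectionInspected/AdditionalFields layout are assumptions drawn from Microsoft’s public documentation, not from EnforceDNS.

```python
# Added example (not EnforceDNS's or Microsoft's code): walks the four
# architecture steps above on a constructed Event Hub message.
import json
from datetime import datetime, timedelta, timezone

# Constructed sample. The Streaming API writes a JSON object whose "records"
# array carries one Advanced Hunting row per entry: the table in "category",
# the columns in "properties" (shape assumed from public docs; values invented).
SAMPLE_EVENT_HUB_MESSAGE = json.dumps({
    "records": [
        {   # A DNS lookup as MDE records it; the query sits in
            # AdditionalFields, which is itself a JSON string.
            "time": "2025-06-09T15:55:09Z",
            "category": "AdvancedHunting-DeviceNetworkEvents",
            "properties": {
                "DeviceName": "laptop-01.example.internal",
                "ActionType": "DnsConnectionInspected",
                "RemoteIP": "10.0.0.53", "RemotePort": 53,
                "InitiatingProcessFileName": "chrome.exe",
                "AdditionalFields": json.dumps(
                    {"direction": "Out", "query": "login.example-phish.test", "qtype": 1}),
            },
        },
        {   # An ordinary outbound connection; the hostname is in RemoteUrl.
            "time": "2025-06-09T15:55:10Z",
            "category": "AdvancedHunting-DeviceNetworkEvents",
            "properties": {
                "DeviceName": "laptop-01.example.internal",
                "ActionType": "ConnectionSuccess",
                "RemoteIP": "203.0.113.10", "RemotePort": 443,
                "RemoteUrl": "update.example.com",
            },
        },
        {   # DeviceEvents rows are exported too but carry no DNS query.
            "time": "2025-06-09T15:55:11Z",
            "category": "AdvancedHunting-DeviceEvents",
            "properties": {"DeviceName": "laptop-01.example.internal",
                           "ActionType": "PowerShellCommand"},
        },
    ]
})

# Stand-in for EnforceDNS's Categories/Rules/Lists/Decision Engine (not
# public): a constructed block list.
CONSTRUCTED_BLOCKLIST = {"login.example-phish.test"}


def extract_dns_queries(message):
    """Steps 1-2: pull (device, domain) pairs out of DeviceNetworkEvents rows."""
    hits = []
    for rec in json.loads(message).get("records", []):
        if rec.get("category") != "AdvancedHunting-DeviceNetworkEvents":
            continue
        props = rec.get("properties", {})
        domain = None
        if props.get("ActionType") == "DnsConnectionInspected":
            try:
                domain = json.loads(props.get("AdditionalFields") or "{}").get("query")
            except json.JSONDecodeError:
                domain = None          # malformed row: skip rather than crash
        elif props.get("RemoteUrl"):
            domain = props["RemoteUrl"]
        if domain:
            hits.append((props.get("DeviceName", "unknown"), domain.rstrip(".").lower()))
    return hits


def verdict(domain, blocklist=CONSTRUCTED_BLOCKLIST):
    """Step 2: 'block' if the domain or any parent domain is listed."""
    labels = domain.split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in blocklist:
            return "block"
    return "allow"


def build_block_indicator(domain, ttl_days=30):
    """Step 3: a Defender for Endpoint custom indicator. Field names follow
    the public Indicators API (gated by the Ti.* permissions); assumed, not
    taken from EnforceDNS."""
    expires = datetime.now(timezone.utc) + timedelta(days=ttl_days)
    return {
        "indicatorValue": domain,
        "indicatorType": "DomainName",
        "action": "Block",
        "title": f"Protective DNS verdict: {domain}",
        "description": "Domain judged unsafe by EnforceDNS (illustrative).",
        "severity": "High",
        "expirationTime": expires.strftime("%Y-%m-%dT%H:%M:%SZ"),
    }


def process(message, blocking_enabled):
    """Step 4: Inspection Mode only logs verdicts; Blocking Mode also emits
    one indicator per newly blocked domain."""
    log, indicators, pushed = [], [], set()
    for device, domain in extract_dns_queries(message):
        v = verdict(domain)
        log.append((device, domain, v))
        if v == "block" and blocking_enabled and domain not in pushed:
            pushed.add(domain)
            indicators.append(build_block_indicator(domain))
    return log, indicators


if __name__ == "__main__":
    for mode in (False, True):
        log, ind = process(SAMPLE_EVENT_HUB_MESSAGE, blocking_enabled=mode)
        print(f"blocking={mode}: {log} -> {len(ind)} indicator(s)")
```

Running it with `blocking_enabled=False` shows what Inspection Mode gives you: every verdict is recorded, nothing is pushed to MDE, which is why the page recommends reviewing those would-be blocks before switching modes. With `blocking_enabled=True` the same "block" verdict additionally yields one indicator per domain, with an expiry so stale verdicts age out of the tenant.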

MDE Deployment

Step 1 - Provision an Azure Event-Hub

  1. First, select the Region you’d like the Event-Hub to be hosted in.

    1. Options are available in both the US and Europe.

  2. Now, select a Partition Count. The default is 4, which is sufficient for most organizations. If you anticipate a large volume of DNS requests, you may increase this number to provide better performance.

  3. Finally, enter the MDE Admin’s email and select ‘Provision’.

  4. After clicking ‘Provision’, you receive one of two notifications letting you know whether the deployment succeeded or failed.

    1. If provisioning failed and errors persist, please contact HYAS Customer Support.

Step 2 - Update Microsoft Security Center

Now that you’ve created an Event-Hub, you must update your Microsoft Security Center to push data to that hub. This will be accomplished through the following steps:

  1. Log into Security Center and navigate to ‘Settings’, ‘Microsoft Defender XDR’ and then ‘Streaming API’.

  2. Click ‘Add’.

  3. Name your Streaming API.

  4. Enable ‘Forward events to Event Hub’.

  5. Enter the ‘Event-Hub Resource ID’ and ‘Event-Hub name’.

    1. The ‘Event-Hub Resource ID’ and ‘Event-Hub name’ can be found under ‘STEP 2’ of the MDE self-service page in EnforceDNS, as ‘Resource ID’ and ‘Event-Hub Name’ respectively.

  6. Under ‘Event Types’, expand the ‘Devices’ section and select ‘DeviceNetworkEvents’ and ‘DeviceEvents’.

  7. Click ‘Submit’. Defender for Endpoint will now save these incoming events in the Event-Hub.

Step 3 - Blocking Mode (OPTIONAL)

By default, the initial configuration of the MDE integration is set to Inspection Mode, meaning that MDE will NOT enforce the blocks recommended by EnforceDNS. Confirm with your HYAS SE or CX team member before enabling Blocking (also called Protection Mode). We HIGHLY recommend remaining in Inspection (non-blocking) mode until you have had a chance to review, in the UI, the blocks that would have been made. This greatly reduces the chance of a false positive (although rare) negatively affecting your organization.

If you wish to proceed with enabling Blocking Mode, you must first complete the following configuration in your Azure Portal:

  1. Navigate to the Azure Portal and search for ‘Microsoft Entra ID’ in the search bar at the top of the page.

  2. Once in the ‘Microsoft Entra ID’ section, expand the ‘Manage’ menu and select ‘App registrations’.

  3. Click the ‘New registration’ button at the top of the page.

  4. Name the application.

  5. Select ‘Accounts in this organizational directory only (Your Tenant)’.

  6. Click ‘Register’.

  7. Now that you’re in the Application you just created, expand the ‘Manage’ menu and select ‘Certificates & secrets’.

  8. Click the ‘New client secret’ button.

  9. Specify the description and expiration (recommended setting: 1 year).

  10. Click ‘Add’.

  11. Copy the ‘Secret value’ to the side; this value will be entered into the EnforceDNS UI in a moment.

  12. Select ‘API permissions’ from the left navigation pane.

  13. Click ‘Add a permission’.

  14. Select ‘APIs my organization uses’.

  15. Filter for ‘WindowsDefenderATP’.

  16. Select ‘Application permissions’.

    1. Then expand ‘Ti’.

  17. Select the required permissions:

    1. Ti.Read.All

    2. Ti.ReadWrite.All

    3. Ti.ReadWrite

  18. Click ‘Add permissions’ to apply these permissions to your application.

  19. Head back to the Overview page to copy the ‘Application (client) ID’ and ‘Directory (tenant) ID’.

  20. Navigate to the EnforceDNS UI and toggle ON ‘Blocking Enabled’ from the MDE self-service page.

  21. Next, enter the ‘Secret Value’, ‘Application (client) ID’ and ‘Directory (tenant) ID’ and click ‘Verify Access’.

  22. Once the verification is completed, you’ll receive a notification at the top of your screen indicating whether the verification was successful or encountered an error.

  23. If successful, click ‘Save’.

    1. Give the system 5-10 minutes and blocking based on EnforceDNS’s recommendations will be enabled.

Enable the Integration

  1. Finally, to enable the integration once everything has been configured properly, toggle the MDE integration to ‘Enabled’.

  2. Make sure the ‘Allow HYAS to host the Azure Event-Hub (RECOMMENDED Default)’ box is checked.

    1. This will initiate the provisioning of a HYAS-managed Event-Hub, enabling troubleshooting and other support activities in case any issues arise.

    2. If you wish to host your own Event-Hub instead, uncheck this box and enter the information as listed above.

Agent Deployment Checklist & Verification

  • Microsoft Defender for Endpoint is installed and healthy on all target Windows devices
  • MDE is configured to forward logs to Azure Event Hub
  • "Device Network Events" (and optionally "Device Events") are selected for export
  • EnforceDNS MDE integration is enabled in the HYAS portal
  • DNS traffic from MDE-covered devices is visible in HYAS Log View
  • Malicious or test domains are successfully blocked by HYAS policy
  • Devices are not simultaneously using another DNS method (e.g., EnforceDNS Agent or Resolver) for the same coverage
  • Event Hub is successfully forwarding logs to EnforceDNS (if applicable for your deployment)


Configuring Policies

Now that you’ve successfully deployed EnforceDNS, your environment is already safeguarded against malicious domains—including phishing sites, malware delivery networks, and command-and-control (C2) infrastructure (among others). These threats are blocked by default using HYAS’s infrastructure intelligence and real-time decision engine.

If you'd like to customize your protection further, you can configure additional policies—such as blocking unwanted content categories, managing allow/block lists, or tailoring behavior by source network or user group. [Learn how to configure policies →]