Microsoft Defender for Endpoint now protects unmanaged BYO devices

Microsoft's new security feature uses managed devices to discover unmanaged devices and secure them.

Microsoft's latest preview for its advanced security product, Microsoft Defender for Endpoint, now discovers and helps secure unmanaged devices running Windows, Linux, macOS, iOS and Android, as well as network devices.

The public preview of the new capability aims to address the rise in hybrid work since the pandemic, where people use their own computers and devices at home and then bring them into the office and plug them into the corporate network.

"The riskiest threat is the one you don't know about. Unmanaged devices are literally one of your weakest links," says David Weston, Microsoft's director of enterprise and OS security.

"Smart attackers go there first. With work-from-home, the threat has grown exponentially, making discovering and applying security controls to these devices mission critical."

Microsoft Defender for Endpoint is different from Microsoft Defender antivirus, which is built into every Windows 10 device. It is a cloud-hosted service, running in Azure, that gives enterprise security teams incident response and investigation tools across their fleet. It was formerly known as Microsoft Defender Advanced Threat Protection.

The new capabilities should make it easier to discover and secure unmanaged PCs, mobile devices, servers, and network devices on a business network.

It's meant to help IT teams identify devices that need operating system or application patches, and to bring BYO devices and network equipment, including routers, firewalls and WLAN controllers, under the same visibility.

"Once network devices are discovered, security administrators will receive the latest security recommendations and vulnerabilities on them," Microsoft says.

"Discovered endpoints (such as workstations, servers, and mobile devices) can be onboarded to Microsoft Defender for Endpoint, allowing all its deep protection capabilities."

IT security teams can test out the public preview for unmanaged devices by turning on preview features for Microsoft Defender for Endpoint.

Discovery comes in two modes, Standard and Basic; for the public preview, all customers start on Basic. Basic discovery uses "unicast or broadcast network events captured by the onboarded devices to discover unmanaged endpoints," Microsoft explains in a blog post.

"Basic discovery uses the SenseNDR.exe binary for passive network data collection and no network traffic will be initiated."

On May 10, Microsoft plans to automatically switch all tenants from Basic to its recommended Standard discovery, an active method in which onboarded (managed) devices probe the network for unmanaged devices. It then queries interfaces exposed by the discovered devices to collect the threat, vulnerability and metadata used for device fingerprinting.

Microsoft says it has built in privacy controls to prevent the feature from discovering private devices used at home, such as smart devices, TVs and gaming consoles.

"There is built-in logic to prevent this, and a level of control to define what networks this discovery process runs against. The logic was designed to differentiate between corporate networks and non-corporate networks, to avoid discovery of private or public devices not controlled by the organization. Strict conditions are in place to ensure such devices won't be discovered and presented in the portal," Microsoft explains.
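To make the two ideas above concrete, the passive Basic mode (onboarded devices report the unicast and broadcast events they see, and those are merged into an inventory) and the corporate-versus-non-corporate network gate can be modelled as a small pipeline. The Python below is an added example written for this page; it is not Microsoft's code and does not describe what SenseNDR.exe actually does. The sensor names, MAC addresses, captured events and the rule "a network is corporate if it is allowlisted or at least two onboarded devices report from it" are constructed assumptions for illustration.

```python
"""Added example: toy model of passive unmanaged-device discovery with a
corporate-network gate. Not Microsoft's code; all data is constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set, Tuple

# One captured network event, as reported by an onboarded (managed) sensor:
# (sensor_id, network_id, protocol, source_mac, source_ip, detail).
Event = Tuple[str, str, str, str, str, str]

# Constructed sample events. WS-001 and WS-002 sit on the office subnet;
# WS-003 is a laptop on its owner's home network.
CAPTURED_EVENTS: List[Event] = [
    ("WS-001", "corp-10.1.0.0/16", "ARP", "aa:bb:cc:00:00:01", "10.1.4.20", "who-has 10.1.4.1"),
    ("WS-001", "corp-10.1.0.0/16", "DHCP", "aa:bb:cc:00:00:02", "0.0.0.0", "DISCOVER hostname=printer-3f"),
    ("WS-002", "corp-10.1.0.0/16", "mDNS", "aa:bb:cc:00:00:02", "10.1.4.31", "PTR _ipp._tcp.local printer-3f.local"),
    ("WS-002", "corp-10.1.0.0/16", "ARP", "aa:bb:cc:00:00:04", "10.1.4.40", "reply 10.1.4.40 is-at aa:bb:cc:00:00:04"),
    ("WS-003", "home-192.168.1.0/24", "mDNS", "de:ad:be:ef:00:01", "192.168.1.50", "PTR _googlecast._tcp.local livingroom-tv.local"),
    ("WS-003", "home-192.168.1.0/24", "ARP", "de:ad:be:ef:00:02", "192.168.1.51", "who-has 192.168.1.1"),
]

# MAC addresses of devices that are already onboarded (constructed).
MANAGED_MACS: Set[str] = {"aa:bb:cc:00:00:04"}


@dataclass
class DeviceRecord:
    mac: str
    managed: bool
    ips: Set[str] = field(default_factory=set)
    protocols: Set[str] = field(default_factory=set)
    seen_by: Set[str] = field(default_factory=set)    # sensors that observed it
    hostnames: Set[str] = field(default_factory=set)  # fingerprinting hints


def classify_networks(events: Iterable[Event], allowlist: Set[str], min_sensors: int = 2) -> Set[str]:
    """Assumed rule (not Microsoft's documented logic): a network is corporate
    if it is explicitly allowlisted or at least `min_sensors` distinct onboarded
    devices have reported events from it. A single laptop at home never meets
    the threshold, so the TV and console on that network are never inventoried."""
    sensors_per_net: Dict[str, Set[str]] = defaultdict(set)
    for sensor, network, *_rest in events:
        sensors_per_net[network].add(sensor)
    return {net for net, sensors in sensors_per_net.items()
            if net in allowlist or len(sensors) >= min_sensors}


def hostname_hint(protocol: str, detail: str) -> Optional[str]:
    """Pull a hostname out of the protocols that carry one (DHCP option 12,
    mDNS .local names); ARP carries none."""
    if protocol == "DHCP" and "hostname=" in detail:
        return detail.split("hostname=", 1)[1].split()[0]
    if protocol == "mDNS":
        for token in detail.split():
            if token.endswith(".local") and not token.startswith("_"):
                return token[: -len(".local")]
    return None


def discover(events: Iterable[Event], managed_macs: Set[str], corporate_networks: Set[str]) -> Dict[str, DeviceRecord]:
    """Merge passively captured events into a per-MAC inventory, dropping
    anything not seen on a corporate network (the privacy gate)."""
    inventory: Dict[str, DeviceRecord] = {}
    for sensor, network, protocol, mac, ip, detail in events:
        if network not in corporate_networks:
            continue
        record = inventory.setdefault(mac, DeviceRecord(mac=mac, managed=mac in managed_macs))
        if ip != "0.0.0.0":  # a DHCP DISCOVER has no address yet
            record.ips.add(ip)
        record.protocols.add(protocol)
        record.seen_by.add(sensor)
        hint = hostname_hint(protocol, detail)
        if hint:
            record.hostnames.add(hint)
    return inventory


def unmanaged_devices(inventory: Dict[str, DeviceRecord]) -> List[DeviceRecord]:
    """The candidates a security team would be asked to onboard or triage."""
    return sorted((r for r in inventory.values() if not r.managed), key=lambda r: r.mac)


if __name__ == "__main__":
    corporate = classify_networks(CAPTURED_EVENTS, allowlist=set())
    inventory = discover(CAPTURED_EVENTS, MANAGED_MACS, corporate)
    for device in unmanaged_devices(inventory):
        print(f"{device.mac}  ips={sorted(device.ips)}  names={sorted(device.hostnames)}  "
              f"via={sorted(device.protocols)}  seen_by={sorted(device.seen_by)}")
```

Running it lists the two unmanaged devices on the office subnet (the printer is reported once by each sensor and merged into one record) and nothing from the home network, because a network that only one sensor reports from never passes the gate. A real deployment would not key purely on the source MAC: phones and laptops increasingly randomise their Wi-Fi MAC per network, which is one reason Microsoft's Standard mode also queries the discovered devices for fingerprinting metadata rather than relying on passive observation alone.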