Agent Checks

What Defendo Checks

The Defendo agent runs 16 automated security checks on every managed device, reporting results back to your dashboard in real time.

16 checks, 4 severity levels, Windows support, real-time results.
Password Security (4 checks)
Password Minimum Length

Short passwords are easy to guess. This check makes sure your business requires employees to create passwords long enough to be hard to crack — protecting every account from attackers trying common password combinations.

Password Age

Old passwords are a silent risk — they may have been leaked without anyone knowing. This check ensures employees change their passwords regularly, limiting the damage if a password is ever stolen or exposed in a data breach.

Strong Password Policy

Weak password rules leave the front door wide open. This check verifies that your business requires truly strong passwords — mixing letters, numbers and symbols — and prevents employees from reusing old ones or never changing them.

Password Manager Installed

Most people reuse the same password across multiple sites — which means one breach compromises everything. A password manager lets employees use a unique, strong password for every account without having to remember them all.
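The three policy checks above all read the same local account policy. The following script is an added example and not Defendo's agent code: it parses the output of `net accounts`, pulls the complexity flag from a `secedit` export (which `net accounts` does not show), and compares the result against thresholds that are assumptions (12 characters, 90 days, history of 5). Run it in an elevated PowerShell on Windows.

```powershell
# Added example (not Defendo's code): audit the local password policy.
# Thresholds below are assumed values; adjust them to your own policy.
$Thresholds = @{ MinLength = 12; MaxAgeDays = 90; HistoryCount = 5 }

function Get-LocalPasswordPolicy {
    # 'net accounts' prints "Setting name:   value" lines; parse them into a hashtable.
    $policy = @{}
    foreach ($line in (net accounts)) {
        if ($line -match '^(.*?):\s+(.*)$') { $policy[$Matches[1].Trim()] = $Matches[2].Trim() }
    }

    # Complexity is only visible in the exported security policy (requires elevation).
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
    $m = Select-String -Path $cfg -Pattern '^PasswordComplexity\s*=\s*(\d)' -ErrorAction SilentlyContinue
    $complexity = if ($m) { $m.Matches[0].Groups[1].Value } else { $null }
    Remove-Item $cfg -ErrorAction SilentlyContinue

    [pscustomobject]@{
        MinLength    = [int]$policy['Minimum password length']
        MaxAgeDays   = $policy['Maximum password age (days)']            # number or 'Unlimited'
        HistoryCount = $policy['Length of password history maintained']  # number or 'None'
        Complexity   = ($complexity -eq '1')
    }
}

function Test-PasswordPolicy {
    $p = Get-LocalPasswordPolicy
    $findings = @()
    if ($p.MinLength -lt $Thresholds.MinLength) {
        $findings += "Minimum length is $($p.MinLength), expected at least $($Thresholds.MinLength)"
    }
    if ($p.MaxAgeDays -eq 'Unlimited' -or [int]$p.MaxAgeDays -gt $Thresholds.MaxAgeDays) {
        $findings += "Maximum age is $($p.MaxAgeDays), expected at most $($Thresholds.MaxAgeDays) days"
    }
    if ($p.HistoryCount -eq 'None' -or [int]$p.HistoryCount -lt $Thresholds.HistoryCount) {
        $findings += "Password history is $($p.HistoryCount), expected at least $($Thresholds.HistoryCount)"
    }
    if (-not $p.Complexity) { $findings += 'Password complexity is not enforced' }

    if ($findings) { $findings | ForEach-Object { "FAIL: $_" } } else { 'PASS: password policy meets thresholds' }
}

Test-PasswordPolicy
```

On a domain-joined machine the effective policy normally comes from the domain; `net accounts /domain` shows that side, while the `secedit` export reflects the local machine's settings.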

Access Control (2 checks)
Admin Accounts List

Not everyone needs the keys to the whole building. This check identifies how many people have full admin access to each device — the fewer, the better. Too many admin accounts make it much easier for attackers to cause serious damage if one account is compromised.

Logged-In User in Administrators

When someone clicks a malicious link, the damage is far worse if they're logged in as an administrator. This check flags employees doing their everyday work with admin-level access — a simple habit change that dramatically limits what an attacker can do.
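Both access-control checks come down to one question: who is in the local Administrators group, and is the person currently logged in one of them? The script below is an added example, not Defendo's code. It resolves the group by its well-known SID (S-1-5-32-544) so it works on localised Windows installs, and it checks the user's group SIDs directly rather than only `IsInRole`, because a UAC-filtered (non-elevated) token for an admin user reports `IsInRole` as false even though the account is an administrator.

```powershell
# Added example (not Defendo's code): report local admin count and whether the
# current user is an administrator. Read-only; works from a non-elevated shell.
function Get-LocalAdminReport {
    # Members of the built-in Administrators group, resolved by SID rather than name.
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue |
        Select-Object Name, ObjectClass, PrincipalSource

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # IsInRole is true only for an elevated token. The group SID is still present in the
    # filtered token (marked deny-only), so membership by SID catches everyday admin use.
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    $inGroup   = ($identity.Groups | ForEach-Object Value) -contains 'S-1-5-32-544'

    [pscustomobject]@{
        AdminCount               = @($members).Count
        Admins                   = @($members | ForEach-Object Name)
        CurrentUser              = $identity.Name
        CurrentUserIsAdmin       = $inGroup      # the finding the check is about
        CurrentSessionIsElevated = $elevated
    }
}

function Test-AccessControl {
    param([int]$MaxAdmins = 2)   # assumed threshold; tune for your environment
    $report = Get-LocalAdminReport
    if ($report.AdminCount -gt $MaxAdmins) {
        "WARN: $($report.AdminCount) members in Administrators: $($report.Admins -join ', ')"
    }
    if ($report.CurrentUserIsAdmin) {
        "WARN: $($report.CurrentUser) does everyday work with an administrator account"
    }
    $report
}

Test-AccessControl
```

`Get-LocalGroupMember` can fail on orphaned domain SIDs; the `-ErrorAction SilentlyContinue` keeps the report running, at the cost of possibly undercounting, which is why the raw member list is returned alongside the count.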

System Security (5 checks)
Windows Update Enabled

Most ransomware attacks exploit known security holes that Microsoft has already fixed. This check ensures every device automatically downloads and installs those fixes — closing the gaps before attackers can use them against you.

BitLocker Status

If a laptop is lost or stolen, encryption is the only thing standing between your data and a stranger. This check verifies every drive is fully encrypted — so a missing device never becomes a data breach.

VSS / Backup Snapshots

Ransomware works by destroying your files and demanding payment to get them back. Backups are your escape route. This check confirms that recent snapshots of your data exist so you can recover quickly — without paying a ransom.

Screen Lock Timeout

A computer left unlocked is an open invitation — anyone walking past can access emails, files, and systems. This check makes sure every device locks itself after a few minutes of inactivity and requires a password to get back in.

Antivirus Installed

Antivirus is your last line of defence against malware, ransomware, and viruses. This check confirms that protection is switched on and up to date on every device — because an antivirus that's out of date is almost as bad as having none at all.
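The five System Security checks can be reproduced with built-in cmdlets and documented registry keys. The script below is an added example, not Defendo's code; the thresholds for snapshot age, idle timeout and signature age are assumptions, and the antivirus part reads Microsoft Defender's status (third-party products are only listed by name). Run it in an elevated PowerShell on Windows; it changes nothing.

```powershell
# Added example (not Defendo's code): read-only posture check for the System Security items.
$MaxSnapshotAgeDays  = 7     # assumed: newest VSS snapshot should be no older than this
$MaxLockTimeoutSec   = 900   # assumed: screen must lock after at most 15 minutes idle
$MaxSignatureAgeDays = 3     # assumed: AV definitions older than this are stale

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is missing instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-SystemSecurity {
    $r = [ordered]@{}

    # Windows Update: service must not be disabled, and policy must not switch off auto-update.
    $wu     = Get-Service -Name wuauserv
    $noAuto = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' 'NoAutoUpdate'
    $r['Windows Update enabled'] = ($wu.StartType -ne 'Disabled') -and ($noAuto -ne 1)

    # BitLocker: every volume should be fully encrypted with protection switched on.
    try {
        $bad = Get-BitLockerVolume -ErrorAction Stop |
            Where-Object { $_.VolumeStatus -ne 'FullyEncrypted' -or $_.ProtectionStatus -ne 'On' }
        $r['BitLocker on all volumes'] = if ($bad) { "FAIL: $(@($bad.MountPoint) -join ', ')" } else { $true }
    } catch { $r['BitLocker on all volumes'] = 'BitLocker module unavailable on this edition' }

    # VSS: find the newest shadow copy and check its age.
    $latest = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue |
        Sort-Object InstallDate -Descending | Select-Object -First 1
    $r['Recent VSS snapshot'] = [bool]$latest -and
        (((Get-Date) - $latest.InstallDate).TotalDays -le $MaxSnapshotAgeDays)

    # Screen lock: either the machine-wide inactivity limit or a secure screen saver for this user.
    $inactivity = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'InactivityTimeoutSecs'
    $desktop    = 'HKCU:\Control Panel\Desktop'
    $ssActive   = Get-RegValue $desktop 'ScreenSaveActive'      # string '1' when on
    $ssSecure   = Get-RegValue $desktop 'ScreenSaverIsSecure'   # string '1' when password required
    $ssTimeout  = [int](Get-RegValue $desktop 'ScreenSaveTimeOut')
    $machineLock = ($inactivity -gt 0) -and ($inactivity -le $MaxLockTimeoutSec)
    $userLock    = ($ssActive -eq '1') -and ($ssSecure -eq '1') -and ($ssTimeout -gt 0) -and ($ssTimeout -le $MaxLockTimeoutSec)
    $r['Screen lock timeout'] = $machineLock -or $userLock

    # Antivirus: Defender status plus whatever else is registered with Security Center.
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        $r['Defender on and current'] = $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and
            ($mp.AntivirusSignatureAge -le $MaxSignatureAgeDays)
    } catch { $r['Defender on and current'] = 'Defender cmdlets unavailable' }
    $r['Registered AV products'] = @(Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct `
        -ErrorAction SilentlyContinue | ForEach-Object displayName) -join ', '

    [pscustomobject]$r
}

Test-SystemSecurity | Format-List
```

The screen-lock logic checks two places on purpose: `InactivityTimeoutSecs` is the machine-wide policy, while the `Control Panel\Desktop` values are per user, so a device can pass via either route and an agent that reads only one of them will report false failures.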

Network Security (1 check)
Guest Wi-Fi Subnet Separation

Your guest Wi-Fi is meant for visitors — not a back door into your business network. This check ensures the guest network is properly separated so that a visitor (or an attacker on your guest Wi-Fi) cannot access your internal systems, files, or printers.

Data Protection (2 checks)
Cloud Backup Active

Hard drives fail. Ransomware strikes. Laptops get stolen. A cloud backup means your files are safe even when disaster hits. This check confirms that your important data — documents, desktop files, pictures — is being automatically backed up offsite.

Plaintext Credentials

Passwords and secret keys saved in plain text files — like a Word document or a notes file — are a ticking time bomb. This check scans the device for any credentials stored this way, so they can be moved somewhere safe before an attacker finds them first.
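A credential scan of this kind is a file walk plus a small set of patterns. The script below is an added example, not Defendo's scanner: the scan roots, file extensions, size limit and regular expressions are all assumptions to tune for your environment, and the report deliberately shows only the file, line number and which rule fired, never the matched secret, so the findings themselves do not become another plaintext copy. Word documents are ZIP containers and are out of scope for this plain-text example.

```powershell
# Added example (not Defendo's code): find lines that look like stored credentials.
$ScanRoots  = @("$env:USERPROFILE\Desktop", "$env:USERPROFILE\Documents", "$env:USERPROFILE\Downloads")
$Extensions = '*.txt', '*.ini', '*.cfg', '*.conf', '*.config', '*.env', '*.json', '*.yml', '*.yaml',
              '*.ps1', '*.bat', '*.cmd', '*.csv', '*.xml'
$Patterns = @(
    '(?i)\b(password|passwd|pwd)\s*[=:]\s*\S{4,}',                        # password = ...
    '(?i)\b(api[_-]?key|secret[_-]?key|access[_-]?key|token)\s*[=:]\s*\S{8,}',
    '\bAKIA[0-9A-Z]{16}\b',                                               # AWS access key ID format
    '-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----'                # PEM private key
)

function Find-PlaintextCredentials {
    param(
        [string[]]$Roots = $ScanRoots,
        [int]$MaxSizeKB = 512          # skip large files (logs, exports) to keep the scan fast
    )
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -Path $root -Recurse -File -Include $Extensions -ErrorAction SilentlyContinue |
            Where-Object { $_.Length -le ($MaxSizeKB * 1KB) } |
            Select-String -Pattern $Patterns |
            ForEach-Object {
                [pscustomobject]@{
                    File    = $_.Path
                    Line    = $_.LineNumber
                    Rule    = $_.Pattern        # which expression matched, not the matched text
                }
            }
    }
}

$hits = @(Find-PlaintextCredentials)
if ($hits.Count -eq 0) {
    'PASS: no credential-like lines found'
} else {
    "FAIL: $($hits.Count) credential-like line(s) found"
    $hits | Sort-Object File, Line | Format-Table -AutoSize
}
```

Expect false positives from configuration templates that contain `password=` placeholders; reviewing the flagged file by hand is the right follow-up, and the path plus line number is enough to do that without the scanner ever echoing the value.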

Browser & Software (1 check)
Browser Versions Up To Date

Your browser is the window to the internet — and an outdated one can be hijacked just by visiting a website. This check makes sure Chrome, Firefox, Edge, and Brave are always running the latest version, which patches known security vulnerabilities automatically.

Threat Intelligence (1 check)
Email Compromised (HIBP)

Every week, millions of email addresses and passwords are stolen from websites and sold online. This check looks up the employee's email against a database of known breaches — if their credentials have been leaked, they need to know immediately and change their passwords before attackers use them.

System Hardening (10 checks)
Secure Boot Enabled

Secure Boot ensures that only trusted, manufacturer-approved software can start when your device powers on. If someone tampers with your device or installs a bootkit — malware that hides below the operating system — Secure Boot stops it from loading. This check confirms that this critical protection is in place.

TPM Security Chip

A Trusted Platform Module (TPM) is a dedicated security chip built into modern devices. It securely stores encryption keys and makes it nearly impossible to steal data from a powered-off laptop. A working TPM is required for BitLocker full-disk encryption and Windows Hello passwordless login. This check confirms yours is active.

Remote Desktop (RDP) Exposure

Remote Desktop lets someone control your computer over the internet — useful for IT support, but dangerous when left on unnecessarily. RDP on port 3389 is the number-one way ransomware groups break into businesses. This check flags when RDP is switched on so you can ensure it's protected by MFA or disabled when not in use.

LSA Credential Guard

Windows stores all login credentials — including network passwords — in a protected area called LSA memory. Without extra protection, an attacker who gains admin access can extract every single password stored on the device in seconds. This check verifies LSA is running in a hardened mode that blocks these credential-theft attacks.

Windows Script Scanning (AMSI)

Attackers increasingly deliver malware through scripts — PowerShell commands, macros, and web-based code — rather than traditional files, precisely because they are harder to detect. Windows Script Scanning (AMSI) lets your antivirus inspect those scripts the moment they run. This check detects if that capability has been deliberately disabled on any account.

SMBv1 Protocol Disabled

SMBv1 is a 30-year-old file-sharing protocol that Microsoft has long recommended disabling. It was the vulnerability exploited by EternalBlue — the tool behind WannaCry ransomware, which caused over $4 billion in global damages in 2017. It is still found enabled on countless business computers. This check confirms it is switched off on every device.

WinRM Secure Configuration

WinRM is the built-in Windows tool for remote scripting and IT management. If misconfigured, it can send passwords over the network in plain text or accept weak login methods — making it easy for an attacker on your network to silently take control of devices. This check ensures it is configured securely and is not exposing those insecure options.

PowerShell Logging Enabled

PowerShell is the most powerful tool on a Windows computer — and one of the most abused by attackers. Enabling comprehensive PowerShell logging records every command run on the device, creating a forensic trail that makes it possible to detect attacks in progress and reconstruct exactly what happened during a security incident. This check ensures all three logging layers are active.

Command Line Auditing Enabled

When a new program launches on your device, Windows logs it — but without this setting, the log only shows what program ran, not what instructions it was given. That's like having CCTV that shows someone entering a vault but not what they took. This check ensures the full command is always recorded, so investigations can determine exactly what malicious programs were told to do.

Computer Account Password Rotation

Every Windows computer on a network has its own machine password that automatically rotates every 30 days. Attackers can disable this rotation to extend the shelf-life of stolen credentials — letting them re-enter your network weeks or months after the initial breach without needing to re-compromise anything. This check confirms rotation is still enabled.
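Every System Hardening check above maps to a documented setting: a registry policy value, a cmdlet, or an audit subcategory. The script below is an added example, not Defendo's agent code; it audits all ten read-only in one pass. Registry paths and value names are the standard Windows ones; the pass/fail thresholds (for example, machine password age of at most 30 days) and the decision to treat RDP as acceptable only when Network Level Authentication is enforced are assumptions. Run it in an elevated 64-bit PowerShell on Windows.

```powershell
# Added example (not Defendo's code): read-only audit of the System Hardening settings.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is missing instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-Hardening {
    $r = [ordered]@{}

    # Secure Boot and TPM: firmware-rooted protections the later checks build on.
    try { $r['Secure Boot enabled'] = Confirm-SecureBootUEFI } catch { $r['Secure Boot enabled'] = 'not UEFI / unsupported' }
    $tpm = Get-Tpm
    $r['TPM present and ready'] = $tpm.TpmPresent -and $tpm.TpmReady

    # RDP: fDenyTSConnections=1 means Remote Desktop is off; if it is on, require NLA (assumed rule).
    $rdpOff = (Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections') -eq 1
    $nla    = (Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' 'UserAuthentication') -eq 1
    $r['RDP off, or NLA enforced'] = $rdpOff -or $nla

    # LSA protection: RunAsPPL=1 (UEFI-locked) or 2 runs lsass as a protected process.
    $r['LSA protection (RunAsPPL)'] = (Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RunAsPPL') -in 1, 2

    # AMSI: AmsiEnable=0 in a user's Windows Script settings disables script scanning for that user.
    if (-not (Test-Path 'HKU:\')) { New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null }
    $amsiOff = Get-ChildItem 'HKU:\' | Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
        Where-Object { (Get-RegValue "HKU:\$($_.PSChildName)\SOFTWARE\Microsoft\Windows Script\Settings" 'AmsiEnable') -eq 0 } |
        ForEach-Object PSChildName
    $r['AMSI enabled in all loaded user hives'] = if ($amsiOff) { "FAIL: $($amsiOff -join ', ')" } else { $true }

    # SMBv1: both the server-side switch and the optional feature should be off.
    $smb1Server  = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $smb1Feature = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue).State
    $r['SMBv1 disabled'] = (-not $smb1Server) -and ($smb1Feature -ne 'Enabled')

    # WinRM: unencrypted traffic and Basic authentication must both be off (values are 'true'/'false' strings).
    try {
        $unenc = (Get-Item WSMan:\localhost\Service\AllowUnencrypted -ErrorAction Stop).Value
        $basic = (Get-Item WSMan:\localhost\Service\Auth\Basic -ErrorAction Stop).Value
        $r['WinRM secure (no unencrypted, no Basic)'] = ($unenc -eq 'false') -and ($basic -eq 'false')
    } catch { $r['WinRM secure (no unencrypted, no Basic)'] = 'WinRM service not running (not exposed)' }

    # PowerShell logging: the three layers are module logging, script block logging and transcription.
    $ps = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $r['PowerShell logging (all 3 layers)'] =
        ((Get-RegValue "$ps\ModuleLogging"      'EnableModuleLogging')      -eq 1) -and
        ((Get-RegValue "$ps\ScriptBlockLogging" 'EnableScriptBlockLogging') -eq 1) -and
        ((Get-RegValue "$ps\Transcription"      'EnableTranscripting')      -eq 1)

    # Command line in event 4688: needs the policy flag AND the Process Creation audit subcategory.
    $cmdFlag = (Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' 'ProcessCreationIncludeCmdLine_Enabled') -eq 1
    $procAudit = (auditpol /get /subcategory:"Process Creation" /r | ConvertFrom-Csv).'Inclusion Setting' -match 'Success'
    $r['Command line auditing'] = $cmdFlag -and $procAudit

    # Machine account password rotation: DisablePasswordChange must not be 1; MaximumPasswordAge <= 30 days (assumed).
    $nl = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $maxAge = Get-RegValue $nl 'MaximumPasswordAge'
    $r['Computer account password rotation'] =
        ((Get-RegValue $nl 'DisablePasswordChange') -ne 1) -and (($null -eq $maxAge) -or ($maxAge -le 30))

    [pscustomobject]$r
}

Test-Hardening | Format-List
```

Two details matter for accuracy: the AMSI check only sees user hives that are currently loaded (logged-in users and service profiles), so run it while the users of interest have sessions; and command-line auditing needs both the registry flag and the audit subcategory, since either one alone leaves event 4688 without the command line.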

Active Threat Detection (4 checks)
Registry Persistence Artifacts

Sophisticated attackers plant hidden mechanisms in the Windows registry to ensure their malware survives reboots, reinstalls, and even security scans. This check hunts for three known techniques: a hidden startup loader (RunOnceEx) invisible to most tools, a DNS server backdoor used for privilege escalation, and a cryptographic library hijacking trick that silently loads malicious code whenever encryption is used.

Crash Reporting Integrity

When Windows crashes or a program fails, it captures a snapshot of what was happening — invaluable evidence during a security investigation. WannaCry and other sophisticated malware deliberately disable this capability before executing, so there's nothing left to analyse. If these settings have been silently turned off, it is a strong indicator of a past or active infection.

Post-Mortem Debugger Integrity

Windows maintains a small registry entry (AeDebug) that tells the system to create a detailed crash log whenever an application fails — an essential tool for security investigators. Some malware, including WannaCry, deletes this entry specifically to prevent those logs from being created. A missing entry can indicate a past or active compromise on the device.

Processes Without Binary on Disk

Every legitimate program on your computer has an executable file on disk. Some advanced malware deletes its own file the moment it launches — so it runs entirely in memory, leaving no file trace for antivirus to find. This technique is used by sophisticated attackers to stay hidden. This check detects any running process whose executable has vanished from disk, a powerful indicator of fileless malware.
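The four Active Threat Detection checks above are all read-only integrity tests: three registry locations and one process walk. The script below is an added example, not Defendo's code. The AeDebug, Windows Error Reporting and RunOnceEx keys are the documented ones; `ServerLevelPluginDll` under the DNS service parameters is assumed to be the "DNS server backdoor" the text refers to, and the page's third persistence technique (the cryptographic library hijack) is not reproduced here because the page does not name its location. Run it in an elevated 64-bit PowerShell on Windows; a 32-bit shell cannot read the image path of 64-bit processes and would misreport them.

```powershell
# Added example (not Defendo's code): forensic-integrity and fileless-process checks.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is missing instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-ProcessesWithoutBinary {
    # Path is $null when the caller cannot open the process (protected or system processes);
    # those are counted separately so a permissions problem is not reported as a deleted binary.
    $procs   = Get-Process
    $missing = $procs | Where-Object { $_.Path -and -not (Test-Path -LiteralPath $_.Path) }
    [pscustomobject]@{
        MissingBinary  = @($missing | Select-Object Id, ProcessName, Path)
        UnreadablePath = @($procs | Where-Object { -not $_.Path }).Count
    }
}

function Test-ForensicIntegrity {
    $r = [ordered]@{}

    # AeDebug: without a Debugger value no post-mortem crash dump is produced.
    $ae = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug'
    $r['AeDebug Debugger present'] = $null -ne (Get-RegValue $ae 'Debugger')

    # Windows Error Reporting: Disabled=1 in either the local or the policy key turns crash capture off.
    $werLocal  = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting' 'Disabled'
    $werPolicy = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting' 'Disabled'
    $r['Crash reporting enabled'] = ($werLocal -ne 1) -and ($werPolicy -ne 1)

    # RunOnceEx: any populated subkey is a pending startup action that should be explained.
    $roe = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx'
    $entries = if (Test-Path $roe) { @(Get-ChildItem $roe | ForEach-Object PSChildName) } else { @() }
    $r['RunOnceEx entries'] = if ($entries.Count) { "REVIEW: $($entries -join ', ')" } else { 'none' }

    # DNS server plug-in DLL (assumed mapping): should be absent on anything that is not a DNS server.
    $plugin = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters' 'ServerLevelPluginDll'
    $r['DNS ServerLevelPluginDll'] = if ($plugin) { "REVIEW: $plugin" } else { 'absent' }

    # Fileless indicator: a running process whose executable no longer exists on disk.
    $procReport = Get-ProcessesWithoutBinary
    $r['Processes without binary on disk'] = if ($procReport.MissingBinary.Count) {
        "ALERT: " + (($procReport.MissingBinary | ForEach-Object { "$($_.ProcessName) (PID $($_.Id)) -> $($_.Path)" }) -join '; ')
    } else { 'none' }
    $r['Processes with unreadable path'] = $procReport.UnreadablePath

    [pscustomobject]$r
}

Test-ForensicIntegrity | Format-List
```

A missing-binary hit can also be produced legitimately by an updater that replaced its own executable while the old copy is still running, so treat the result as a lead to triage (check the parent process, signer and start time) rather than as a verdict on its own.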

Ready to protect your business?

All 30 checks run automatically on every managed device, every time the Defendo agent reports in.
