Uredi

Deli z drugimi prek


Onboarding using Microsoft Intune

Applies to:

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

This article acts as an example onboarding method.

In the Planning article, there were several methods provided to onboard devices to the service. This article covers the cloud-native architecture.

The cloud-native architecture Diagram of environment architectures

While Defender for Endpoint supports onboarding of various endpoints and tools, this article doesn't cover them. For information on general onboarding using other supported deployment tools and methods, see Onboarding overview.

The Microsoft Intune family of products is a solution platform that unifies several services. It includes Microsoft Intune and Microsoft Configuration Manager.

This article guides users in:

  • Step 1: Onboarding devices to the service by creating a group in Microsoft Intune to assign configurations on
  • Step 2: Configuring Defender for Endpoint capabilities using Microsoft Intune

This onboarding guidance walks you through the following basic steps that you need to take when using Microsoft Intune:

Resources

Here are the links you need for the rest of the process:

For more information about Microsoft Intune, go to Microsoft Intune securely manages identities, manages apps, and manages devices.

Step 1: Onboard devices by creating a group in Intune to assign configurations on

Identify target devices or users

In this section, we create a test group to assign your configurations on.

Note

Intune uses Microsoft Entra groups to manage devices and users. As an Intune admin, you can set up groups to suit your organizational needs.

For more information, see Add groups to organize users and devices.

Create a group

  1. Open the Microsoft Intune admin center.

  2. Open Groups > New Group.

  3. Enter details and create a new group.

  4. Add your test user or device.

  5. From the Groups > All groups pane, open your new group.

  6. Select Members > Add members.

  7. Find your test user or device and select it.

  8. Your testing group now has a member to test.

Step 2: Create configuration policies to configure Microsoft Defender for Endpoint capabilities

In the following section, you create several configuration policies.

First is a configuration policy to select which groups of users or devices are onboarded to Defender for Endpoint:

Then, you continue by creating several different types of endpoint security policies:

Endpoint detection and response

  1. Open the Intune admin center.

  2. Navigate to Endpoint security > Endpoint detection and response. Select on Create Policy.

  3. Under Platform, select Windows 10, Windows 11, and Windows Server, Profile - Endpoint detection and response > Create.

  4. Enter a name and description, then select Next.

  5. Select settings as required, then select Next.

    Note

    In this instance, this has been auto populated as Defender for Endpoint has already been integrated with Intune. For more information on the integration, see Enable Microsoft Defender for Endpoint in Intune.

    The following image is an example of what you'll see when Microsoft Defender for Endpoint is NOT integrated with Intune:

    The Microsoft Intune admin center7

  6. Add scope tags if necessary, then select Next.

  7. Add test group by clicking on Select groups to include and choose your group, then select Next.

  8. Review and accept, then select Create.

  9. You can view your completed policy.

Next-generation protection

  1. Open the Intune admin center.

  2. Navigate to Endpoint security > Antivirus > Create Policy.

  3. Select Platform - Windows 10 and Later - Windows and Profile - Microsoft Defender Antivirus > Create.

  4. Enter name and description, then select Next.

  5. In the Configuration settings page: Set the configurations you require for Microsoft Defender Antivirus (Cloud Protection, Exclusions, Real-Time Protection, and Remediation).

  6. Add scope tags if necessary, then select Next.

  7. Select groups to include, assign to your test group, then select Next.

  8. Review and create, then select Create.

  9. You see the configuration policy you created.

Attack Surface Reduction - Attack surface reduction rules

  1. Open the Intune admin center.

  2. Navigate to Endpoint security > Attack surface reduction.

  3. Select Create Policy.

  4. Select Platform - Windows 10 and Later - Profile - Attack surface reduction rules > Create.

  5. Enter a name and description, then select Next.

  6. In the Configuration settings page: Set the configurations you require for Attack surface reduction rules, then select Next.

    Note

    We will be configuring all of the Attack surface reduction rules to Audit.

    For more information, see Attack surface reduction rules.

  7. Add Scope Tags as required, then select Next.

  8. Select groups to include and assign to test group, then select Next.

  9. Review the details, then select Create.

  10. View the policy.

Attack Surface Reduction - Web Protection

  1. Open the Intune admin center.

  2. Navigate to Endpoint security > Attack surface reduction.

  3. Select Create Policy.

  4. Select Windows 10 and Later - Web protection > Create.

  5. Enter a name and description, then select Next.

  6. In the Configuration settings page: Set the configurations you require for Web Protection, then select Next.

    Note

    We are configuring Web Protection to Block.

    For more information, see Web Protection.

  7. Add Scope Tags as required > Next.

  8. Select Assign to test group > Next.

  9. Select Review and Create > Create.

  10. View the policy.

Validate configuration settings

Confirm policies have been applied

Once the Configuration policy has been assigned, it takes some time to apply.

For information on timing, see Intune configuration information.

To confirm that the configuration policy is applied to your test device, follow the following process for each configuration policy.

  1. Open the Intune admin center and navigate to the relevant policy as shown in the preceding section. The following example shows the next generation protection settings.

    Image of Microsoft Intune admin center33.

  2. Select the Configuration Policy to view the policy status.

    Image of Microsoft Intune admin center34.

  3. Select Device Status to see the status.

    Image of Microsoft Intune admin center35.

  4. Select User Status to see the status.

    Image of Microsoft Intune admin center36.

  5. Select Per-setting status to see the status.

    Tip

    This view is very useful to identify any settings that conflict with another policy.

    Image of Microsoft Intune admin center37.

Confirm endpoint detection and response

  1. Before applying the configuration, the Defender for Endpoint Protection service shouldn't be started.

    Image of Services panel1.

  2. After the configuration is applied, the Defender for Endpoint Protection service should be started.

    Image of Services panel2.

  3. After the services are running on the device, the device appears in Microsoft Defender portal.

    Image of Microsoft Defender portal.

Confirm next-generation protection

  1. Before applying the policy on a test device, you should be able to manually manage the settings as shown in the following image:

  2. After the policy is applied, you shouldn't be able to manually manage the settings.

    Note

    In the following image Turn on cloud-delivered protection and Turn on real-time protection are being shown as managed.

Confirm Attack Surface Reduction - Attack surface reduction rules

  1. Before applying the policy on a test device, open a PowerShell Window and type Get-MpPreference.

  2. You should see the following lines with no content:

    AttackSurfaceReductionOnlyExclusions:

    AttackSurfaceReductionRules_Actions:

    AttackSurfaceReductionRules_Ids:

    The command line-1

  3. After applying the policy on a test device, open a PowerShell Windows and type Get-MpPreference.

  4. You should see the following lines with content, as shown in the following image:

    The command line-2

Confirm Attack Surface Reduction - Web Protection

  1. On the test device, open a PowerShell Windows and type (Get-MpPreference).EnableNetworkProtection.

  2. This should respond with a 0 as shown in the following image:

    The command line-3

  3. After applying the policy, open a PowerShell Windows and type (Get-MpPreference).EnableNetworkProtection.

  4. You should see a response with a 1 as shown in the following image:

    The command line-4

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.