Onboard devices in Microsoft Defender for Endpoint


When an organization enables support for Microsoft Defender for Endpoint in Intune, it establishes a service-to-service connection between Microsoft Intune and Microsoft Defender for Endpoint. The organization can then onboard to Microsoft Defender for Endpoint the devices it manages with Intune. Onboarding, in turn, enables the collection of data about device risk levels.

The prior unit examined how to enable Microsoft Defender for Endpoint and configure it for integration with Intune. This unit continues with this integration process. It examines the following steps to onboard devices and configure compliance and conditional access policies:

  • Onboard devices that run Android, iOS/iPadOS, and Windows 10/11.

  • Use compliance policies to set device risk levels.

  • Use Conditional Access policies to block devices that exceed your expected risk levels.

    Note

    Android and iOS/iPadOS devices use app protection policies that set device risk levels. App protection policies work with both enrolled and unenrolled devices.

The following sections outline these steps.

Onboard Windows devices

After an organization connects Intune and Microsoft Defender for Endpoint, Intune receives an onboarding configuration package from Microsoft Defender for Endpoint. The organization then uses a device configuration profile for Microsoft Defender for Endpoint to deploy the package to its Windows devices.

The configuration package configures devices to communicate with Microsoft Defender for Endpoint services to scan files and detect threats. The devices also report their risk levels to Microsoft Defender for Endpoint. The risk levels are based on the organization's compliance policies.

Note

After onboarding a device using the configuration package, you don't need to do it again.

Organizations can also onboard devices using:

  • Endpoint detection and response (EDR) policy. EDR policy is part of endpoint security in Intune, and the Microsoft Defender for Endpoint page in the Intune admin center includes a link that opens the EDR policy creation workflow directly. Organizations can use EDR policies to configure device security without the overhead of the larger body of settings found in device configuration profiles. EDR policy can also be used with tenant-attached devices, which organizations manage with Configuration Manager.

    When an organization configures an EDR policy after connecting Intune and Microsoft Defender for Endpoint, the policy setting Microsoft Defender for Endpoint client configuration package type has a new configuration option: Auto from connector. With this option, Intune automatically gets the onboarding package (blob) from your Defender for Endpoint deployment, replacing the need to manually configure an Onboard package.

  • Device configuration policy. When creating a device configuration policy to onboard Windows devices, select the Microsoft Defender for Endpoint template. When you connected Intune to Defender, Intune received an onboarding configuration package from Defender. This package is used by the template to configure devices to communicate with Microsoft Defender for Endpoint services and to scan files and detect threats. The onboarded devices also report their risk level to Microsoft Defender for Endpoint based on your compliance policies. After onboarding a device using the configuration package, you don't need to do it again.

  • Group policy or Microsoft Endpoint Configuration Manager. For more details on the Microsoft Defender for Endpoint settings, see Onboard Windows machines using Microsoft Configuration Manager.

Tip

You can create policy conflicts for devices when you use multiple policies or policy types like device configuration policy and endpoint detection and response policy to manage the same device settings (such as onboarding to Defender for Endpoint). For more information, see Manage conflicts in the Manage security policies article.

Create the device configuration profile to onboard Windows devices

  1. Begin by navigating to the Microsoft Intune admin center. To do so, in the Microsoft 365 admin center, select Show all in the navigation pane, and then under the Admin centers group, select Endpoint Manager.

  2. In the Microsoft Intune admin center, select Endpoint security in the left-hand navigation pane.

  3. In the Endpoint security | Overview page, under the Manage section in the middle pane, select Endpoint detection and response.

  4. In the Endpoint security | Endpoint detection and response page, select +Create Policy on the menu bar.

  5. In the Create a profile pane that appears, select Windows 10 and Later in the Platform field.

  6. In the Profile field, select Endpoint detection and response.

  7. Select Create. Doing so initiates the Create profile wizard.

  8. In the Create profile wizard, on the Basics tab, enter a Name and Description (optional) for the profile, and then select Next.

  9. On the Configuration settings tab, configure the following options for Endpoint Detection and Response and then select Next:

    • Microsoft Defender for Endpoint client configuration package type. Select Auto from connector to use the onboarding package (blob) from your Defender for Endpoint deployment. If you are onboarding to a different or disconnected Defender for Endpoint deployment, select Onboard and paste the text from the WindowsDefenderATP.onboarding blob file into the Onboarding (Device) field.
    • Sample Sharing. Returns or sets the Microsoft Defender for Endpoint Sample Sharing configuration parameter.
    • [Deprecated] Telemetry Reporting Frequency. For devices that are at high risk, Enable this setting so it reports telemetry to the Microsoft Defender for Endpoint service more frequently.

    For more information on Microsoft Defender for Endpoint settings, see Onboard Windows machines using Microsoft Endpoint Configuration Manager.

    Screenshot of the configuration options for the Endpoint Detection and Response setting on the Create profile page.

  10. Select Next to open the Scope tags page. Scope tags are optional. Select Next to continue.

  11. On the Assignments page, select the groups that will receive this profile. When you deploy to user groups, a user must sign in on a device before the policy applies and the device can onboard to Defender for Endpoint. For more information on assigning profiles, see Assign user and device profiles.

    Select Next.

  12. On the Review + create page, when you're done, choose Create. The new profile is displayed in the list when you select the policy type for the profile you created. Select OK, and then select Create to save your changes, which creates the profile.

Onboard macOS devices

After you establish the service-to-service connection between Intune and Microsoft Defender for Endpoint, you can onboard macOS devices to Microsoft Defender for Endpoint. Onboarding configures devices to communicate with Microsoft Defender for Endpoint, which then collects data about device risk levels.

Additional reading. For more information on configuration guidance for Intune, see Microsoft Defender for Endpoint for macOS. For more information about onboarding macOS devices, see Microsoft Defender for Endpoint for Mac.

Onboard Android devices

After you establish the service-to-service connection between Intune and Microsoft Defender for Endpoint, you can onboard Android devices to Microsoft Defender for Endpoint. Onboarding configures devices to communicate with Defender for Endpoint, which then collects data about device risk levels.

There isn't a configuration package for devices that run Android. Instead, see Overview of Microsoft Defender for Endpoint for Android for the prerequisites and onboarding instructions for Android. For devices that run Android, you can also use Intune policy to modify Microsoft Defender for Endpoint on Android.

Additional reading. For more information, see Microsoft Defender for Endpoint web protection.

Onboard iOS/iPadOS devices

After you establish the service-to-service connection between Intune and Microsoft Defender for Endpoint, you can onboard iOS/iPadOS devices to Microsoft Defender for Endpoint. Onboarding configures devices to communicate with Defender for Endpoint, which then collects data about device risk levels.

There isn't a configuration package for devices that run iOS/iPadOS. Instead, see Overview of Microsoft Defender for Endpoint for iOS for prerequisites and onboarding instructions for iOS/iPadOS.

For devices that run iOS/iPadOS (in Supervised Mode), there's specialized ability given the increased management capabilities provided by the platform on these types of devices. To take advantage of these capabilities, the Defender app must know whether a device is in Supervised Mode. Intune allows you to configure the Defender for iOS app through an App Configuration policy (for managed devices). As a best practice, this policy should target all iOS Devices. For more information, see Complete deployment for supervised devices.

  1. Navigate to the Microsoft Intune admin center as previously instructed.
  2. In the Microsoft Intune admin center, select Apps in the left-hand navigation pane.
  3. On the Apps | Overview page, under the Policy section in the middle pane, select App configuration policies.
  4. On the Apps | App configuration policies page, select +Add on the menu bar. In the drop-down menu that appears, select Managed devices. Doing so initiates the Create app configuration policy wizard.
  5. In the App configuration policy wizard, on the Basics tab, enter a policy Name and Description (optional).
  6. In the Platform field, select iOS/iPadOS.
  7. To the right of Targeted app, select the Select app link.
  8. In the Associated app pane that appears, select Word and then select Next.
  9. Select Next.
  10. On the Settings tab, set the Configuration settings format to Use configuration designer.
  11. In the Configuration key field that appears, enter issupervised.
  12. In the Value type field, select String.
  13. In the Configuration value field, enter {{issupervised}}.
  14. Select Next on the Settings tab.
  15. On the Assignments tab, select the groups to receive this profile. For this scenario, select +Add all devices on the menu bar under Included groups. It's a best practice to target all devices. When an administrator deploys the policy to user groups, a user must sign in on a device before the policy applies.
  16. Select Next on the Assignments tab.
  17. On the Review + create page, select Create once you finish reviewing and verifying the details. The new policy should appear in the list of app configuration policies. If it doesn't immediately appear, select the Refresh option on the menu bar.

Additional reading. For more information on assigning profiles, see Assign user and device profiles.

For devices that run iOS/iPadOS (in Supervised Mode), Microsoft's Defender for iOS team made available a custom .mobileconfig profile to deploy to iOS/iPadOS devices. This profile analyzes network traffic to ensure a safe browsing experience, which is a feature of Microsoft Defender for iOS.

  1. Select this link to download the ".mobileconfig" profile: https://aka.ms/mdatpiossupervisedprofile.
  2. Navigate to the Microsoft Intune admin center as previously instructed.
  3. In the Microsoft Intune admin center, select Devices in the left-hand navigation pane.
  4. On the Devices | Overview page, under the Policy section in the middle pane, select Configuration profiles.
  5. On the Devices | Configuration profiles page, select +Create profile on the menu bar.
  6. In the Create a profile pane that appears, select iOS/iPadOS in the Platform field. Doing so initiates the Create app configuration policy wizard.
  7. In the App configuration policy wizard, on the Basics tab, enter a policy Name and Description (optional).
  8. In the Platform field, select iOS/iPadOS.
  9. In the Profile type field, select Templates. In the template list that appears, select Custom, and then select Create. Doing so initiates the Custom wizard.
  10. In the Custom wizard, on the Basics tab, enter a profile Name and Description (optional), and then select Next.
  11. On the Configuration settings tab, enter a Custom configuration profile name.
  12. In the Select a configuration profile file field, select the file icon next to the field. In the File Explorer window that appears, locate and select the ".mobileconfig" file that you downloaded in the first step in this exercise. The system should display the code from this file in the text box that appears under the file name.
  13. Select Next on the Configuration settings tab.
  14. On the Assignments tab, select the groups to receive this profile. For this scenario, select +Add all devices on the menu bar under Included groups. It's a best practice to target all devices. When an administrator deploys the profile to user groups, a user must sign in on a device before the profile applies.
  15. Select Next on the Assignments tab.
  16. On the Review + create page, select Create once you finish reviewing and verifying the details. The new policy should appear in the list of app configuration policies. If it doesn't immediately appear, select the Refresh option on the menu bar.

Create and assign compliance policy to set device risk level

For Android, iOS/iPadOS, and Windows devices, the compliance policy determines the level of risk that an organization considers as acceptable for its devices. Microsoft Defender for Endpoint performs the actual risk level assessment for each device, using the compliance policy as one of its assessment factors.

When an administrator creates a compliance policy in Microsoft Intune to set the device risk level, they define the criteria the device must meet to comply with their organization's security standards. The compliance policy evaluates the current state of the device against these criteria. It then generates a compliance report, which it sends to Microsoft Defender for Endpoint.

Microsoft Defender for Endpoint then analyzes the compliance report, along with other security data and threat intelligence, to determine the overall risk level of the device. The risk level is based on a wide range of factors, including:

  • The compliance status of the device
  • The software and hardware configuration of the device
  • Network activity
  • Other indicators of potential security threats

In summary:

  • The compliance policy defines the criteria for device compliance.
  • Microsoft Defender for Endpoint performs the actual assessment of the device's risk level.
  • Microsoft Intune deploys and enforces the policy on the device.

If you're not familiar with creating a compliance policy, reference the Create a policy procedure from the Create a compliance policy in Microsoft Intune article. The following information is specific to configuring Microsoft Defender for Endpoint as part of a compliance policy:

  1. Navigate to the Microsoft Intune admin center as previously instructed.
  2. In the Microsoft Intune admin center, select Devices in the left-hand navigation pane.
  3. On the Devices | Overview page, under the Policy section in the middle pane, select Compliance policies.
  4. On the Compliance policies | Policies page, select +Create profile on the menu bar.
  5. In the Create a policy pane that appears, select in the Platform field and then select one of the platforms from the drop-down menu that appears. Select Create. Doing so initiates the [selected platform] compliance policy wizard.
  6. In the [selected platform] compliance policy wizard, on the Basics tab, enter a policy Name and Description (optional). Select Next.
  7. On the Compliance settings tab, expand the Microsoft Defender for Endpoint group. Select the Require the device to be at or under the machine risk score field. In the drop-down menu that appears, select your preferred level. For more information, see Microsoft Defender for Endpoint determines threat level classifications.
    • Clear. This level is the most secure. The device can't have any existing threats and still access company resources. Microsoft Defender for Endpoint assesses devices with any threats as noncompliant. (Microsoft Defender for Endpoint uses the value Secure.)
    • Low. The device is compliant if only low-level threats exist. Microsoft Defender for Endpoint assesses devices with medium or high threat levels as noncompliant.
    • Medium. The device is compliant if the threats found on the device are low or medium. Microsoft Defender for Endpoint assesses devices with high threat levels as noncompliant.
    • High. This level is the least secure and allows all threat levels. The policy classifies devices with high, medium, or low threat levels as compliant.
  8. Select Next on the Compliance settings tab.
  9. On the Actions for noncompliance tab, add the sequence of actions to take on noncompliant devices. Note the default action titled Mark device noncompliant, which Intune applies immediately after Microsoft Defender for Endpoint assesses a device as noncompliant. You can optionally change the Schedule for this action if you don't want the action taken immediately. Add any other noncompliance actions required by your organization, and then select Next.
  10. On the Assignments tab, select the groups to receive this policy. For this scenario, select +Add all devices on the menu bar under Included groups. It's a best practice to target all devices. When an administrator deploys the policy to user groups, a user must sign in on a device before the policy applies.
  11. Select Next on the Assignments tab.
  12. On the Review + create page, select Create once you finish reviewing and verifying the details. Once the system creates the policy, a window appears for the newly created policy.
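As an added example (not part of this module or of Microsoft's own documentation), the same compliance policy created through the Microsoft Graph API with the Microsoft Graph PowerShell SDK instead of the admin center. It assumes the beta windows10CompliancePolicy schema; the property names, the fixed "PasswordRequired" rule name and the "All devices" target type are assumptions to verify against the Graph reference for your tenant.

```powershell
# Added example: create a Windows compliance policy that requires the Defender
# for Endpoint machine risk score to be at or under "Low" and marks the device
# noncompliant immediately. Assumes the Microsoft.Graph PowerShell SDK and the
# beta windows10CompliancePolicy schema (verify property names before use).
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$policy = @{
    "@odata.type" = "#microsoft.graph.windows10CompliancePolicy"
    displayName   = "MDE machine risk - Low or under"
    description   = "Require the Defender for Endpoint machine risk score to be at or under Low"
    # Enables the "Microsoft Defender for Endpoint" group of compliance settings
    deviceThreatProtectionEnabled = $true
    # Admin center "Clear" is "secured" in Graph; the other values are low, medium, high
    deviceThreatProtectionRequiredSecurityLevel = "low"
    # Actions for noncompliance. gracePeriodHours = 0 is the default
    # "Mark device noncompliant" immediately. The rule name is a fixed value
    # the API expects (assumption: verify against the Graph reference).
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{
                    actionType                = "block"
                    gracePeriodHours          = 0
                    notificationTemplateId    = ""
                    notificationMessageCCList = @()
                }
            )
        }
    )
}

# Invoke-MgGraphRequest serializes a hashtable body as JSON
$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies" `
    -Body $policy

# Assign the policy to all devices, matching the "+Add all devices" step above
$assignment = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.allDevicesAssignmentTarget" } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body $assignment

"Created compliance policy $($created.displayName) ($($created.id))"
```

Choose the "secured", "medium" or "high" value for deviceThreatProtectionRequiredSecurityLevel to match the Clear, Medium or High option described in step 7.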

Create and assign app protection policy to set device threat level

When you create an app protection policy for a protected app, Microsoft Intune deploys the policy to the device. The Microsoft Intune App Protection service then enforces the policy. However, Microsoft Defender for Endpoint performs the assessment of the device's threat level. To do so, it continuously monitors the device for potential security threats and vulnerabilities.

The app protection policy helps to protect the app and its data on the device, but it doesn't directly impact the device's threat level assessment. Rather, Microsoft Defender for Endpoint determines the device's threat level based on a wide range of factors, including:

  • Threat intelligence
  • Behavioral analysis
  • Other security data collected and analyzed by the Microsoft Defender for Endpoint service.

In summary:

  • Microsoft Intune deploys and enforces the app protection policy.
  • Microsoft Defender for Endpoint assesses the device's threat level.

Review the procedure on how to create an application protection policy for either iOS/iPadOS or Android. Then use the following information on the Apps, Conditional launch, and Assignments pages:

  • Apps. Select the apps that you want the app protection policies to target. An administrator can then either block or selectively wipe these apps based on the device risk assessment from your chosen Mobile Threat Defense vendor.
  • Conditional launch. Under Device conditions, use the drop-down box to select Max allowed device threat level. Select one of the following options for the threat level Value:
    • Secured. This level is the most secure. The device can't have any threats present and still access company resources. Microsoft Defender for Endpoint assesses devices with any threats as noncompliant.
    • Low. The device is compliant if only low-level threats are present. Microsoft Defender for Endpoint assesses devices with medium or high threat levels as noncompliant.
    • Medium. The device is compliant if the threats found on the device are low or medium level. Microsoft Defender for Endpoint assesses devices with high threat levels as noncompliant.
    • High. This level is the least secure and allows all threat levels, using Mobile Threat Defense (MTD) for reporting purposes only. Devices must have the MTD app activated with this setting.

    Then select one of the following recommended options for the Action that the administrator performs when a device exceeds the threat level:
    • Block access
    • Wipe data
  • Assignments. Assign the policy to groups of users. Intune app protection evaluates the devices used by the group's members for access to corporate data on targeted apps.

Important

If you create an app protection policy for any protected app, Microsoft Defender for Endpoint assesses the device's threat level. Depending on the configuration, Microsoft Intune either blocks or selectively wipes (through conditional launch) the devices that don’t meet an acceptable level. Blocked devices can't access corporate resources until the chosen MTD vendor resolves the threat on the device and reports it to Intune.

Create a Conditional Access policy

Conditional Access policies can use data from Microsoft Defender for Endpoint to block access to resources for devices that exceed the threat level you set. You can block access from the device to corporate resources, such as SharePoint or Exchange Online. The Conditional Access service in Microsoft Entra ID enforces these policies for Microsoft 365 and other Microsoft cloud services. When Microsoft Defender for Endpoint deems a device noncompliant, the Conditional Access service receives a notification and can take action to block access to corporate resources for that device.

In summary:

  • Microsoft Defender for Endpoint provides the threat intelligence and risk assessment data the Conditional Access service uses to determine whether a device is compliant.
  • Microsoft Intune deploys compliance policies to devices and ensures they meet the required security standards.
  • The Conditional Access service in Microsoft Entra ID blocks devices that exceed the threat level set by an organization.

Tip

Conditional Access is a Microsoft Entra technology. The Conditional Access node found in the Microsoft Intune admin center is the node from Microsoft Entra.

Complete the following steps to create a conditional access policy based on device compliance:

  1. Navigate to the Microsoft Intune admin center as previously instructed.
  2. In the Microsoft Intune admin center, select Endpoint security in the left-hand navigation pane.
  3. On the Endpoint security | Overview page, under the Manage section in the middle pane, select Conditional Access.
  4. On the Conditional Access | Policies page, select +New policy on the menu bar.
  5. On the New page, enter a policy Name. Then define the Assignments and Access controls associated with the policy. For example:
    • Under the Users section, use the Include or Exclude tabs to configure groups that receive this policy.
    • For Target resources, set Select what this policy applies to to Cloud apps, and then choose which apps to protect. For example, choose Select apps and then for Select, search for and select Office 365 SharePoint Online and Office 365 Exchange Online.
    • For Conditions, select Client apps and then set Configure to Yes. Next, select the check boxes for Browser and Mobile apps and desktop clients. Then, select Done to save the client app configuration.
    • For Grant, configure this policy to apply based on device compliance rules. For example:
      1. Select Grant access.
      2. Select the check box for Require device to be marked as compliant.
      3. Select Require all the selected controls. Choose Select to save the Grant configuration.
    • For Enable policy, select On and then Create to save your changes.
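As an added example (not part of this module), the Conditional Access policy described in step 5 created with the Microsoft Graph PowerShell SDK. The group object ID is a placeholder for your pilot group, and resolving the app IDs by display name assumes the standard Office 365 SharePoint Online and Office 365 Exchange Online service principals exist in the tenant.

```powershell
# Added example: require a compliant device for SharePoint Online and Exchange
# Online from browsers and mobile/desktop clients. Assumes the Microsoft.Graph
# PowerShell SDK; "<pilot-group-object-id>" is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Resolve the first-party app IDs by display name instead of hard-coding GUIDs
$appIds = @(foreach ($name in "Office 365 SharePoint Online", "Office 365 Exchange Online") {
    $sp = Get-MgServicePrincipal -Filter "displayName eq '$name'" -Top 1
    if (-not $sp) { throw "Service principal '$name' not found in this tenant" }
    $sp.AppId
})

$caPolicy = @{
    displayName = "Require compliant device - SharePoint and Exchange Online"
    # "enabled" matches the Enable policy = On step; use
    # "enabledForReportingButNotEnforced" to evaluate in report-only mode first
    state       = "enabled"
    conditions  = @{
        # Users > Include: the groups that receive this policy (placeholder ID)
        users          = @{ includeGroups = @("<pilot-group-object-id>") }
        # Target resources > Cloud apps > Select apps
        applications   = @{ includeApplications = $appIds }
        # Conditions > Client apps: Browser, Mobile apps and desktop clients
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "AND"                 # Require all the selected controls
        builtInControls = @("compliantDevice")  # Require device to be marked as compliant
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy
"Created Conditional Access policy $($policy.DisplayName) ($($policy.Id))"
```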

Knowledge check

Choose the best response for the following question. Then select “Check your answers.”

Check your knowledge

1.

As the Microsoft 365 Administrator for Fabrikam, Holly Spencer is considering whether to create both a device configuration policy and an endpoint detection and response policy to manage the same device setting - in this case, onboarding devices to Microsoft Defender for Endpoint. What could happen if Holly creates these policies?