Manage Microsoft Defender for Endpoint on devices with Microsoft Endpoint Manager

Note

This feature is in public preview and will roll out to tenants gradually over the next few weeks. You can confirm your tenant has received this capability when the relevant toggles show in both the Microsoft Endpoint Manager admin center and Microsoft Defender for Endpoint.

With Microsoft Defender for Endpoint (MDE), you can now deploy security configurations from Microsoft Endpoint Manager directly to your onboarded devices without requiring a full Microsoft Endpoint Manager device enrollment. This capability is known as Security Management for Microsoft Defender for Endpoint. With this capability, devices that aren’t managed by a Microsoft Endpoint Manager service can receive security configurations for Microsoft Defender directly from Endpoint Manager.

When devices are managed through this capability:

  • You use the Microsoft Endpoint Manager admin center to configure endpoint security policies for MDE and assign those policies to Azure AD groups
  • Devices get the policies based on their Azure Active Directory device object. A device that isn’t already present in Azure Active Directory is joined as part of this solution
  • When a device receives a policy, the Defender for Endpoint components on the device enforce the policy and report on the devices status. The device's status is available in the Microsoft Endpoint Manager admin center

This scenario extends the Microsoft Endpoint Manager Endpoint Security surface to devices that aren't capable of enrolling in Endpoint Manager. When a device is managed by Endpoint Manager (enrolled to Intune) the device won't process policies for Security Management for Microsoft Defender for Endpoint. Instead, use Intune to deploy policy for Defender to your devices.

Conceptual diagram of the MDE-Attach solution.

Prerequisites

Review the following sections for requirements for the Security Management for Microsoft Defender for Endpoint Scenario:

Environment

When a device onboards to Microsoft Defender for Endpoint:

  • The device is surveyed for an existing Endpoint Manager presence, either Configuration Manager or Intune
  • Devices without an Endpoint Manager presence enable the Security Management feature
  • A trust is created with Azure Active Directory if one doesn't already exist
  • Azure Active Directory trust is used to communicate with Endpoint Manager (Intune) and retrieve policies
  • Policy retrieve from Endpoint Manager is enforced on the device by Microsoft Defender for Endpoint

Active Directory requirements

When a device that is domain joined creates a trust with Azure Active Directory, this scenario is referred to as a Hybrid Azure Active Directory Join scenario. The Security Management for Microsoft Defender for Endpoint fully supports this scenario with the following requirements:

  • Azure Active Directory Connect (AAD Connect) must be synchronized to the tenant that is used from Microsoft Defender for Endpoint
  • Hybrid Azure Active Directory Join must be configured in your environment (either through Federation or AAD Connect Sync)
  • AAD Connect Sync must include the device objects in scope for synchronization with Azure Active Directory (when needed for join)
  • AAD Connect rules for sync must be modified for Server 2012 R2 (when support for Server 2012 R2 is needed)

Connectivity requirements

Devices must have access to the following endpoints:

  • enterpriseregistration.windows.net - For Azure AD registration.
  • login.microsoftonline.com - For Azure AD registration.
  • *.dm.microsoft.com - The use of a wildcard supports the cloud-service endpoints that are used for enrollment, check-in, and reporting, and which can change as the service scales.

Supported platforms

Policies for Microsoft Defender for Endpoint security management are supported for the following device platforms:

Licensing and subscriptions

To use security management for Microsoft Defender for Endpoint, you need:

  • A subscription that grants licenses for Microsoft Defender for Endpoint, like Microsoft 365, or a standalone license for only Microsoft Defender for Endpoint. For current information about options, see Minimum requirements for Microsoft Defender for Endpoint.

    Any subscription that grants Microsoft Defender for Endpoint licenses also grants your tenant access to the Endpoint security node of the Microsoft Endpoint Manager admin center. The Endpoint security node is where you'll configure and deploy policies to manage Microsoft Defender for Endpoint for your devices and monitor device status.

Architecture

The following diagram is a conceptual representation of the Microsoft Defender for Endpoint security configuration management solution.

Conceptual representation of the Microsoft Defender for Endpoint security configuration management solution

  1. Devices onboard to Microsoft Defender for Endpoint.

  2. A trust is established between each device and Azure AD. When a device has an existing trust, that is used. When devices haven't registered, a new trust is created.

  3. Devices use their Azure AD Identity to communicate with Endpoint Manager. This identity enables Microsoft Endpoint Manager to distribute policies that are targeted to the devices when they check in.

  4. Defender for Endpoint reports the status of the policy back to Endpoint Manager.

Configure your tenant to support Microsoft Defender for Endpoint Security Configuration Management

To support Microsoft Defender for Endpoint security configuration management through the Microsoft Endpoint Manager admin center, you must enable communication between them from within each console.

  1. Sign in to Microsoft 365 Defender portal and go to Settings > Endpoints > Configuration Management > Enforcement Scope and enable the platforms for security settings management:

    Enable Microsoft Defender for Endpoint settings management in the Microsoft 365 Defender portal.

  2. Make sure the relevant users have permissions to manage endpoint security settings in Microsoft Endpoint Manager or grant those permissions by configuring a role in the Microsoft 365 Defender portal. Go to Settings > Roles > Add item:

    Create a new role in the Microsoft 365 Defender portal.

    Tip

    You can modify existing roles and add the necessary permissions versus creating additional roles in Microsoft Defender for Endpoint

  3. When configuring the role, add users and be sure to select Manage endpoint security settings in Microsoft Endpoint Manager:

    Grant users permissions to manage settings.

  4. Sign in to the Microsoft Endpoint Manager admin center.

  5. Select Endpoint security > Microsoft Defender for Endpoint, and set Allow Microsoft Defender for Endpoint to enforce Endpoint Security Configurations (Preview) to On.

    Enable Microsoft Defender for Endpoint settings management in the Microsoft Endpoint Manager admin center.

    When you set this option to On, all devices in the platform scope in Microsoft Defender for Endpoint that aren't managed by Microsoft Endpoint Manager will qualify to onboard to Microsoft Defender for Endpoint.

Onboard devices to Microsoft Defender for Endpoint

Microsoft Defender for Endpoint supports several options to onboard devices. For current guidance, see Onboarding tools and methods for Windows devices in the Defender for Endpoint documentation.

Important

After a device onboards with Microsoft Defender for Endpoint, it must and be tagged with MDE-Management before it can enroll with Security Management for Microsoft Defender for Endpoint. For more information on device tagging in MDE, see Create and manage device tags](/microsoft-365/security/defender-endpoint/machine-tag).

Devices that you manage with Intune are not supported for this scenario.

Create Azure AD Groups

After devices onboard to Defender for Endpoint, you'll need to create device groups to support deployment of policy for Microsoft Defender for Endpoint.

To identify devices that have enrolled with Microsoft Defender for Endpoint but aren't managed by Intune or Configuration Manager:

  1. Sign in to Microsoft Endpoint Manager admin center.

  2. Go to Devices > All devices, and then select the column Managed by to sort the view of devices.

    Devices that onboard to Microsoft Defender for Endpoint and have registered but aren't managed by Intune or Configuration Manager display Microsoft Defender for Endpoint in the Managed by column. These are the devices that can receive policy for security management for Microsoft Defender for Endpoint.

You can create groups for these devices in Azure AD or from within the Microsoft Endpoint Manager admin center.

Deploy policy

After creating one or more Azure AD groups that contain devices managed by Microsoft Defender for Endpoint, you can create and deploy the following policies for Security Management for Microsoft Defender for Endpoint to those groups:

  • Antivirus
  • Firewall
  • Firewall Rules
  • Endpoint Detection and Response

Tip

Avoid deploying multiple policies that manage the same setting to a device.

Microsoft Endpoint Manager supports deploying multiple instances of each endpoint security policy type to the same device, with each policy instance being received by the device separately. Therefore, a device might receive separate configurations for the same setting from different policies, which results in a conflict. Some settings (like Antivirus Exclusions) will merge on the client and apply successfully.

  1. Sign in to the Microsoft Endpoint Manager admin center.

  2. Go to Endpoint security and then select the type of policy you want to configure, either Antivirus or Firewall, and then select Create Policy.

  3. Enter the following properties or the policy type you selected:

    • For Antivirus policy, select:

      • Platform: Windows 10, Windows 11, and Windows Server (Preview)
      • Profile: Microsoft Defender Antivirus (Preview)
    • For Firewall policy, select:

      • Platform: Windows 10, Windows 11, and Windows Server (Preview)
      • Profile: Microsoft Defender Firewall (Preview)
    • For Firewall Rules policy, select:

      • Platform: Windows 10, Windows 11, and Windows Server (Preview)
      • Profile: Microsoft Defender Firewall Rules (Preview)
    • For Endpoint Detection and Response policy, select:

      • Platform: Windows 10, Windows 11, and Windows Server (Preview)
      • Profile: Endpoint detection and response (Preview)
  4. Select Create.

  5. On the Basics page, enter a name and description for the profile, then choose Next.

  6. On the Configuration settings page, select the settings you want to manage with this profile. To learn more about a setting, expand its information dialog and select the Learn more link to view the CSP information for the setting in the on-line documentation.

    When your done configuring settings, select Next.

  7. On the Assignments page, select the Azure AD groups that will receive this profile. For more information on assigning profiles, see Assign user and device profiles.

    Select Next to continue.

    Tip

    • Assignment filters are not supported for Security Configuration Management profiles.
    • Only Device Objects are applicable for Microsoft Defender for Endpoint management. User targeting is not supported.
    • Policies configured will apply to both Microsoft Intune and Microsoft Defender for Endpoint clients
  8. Complete the policy creation process and then on the Review + create page, select Create. The new profile is displayed in the list when you select the policy type for the profile you created.

  9. Wait for the policy to be assigned and view a success indication that policy was applied.

  10. You can validate that settings are applied locally on the client by using the Get-MpPreference command utility.

Monitor status

Status and reports for MDE policies are available from the policy node under Endpoint security in the Microsoft Endpoint Manager admin center.

Drill in to the policy type, Antivirus or Firewall, and then select the policy to view its status. Policies for MDE have a Policy type of either Microsoft Defender Antivirus (Preview) or Microsoft Defender Firewall (Preview).

When you select a policy, you'll see information about the device check-in status, and can select:

  • View report - View a list of devices that received the policy. You can select a device to drill in and see its per-setting status. You can then select a setting to view more information about it, including other policies that manage that same setting, which could be a source of conflict.

  • Per setting status - View the settings that are managed by the policy, and a count of success, errors, or conflicts for each setting.

Known limitations and considerations

Co-existence with Microsoft Endpoint Configuration Manager

When using Configuration Manager, the best path for management of security policy is using the Configuration Manager tenant attach. In some environments it may be desired to use Security Management for Microsoft Defender. When using Security Management for Microsoft Defender with Configuration Manager, endpoint security policy should be isolated to a single control plane. Controlling policy through both channels will create the opportunity for conflicts and undesired results.

Active Directory joined devices

Devices that are joined to Active Directory will use their existing infrastructure to complete Hybrid Azure Active Directory join. While the Defender for Endpoint component will start this process, the join action uses your Federation provider or Azure Active Directory Connect (AAD Connect) to complete the join. Review Plan your hybrid Azure Active Directory join implementation to learn more about configuring your environment.

To troubleshoot Azure Active Directory onboarding issues, see Troubleshoot Security Configuration Management Azure Active Directory onboarding issues.

Managing Security Configurations on domain controllers

Currently, devices are not supported to complete a Hybrid Join to Azure Active Directory. Since an Azure Active Directory trust is required, domain controllers aren't currently supported. We are looking at ways to add support in the future.

Non-persistent VDI environments

Due to the potential effect on Azure Active Directory environments with respect to device lifecycle and service quota, we advise against testing the current installation files and builds shared in this public preview in a non-persistent VDI environment.

Server Core installation

Due to the limited scope of Server core installations, these are not supported by Security Management for Microsoft Defender for Endpoint.

Next steps

Monitor Defender for Endpoint