Onboarding using Microsoft Endpoint Manager

Applies to:

This article is part of the Deployment guide and acts as an example onboarding method.

In the Planning topic, there were several methods provided to onboard devices to the service. This topic covers the cloud-native architecture.

Image of cloud-native architecture Diagram of environment architectures

While Defender for Endpoint supports onboarding of various endpoints and tools, this article does not cover them. For information on general onboarding using other supported deployment tools and methods, see Onboarding overview.

Microsoft Endpoint Manager is a solution platform that unifies several services. It includes Microsoft Intune for cloud-based device management.

This topic guides users in:

  • Step 1: Onboarding devices to the service by creating a group in Microsoft Endpoint Manager (MEM) to assign configurations on
  • Step 2: Configuring Defender for Endpoint capabilities using Microsoft Endpoint Manager

This onboarding guidance will walk you through the following basic steps that you need to take when using Microsoft Endpoint Manager:

Resources

Here are the links you'll need for the rest of the process:

For more information about Microsoft Endpoint Manager, check out these resources:

Step 1: Onboard devices by creating a group in MEM to assign configurations on

Identify target devices or users

In this section, we will create a test group to assign your configurations on.

Note

Intune uses Azure Active Directory (Azure AD) groups to manage devices and users. As an Intune admin, you can set up groups to suit your organizational needs.
For more information, see Add groups to organize users and devices.

Create a group

  1. Open the MEM portal.

  2. Open Groups > New Group.

    Image of Microsoft Endpoint Manager portal

  3. Enter details and create a new group.

    Image of Microsoft Endpoint Manager portal

  4. Add your test user or device.

  5. From the Groups > All groups pane, open your new group.

  6. Select Members > Add members.

  7. Find your test user or device and select it.

    Image of Microsoft Endpoint Manager portal

  8. Your testing group now has a member to test.

Step 2: Create configuration policies to configure Microsoft Defender for Endpoint capabilities

In the following section, you'll create a number of configuration policies.

First is a configuration policy to select which groups of users or devices will be onboarded to Defender for Endpoint:

Then you will continue by creating several different types of endpoint security policies:

Endpoint detection and response

  1. Open the MEM portal.

  2. Navigate to Endpoint security > Endpoint detection and response. Click on Create Profile.

    Image of Microsoft Endpoint Manager portal

  3. Under Platform, select Windows 10 and Later, Profile - Endpoint detection and response > Create.

  4. Enter a name and description, then select Next.

    Image of Microsoft Endpoint Manager portal

  5. Select settings as required, then select Next.

    Image of Microsoft Endpoint Manager portal

    Note

    In this instance, this has been auto populated as Defender for Endpoint has already been integrated with Intune. For more information on the integration, see Enable Microsoft Defender for Endpoint in Intune.

    The following image is an example of what you'll see when Microsoft Defender for Endpoint is NOT integrated with Intune:

    Image of Microsoft Endpoint Manager portal

  6. Add scope tags if necessary, then select Next.

    Image of Microsoft Endpoint Manager portal

  7. Add test group by clicking on Select groups to include and choose your group, then select Next.

    Image of Microsoft Endpoint Manager portal

  8. Review and accept, then select Create.

    Image of Microsoft Endpoint Manager portal

  9. You can view your completed policy.

    Image of Microsoft Endpoint Manager portal

Next-generation protection

  1. Open the MEM portal.

  2. Navigate to Endpoint security > Antivirus > Create Policy.

    Image of Microsoft Endpoint Manager portal

  3. Select Platform - Windows 10 and Later - Windows and Profile – Microsoft Defender Antivirus > Create.

  4. Enter name and description, then select Next.

    Image of Microsoft Endpoint Manager portal

  5. In the Configuration settings page: Set the configurations you require for Microsoft Defender Antivirus (Cloud Protection, Exclusions, Real-Time Protection, and Remediation).

    Image of Microsoft Endpoint Manager portal

  6. Add scope tags if necessary, then select Next.

    Image of Microsoft Endpoint Manager portal

  7. Select groups to include, assign to your test group, then select Next.

    Image of Microsoft Endpoint Manager portal

  8. Review and create, then select Create.

    Image of Microsoft Endpoint Manager portal

  9. You'll see the configuration policy you created.

    Image of Microsoft Endpoint Manager portal

Attack Surface Reduction – Attack surface reduction rules

  1. Open the MEM portal.

  2. Navigate to Endpoint security > Attack surface reduction.

  3. Select Create Policy.

  4. Select Platform - Windows 10 and Later – Profile - Attack surface reduction rules > Create.

    Image of Microsoft Endpoint Manager portal

  5. Enter a name and description, then select Next.

    Image of Microsoft Endpoint Manager portal

  6. In the Configuration settings page: Set the configurations you require for Attack surface reduction rules, then select Next.

    Note

    We will be configuring all of the Attack surface reduction rules to Audit.

    For more information, see Attack surface reduction rules.

    Image of Microsoft Endpoint Manager portal

  7. Add Scope Tags as required, then select Next.

    Image of Microsoft Endpoint Manager portal

  8. Select groups to include and assign to test group, then select Next.

    Image of Microsoft Endpoint Manager portal

  9. Review the details, then select Create.

    Image of Microsoft Endpoint Manager portal

  10. View the policy.

    Image of Microsoft Endpoint Manager portal

Attack Surface Reduction – Web Protection

  1. Open the MEM portal.

  2. Navigate to Endpoint security > Attack surface reduction.

  3. Select Create Policy.

  4. Select Windows 10 and Later – Web protection > Create.

    Image of Microsoft Endpoint Manager portal

  5. Enter a name and description, then select Next.

    Image of Microsoft Endpoint Manager portal

  6. In the Configuration settings page: Set the configurations you require for Web Protection, then select Next.

    Note

    We are configuring Web Protection to Block.

    For more information, see Web Protection.

    Image of Microsoft Endpoint Manager portal

  7. Add Scope Tags as required > Next.

    Image of Microsoft Endpoint Manager portal

  8. Select Assign to test group > Next.

    Image of Microsoft Endpoint Manager portal

  9. Select Review and Create > Create.

    Image of Microsoft Endpoint Manager portal

  10. View the policy.

    Image of Microsoft Endpoint Manager portal

Validate configuration settings

Confirm Policies have been applied

Once the Configuration policy has been assigned, it will take some time to apply.

For information on timing, see Intune configuration information.

To confirm that the configuration policy has been applied to your test device, follow the following process for each configuration policy.

  1. Open the MEM portal and navigate to the relevant policy as shown in the steps above. The following example shows the next generation protection settings.

  2. Select the Configuration Policy to view the policy status.

  3. Select Device Status to see the status.

  4. Select User Status to see the status.

  5. Select Per-setting status to see the status.

    Tip

    This view is very useful to identify any settings that conflict with another policy.

Endpoint detection and response

  1. Before applying the configuration, the Defender for Endpoint Protection service should not be started.

  2. After the configuration has been applied, the Defender for Endpoint Protection Service should be started.

  3. After the services are running on the device, the device appears in Microsoft Defender Security Center.

Next-generation protection

  1. Before applying the policy on a test device, you should be able to manually manage the settings as shown below.

    Image of setting page

  2. After the policy has been applied, you should not be able to manually manage the settings.

    Note

    In the following image Turn on cloud-delivered protection and Turn on real-time protection are being shown as managed.

    Image of setting page

Attack Surface Reduction – Attack surface reduction rules

  1. Before applying the policy on a test device, pen a PowerShell Window and type Get-MpPreference.

  2. This should respond with the following lines with no content:

    AttackSurfaceReductionOnlyExclusions:

    AttackSurfaceReductionRules_Actions:

    AttackSurfaceReductionRules_Ids:

    Image of command line

  3. After applying the policy on a test device, open a PowerShell Windows and type Get-MpPreference.

  4. This should respond with the following lines with content as shown below:

    Image of command line

Attack Surface Reduction – Web Protection

  1. On the test device, open a PowerShell Windows and type (Get-MpPreference).EnableNetworkProtection.

  2. This should respond with a 0 as shown below.

    Image of command line

  3. After applying the policy, open a PowerShell Windows and type (Get-MpPreference).EnableNetworkProtection.

  4. This should respond with a 1 as shown below.

    Image of command line