Tenant attach: Create and deploy endpoint security policies from the admin center (preview)

Applies to: Configuration Manager (current branch)

Important

This information relates to a preview feature which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Microsoft Endpoint Manager is an integrated solution for managing all of your devices. Microsoft brings together Configuration Manager and Intune into a single console called Microsoft Endpoint Manager admin center. Create Microsoft Defender antivirus policies in the Microsoft Endpoint Manager console and deploy them to Configuration Manager collections.

Prerequisites

To support managing tamper protection, your environment must additionally meet the prerequisites for managing tamper protection with Intune, as detailed in the Windows documentation.

To support firewall policies, install KB4578605 for Configuration Manager version 2006. The update is available in the Configuration Manager console.

Supported endpoint security profiles for tenant attached devices

The following profiles are supported for devices you manage with Configuration Manager current branch 2006 or later, through the tenant attach scenario:

  • Platform: Windows 10 and Windows Server (ConfigMgr)

    • Profile: Microsoft Defender Antivirus Policy (preview) - Manage Antivirus policy settings for Configuration Manager devices, when you use tenant attach.

      This profile is supported with devices that are tenant attached and run the following platforms:

      • Windows 10 and later (x86, x64, ARM64)
      • Windows Server 2019 and later (x64)
      • Windows Server 2016 (x64)
      • Windows 8.1 (x86, x64), starting in Configuration Manager version 2010
      • Windows Server 2012 R2 (x64), starting in Configuration Manager version 2010
    • Profile: Windows Security experience (preview) - Manage Windows Security app settings for Configuration Manager devices, when you use tenant attach.

      This profile is supported with devices that are tenant attached and run the following platforms:

      • Windows 10 and later (x86, x64, ARM64)
      • Windows Server 2019 and later (x64)
  • Platform: Windows 10 and later

    • Profile: Microsoft Defender Firewall (ConfigMgr) (preview) - Manage firewall policy settings for Configuration Manager devices, when you use tenant attach.

      This profile is supported with devices that are tenant attached and run the following platforms:

      • Windows 10 and later (x86, x64, ARM64)

Assign Microsoft Defender Antivirus policy to a collection

  1. In a browser, go to the Microsoft Endpoint Manager admin center.
  2. Select Endpoint security then Antivirus.
  3. Select Create Policy.
  4. For the Platform, select Windows 10 and Windows Server (ConfigMgr).
  5. For the Profile, select Microsoft Defender Antivirus (Preview) then Create.
  6. Assign a Name and optionally a Description on the Basics page.
  7. On the Configuration settings page, configure the settings you want to manage with this profile. When you're done configuring settings, select Next. For more information about available policies, see Antivirus policy settings for tenant attached devices.
  8. Assign the policy to a Configuration Manager collection on the Assignments page.

Assign Windows Security experience policy to a collection

  1. In a browser, go to the Microsoft Endpoint Manager admin center.
  2. Select Endpoint security then Antivirus.
  3. Select Create Policy.
  4. For the Platform, select Windows 10 and Windows Server (ConfigMgr).
  5. For the Profile, select Windows Security experience (preview) then Create.
  6. Assign a Name and optionally a Description on the Basics page.
  7. On the Configuration settings page, configure the settings you want to manage with this profile. When you're done configuring settings, select Next. For more information about the available settings, see Settings for Windows Security experience Antivirus policy for tenant attached devices.
  8. Assign the policy to a Configuration Manager collection on the Assignments page.

Assign firewall policies to a collection

  1. Go to the Microsoft Endpoint Manager admin center.

  2. Select Endpoint security > Firewall then Create Policy.

  3. Create a profile with the following settings:

    • Platform: Windows 10 and later
      • Currently, only Windows 10 clients can be targeted with firewall policies.
    • Profile: Microsoft Defender Firewall (ConfigMgr) (preview)
  4. Select Create then give the profile a Name and a Description.

  5. On the Configuration settings page, set the firewall settings for the devices. For more information about the available settings, see Settings for firewall policy for tenant attached devices.

  6. On the Assignments page, select the collections to include for the policy assignment then choose Next.

  7. Review the settings on the Review + Create page and select Create when you're done.

Antivirus policy exclusions merge

(Introduced in 2103)

Starting in Configuration Manager 2103, when a tenant attached device is targeted with two or more antivirus policies, the settings for antivirus exclusions are merged before being applied to the client. As a result, the client receives the exclusions defined in each policy, allowing for more granular control of antivirus exclusions. In earlier versions of Configuration Manager, antivirus exclusions from only a single policy are applied: the last policy applied determines the effective exclusions.

To use this functionality, create an antivirus policy from the Microsoft Endpoint Manager admin center that includes some antivirus exclusions. Create a second antivirus policy including only antivirus exclusions that are different from the first policy. Apply both antivirus policies to the same collection. Antivirus exclusions from both policies are applied on clients in the targeted collection.
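As an added example (not part of the original documentation), the following PowerShell, run on a tenant attached Windows client, compares the exclusions defined in two hypothetical antivirus policies against the effective Defender preferences returned by Get-MpPreference. A full match confirms the 2103 merge behavior; a partial match points to the earlier last-policy-wins behavior. The policy contents, paths, extensions and process names are constructed sample values.

```powershell
# Constructed sample exclusions for two hypothetical policies assigned to the same collection.
# Replace these with the exclusions you defined in the admin center for each policy.
$PolicyA = @{
    ExclusionPath      = @('C:\App1\Data')
    ExclusionExtension = @('.log')
    ExclusionProcess   = @('app1.exe')
}
$PolicyB = @{
    ExclusionPath      = @('D:\App2')
    ExclusionExtension = @('.tmp')
    ExclusionProcess   = @()
}

function Test-MergedExclusions {
    param(
        [Parameter(Mandatory)] [hashtable[]] $Policies,
        # Effective client preferences; defaults to the live state of this client.
        [psobject] $Effective = (Get-MpPreference)
    )
    foreach ($kind in 'ExclusionPath', 'ExclusionExtension', 'ExclusionProcess') {
        # Expected set under merge behavior: the union of every policy's exclusions of this kind.
        $expected = @($Policies | ForEach-Object { $_[$kind] }) | Sort-Object -Unique
        $actual   = @($Effective.$kind)
        foreach ($item in $expected) {
            [pscustomobject]@{
                Kind    = $kind
                Value   = $item
                Present = ($actual -contains $item)   # case-insensitive, as Windows paths are
            }
        }
    }
}

$report  = @(Test-MergedExclusions -Policies $PolicyA, $PolicyB)
$report | Format-Table -AutoSize

$missing = @($report | Where-Object { -not $_.Present })
if ($missing.Count -eq 0) {
    'All exclusions from both policies are effective: merge behavior (2103 or later) confirmed.'
} elseif ($missing.Count -lt $report.Count) {
    'Only part of the expected set is present: consistent with pre-2103 behavior, where the last applied policy wins.'
} else {
    'None of the expected exclusions are present: the policies may not have applied to this client yet.'
}
```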

Next steps