Enforce compliance for Microsoft Defender ATP with Conditional Access in Intune

You can integrate Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) with Microsoft Intune as a Mobile Threat Defense solution. Integration can help you prevent security breaches and limit the impact of breaches within an organization.

Microsoft Defender ATP works with devices that run Windows 10 or later, and with Android devices.

To be successful, you'll use the following configurations in concert:

  • Establish a service-to-service connection between Intune and Microsoft Defender ATP. This connection lets Microsoft Defender ATP collect data about machine risk from supported devices you manage with Intune.
  • Use a device configuration profile to onboard devices with Microsoft Defender ATP. You onboard devices to configure them to communicate with Microsoft Defender ATP and to provide data that helps assess their risk level.
  • Use a device compliance policy to set the level of risk you want to allow. Risk levels are reported by Microsoft Defender ATP. Devices that exceed the allowed risk level are identified as noncompliant.
  • Use a Conditional Access policy to block users from accessing corporate resources from devices that are noncompliant.
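Putting the last two items together, the following is an added example (not from the Intune documentation) that creates the compliance policy and the Conditional Access policy through the Microsoft Graph API with the Microsoft Graph PowerShell SDK, then lists the devices Intune currently reports as noncompliant. It assumes the service-to-service connection is already established and devices are onboarded; the group ID, break-glass account ID and display names are placeholders.

```powershell
# Added example, not from the Intune documentation. Requires the Microsoft.Graph
# PowerShell SDK (Install-Module Microsoft.Graph). The service-to-service
# connection and device onboarding from the earlier steps are assumed to be done.
# <placeholder> values are assumptions; replace them with your tenant's own IDs.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All",
                        "DeviceManagementManagedDevices.Read.All",
                        "Policy.ReadWrite.ConditionalAccess"

$graph = "https://graph.microsoft.com/v1.0"

# 1. Device compliance policy (Windows 10): the device must be at or under the
#    "low" Defender ATP machine risk score, so Medium and High risk devices
#    become noncompliant, matching the example scenario on this page.
$compliancePolicy = @{
    "@odata.type"                               = "#microsoft.graph.windows10CompliancePolicy"
    displayName                                 = "Defender ATP risk - block Medium and High"
    description                                 = "Noncompliant when Defender ATP reports Medium or High machine risk"
    deviceThreatProtectionEnabled               = $true
    deviceThreatProtectionRequiredSecurityLevel = "low"   # secured | low | medium | high
    # Graph requires at least one scheduled action; "block" with no grace period
    # marks the device noncompliant immediately.
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{ actionType = "block"; gracePeriodHours = 0; notificationTemplateId = "" }
            )
        }
    )
}
$policy = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/deviceCompliancePolicies" -Body $compliancePolicy

# Assign the policy to the Azure AD group that contains the managed devices (placeholder ID).
$assignment = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                       groupId       = "<managed-devices-group-object-id>" } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/deviceCompliancePolicies/$($policy.id)/assign" -Body $assignment

# 2. Conditional Access: require a compliant device for Office 365 on Windows and
#    Android. Start in report-only mode and keep a break-glass account excluded
#    so a misconfigured policy cannot lock administrators out.
$caPolicy = @{
    displayName = "Require compliant device (Defender ATP risk) for Office 365"
    state       = "enabledForReportingButNotEnforced"   # change to "enabled" after validating sign-in logs
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @("<break-glass-account-object-id>") }
        applications = @{ includeApplications = @("Office365") }
        platforms    = @{ includePlatforms = @("windows", "android") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/identity/conditionalAccess/policies" -Body $caPolicy

# 3. Check: list devices Intune currently reports as noncompliant; this is the
#    set the Conditional Access policy will block once it is switched to "enabled".
$noncompliant = Invoke-MgGraphRequest -Method GET -Uri "$graph/deviceManagement/managedDevices?`$filter=complianceState eq 'noncompliant'&`$select=deviceName,operatingSystem,complianceState,lastSyncDateTime"
$noncompliant.value | ForEach-Object { "{0}`t{1}`t{2}" -f $_.deviceName, $_.operatingSystem, $_.lastSyncDateTime }
```

Leave the Conditional Access policy in report-only mode until the sign-in logs show that only the intended devices would be blocked, and keep the break-glass exclusion in place even after enforcement; a compliance evaluation hiccup otherwise blocks every administrator at once.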

When you integrate Intune with Microsoft Defender ATP, you can take advantage of Microsoft Defender ATP's Threat & Vulnerability Management (TVM) and use Intune to remediate endpoint weaknesses identified by TVM.

Example of using Microsoft Defender ATP with Intune

The following example helps explain how these solutions work together to help protect your organization. For this example, Microsoft Defender ATP and Intune are already integrated.

Consider an event where someone sends a Word attachment with embedded malicious code to a user within your organization.

  • The user opens the attachment, and enables the content.
  • An elevated privilege attack starts, and an attacker from a remote machine has admin rights to the victim's device.
  • The attacker then remotely accesses the user's other devices. This security breach can impact the entire organization.

Microsoft Defender ATP can help resolve security events like this scenario.

  • In our example, Microsoft Defender ATP detects that the device executed abnormal code, experienced a process privilege escalation, injected malicious code, and issued a suspicious remote shell.
  • Based on these actions from the device, Microsoft Defender ATP classifies the device as high-risk and includes a detailed report of suspicious activity in the Microsoft Defender Security Center portal.


Because you have an Intune device compliance policy that classifies devices with a Medium or High level of risk as noncompliant, the compromised device is classified as noncompliant. This classification allows your Conditional Access policy to kick in and block access from that device to your corporate resources.

For devices that run Android, you can use Intune policy to modify the configuration of Microsoft Defender ATP on Android. For more information, see Microsoft Defender ATP web protection.

Prerequisites

To use Microsoft Defender ATP with Intune, be sure you have the following configured and ready for use:

  • Licensed tenant for Enterprise Mobility + Security E3 and Windows E5 (or Microsoft 365 Enterprise E5)
  • Microsoft Intune environment, with Intune-managed Windows 10 or Android devices that are also Azure AD joined
  • Microsoft Defender ATP environment, which gives you access to the Microsoft Defender Security Center (ATP portal)

Note

Microsoft Defender ATP is not supported with iOS/iPadOS and Android Intune app protection policies.

Next steps

Learn more from the Intune documentation:

Learn more from the Microsoft Defender ATP documentation: