Endpoint detection and response policy for endpoint security in Intune

When you integrate Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) with Intune, you can use endpoint security policies for endpoint detection and response (EDR) to manage the EDR settings and onboard devices to Microsoft Defender ATP.

The capabilities of Microsoft Defender ATP endpoint detection and response provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats.

EDR policies include platform-specific profiles to manage settings for EDR. The profiles automatically include an onboarding package for Microsoft Defender ATP. Onboarding packages are how devices are configured to work with Microsoft Defender ATP. After a device onboards, you can start to use threat data from that device.

EDR policies deploy to groups of devices in Azure Active Directory (Azure AD) that you manage with Intune, and to collections of on-premises devices that you manage with Configuration Manager, including Windows servers. The EDR policies for the different management paths require different onboarding packages. Therefore, you'll create separate EDR policies for the different types of devices you manage.

Find the endpoint security policies for EDR under Manage in the Endpoint security node of the Microsoft Endpoint Manager admin center.

View settings for Endpoint detection and response profiles.

Prerequisites for EDR policies

General:

  • Tenant for Microsoft Defender Advanced Threat Protection - Your Microsoft Defender ATP tenant must be integrated with your Microsoft Endpoint Manager tenant (Intune subscription) before you can create EDR policies. See Use Microsoft Defender ATP in the Intune documentation.

Support for Configuration Manager clients:

  • Set up tenant attach for Configuration Manager devices - To support deploying EDR policy to devices managed by Configuration Manager, configure tenant attach. This includes configuring Configuration Manager device collections to support endpoint security policies from Intune.

    To set up tenant attach, including the synchronization of Configuration Manager collections to the Microsoft Endpoint Manager admin center and enabling them to work with endpoint security policies, see Configure tenant attach to support endpoint protection policies.

EDR profiles

View the settings you can configure for the following platforms and profiles.

Intune - The following are supported for devices you manage with Intune:

  • Platform: Windows 10 and later - Intune deploys the policy to devices in your Azure AD groups.
  • Profile: Endpoint detection and response (MDM)

Configuration Manager - The following are supported for devices you manage with Configuration Manager:

  • Platform: Windows 10 and Windows Server (ConfigMgr) - Configuration Manager deploys the policy to devices in your Configuration Manager collections.
  • Profile: Endpoint detection and response (ConfigMgr)

Set up Configuration Manager to support EDR policy

Before you can deploy EDR policies to Configuration Manager devices, complete the configurations detailed in the following sections.

These configurations are made within the Configuration Manager console and to your Configuration Manager deployment. If you're not familiar with Configuration Manager, plan to work with a Configuration Manager admin to complete these tasks.

The following sections cover the required tasks:

  1. Install the update for Configuration Manager
  2. Enable tenant attach

Tip

To learn more about using Microsoft Defender ATP with Configuration Manager, see the following articles in the Configuration Manager content:

Task 1: Install the update for Configuration Manager

Configuration Manager version 2002 requires an update to support use with Endpoint detection and response policies you deploy from the Microsoft Endpoint Manager admin center.

Update details:

  • Configuration Manager 2002 Hotfix (KB4563473)

You'll find this update as an in-console update for Configuration Manager 2002.

To install this update, follow the guidance from Install in-console updates in the Configuration Manager documentation.

After installing the update, return here to continue configuring your environment to support EDR policy from the Microsoft Endpoint Manager admin center.

Task 2: Configure tenant attach and synchronize collections

With tenant attach you specify collections of devices from your Configuration Manager deployment to synchronize with the Microsoft Endpoint Manager admin center. After collections synchronize, use the admin center to view information about those devices and to deploy EDR policy from Intune to them.

For more information about the tenant attach scenario, see Enable tenant attach in the Configuration Manager content.

Enable tenant attach when co-management hasn't been enabled

Tip

You use the Co-management Configuration Wizard in the Configuration Manager console to enable tenant attach, but you don't need to enable co-management.

If you're planning to enable co-management, be familiar with co-management, its prerequisites, and how to manage workloads before you continue. See What is co-management? in the Configuration Manager documentation.

  1. In the Configuration Manager admin console, go to Administration > Overview > Cloud Services > Co-management.
  2. In the ribbon, click Configure co-management to open the wizard.
  3. On the Tenant onboarding page, select AzurePublicCloud for your environment. Azure Government cloud isn't supported.
    1. Click Sign In. Use your Global Administrator account to sign in.

The following are supported for devices you manage with Intune:

  • Platform: Windows 10 and later - Intune deploys the policy to devices in your Azure AD groups.
    • Profile: Endpoint detection and response (MDM)

Devices managed by Configuration Manager (In preview)

The following are supported for devices you manage with Configuration Manager through the tenant attach scenario:

  • Platform: Windows 10 and Windows Server (ConfigMgr) - Configuration Manager deploys the policy to devices in your Configuration Manager collections.
    • Profile: Endpoint detection and response (ConfigMgr) (Preview)

Create and deploy EDR policies

When you integrate your Microsoft Defender ATP subscription with Intune, you can create and deploy EDR policies. There are two distinct types of EDR policy you can create: one policy type for devices you manage with Intune through MDM, and a second type for devices you manage with Configuration Manager.

You choose the type of policy to create while configuring a new EDR policy, by choosing a platform for the policy.

Before you can deploy policy to devices managed by Configuration Manager, set up Configuration Manager to support EDR policy from the Microsoft Endpoint Manager admin center. See Configure tenant attach to support endpoint protection policies.

Create EDR policies

  1. Sign in to the Microsoft Endpoint Manager admin center.

  2. Select Endpoint security > Endpoint detection and response > Create Policy.

  3. Select the platform and profile for your policy. The following information identifies your options:

    • Intune - Intune deploys the policy to devices in your Azure AD groups. When you create the policy, select:

      • Platform: Windows 10 and later
      • Profile: Endpoint detection and response (MDM)
    • Configuration Manager - Configuration Manager deploys the policy to devices in your Configuration Manager collections. When you create the policy, select:

      • Platform: Windows 10 and Windows Server (ConfigMgr)
      • Profile: Endpoint detection and response (ConfigMgr)
  4. Select Create.

  5. On the Basics page, enter a name and description for the profile, then choose Next.

  6. On the Configuration settings page, configure the settings you want to manage with this profile. The onboarding package is automatically included and isn't something you can configure.

    When you're done configuring settings, select Next.

  7. This step only applies for the Endpoint detection and response (MDM) profile:

    On the Scope tags page, choose Select scope tags to open the Select tags pane to assign scope tags to the profile.

    Select Next to continue.

  8. On the Assignments page, select the groups or collections that will receive this policy. The choice depends on the platform and profile you selected:

    • For Intune, you'll select groups from Azure AD.
    • For Configuration Manager, you'll select collections from Configuration Manager that you've synced to the Microsoft Endpoint Manager admin center and enabled for Microsoft Defender ATP policy.

    You can choose not to assign groups or collections at this time, and later edit the policy to add an assignment.

    When ready to continue, select Next.

  9. On the Review + create page, when you're done, choose Create.

    The new profile is displayed in the list when you select the policy type for the profile you created.

EDR policy reports

You can view details about the EDR policies you deploy in the Microsoft Endpoint Manager admin center. To view details, go to Endpoint security > Endpoint detection and response, and select a policy for which you want to view compliance details:

  • For policies that target the Windows 10 and later platform (Intune), you'll see an overview of compliance to the policy. You can also select the chart to view a list of devices that received the policy, and drill in to individual devices for more details.

    The chart for Devices with ATP sensor displays only devices that successfully onboard to Microsoft Defender ATP through use of the Windows 10 and later profile. To ensure you have full representation of your devices in this chart, deploy the onboarding profile to all your devices. Devices that onboard to Microsoft Defender ATP by external means, like Group Policy or PowerShell, are counted as Devices without the ATP sensor.

  • For policies that target the Windows 10 and Windows Server (ConfigMgr) platform (Configuration Manager), you'll see an overview of compliance to the policy but can't drill in to view additional details. The view is limited because the admin center receives limited status details from Configuration Manager, which manages the deployment of the policy to Configuration Manager devices.
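Because the report counts a device as having the ATP sensor only when it onboarded through the Intune profile, a device listed under Devices without the ATP sensor may still be onboarded by another method, or may genuinely lack a working sensor. The following PowerShell script is an added example written for this article, not code from the article or from Microsoft; it reads the local onboarding state of a Windows device so an administrator can tell those two cases apart before redeploying the profile. It assumes that the Defender ATP client runs as the Sense service and records OnboardingState under the Windows Advanced Threat Protection Status registry key; both are the standard client locations, but treat them as assumptions to verify against the Microsoft Defender ATP documentation for your OS build.

```powershell
# Added example (not from the article): report the local Microsoft Defender ATP onboarding state.
# Run in an elevated PowerShell session on the Windows device being checked.
# Assumptions: the ATP sensor runs as the 'Sense' service, and the client writes
# OnboardingState = 1 under the Status key below once the onboarding package has applied.

function Get-MdatpOnboardingState {
    [CmdletBinding()]
    param()

    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

    # Service lookup; an absent service means the ATP client is not present on this build.
    $sense = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
    $senseStatus = if ($null -ne $sense) { $sense.Status.ToString() } else { 'NotInstalled' }

    # OnboardingState is written by the client; 1 means onboarded, anything else means not.
    $onboardingState = $null
    if (Test-Path -Path $statusKey) {
        $props = Get-ItemProperty -Path $statusKey -Name 'OnboardingState' -ErrorAction SilentlyContinue
        if ($null -ne $props) { $onboardingState = $props.OnboardingState }
    }

    [PSCustomObject]@{
        ComputerName    = $env:COMPUTERNAME
        SenseInstalled  = ($null -ne $sense)
        SenseStatus     = $senseStatus
        OnboardingState = $onboardingState
        Onboarded       = ($onboardingState -eq 1)
    }
}

function Test-MdatpOnboarding {
    [CmdletBinding()]
    param()

    $state = Get-MdatpOnboardingState

    # Warnings go to the warning stream so the returned object stays usable in a pipeline.
    if (-not $state.SenseInstalled) {
        Write-Warning "$($state.ComputerName): Sense service not found; the ATP client is not present on this OS build."
    }
    elseif (-not $state.Onboarded) {
        Write-Warning "$($state.ComputerName): Sense is present but OnboardingState is '$($state.OnboardingState)'; no onboarding package has applied."
    }
    elseif ($state.SenseStatus -ne 'Running') {
        Write-Warning "$($state.ComputerName): onboarded, but the Sense service is $($state.SenseStatus); no sensor data flows until it runs."
    }

    return $state
}

# Usage: collect the result, then print it.
$result = Test-MdatpOnboarding
$result | Format-List
```

Run it against the devices the report lists without the sensor. If Onboarded is true on such a device, it was onboarded outside Intune (for example by Group Policy or a script), and assigning the Intune EDR profile to it is what moves it into the Devices with ATP sensor chart; if Onboarded is false or the service is missing, the profile has not applied and the device needs the onboarding deployment before its telemetry can be expected in Microsoft Defender ATP.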

View the settings you can configure for both platforms and profiles.

Next steps