Onboarding using Microsoft Endpoint Manager

Applies to:

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

This article is part of the Deployment guide and acts as an example onboarding method.

In the Planning topic, there were several methods provided to onboard devices to the service. This topic covers the cloud-native architecture.

Image of cloud-native architecture (diagram of environment architectures)

While Defender for Endpoint supports onboarding of various endpoints and tools, this article does not cover them. For information on general onboarding using other supported deployment tools and methods, see Onboarding overview.

Microsoft Endpoint Manager is a solution platform that unifies several services. It includes Microsoft Intune for cloud-based device management.

This topic guides users in:

  • Step 1: Onboarding devices to the service by creating a group in Microsoft Endpoint Manager (MEM) to assign configurations on
  • Step 2: Configuring Defender for Endpoint capabilities using Microsoft Endpoint Manager

This onboarding guidance will walk you through the following basic steps that you need to take when using Microsoft Endpoint Manager:

Resources

Here are the links you'll need for the rest of the process:

For more information about Microsoft Endpoint Manager, check out these resources:

Step 1: Onboard devices by creating a group in MEM to assign configurations on

Identify target devices or users

In this section, we will create a test group to assign your configurations on.

Note

Intune uses Azure Active Directory (Azure AD) groups to manage devices and users. As an Intune admin, you can set up groups to suit your organizational needs.
For more information, see Add groups to organize users and devices.

Create a group

  1. Open the MEM portal.

  2. Open Groups > New Group.

    Image of Microsoft Endpoint Manager portal 1

  3. Enter details and create a new group.

    Image of Microsoft Endpoint Manager portal 2

  4. Add your test user or device.

  5. From the Groups > All groups pane, open your new group.

  6. Select Members > Add members.

  7. Find your test user or device and select it.

    Image of Microsoft Endpoint Manager portal 3

  8. Your testing group now has a member to test.

Step 2: Create configuration policies to configure Microsoft Defender for Endpoint capabilities

In the following section, you'll create a number of configuration policies.

First is a configuration policy to select which groups of users or devices will be onboarded to Defender for Endpoint:

Then you will continue by creating several different types of endpoint security policies:

Endpoint detection and response

  1. Open the MEM portal.

  2. Navigate to Endpoint security > Endpoint detection and response. Click on Create Profile.

    Image of Microsoft Endpoint Manager portal 4

  3. Under Platform, select Windows 10 and Later, Profile - Endpoint detection and response > Create.

  4. Enter a name and description, then select Next.

    Image of Microsoft Endpoint Manager portal 5

  5. Select settings as required, then select Next.

    Image of Microsoft Endpoint Manager portal 6

    Note

    In this instance, this has been auto-populated because Defender for Endpoint has already been integrated with Intune. For more information on the integration, see Enable Microsoft Defender for Endpoint in Intune.

    The following image is an example of what you'll see when Microsoft Defender for Endpoint is NOT integrated with Intune:

    Image of Microsoft Endpoint Manager portal 7

  6. Add scope tags if necessary, then select Next.

    Image of Microsoft Endpoint Manager portal 8

  7. Add the test group by clicking on Select groups to include and choosing your group, then select Next.

    Image of Microsoft Endpoint Manager portal 9

  8. Review and accept, then select Create.

    Image of Microsoft Endpoint Manager portal 10

  9. You can view your completed policy.

    Image of Microsoft Endpoint Manager portal 11

Next-generation protection

  1. Open the MEM portal.

  2. Navigate to Endpoint security > Antivirus > Create Policy.

    Image of Microsoft Endpoint Manager portal 12

  3. Select Platform - Windows 10 and Later - Windows and Profile - Microsoft Defender Antivirus > Create.

  4. Enter a name and description, then select Next.

    Image of Microsoft Endpoint Manager portal 13

  5. In the Configuration settings page: Set the configurations you require for Microsoft Defender Antivirus (Cloud Protection, Exclusions, Real-Time Protection, and Remediation).

    Image of Microsoft Endpoint Manager portal 14

  6. Add scope tags if necessary, then select Next.

    Image of Microsoft Endpoint Manager portal 15

  7. Select groups to include, assign to your test group, then select Next.

    Image of Microsoft Endpoint Manager portal 16

  8. Review and create, then select Create.

    Image of Microsoft Endpoint Manager portal 17

  9. You'll see the configuration policy you created.

    Image of Microsoft Endpoint Manager portal 18

Attack Surface Reduction - Attack surface reduction rules

  1. Open the MEM portal.

  2. Navigate to Endpoint security > Attack surface reduction.

  3. Select Create Policy.

  4. Select Platform - Windows 10 and Later - Profile - Attack surface reduction rules > Create.

    Image of Microsoft Endpoint Manager portal 19

  5. Enter a name and description, then select Next.

    Image of Microsoft Endpoint Manager portal 20

  6. In the Configuration settings page: Set the configurations you require for Attack surface reduction rules, then select Next.

    Note

    We will be configuring all of the Attack surface reduction rules to Audit.

    For more information, see Attack surface reduction rules.

    Image of Microsoft Endpoint Manager portal 21

  7. Add Scope Tags as required, then select Next.

    Image of Microsoft Endpoint Manager portal 22

  8. Select groups to include and assign to the test group, then select Next.

    Image of Microsoft Endpoint Manager portal 23

  9. Review the details, then select Create.

    Image of Microsoft Endpoint Manager portal 24

  10. View the policy.

    Image of Microsoft Endpoint Manager portal 25

Attack Surface Reduction - Web Protection

  1. Open the MEM portal.

  2. Navigate to Endpoint security > Attack surface reduction.

  3. Select Create Policy.

  4. Select Windows 10 and Later - Web protection > Create.

    Image of Microsoft Endpoint Manager portal 26

  5. Enter a name and description, then select Next.

    Image of Microsoft Endpoint Manager portal 27

  6. In the Configuration settings page: Set the configurations you require for Web Protection, then select Next.

    Note

    We are configuring Web Protection to Block.

    For more information, see Web Protection.

    Image of Microsoft Endpoint Manager portal 28

  7. Add Scope Tags as required > Next.

    Image of Microsoft Endpoint Manager portal 29

  8. Select Assign to test group > Next.

    Image of Microsoft Endpoint Manager portal 30

  9. Select Review and Create > Create.

    Image of Microsoft Endpoint Manager portal 31

  10. View the policy.

    Image of Microsoft Endpoint Manager portal 32

Validate configuration settings

Confirm policies have been applied

Once the configuration policy has been assigned, it will take some time to apply.

For information on timing, see Intune configuration information.

To confirm that the configuration policy has been applied to your test device, follow the process below for each configuration policy.

  1. Open the MEM portal and navigate to the relevant policy as shown in the steps above. The following example shows the next-generation protection settings.

  2. Select the configuration policy to view the policy status.

  3. Select Device Status to see the status.

  4. Select User Status to see the status.

  5. Select Per-setting status to see the status.

    Tip

    This view is very useful for identifying any settings that conflict with another policy.

Endpoint detection and response

  1. Before applying the configuration, the Defender for Endpoint Protection service should not be started.

  2. After the configuration has been applied, the Defender for Endpoint Protection service should be started.

  3. After the services are running on the device, the device appears in Microsoft Defender Security Center.

Next-generation protection

  1. Before applying the policy on a test device, you should be able to manually manage the settings as shown below.

    Image of settings page 1

  2. After the policy has been applied, you should not be able to manually manage the settings.

    Note

    In the following image, Turn on cloud-delivered protection and Turn on real-time protection are shown as managed.

    Image of settings page 2

Attack Surface Reduction - Attack surface reduction rules

  1. Before applying the policy on a test device, open a PowerShell window and type Get-MpPreference.

  2. This should respond with the following lines with no content:

    AttackSurfaceReductionOnlyExclusions:

    AttackSurfaceReductionRules_Actions:

    AttackSurfaceReductionRules_Ids:

    Image of command line 1

  3. After applying the policy on a test device, open a PowerShell window and type Get-MpPreference.

  4. This should respond with the same lines, now with content as shown below:

    Image of command line 2

Attack Surface Reduction - Web Protection

  1. On the test device, open a PowerShell window and type (Get-MpPreference).EnableNetworkProtection.

  2. This should respond with a 0 as shown below.

    Image of command line 3

  3. After applying the policy, open a PowerShell window and type (Get-MpPreference).EnableNetworkProtection.

  4. This should respond with a 1 as shown below.

    Image of command line 4
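The manual Get-MpPreference checks in the validation sections above can be run as one script on the test device. This is an added example, not part of the original article; it assumes the values this guide configures (ASR rules in Audit, Web Protection set to Block so EnableNetworkProtection is 1) and that the Defender for Endpoint sensor runs as the Windows service named Sense, which the article does not name.

```powershell
# Added validation script (not from the original article). Run in an elevated
# PowerShell window on the test device before and after the policies apply.
$pref = Get-MpPreference

# 1. Endpoint detection and response: the sensor service (assumed to be the
#    "Sense" service) should be running only after the EDR policy has applied.
$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
if ($null -eq $sense) {
    Write-Output "EDR: Sense service not found (device not onboarded yet)"
} else {
    Write-Output ("EDR: Sense service status = {0}" -f $sense.Status)
}

# 2. Next-generation protection: after the antivirus policy these settings are
#    managed by Intune and should reflect the values set in the policy.
Write-Output ("AV: cloud-delivered protection (MAPSReporting) = {0}" -f $pref.MAPSReporting)
Write-Output ("AV: real-time protection enabled = {0}" -f (-not $pref.DisableRealtimeMonitoring))

# 3. Attack surface reduction rules: both arrays are empty before the policy;
#    afterwards every rule ID should carry action 2 (Audit), as this guide sets.
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)
if ($ids.Count -eq 0) {
    Write-Output "ASR: no rules configured (policy not applied yet)"
} else {
    $actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $name = $actionName[[int]$actions[$i]]
        $flag = if ([int]$actions[$i] -eq 2) { 'OK' } else { 'UNEXPECTED' }
        Write-Output ("ASR: {0} -> {1} [{2}]" -f $ids[$i], $name, $flag)
    }
}

# 4. Web protection: 0 before the policy, 1 (Block) after it; 2 would mean Audit.
$np = [int]$pref.EnableNetworkProtection
$npState = switch ($np) {
    0       { 'Disabled' }
    1       { 'Enabled (Block)' }
    2       { 'Audit' }
    default { "Unknown ($np)" }
}
Write-Output ("Web protection: EnableNetworkProtection = {0} ({1})" -f $np, $npState)
```

Any ASR rule reported as UNEXPECTED or a network protection value other than 1 after the policies have applied points to a conflicting policy, which the Per-setting status view in MEM will identify.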