Getting started with Security Management for Microsoft Defender for Endpoint

This week is all about Security Management for Microsoft Defender for Endpoint. Security Management for Microsoft Defender for Endpoint is the new configuration channel that can be used for managing the security configuration of Microsoft Defender for Endpoint (MDE) on devices that are not enrolled into Microsoft Endpoint Manager (MEM), neither in Microsoft Intune nor in Configuration Manager. With that new configuration channel, MDE retrieves, enforces, and reports on the policies that are assigned via MEM. After onboarding to MDE, the devices are automatically joined to Azure AD and become visible in MEM (and in Azure AD and Microsoft 365 Defender). Within MEM those devices are marked as managed by MDE.

This post will go through the steps to configure the required tenant configurations, the steps to enroll and group devices and the steps to assign security configurations. That means that the following will be addressed.

Important: At the moment of writing Security Management for Microsoft Defender for Endpoint is still in preview.

Configuring the tenant for Security Management with Microsoft Defender for Endpoint

The first step is to configure the tenant to support the Security Management for Microsoft Defender for Endpoint configuration channel. That configuration channel will make sure that security settings management in MEM can be enforced by MDE. To enable that configuration channel, the following two configurations are required to enable the integration between MEM and MDE.

Configuration 1: Enable security setting management in Microsoft 365 Defender

The first configuration that is required for this integration is to enable security setting management in Microsoft 365 Defender. That configuration can be achieved by following the two steps below.

  1. Open the Microsoft 365 Defender portal and navigate to Settings > Endpoints > Enforcement scope
  2. On the Enable security setting management page (as shown in Figure 1), navigate to OS platform, switch the slider with Windows Client devices and Windows Server devices to On and click Save to enable security settings management for Windows client and server devices

Note: This step assumes that the Microsoft Intune connection was already enabled for compliance information.

Configuration 2: Allow Microsoft Defender for Endpoint to enforce Endpoint Security Configurations in Microsoft Endpoint Manager admin center

The second configuration that is required for this integration is to allow MDE to enforce endpoint security configurations in MEM. That configuration can be achieved by following the two steps below.

  1. Open the Microsoft Endpoint Manager admin center portal and navigate to Endpoint security > Microsoft Defender for Endpoint
  2. On the Endpoint security | Microsoft Defender for Endpoint blade (as shown in Figure 2), navigate to the setting Allow Microsoft Defender for Endpoint to enforce Endpoint Security Configurations and switch the slider to On to enable devices to qualify to onboard to MDE

Onboarding devices in Microsoft Defender for Endpoint

The second step is to onboard Windows devices in MDE. There are different options for onboarding Windows devices in MDE, but not all methods might fit the current purpose. Pick the best option. The following two steps walk through the process of selecting the onboarding process and the deployment method. After going through those steps, use the deployment package to actually onboard devices in MDE.

  1. Open the Microsoft 365 Defender portal and navigate to Settings > Endpoints > Onboarding
  2. On the Onboarding page (as shown in Figure 3), select the required operating system with Select operating system to start onboarding process, select the used deployment method with Deployment method and click Download onboarding package to download the package that can be used for onboarding Windows devices by using the preferred deployment method

Note: For this example, the local script deployment was used to onboard a Windows 10 device.

Tagging devices for Security Management for Microsoft Defender for Endpoint (required during preview)

The third step is to tag devices that are onboarded in MDE with the MDE-Management tag. That tag is required during the preview and makes sure that devices are enrolled in the Security Management for Microsoft Defender for Endpoint configuration channel. That also makes sure that devices are automatically joined to Azure AD. Those device objects can be used for grouping and targeting. The following three steps walk through adding the required machine tag to the devices.

  1. Open the Microsoft 365 Defender portal and navigate to Device inventory
  2. On the Device inventory page, select the onboarded device and click Manage tags
  3. On the Manage machine tags page (as shown in Figure 4), specify MDE-Management as tag and click Save
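
The same tagging step can be automated through the Defender for Endpoint API. The script below is an added example and not part of the original post; it assumes an Azure AD app registration with the Machine.ReadWrite.All application permission, and the tenant id, app id, secret and device name are placeholders.

```powershell
# Added example, not from the original post: add the MDE-Management machine tag
# through the Defender for Endpoint API instead of the portal.
# Assumptions: an Azure AD app registration with the Machine.ReadWrite.All
# application permission; tenant id, app id, secret and device name are placeholders.
$TenantId  = '<tenant-id>'
$AppId     = '<app-id>'
$AppSecret = '<app-secret>'      # keep this in a vault, not in the script
$ApiBase   = 'https://api.securitycenter.microsoft.com'

# Client credentials flow against the Defender for Endpoint API resource
$tokenBody = @{
    client_id     = $AppId
    client_secret = $AppSecret
    scope         = "$ApiBase/.default"
    grant_type    = 'client_credentials'
}
$token = (Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -Body $tokenBody).access_token
$headers = @{ Authorization = "Bearer $token"; 'Content-Type' = 'application/json' }

# Find the onboarded machine by its computer DNS name (placeholder value)
$deviceName = 'client01.contoso.local'
$uri = "$ApiBase/api/machines?`$filter=computerDnsName eq '$deviceName'"
$machines = (Invoke-RestMethod -Method Get -Headers $headers -Uri $uri).value

foreach ($m in $machines) {
    # Idempotent: skip machines that already carry the tag
    if ($m.machineTags -contains 'MDE-Management') {
        Write-Host "$($m.computerDnsName) is already tagged"
        continue
    }
    $body = @{ Value = 'MDE-Management'; Action = 'Add' } | ConvertTo-Json
    Invoke-RestMethod -Method Post -Headers $headers `
        -Uri "$ApiBase/api/machines/$($m.id)/tags" -Body $body | Out-Null
    Write-Host "Added the MDE-Management tag to $($m.computerDnsName)"
}
```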

Grouping devices based on Security Management for Microsoft Defender for Endpoint

The fourth step is to group devices based on the Security Management for Microsoft Defender for Endpoint configuration channel. That group can be used for assigning endpoint security policies to the required devices. The following four steps walk through the creation of such a group, by highlighting the main setting that is required for filtering the required devices.

  1. Open the Microsoft Endpoint Manager admin center portal and navigate to Groups
  2. On the Groups | All groups page, click New group
  3. On the New group page, specify the basic information, select Dynamic device as Membership type and click Add dynamic query with Dynamic device members
  4. On the Dynamic membership rules page (as shown in Figure 5), specify (device.managementType -eq "MicrosoftSense") with the Rule syntax and click Save

Note: Querying for MicrosoftSense as the managementType makes sure that only the devices that are configured via the Security Management for Microsoft Defender for Endpoint configuration channel are selected.
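The dynamic group above can also be created with the Microsoft Graph PowerShell SDK, and the device properties it relies on (managementType, and the join type discussed further down) can be checked before the rule is evaluated. This is an added example, not code from the original post; the group name and mail nickname are placeholders.

```powershell
# Added example, not from the original post: create the dynamic Azure AD group
# from the post with the Microsoft Graph PowerShell SDK, then show which device
# objects its rule matches today. Group name and mail nickname are placeholders.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Device.Read.All'

# Same rule syntax as entered in the portal
$rule = '(device.managementType -eq "MicrosoftSense")'

$group = New-MgGroup -DisplayName 'MDE managed devices' `
    -Description 'Devices configured via Security Management for MDE' `
    -MailEnabled:$false -MailNickname 'mde-managed-devices' -SecurityEnabled `
    -GroupTypes @('DynamicMembership') `
    -MembershipRule $rule -MembershipRuleProcessingState 'On'
Write-Host "Created group $($group.DisplayName) ($($group.Id))"

# Azure AD evaluates the rule asynchronously, so preview the expected members
# client-side: managementType is what the rule tests, and trustType 'AzureAd'
# corresponds to the Azure AD joined join type shown in the MEM admin center.
Get-MgDevice -All -Property Id, DisplayName, ManagementType, TrustType |
    Where-Object { $_.ManagementType -eq 'MicrosoftSense' } |
    Select-Object DisplayName, ManagementType, TrustType |
    Format-Table -AutoSize
```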

Assigning policies for Security Management for Microsoft Defender for Endpoint

The fifth and last step is to create and assign endpoint security policies to devices via the Security Management for Microsoft Defender for Endpoint configuration channel. At this moment the Antivirus, Firewall, Firewall Rules and Endpoint Detection and Response endpoint security policies are available via this channel. The following six steps walk through the creation of such an endpoint security policy, by only highlighting the main settings that are required for this channel.

  1. Open the Microsoft Endpoint Manager admin center portal, navigate to Endpoint security and select one of the endpoint security policy types that are available for the Security Management for Microsoft Defender for Endpoint channel (Antivirus, Firewall, Firewall Rules or Endpoint Detection and Response)
  2. On the Create a profile page (as shown in Figure 6), select Windows 10, Windows 11 and Windows Server as Platform, select the Profile and click Create
  3. On the Basics page, provide a Name and Description for the policy and click Next
  4. On the Configuration settings page, configure the settings to manage with the policy and click Next
  5. On the Assignments page, add the just created group that contains the required devices and click Next
  6. On the Review + create page, review the configuration and click Create

Important: Assignment filters are not supported for policies that are used for the Security Management for Microsoft Defender for Endpoint configuration channel and the assignments are only applicable to device objects.

Note: These policies will also apply to devices that are managed via Microsoft Intune.

Experiencing Security Management for Microsoft Defender for Endpoint

There are multiple ways to experience Security Management for Microsoft Defender for Endpoint. The biggest changes, however, are shown in the MEM admin center portal. That portal provides status information about the different assigned endpoint security policies, but – even more interesting – it also provides very clear information about the management status of the devices. Below, in Figure 7, a device is shown that’s managed via Security Management for Microsoft Defender for Endpoint. A few interesting properties are highlighted, being MDE as Managed by (1), no compliance information (2) and Azure AD joined as Join Type (3). Especially the first and the last property, the combination of the management channel and the join type, are specific to Security Management for Microsoft Defender for Endpoint.

Note: The information shown above is about a personal Windows 10 device that is managed via Security Management for Microsoft Defender for Endpoint.

More information

For more information about Security Management for Microsoft Defender for Endpoint, refer to the following docs.

4 thoughts on “Getting started with Security Management for Microsoft Defender for Endpoint”

  1. One little tidbit I grabbed from the CAT team for Defender for Endpoint that’s in your screenshot:
    Don’t use the local script deployment – there are some performance impacts to the Defender for Antivirus services over if you deploy with Endpoint Manager or Intune
