Getting started with Security Management for Microsoft Defender for Endpoint

This week is all about Security Management for Microsoft Defender for Endpoint. Security Management for Microsoft Defender for Endpoint is a new configuration channel for managing the security configuration of Microsoft Defender for Endpoint (MDE) on devices that are not enrolled in Microsoft Endpoint Manager (MEM): neither in Microsoft Intune, nor in Configuration Manager. With that configuration channel, MDE itself retrieves, enforces, and reports on the endpoint security policies that are assigned via MEM. After onboarding to MDE, the devices are automatically joined to Azure AD and become visible in MEM (and in Azure AD and Microsoft 365 Defender). Within MEM those devices are marked as managed by MDE.

This post goes through the steps to configure the required tenant settings, the steps to onboard, tag and group devices, and the steps to assign security configurations, followed by a look at how such a device shows up in MEM.

Important: At the moment of writing Security Management for Microsoft Defender for Endpoint is still in preview.

Configuring the tenant for Security Management with Microsoft Defender for Endpoint

The first step is to configure the tenant to support the Security Management for Microsoft Defender for Endpoint configuration channel. That configuration channel makes sure that security settings managed in MEM can be enforced by MDE. To enable that channel, the following two configurations are required, one on the Microsoft 365 Defender side and one on the MEM side, to enable the integration between MEM and MDE.

Configuration 1: Enable security setting management in Microsoft 365 Defender

The first configuration that is required for this integration is to enable security setting management in Microsoft 365 Defender. That configuration can be achieved by following the two steps below.

  1. Open the Microsoft 365 Defender portal and navigate to Settings > Endpoints > Enforcement scope
  2. On the Enable security setting management page (as shown in Figure 1), navigate to OS platform, switch the sliders for Windows Client devices and Windows Server devices to On and click Save to enable security settings management for Windows client and server devices

Note: This step assumes that the Microsoft Intune connection was already enabled for compliance information.

Configuration 2: Allow Microsoft Defender for Endpoint to enforce Endpoint Security Configurations in Microsoft Endpoint Manager admin center

The second configuration that is required for this integration is to allow MDE to enforce endpoint security configurations in MEM. That configuration can be achieved by following the two steps below.

  1. Open the Microsoft Endpoint Manager admin center portal and navigate to Endpoint security > Microsoft Defender for Endpoint
  2. On the Endpoint security | Microsoft Defender for Endpoint blade (as shown in Figure 2), navigate to the setting Allow Microsoft Defender for Endpoint to enforce Endpoint Security Configurations and switch the slider to On to enable devices to qualify to onboard to MDE

Onboarding devices in Microsoft Defender for Endpoint

The second step is to onboard Windows devices in MDE. There are different options for onboarding Windows devices in MDE, but not all methods fit the current purpose (devices that are not enrolled in MEM), so pick the option that matches the environment. The following two steps walk through selecting the onboarding process and the deployment method. After going through those steps, use the downloaded package to actually onboard devices in MDE.

  1. Open the Microsoft 365 Defender portal and navigate to Settings > Endpoints > Onboarding
  2. On the Onboarding page (as shown in Figure 3), select the required operating system with Select operating system to start onboarding process, select the deployment method with Deployment method and click Download onboarding package to download the package that can be used for onboarding Windows devices with the preferred deployment method

Note: For this example, the local script deployment was used to onboard a Windows 10 device.

Tagging devices for Security Management for Microsoft Defender for Endpoint (required during preview)

The third step is to tag devices that are onboarded in MDE with the MDE-Management tag. That tag is required during the preview and makes sure that devices are enrolled in the Security Management for Microsoft Defender for Endpoint configuration channel. That also makes sure that devices are automatically joined to Azure AD, and those Azure AD device objects can then be used for grouping and targeting. The following three steps walk through adding the required machine tag to the devices.

  1. Open the Microsoft 365 Defender portal and navigate to Device inventory
  2. On the Device inventory page, select the onboarded device and click Manage tags
  3. On the Manage machine tags page (as shown in Figure 4), specify MDE-Management as tag and click Save
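Tagging devices one by one in the portal does not scale beyond a handful of devices. The following PowerShell script, added here as an example and not part of the original post, applies the MDE-Management tag through the Microsoft Defender for Endpoint API to every onboarded device whose name matches a pattern. It assumes an Azure AD app registration with the Machine.ReadWrite.All application permission on the WindowsDefenderATP API (with admin consent granted); the tenant ID, client ID, client secret and the SRV-* name pattern are placeholders.

```powershell
# Added example (not from the original post): bulk-apply the MDE-Management tag
# through the Defender for Endpoint API instead of clicking per device.
# Assumes an Azure AD app registration with the application permission
# Machine.ReadWrite.All on the WindowsDefenderATP API; the IDs, secret and the
# name pattern below are placeholders.
$TenantId     = '<tenant-id>'
$ClientId     = '<app-client-id>'
$ClientSecret = '<app-client-secret>'
$Tag          = 'MDE-Management'
$NamePattern  = 'SRV-*'   # which onboarded devices to enroll (assumption)

# Client-credentials token for the Defender for Endpoint API resource
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://api.securitycenter.microsoft.com/.default'
    }
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }

# Only devices that completed onboarding can be enrolled in the channel
$uri = "https://api.securitycenter.microsoft.com/api/machines?`$filter=onboardingStatus eq 'Onboarded'"
$machines = (Invoke-RestMethod -Method Get -Headers $headers -Uri $uri).value

$targets = $machines | Where-Object { $_.computerDnsName -like $NamePattern }

foreach ($m in $targets) {
    # machineTags lists the tags already set; skip devices that are done
    if ($m.machineTags -contains $Tag) {
        Write-Host "$($m.computerDnsName): already tagged"
        continue
    }
    $body = @{ Value = $Tag; Action = 'Add' } | ConvertTo-Json
    Invoke-RestMethod -Method Post -Headers $headers -ContentType 'application/json' `
        -Uri "https://api.securitycenter.microsoft.com/api/machines/$($m.id)/tags" `
        -Body $body | Out-Null
    Write-Host "$($m.computerDnsName): tagged with $Tag"
}
```

If the app lacks the permission the tag call fails with a 403, so check the API permissions and admin consent before suspecting the tag value. In practice keep the client secret out of the script (Key Vault or a managed identity) and restrict the name pattern so that devices already managed through MEM are not tagged by accident.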

Grouping devices based on Security Management for Microsoft Defender for Endpoint

The fourth step is to group devices based on the Security Management for Microsoft Defender for Endpoint configuration channel. That group can be used for assigning endpoint security policies to the required devices. The following four steps walk through the creation of such a group, by highlighting the main setting that is required for filtering the required devices.

  1. Open the Microsoft Endpoint Manager admin center portal and navigate to Groups
  2. On the Groups | All groups page, click New group
  3. On the New group page, specify the basic information, select Dynamic device as Membership type and click Add dynamic query with Dynamic device members
  4. On the Dynamic membership rules page (as shown in Figure 5), specify (device.managementType -eq "MicrosoftSense") with the Rule syntax and click Save

Note: Querying for MicrosoftSense as the managementType makes sure that only the devices that are configured via the Security Management for Microsoft Defender for Endpoint configuration channel are selected; devices that are MDM-enrolled in Intune carry a different managementType and stay out of the group.
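The same group can be created with the Microsoft Graph PowerShell SDK, which is useful when the rule should live in source control rather than be typed into a blade. The script below is an added example, not code from the original post; it assumes the Microsoft.Graph module is installed, that the signed-in account holds Group.ReadWrite.All and Device.Read.All, and that the tenant has the Azure AD Premium P1 licence that dynamic groups require. The group name and mail nickname are arbitrary.

```powershell
# Added example (not from the original post): create the dynamic Azure AD device
# group for the Security Management channel with Microsoft Graph PowerShell and
# confirm which devices the rule should pick up. Requires the Microsoft.Graph
# module, Group.ReadWrite.All + Device.Read.All, and Azure AD Premium P1.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Device.Read.All'

# Same rule as in the portal: only devices managed through the MDE channel
$Rule = '(device.managementType -eq "MicrosoftSense")'

$group = New-MgGroup -DisplayName 'MDE-Managed Devices' `
    -MailNickname 'mde-managed-devices' `
    -MailEnabled:$false -SecurityEnabled `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule $Rule `
    -MembershipRuleProcessingState 'On'

Write-Host "Created group $($group.Id) with rule: $Rule"

# Dynamic membership is evaluated asynchronously, so compare what the rule
# should match (client-side filter on managementType) with the current members.
$expected = Get-MgDevice -All -Property 'id,displayName,managementType,trustType' |
    Where-Object { $_.ManagementType -eq 'MicrosoftSense' }

$members = Get-MgGroupMember -GroupId $group.Id -All

$expected | ForEach-Object {
    [pscustomobject]@{
        Device     = $_.DisplayName
        JoinType   = $_.TrustType          # 'AzureAd' for objects created by MDE
        InGroupYet = ($members.Id -contains $_.Id)
    }
} | Format-Table -AutoSize
```

InGroupYet can stay False for a few minutes after creation while Azure AD processes the rule; the client-side comparison on managementType is what shows the rule is correct before the membership settles. If the expected list is empty, the devices have not yet been tagged and enrolled in the channel, and no group rule will fix that.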

Assigning policies for Security Management for Microsoft Defender for Endpoint

The fifth and last step is to create and assign endpoint security policies to devices via the Security Management for Microsoft Defender for Endpoint configuration channel. At this moment the Antivirus, Firewall, Firewall Rules and Endpoint Detection and Response endpoint security policies are available via this channel. The following six steps walk through the creation of such an endpoint security policy, by only highlighting the main settings that are required for this channel.

  1. Open the Microsoft Endpoint Manager admin center portal, navigate to Endpoint security and select one of the endpoint security policy types that are available for the Security Management for Microsoft Defender for Endpoint channel
  2. On the Create a profile page (as shown in Figure 6), select Windows 10, Windows 11 and Windows Server as Platform, select the Profile and click Create
  3. On the Basics page, provide a Name and Description for the policy and click Next
  4. On the Configuration settings page, configure the settings to manage with the policy and click Next
  5. On the Assignments page, add the just created group that contains the required devices and click Next
  6. On the Review + create page, review the configuration and click Create

Important: Assignment filters are not supported for policies that are used for the Security Management for Microsoft Defender for Endpoint configuration channel and the assignments are only applicable to device objects.

Note: These policies will also apply to devices that are managed via Microsoft Intune.

Experiencing Security Management for Microsoft Defender for Endpoint

There are multiple ways to experience Security Management for Microsoft Defender for Endpoint. The biggest changes, however, are shown in the MEM admin center portal. That portal provides status information about the different assigned endpoint security policies, but – even more interesting – it also provides very clear information about the management status of the devices. Below, in Figure 7, a device is shown that is managed via Security Management for Microsoft Defender for Endpoint. A few interesting properties are highlighted, being MDE as Managed by (1), no compliance information (2), because the device is not MDM-enrolled and therefore not compliance-evaluated, and Azure AD joined as Join Type (3). The combination of the first and the last property, MDE as the management channel together with an Azure AD joined device object, is specific to Security Management for Microsoft Defender for Endpoint.

Note: The information shown above is about a personal Windows 10 device that is managed via Security Management for Microsoft Defender for Endpoint.
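To verify from the device side what the onboarding step and the device properties in MEM should produce, the following PowerShell script, added here as an example rather than taken from the original post, checks the Sense onboarding state, the Azure AD join state and the Security Management enrollment state on a Windows device. The registry locations follow Microsoft's MDE troubleshooting guidance; the meaning of SenseCM EnrollmentStatus values other than 1 is an assumption. Run it in an elevated session.

```powershell
# Added example (not from the original post): run on the device to check, in
# order, that the Sense agent is onboarded, that the device is Azure AD joined
# and that enrollment in the Security Management channel (SenseCM) completed.
# Registry paths follow Microsoft's MDE troubleshooting guidance; status codes
# other than EnrollmentStatus 1 are an assumption. Run as administrator.

$result = [ordered]@{}

# 1. Sense service and onboarding state written by the onboarding package
$sense = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
$result.SenseService = if ($sense) { $sense.Status } else { 'Not installed' }

$status = Get-ItemProperty -ErrorAction SilentlyContinue `
    -Path 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$result.Onboarded = ($status.OnboardingState -eq 1)
$result.OrgId     = $status.OrgId   # must match the tenant the package came from

# 2. Join type: dsregcmd is the authoritative source for Azure AD join state.
#    An MDE-joined device shows AzureAdJoined YES; hybrid devices show both YES.
$dsreg = dsregcmd /status
$result.AzureAdJoined = [bool]($dsreg -match 'AzureAdJoined\s*:\s*YES')
$result.DomainJoined  = [bool]($dsreg -match 'DomainJoined\s*:\s*YES')

# 3. Security Management channel enrollment state
$cm = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\SenseCM' -ErrorAction SilentlyContinue
$result.SenseCMEnrollmentStatus = $cm.EnrollmentStatus   # 1 = enrolled (other codes: assumption)

[pscustomobject]$result | Format-List

if (-not $result.Onboarded) {
    Write-Warning 'Device is not onboarded; the onboarding package did not apply.'
}
elseif (-not $result.AzureAdJoined) {
    Write-Warning 'Onboarded but not Azure AD joined yet; check the MDE-Management tag and the Enforcement scope setting.'
}
elseif ($result.SenseCMEnrollmentStatus -ne 1) {
    Write-Warning 'Azure AD joined but SenseCM enrollment not reported as complete; policies will not apply until it is.'
}
```

The three checks map onto the three places where this setup usually stalls: a package that never ran, a device that was onboarded before the tag and enforcement scope were in place, and an enrollment that is still pending. A device that passes all three and still shows no policy status in MEM is normally a group-membership or assignment problem rather than a device problem.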

More information

For more information about Security Management for Microsoft Defender for Endpoint, refer to the following docs.

32 thoughts on “Getting started with Security Management for Microsoft Defender for Endpoint”

  1. One little tidbit I grabbed from the CAT team for Defender for Endpoint that it's in your screenshot:
    Don't use the local script deployment – there are some performance impacts to the Defender Antivirus services compared to deploying with Endpoint Manager or Intune
  2. Have you tested the scenario of onboarding Server 2012 R2 to Defender for Endpoint using Azure AD Hybrid Join. Did you manage to sync Server 2012 R2 computer objects to Azure AD?
  3. Can you only enforce settings from the “Antivirus” tab? Or can you also configure settings from Firewall, Attack Surface Reduction etc?
    We followed your guide, Antivirus settings are pushed correctly, but Attack Surface Reduction rules are still on pending.
  4. Peter, I'm confused. This article mentions ASR should be possible https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/security-config-management?view=o365-worldwide#which-solution-should-i-use

    Do you know a link to what's not supported with the new MEM method?
    Furthermore, can you 'combine' the MEM method with MDE GPOs? So if a policy is not possible via MEM, can you configure it via GPO?
    What method is preferred today when starting to implement MDE?
  5. Peter, the penny drops, thanks… I was under the assumption that the MEM column was the new security management method, but it's the MDE Security column, I understand now from your comment. It's a bit confusing because you deploy the policy via MEM (console).
    So would this mean that we deploy Defender policies via the new MDE Security and, for example, ASR policies via GPO?

    Thanks for your reply 🙂
  6. Hi, one question please,
    device enrolled in Intune with Company Portal and Azure AD registered

    Company Portal shows me this warning "Enroll your device in Microsoft Defender for Endpoint" but I can see the device in the MDE dashboard in onboarded state

    Why? Isn't an Azure AD registered device compatible?
  7. Hi, Peter, we would like to join our vCenter servers but only want Defender Antivirus to protect our servers and no other configs or policies. This seems to be the best option. When I turn on "Use MDE to enforce security configuration settings from MEM" my concern is how this will affect devices we've already added to Endpoint management. It seems they would not be affected, am I correct? Also, when it says they will be AD joined, our servers are already joined to our local AD, so how will they be affected? I'm new to managing devices and have been tasked with this project.
  8. Hi Peter
    Thanks for the article. How can I enforce the compliance check with Intune? When I open the Settings app –> Work Account, I can see that the machine is registered with Azure AD but I can't find a way to sync, as there is no account because it was joined automatically by MDE.
  9. Hello Peter,

    Do you have more information about "Allow Microsoft Defender for Endpoint to enforce Endpoint Security Configurations"?
    What exactly is it?
    Why exactly is it needed? We have onboarded devices using the Configuration profile from the MS Docs PDF file and it works fine.
      • Hello Peter,

        Thanks for the info! Recently MS Support told us we should enable this as a very required parameter for the security.microsoft.com portal, while the procedure to onboard managed devices by MDM does not explain this step, and even MS Support cannot explain what exactly will happen if this setting is enabled, like what is "enforced" as they say in the enabling menu 🙂
        • Hi Oscar,
          That setting is only useful when you’re using MEM for creating the configuration profiles and not relying on MDM. In that case MDE will be making sure that the configuration will be applied.
          Regards, Peter
  10. Policies in MEM/MS Intune don't reflect on assigned endpoints. Please help. The endpoints are now managed by 'MEM', not 'MDE' yet, as per the device information. Did all the above configurations. I used the MS Intune deployment. The endpoint is also now enrolled into MS Intune.
      • On MEM, Devices> Configuration profiles> Created policy> Config settings below:
        Configuration settings:
        Microsoft Defender for Endpoint Microsoft Defender for Endpoint client configuration package type: Onboard
        Onboard Configuration Package: WindowsDefenderATP.onboarding
        Sample sharing for all files: Not configured
        Expedite telemetry reporting frequency: Enable

        Note:
        – I believe the MS Intune connection is working. (Just that the environment is a Hybrid Azure AD join for our laptops)
        – ASR – Device control policy (with USB Storage blocking) reflected already, as it changed from USB being detected; when I applied this policy and tested for an hour, my USB flash drive is not opening anymore.

        I'm guessing a possible cause for this is that the clients are Hybrid Azure AD joined, meaning they got most of the settings from the on-prem AD GPO policy. Any MS Intune endpoint security settings that are not in the on-prem AD GPO will be working.

        Now I am looking at why the other policies, such as the Firewall (domain, private, public), are enabled in the MS Intune security policy but on the assigned test clients are still OFF. Do you have any thoughts on this?

        Thank you very much.
  11. Hello,
    What if I want to create different Defender policies for different types of servers (for example a policy for DC servers, another for Exchange servers, a third for SCCM, etc.). Will I be able to do this?
    Thank you