Onboarding devices to Microsoft Defender for Endpoint with Intune


Introduction

Defender for Endpoint (formerly Defender ATP) is Microsoft's enterprise-grade endpoint protection solution, providing prevention, detection, investigation and response for advanced threats. I regularly work with customers who already use Defender antivirus and want to dip their toes into the enhanced capabilities of Defender for Endpoint (MDE).

What are the steps to onboard a device already being managed by Microsoft Endpoint Manager?

Prerequisites

Firstly, obtain licensing. I recommend Microsoft Defender for Endpoint Plan 2.

Identify a Windows device or several devices for the test. These need to be active devices in MEM.

Create an Azure AD security group containing the devices/users in scope for the test.

Browse to the Microsoft 365 Defender portal. If Defender hasn't previously been enabled, click through the 'first run' options to choose region, data retention and so on.

Then enable “Microsoft Intune Connection” under Settings -> Endpoints -> Advanced features. This connection may take up to 24 hours to establish.


Configuration

Now we’re ready to target a configuration profile to onboard a device with MDE.

To create the configuration profile within the MEM admin center, browse to Endpoint security -> Endpoint detection and response and create a new policy.

The onboarding blob is automatically created by the connection between MEM and MDE, so no further configuration is required in the profile here.


Once the profile is created, assign it to the security group containing the users/devices in scope for the test.

If all has gone well, the device will appear in the “Devices” section of the Microsoft 365 Defender page.

Testing

Once the device has received the configuration profile and sent telemetry to MDE, you'll begin to see data in the Microsoft 365 Defender portal.

To test the connection with MDE, we can trigger a test alert by running the command line shown in the Onboarding section of Settings -> Endpoints.
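Before running the detection test, it is worth confirming locally that the device actually completed onboarding. The script below is an added example, not from the original post: it checks the Sense service, the MDE onboarding status registry key, the Defender antivirus running mode, and the most recent entries in the SENSE operational event log. Run it in an elevated PowerShell session on the test device; the registry path and property names (OnboardingState, OrgId) are the ones Microsoft documents for the MDE client.

```powershell
# Added example: local checks that a Windows device completed MDE onboarding.
# Run elevated on the test device. Not code from the original post.

function Test-MdeOnboarding {
    $result = [ordered]@{}

    # 1. The Sense service (Windows Defender Advanced Threat Protection Service)
    #    is installed with Windows and must be running once onboarded.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $result.SenseServiceStatus = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }

    # 2. OnboardingState = 1 under the MDE status key means the onboarding
    #    blob delivered by Intune was applied; OrgId is the tenant it reports to.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $status = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
    $result.OnboardingState = if ($status) { $status.OnboardingState } else { $null }
    $result.OrgId           = if ($status) { $status.OrgId }           else { $null }

    # 3. Defender AV should be in Normal (active) mode with real-time protection on.
    #    'Passive' means another AV product is primary, so fewer signals reach MDE.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $result.AMRunningMode       = if ($mp) { $mp.AMRunningMode }              else { $null }
    $result.RealTimeProtection  = if ($mp) { $mp.RealTimeProtectionEnabled }  else { $null }

    # 4. Recent SENSE operational events show whether the sensor is talking to the cloud.
    $events = Get-WinEvent -LogName 'Microsoft-Windows-SENSE/Operational' -MaxEvents 5 -ErrorAction SilentlyContinue
    $result.RecentSenseEvents = if ($events) {
        ($events | ForEach-Object { "$($_.TimeCreated.ToString('s')) id=$($_.Id)" }) -join '; '
    } else { 'none' }

    # Overall verdict: service running and onboarding state set.
    $result.Onboarded = ($result.SenseServiceStatus -eq 'Running' -and $result.OnboardingState -eq 1)
    return [pscustomobject]$result
}

Test-MdeOnboarding | Format-List
```

If Onboarded is False, check the Intune device configuration report for the EDR policy first; the Sense service will not start reporting until the onboarding blob has been applied.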


Another way to verify that MDE is working is to disable automated patching on the test device (exclude it from the Windows Update rings). The device will eventually fall behind in patch level, and further data about known vulnerabilities will appear in Microsoft 365 Defender.



Conclusion

Hopefully this post has provided some quick steps to onboard a test device or devices into Microsoft Defender for Endpoint ready for demonstration of further features.

I will be publishing more posts which demonstrate some of the excellent features MDE has to offer.



About Me

Senior Consultant at CDW UK specialising in Microsoft workspace and cloud technologies.