mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-17 07:47:22 +00:00
update content
This commit is contained in:
parent
48884ec1f4
commit
fe412a0163
@ -26,9 +26,9 @@ ms.topic: article
|
|||||||
In this section we will be using Microsoft Endpoint Manager (MEM) to deploy
|
In this section we will be using Microsoft Endpoint Manager (MEM) to deploy
|
||||||
Microsoft Defender ATP to your endpoints.
|
Microsoft Defender ATP to your endpoints.
|
||||||
|
|
||||||
For more information about MEM, see:
|
For more information about MEM, check out the following:
|
||||||
- [Microsoft Entpoint Manager page](https://docs.microsoft.com/en-us/mem/)
|
- [Microsoft Entpoint Manager page](https://docs.microsoft.com/en-us/mem/)
|
||||||
- The [blog post on convergence of Intune and ConfigMgr](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/)
|
- [Blog post on convergence of Intune and ConfigMgr](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/)
|
||||||
- [Introduction video on MEM](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace)
|
- [Introduction video on MEM](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace)
|
||||||
|
|
||||||
|
|
||||||
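Review bot: the link text "Microsoft Entpoint Manager page" is still misspelled on the new side of the first bullet (should be "Microsoft Endpoint Manager page"), and the "Introduction video on MEM" item points at exactly the same blog-post URL as the preceding "Blog post on convergence of Intune and ConfigMgr" item, so either the video URL is wrong or one of the two entries is redundant. Suggest fixing the typo and either supplying the video's own URL or dropping the duplicate bullet.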
@ -42,8 +42,8 @@ This process is a multi-step process, you'll need to:
|
|||||||
|
|
||||||
- In MEM we'll guide you in creating a separate policy for each feature
|
- In MEM we'll guide you in creating a separate policy for each feature
|
||||||
|
|
||||||
Resources
|
## Resources
|
||||||
---------
|
|
||||||
|
|
||||||
Here are the links you'll need for the rest of the process:
|
Here are the links you'll need for the rest of the process:
|
||||||
|
|
||||||
@ -53,8 +53,8 @@ Here are the links you'll need for the rest of the process:
|
|||||||
|
|
||||||
- [Intune Security baselines](https://docs.microsoft.com/en-us/mem/intune/protect/security-baseline-settings-defender-atp#microsoft-defender)
|
- [Intune Security baselines](https://docs.microsoft.com/en-us/mem/intune/protect/security-baseline-settings-defender-atp#microsoft-defender)
|
||||||
|
|
||||||
## Idenfity target devices or users
|
## Identify target devices or users
|
||||||
In this section we will create a testing group to assign your configurations.
|
In this section we will create a test group to assign your configurations on.
|
||||||
|
|
||||||
>[!NOTE]
|
>[!NOTE]
|
||||||
>Intune uses Azure Active Directory (Azure AD) groups to manage devices and
|
>Intune uses Azure Active Directory (Azure AD) groups to manage devices and
|
||||||
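Review bot: "create a test group to assign your configurations on" is awkward; the preposition should be "to", e.g. "In this section we will create a test group to assign your configurations to." The rest of the hunk (the "Identify" typo fix and the unchanged `>[!NOTE]` block) looks fine.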
@ -62,7 +62,7 @@ users. As an Intune admin, you can set up groups to suit your organizational
|
|||||||
needs.<br>
|
needs.<br>
|
||||||
> For more information, see [Add groups to organize users and devices](https://docs.microsoft.com/en-us/mem/intune/fundamentals/groups-add).
|
> For more information, see [Add groups to organize users and devices](https://docs.microsoft.com/en-us/mem/intune/fundamentals/groups-add).
|
||||||
|
|
||||||
### Group creation
|
### Create a group
|
||||||
|
|
||||||
1. Open the MEM portal.
|
1. Open the MEM portal.
|
||||||
|
|
||||||
@ -74,7 +74,7 @@ needs.<br>
|
|||||||
|
|
||||||

|

|
||||||
|
|
||||||
4. Add your test user / device
|
4. Add your test user or device.
|
||||||
|
|
||||||
>[!NOTE]
|
>[!NOTE]
|
||||||
>Azure Active Directory groups can contain users or devices, not combinations of both.
|
>Azure Active Directory groups can contain users or devices, not combinations of both.
|
||||||
@ -83,271 +83,264 @@ needs.<br>
|
|||||||
|
|
||||||
6. Click on **Members > Add members**.
|
6. Click on **Members > Add members**.
|
||||||
|
|
||||||
7. Find your test user/device and select it.
|
7. Find your test user or device and select it.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
8. Your testing group now has a member to test.
|
8. Your testing group now has a member to test.
|
||||||
|
|
||||||
Create a Configuration Policy
|
## Create a configuration policy
|
||||||
-----------------------------
|
In the following section, you'll create a number of configuration policies.
|
||||||
|
|
||||||
In the following section, you will create a number of configuration policies.
|
|
||||||
First is a configuration policy to select which groups of users or devices will
|
First is a configuration policy to select which groups of users or devices will
|
||||||
be onboarded to Defender ATP. Then you will continue by creating several
|
be onboarded to Microsoft Defender ATP. Then you will continue by creating several
|
||||||
different types of Endpoint Security policies.
|
different types of Endpoint Security policies.
|
||||||
|
|
||||||
### Endpoint Detection and Response
|
### Endpoint detection and response
|
||||||
|
|
||||||
1. Open the MEM portal
|
1. Open the MEM portal.
|
||||||
|
|
||||||
2. Navigate to Endpoint security > Endpoint detection and response > Click
|
2. Navigate to **Endpoint security > Endpoint detection and response**. Click
|
||||||
on Create Profile
|
on **Create Profile**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
3. Under Platform, select Windows 10 and Later, Profile - Endpoint detection
|
3. Under** Platform, select Windows 10 and Later, Profile - Endpoint detection
|
||||||
and response > Create
|
and response > Create**.
|
||||||
|
|
||||||
4. Enter name and description > Next
|
4. Enter name and description, then click **Next**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
5. Select settings as required > Next
|
5. Select settings as required, then click **Next**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
NOTE: this has been auto populated as I have integrated MDATP and Intune as
|
>[!NOTE]
|
||||||
per this
|
>In this instance, this has been auto populated Microsoft Defender ATP has already been integrated with Intune. For more information on the integration, see [Enable Microsoft Defender ATP in Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection#enable-microsoft-defender-atp-in-intune).
|
||||||
[section](https://docs.microsoft.com/en-us/mem/intune/protect/advanced-threat-protection#enable-microsoft-defender-atp-in-intune).
|
If you have not integrated Microsoft Defender ATP h and Intune, complete [these
|
||||||
If you have not integrated MDATP and Intune, complete [these
|
steps](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm#onboard-machines-using-microsoft-intune)
|
||||||
steps](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm#onboard-machines-using-microsoft-intune)
|
|
||||||
to create and upload an onboarding blob.
|
to create and upload an onboarding blob.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
6. Add scope tags if required > Next
|
6. Add scope tags if required, then click **Next**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
7. Add test group by clicking on Select groups to include and choose your group
|
7. Add test group by clicking on Select groups to include and choose your group, then click **Next**.
|
||||||
> Next
|
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
8. Review and accept > Create
|
8. Review and accept, then click **Create**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
9. You can view your completed policy here
|
9. You can view your completed policy.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
### Antivirus
|
### Next-generation protection
|
||||||
|
|
||||||
1. Open the MEM portal
|
1. Open the MEM portal.
|
||||||
|
|
||||||
2. Navigate to Endpoint security > Antivirus > Click on Create Policy
|
2. Navigate to **Endpoint security > Antivirus > Create Policy**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
3. Select Platform - Windows 10 and Later - Windows and Profile – Microsoft
|
3. Select** Platform - Windows 10 and Later - Windows and Profile – Microsoft
|
||||||
Defender Antivirus > Create
|
Defender Antivirus > Create**.
|
||||||
|
|
||||||
4. Enter Name and Description - \> Next
|
4. Enter name and description, then click **Next**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
5. In the Configuration settings page: Set the configurations you require for
|
5. In the Configuration settings page: Set the configurations you require for
|
||||||
Microsoft Defender Antivirus (Cloud Protection, Exclusions, Real Time
|
Microsoft Defender Antivirus (Cloud Protection, Exclusions, Real Time
|
||||||
Protection, and Remediation).
|
Protection, and Remediation).
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
6. Add scope tags if required> Next
|
6. Add scope tags if required, then click **Next**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
7. Select groups to include, assign to your test group > Next
|
7. Select groups to include, assign to your test group > Next
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
8. Review and create > create
|
8. Review and create, then click **Create**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
9. You can see the configuration policy you created as per below
|
9. You can see the configuration policy you created as per below
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
### Attack Surface Reduction – Attack surface reduction rules
|
### Attack Surface Reduction – Attack surface reduction rules
|
||||||
|
|
||||||
1. Open the MEM portal
|
1. Open the MEM portal.
|
||||||
|
|
||||||
2. Navigate to Endpoint security > Attack surface reduction
|
2. Navigate to **Endpoint security > Attack surface reduction**.
|
||||||
|
|
||||||
3. Click on Create Policy
|
3. Click on **Create Policy**.
|
||||||
|
|
||||||
4. NOTE: I will be setting these as audit
|
>[!NOTE]
|
||||||
|
>We will be setting these as Audit.
|
||||||
|
|
||||||
5. Select Platform - Windows 10 and Later – Profile - Attack surface reduction
|
5. Select **Platform - Windows 10 and Later – Profile - Attack surface reduction
|
||||||
rules > Create
|
rules > Create**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
6. Enter Name and Description > Next
|
6. Enter a name and description, then click **Next**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
7. In the Configuration settings page: Set the configurations you require for
|
7. In the Configuration settings page: Set the configurations you require for
|
||||||
Attack surface reduction rules > Next
|
Attack surface reduction rules > Next
|
||||||
|
|
||||||
NOTE: I am configuring all of my Attack surface reduction rules to Audit.
|
>[!NOTE]
|
||||||
|
>We will be configuring all of the Attack surface reduction rules to Audit.
|
||||||
|
|
||||||
Details on Attack surface reduction rules:
|
For more information, see [Attack surface reduction rules](attack-surface-reduction.md).
|
||||||
<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction>
|
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
8. Add Scope Tags as required > Next
|
8. Add Scope Tags as required, then click **Next**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
9. Select groups to include and assign to test group > Next
|
9. Select groups to include and assign to test group, then click **Next**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
10. Review and Create - \> Create
|
10. Review the details, then click **Create**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
11. You can View the policy
|
11. View the policy.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
### Attack Surface Reduction – Web Protection
|
### Attack Surface Reduction – Web Protection
|
||||||
|
|
||||||
1. Open the MEM portal
|
1. Open the MEM portal.
|
||||||
|
|
||||||
2. Navigate to Endpoint security > Attack surface reduction
|
2. Navigate to **Endpoint security > Attack surface reduction**.
|
||||||
|
|
||||||
3. Click on Create Policy
|
3. Click on **Create Policy**.
|
||||||
|
|
||||||
4. Select Windows 10 and Later – Web protection > Create
|
4. Select **Windows 10 and Later – Web protection > Create**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
5. Enter Name and Description > Next
|
5. Enter name and description, then click **Next**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
6. In the Configuration settings page: Set the configurations you require for
|
6. In the Configuration settings page: Set the configurations you require for
|
||||||
Web Protection> Next
|
** Web Protection > Next**.
|
||||||
|
|
||||||
NOTE: I am configuring Web Protection to Block.
|
>[!NOTE]
|
||||||
|
>We are configuring Web Protection to Block.
|
||||||
|
|
||||||
Details on Web Protection:
|
For more information, see [Web Protection](web-protection-overview.md).
|
||||||
<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview>
|
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
7. Add Scope Tags as required > Next
|
7. Add **Scope Tags as required > Next**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
8. Assign to test group > Next
|
8. Select **Assign to test group > Next**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
9. Review and Create - \> Create
|
9. Select **Review and Create > Create**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
10. You can View the policy
|
10. View the policy.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
Validate
|
## Validate configuration settings
|
||||||
========
|
|
||||||
|
|
||||||
|
### Confirm Policies have applied
|
||||||
|
|
||||||
Confirm Policies have applied
|
|
||||||
-----------------------------
|
|
||||||
|
|
||||||
Once the Configuration policy has been assigned it will take some time to apply.
|
Once the Configuration policy has been assigned it will take some time to apply.
|
||||||
|
|
||||||
You can see the timing for Intune at this link:
|
For information on timing, see [Intune configuration information](https://docs.microsoft.com/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).
|
||||||
|
|
||||||
<https://docs.microsoft.com/en-us/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned>
|
To confirm that the configuration policy has been applied to your test device
|
||||||
|
follow the following process for each configuration policy.
|
||||||
To confirm that the configuration policy have been applied to your test device
|
|
||||||
follow the below process for each Configuration policy.
|
|
||||||
|
|
||||||
1. Open the MEM portal and navigate to the relevant policy as shown in the
|
1. Open the MEM portal and navigate to the relevant policy as shown in the
|
||||||
steps above. I will use Antivirus for this example
|
steps above. The following example shows the next generation protection settings.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
2. Click on the Configuration Policy to view the policy status
|
2. Click on the **Configuration Policy** to view the policy status.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
3. Click on “Device Status” to see the per device status
|
3. Click on **Device Status** to see the status.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
4. Click on “User Status” to see the per user status
|
4. Click on **User Status** to see the status.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
5. Click on “Per-setting status” to see the Per-setting status
|
5. Click on **Per-setting status** to see the status.
|
||||||
|
|
||||||
Note: This View is very useful to identify any settings that conflict with
|
>[!TIP]
|
||||||
another policy
|
>This view is very useful to identify any settings that conflict with another policy.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
Endpoint Detection and Response
|
### Endpoint Detection and Response
|
||||||
-------------------------------
|
|
||||||
|
|
||||||
1. Before applying the configuration, the Windows Defender Advanced Threat
|
|
||||||
Protection Service should not be started.
|
|
||||||
|
|
||||||

|
1. Before applying the configuration, the Microsoft Defender ATP
|
||||||
|
Protection service should not be started.
|
||||||
|
|
||||||
2. After the config has been applied the Windows Defender Advanced Threat
|

|
||||||
Protection Service should be started
|
|
||||||
|
|
||||||

|
2. After the configuration has been applied the Microsoft Defender ATP
|
||||||
|
Protection Service should be started.
|
||||||
|
|
||||||
|

|
||||||
|
|
||||||
3. After the services is running on the device, the device appears in Microsoft
|
3. After the services is running on the device, the device appears in Microsoft
|
||||||
Defender Security Center
|
Defender Security Center.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
Antivirus
|
### Next-generation protection
|
||||||
---------
|
|
||||||
|
|
||||||
1. Before applying the policy on a test device, you should be able to manually
|
1. Before applying the policy on a test device, you should be able to manually
|
||||||
manage the settings as per below.
|
manage the settings as shown below.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
1. After the policy has been applied, you should not be able to manually manage
|
2. After the policy has been applied, you should not be able to manually manage
|
||||||
the settings as per below.
|
the settings.
|
||||||
|
|
||||||
NOTE: In the below image “**Turn on cloud-delivered protection”** and
|
>[!NOTE]
|
||||||
**“Turn on real-time protection”** are being shown as managed.
|
> In the following image **Turn on cloud-delivered protection** and
|
||||||
|
**Turn on real-time protection** are being shown as managed.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
Attack Surface Reduction – Attack surface reduction rules
|
### Attack Surface Reduction – Attack surface reduction rules
|
||||||
---------------------------------------------------------
|
|
||||||
|
|
||||||
1. Before applying the policy on A test device
|
|
||||||
|
|
||||||
2. Open a PowerShell Window and type “Get-MpPreference”
|
1. Before applying the policy on a test device, pen a PowerShell Window and type `Get-MpPreference`.
|
||||||
|
|
||||||
3. This should respond with the following lines with no content
|
2. This should respond with the following lines with no content
|
||||||
|
|
||||||
1. AttackSurfaceReductionOnlyExclusions :
|
1. AttackSurfaceReductionOnlyExclusions :
|
||||||
|
|
||||||
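Review bot: the bold markup in the EDR step "3. Under** Platform, select Windows 10 and Later, Profile - Endpoint detection ... and response > Create**." and the Antivirus step "3. Select** Platform - Windows 10 and Later - Windows and Profile – Microsoft ... Defender Antivirus > Create**." is broken: the opening `**` is glued to "Under"/"Select" and followed by a space, so Markdown will not render it, and the result bolds prose rather than UI labels. Suggest the pattern already used elsewhere in this hunk, e.g. "Under **Platform**, select **Windows 10 and Later**, and under **Profile** select **Endpoint detection and response**, then click **Create**." The same applies to "** Web Protection > Next**.", "Add **Scope Tags as required > Next**." and "Select **Assign to test group > Next**.", which bold instructions ("as required", "Assign to test group") that are not UI text. Other points in this hunk: the rewritten note ">In this instance, this has been auto populated Microsoft Defender ATP has already been integrated with Intune" is missing a conjunction ("auto populated because Microsoft Defender ATP has already been integrated"), and the following line has a stray "h" in "Microsoft Defender ATP h and Intune"; in the EDR validation section the new text replaces the service's display name "Windows Defender Advanced Threat Protection Service" with "Microsoft Defender ATP / Protection service", but the former is what a reader will actually see in services.msc (the Sense service), so the old name should be kept, optionally with the product name in parentheses, and the line break that splits it into two apparent names should go; "pen a PowerShell Window" should be "open a PowerShell window"; and "After the services is running on the device" should read "After the service is running on the device".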
@ -355,33 +348,26 @@ Attack Surface Reduction – Attack surface reduction rules
|
|||||||
|
|
||||||
3. AttackSurfaceReductionRules_Ids :
|
3. AttackSurfaceReductionRules_Ids :
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
1. After applying the policy on A test device
|
3. After applying the policy on a test device, open a PowerShell Windows and type `Get-MpPreference`.
|
||||||
|
|
||||||
2. Open a PowerShell Windows and type “Get-MpPreference”
|
4. This should respond with the following lines with content as shown below:
|
||||||
|
|
||||||
3. This should respond with the following lines with content as shown below
|

|
||||||
|
|
||||||

|
### Attack Surface Reduction – Web Protection
|
||||||
|
|
||||||
Attack Surface Reduction – Web Protection
|
1. On the test device, open a PowerShell Windows and type
|
||||||
-----------------------------------------
|
`(Get-MpPreference).EnableNetworkProtection`.
|
||||||
|
|
||||||
1. On the test device
|
2. This should respond with a 0 as shown below.
|
||||||
|
|
||||||
2. Open a PowerShell Windows and type
|

|
||||||
“(Get-MpPreference).EnableNetworkProtection”
|
|
||||||
|
|
||||||
3. This should respond with a “0” as shown below
|
3. After applying the policy, open a PowerShell Windows and type
|
||||||
|
`(Get-MpPreference).EnableNetworkProtection`.
|
||||||
|
|
||||||

|
4. This should respond with a 1 as shown below.
|
||||||
|
|
||||||
4. After Applying the Policy
|

|
||||||
|
|
||||||
5. Open a PowerShell Windows and type
|
|
||||||
“(Get-MpPreference).EnableNetworkProtection”
|
|
||||||
|
|
||||||
6. This should respond with a “1” as shown below
|
|
||||||
|
|
||||||

|
|
||||||
|
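Review bot: "open a PowerShell Windows" appears three times in this hunk (ASR after-policy step 3, Web Protection steps 1 and 3) and should be "open a PowerShell window". For the Web Protection check, the earlier note sets Web Protection to Block and the expected `(Get-MpPreference).EnableNetworkProtection` value of 1 matches that, but it would help to tell readers that a result of 2 means the setting landed in audit mode rather than block, since `EnableNetworkProtection` takes Disabled (0), Enabled (1) or AuditMode (2). Minor: "This should respond with the following lines with no content" is missing its terminal punctuation.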