mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-17 07:47:22 +00:00
update content
This commit is contained in:
parent
48884ec1f4
commit
fe412a0163
@ -26,9 +26,9 @@ ms.topic: article
|
||||
In this section we will be using Microsoft Endpoint Manager (MEM) to deploy
|
||||
Microsoft Defender ATP to your endpoints.
|
||||
|
||||
For more information about MEM, see:
|
||||
For more information about MEM, check out the following:
|
||||
- [Microsoft Entpoint Manager page](https://docs.microsoft.com/en-us/mem/)
|
||||
- The [blog post on convergence of Intune and ConfigMgr](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/)
|
||||
- [Blog post on convergence of Intune and ConfigMgr](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/)
|
||||
- [Introduction video on MEM](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace)
|
||||
|
||||
|
||||
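Review bot: the link text "Microsoft Entpoint Manager page" in the resources list is still misspelled ("Endpoint") in this hunk, and the same item keeps the `/en-us/` locale segment that the later hunks strip from their docs.microsoft.com URLs (for example `https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection#...`); suggest `- [Microsoft Endpoint Manager page](https://docs.microsoft.com/mem/)`. Also worth checking: the "Introduction video on MEM" item points at the same blog-post URL as the "Blog post on convergence of Intune and ConfigMgr" item directly above it (minus the trailing slash), so one of the two targets is probably wrong.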
@ -42,8 +42,8 @@ This process is a multi-step process, you'll need to:
|
||||
|
||||
- In MEM we'll guide you in creating a separate policy for each feature
|
||||
|
||||
Resources
|
||||
---------
|
||||
## Resources
|
||||
|
||||
|
||||
Here are the links you'll need for the rest of the process:
|
||||
|
||||
@ -53,8 +53,8 @@ Here are the links you'll need for the rest of the process:
|
||||
|
||||
- [Intune Security baselines](https://docs.microsoft.com/en-us/mem/intune/protect/security-baseline-settings-defender-atp#microsoft-defender)
|
||||
|
||||
## Idenfity target devices or users
|
||||
In this section we will create a testing group to assign your configurations.
|
||||
## Identify target devices or users
|
||||
In this section we will create a test group to assign your configurations on.
|
||||
|
||||
>[!NOTE]
|
||||
>Intune uses Azure Active Directory (Azure AD) groups to manage devices and
|
||||
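Review bot: the rewritten sentence "In this section we will create a test group to assign your configurations on." still reads awkwardly; suggest "In this section, you'll create a test group to which you'll assign your configurations." (this also matches the "you'll" phrasing used in the later "Create a configuration policy" hunk). The "Intune Security baselines" link in this hunk keeps `/en-us/` while the other links in the commit drop it.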
@ -62,7 +62,7 @@ users. As an Intune admin, you can set up groups to suit your organizational
|
||||
needs.<br>
|
||||
> For more information, see [Add groups to organize users and devices](https://docs.microsoft.com/en-us/mem/intune/fundamentals/groups-add).
|
||||
|
||||
### Group creation
|
||||
### Create a group
|
||||
|
||||
1. Open the MEM portal.
|
||||
|
||||
@ -74,7 +74,7 @@ needs.<br>
|
||||
|
||||

|
||||
|
||||
4. Add your test user / device
|
||||
4. Add your test user or device.
|
||||
|
||||
>[!NOTE]
|
||||
>Azure Active Directory groups can contain users or devices, not combinations of both.
|
||||
@ -83,271 +83,264 @@ needs.<br>
|
||||
|
||||
6. Click on **Members > Add members**.
|
||||
|
||||
7. Find your test user/device and select it.
|
||||
7. Find your test user or device and select it.
|
||||
|
||||

|
||||

|
||||
|
||||
8. Your testing group now has a member to test.
|
||||
|
||||
Create a Configuration Policy
|
||||
-----------------------------
|
||||
|
||||
In the following section, you will create a number of configuration policies.
|
||||
## Create a configuration policy
|
||||
In the following section, you'll create a number of configuration policies.
|
||||
First is a configuration policy to select which groups of users or devices will
|
||||
be onboarded to Defender ATP. Then you will continue by creating several
|
||||
be onboarded to Microsoft Defender ATP. Then you will continue by creating several
|
||||
different types of Endpoint Security policies.
|
||||
|
||||
### Endpoint Detection and Response
|
||||
### Endpoint detection and response
|
||||
|
||||
1. Open the MEM portal
|
||||
1. Open the MEM portal.
|
||||
|
||||
2. Navigate to Endpoint security > Endpoint detection and response > Click
|
||||
on Create Profile
|
||||
2. Navigate to **Endpoint security > Endpoint detection and response**. Click
|
||||
on **Create Profile**.
|
||||
|
||||

|
||||

|
||||
|
||||
3. Under Platform, select Windows 10 and Later, Profile - Endpoint detection
|
||||
and response > Create
|
||||
3. Under** Platform, select Windows 10 and Later, Profile - Endpoint detection
|
||||
and response > Create**.
|
||||
|
||||
4. Enter name and description > Next
|
||||
4. Enter name and description, then click **Next**.
|
||||
|
||||

|
||||

|
||||
|
||||
5. Select settings as required > Next
|
||||
5. Select settings as required, then click **Next**.
|
||||
|
||||

|
||||

|
||||
|
||||
NOTE: this has been auto populated as I have integrated MDATP and Intune as
|
||||
per this
|
||||
[section](https://docs.microsoft.com/en-us/mem/intune/protect/advanced-threat-protection#enable-microsoft-defender-atp-in-intune).
|
||||
If you have not integrated MDATP and Intune, complete [these
|
||||
steps](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm#onboard-machines-using-microsoft-intune)
|
||||
>[!NOTE]
|
||||
>In this instance, this has been auto populated Microsoft Defender ATP has already been integrated with Intune. For more information on the integration, see [Enable Microsoft Defender ATP in Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection#enable-microsoft-defender-atp-in-intune).
|
||||
If you have not integrated Microsoft Defender ATP h and Intune, complete [these
|
||||
steps](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm#onboard-machines-using-microsoft-intune)
|
||||
to create and upload an onboarding blob.
|
||||
|
||||

|
||||

|
||||
|
||||
6. Add scope tags if required > Next
|
||||
6. Add scope tags if required, then click **Next**.
|
||||
|
||||

|
||||

|
||||
|
||||
7. Add test group by clicking on Select groups to include and choose your group
|
||||
> Next
|
||||
7. Add test group by clicking on Select groups to include and choose your group, then click **Next**.
|
||||
|
||||

|
||||

|
||||
|
||||
8. Review and accept > Create
|
||||
8. Review and accept, then click **Create**.
|
||||
|
||||

|
||||

|
||||
|
||||
9. You can view your completed policy here
|
||||
9. You can view your completed policy.
|
||||
|
||||

|
||||

|
||||
|
||||
### Antivirus
|
||||
### Next-generation protection
|
||||
|
||||
1. Open the MEM portal
|
||||
1. Open the MEM portal.
|
||||
|
||||
2. Navigate to Endpoint security > Antivirus > Click on Create Policy
|
||||
2. Navigate to **Endpoint security > Antivirus > Create Policy**.
|
||||
|
||||

|
||||

|
||||
|
||||
3. Select Platform - Windows 10 and Later - Windows and Profile – Microsoft
|
||||
Defender Antivirus > Create
|
||||
3. Select** Platform - Windows 10 and Later - Windows and Profile – Microsoft
|
||||
Defender Antivirus > Create**.
|
||||
|
||||
4. Enter Name and Description - \> Next
|
||||
4. Enter name and description, then click **Next**.
|
||||
|
||||

|
||||

|
||||
|
||||
5. In the Configuration settings page: Set the configurations you require for
|
||||
Microsoft Defender Antivirus (Cloud Protection, Exclusions, Real Time
|
||||
Protection, and Remediation).
|
||||
|
||||

|
||||

|
||||
|
||||
6. Add scope tags if required> Next
|
||||
6. Add scope tags if required, then click **Next**.
|
||||
|
||||

|
||||

|
||||
|
||||
7. Select groups to include, assign to your test group > Next
|
||||
|
||||

|
||||

|
||||
|
||||
8. Review and create > create
|
||||
8. Review and create, then click **Create**.
|
||||
|
||||

|
||||

|
||||
|
||||
9. You can see the configuration policy you created as per below
|
||||
|
||||

|
||||

|
||||
|
||||
### Attack Surface Reduction – Attack surface reduction rules
|
||||
|
||||
1. Open the MEM portal
|
||||
1. Open the MEM portal.
|
||||
|
||||
2. Navigate to Endpoint security > Attack surface reduction
|
||||
2. Navigate to **Endpoint security > Attack surface reduction**.
|
||||
|
||||
3. Click on Create Policy
|
||||
3. Click on **Create Policy**.
|
||||
|
||||
4. NOTE: I will be setting these as audit
|
||||
>[!NOTE]
|
||||
>We will be setting these as Audit.
|
||||
|
||||
5. Select Platform - Windows 10 and Later – Profile - Attack surface reduction
|
||||
rules > Create
|
||||
5. Select **Platform - Windows 10 and Later – Profile - Attack surface reduction
|
||||
rules > Create**.
|
||||
|
||||

|
||||

|
||||
|
||||
6. Enter Name and Description > Next
|
||||
6. Enter a name and description, then click **Next**.
|
||||
|
||||

|
||||

|
||||
|
||||
7. In the Configuration settings page: Set the configurations you require for
|
||||
Attack surface reduction rules > Next
|
||||
|
||||
NOTE: I am configuring all of my Attack surface reduction rules to Audit.
|
||||
>[!NOTE]
|
||||
>We will be configuring all of the Attack surface reduction rules to Audit.
|
||||
|
||||
Details on Attack surface reduction rules:
|
||||
<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction>
|
||||
For more information, see [Attack surface reduction rules](attack-surface-reduction.md).
|
||||
|
||||

|
||||

|
||||
|
||||
8. Add Scope Tags as required > Next
|
||||
8. Add Scope Tags as required, then click **Next**.
|
||||
|
||||

|
||||

|
||||
|
||||
9. Select groups to include and assign to test group > Next
|
||||
9. Select groups to include and assign to test group, then click **Next**.
|
||||
|
||||

|
||||

|
||||
|
||||
10. Review and Create - \> Create
|
||||
10. Review the details, then click **Create**.
|
||||
|
||||

|
||||

|
||||
|
||||
11. You can View the policy
|
||||
11. View the policy.
|
||||
|
||||

|
||||

|
||||
|
||||
### Attack Surface Reduction – Web Protection
|
||||
|
||||
1. Open the MEM portal
|
||||
1. Open the MEM portal.
|
||||
|
||||
2. Navigate to Endpoint security > Attack surface reduction
|
||||
2. Navigate to **Endpoint security > Attack surface reduction**.
|
||||
|
||||
3. Click on Create Policy
|
||||
3. Click on **Create Policy**.
|
||||
|
||||
4. Select Windows 10 and Later – Web protection > Create
|
||||
4. Select **Windows 10 and Later – Web protection > Create**.
|
||||
|
||||

|
||||

|
||||
|
||||
5. Enter Name and Description > Next
|
||||
5. Enter name and description, then click **Next**.
|
||||
|
||||

|
||||

|
||||
|
||||
6. In the Configuration settings page: Set the configurations you require for
|
||||
Web Protection> Next
|
||||
** Web Protection > Next**.
|
||||
|
||||
NOTE: I am configuring Web Protection to Block.
|
||||
>[!NOTE]
|
||||
>We are configuring Web Protection to Block.
|
||||
|
||||
Details on Web Protection:
|
||||
<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview>
|
||||
For more information, see [Web Protection](web-protection-overview.md).
|
||||
|
||||

|
||||

|
||||
|
||||
7. Add Scope Tags as required > Next
|
||||
7. Add **Scope Tags as required > Next**.
|
||||
|
||||

|
||||

|
||||
|
||||
8. Assign to test group > Next
|
||||
8. Select **Assign to test group > Next**.
|
||||
|
||||

|
||||

|
||||
|
||||
9. Review and Create - \> Create
|
||||
9. Select **Review and Create > Create**.
|
||||
|
||||

|
||||

|
||||
|
||||
10. You can View the policy
|
||||
10. View the policy.
|
||||
|
||||

|
||||

|
||||
|
||||
Validate
|
||||
========
|
||||
## Validate configuration settings
|
||||
|
||||
|
||||
### Confirm Policies have applied
|
||||
|
||||
Confirm Policies have applied
|
||||
-----------------------------
|
||||
|
||||
Once the Configuration policy has been assigned it will take some time to apply.
|
||||
|
||||
You can see the timing for Intune at this link:
|
||||
For information on timing, see [Intune configuration information](https://docs.microsoft.com/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).
|
||||
|
||||
<https://docs.microsoft.com/en-us/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned>
|
||||
|
||||
To confirm that the configuration policy have been applied to your test device
|
||||
follow the below process for each Configuration policy.
|
||||
To confirm that the configuration policy has been applied to your test device
|
||||
follow the following process for each configuration policy.
|
||||
|
||||
1. Open the MEM portal and navigate to the relevant policy as shown in the
|
||||
steps above. I will use Antivirus for this example
|
||||
steps above. The following example shows the next generation protection settings.
|
||||
|
||||

|
||||

|
||||
|
||||
2. Click on the Configuration Policy to view the policy status
|
||||
2. Click on the **Configuration Policy** to view the policy status.
|
||||
|
||||

|
||||

|
||||
|
||||
3. Click on “Device Status” to see the per device status
|
||||
3. Click on **Device Status** to see the status.
|
||||
|
||||

|
||||

|
||||
|
||||
4. Click on “User Status” to see the per user status
|
||||
4. Click on **User Status** to see the status.
|
||||
|
||||

|
||||

|
||||
|
||||
5. Click on “Per-setting status” to see the Per-setting status
|
||||
5. Click on **Per-setting status** to see the status.
|
||||
|
||||
Note: This View is very useful to identify any settings that conflict with
|
||||
another policy
|
||||
>[!TIP]
|
||||
>This view is very useful to identify any settings that conflict with another policy.
|
||||
|
||||

|
||||

|
||||
|
||||
Endpoint Detection and Response
|
||||
-------------------------------
|
||||
### Endpoint Detection and Response
|
||||
|
||||
1. Before applying the configuration, the Windows Defender Advanced Threat
|
||||
Protection Service should not be started.
|
||||
|
||||

|
||||
1. Before applying the configuration, the Microsoft Defender ATP
|
||||
Protection service should not be started.
|
||||
|
||||
2. After the config has been applied the Windows Defender Advanced Threat
|
||||
Protection Service should be started
|
||||

|
||||
|
||||

|
||||
2. After the configuration has been applied the Microsoft Defender ATP
|
||||
Protection Service should be started.
|
||||
|
||||

|
||||
|
||||
3. After the services is running on the device, the device appears in Microsoft
|
||||
Defender Security Center
|
||||
Defender Security Center.
|
||||
|
||||

|
||||

|
||||
|
||||
Antivirus
|
||||
---------
|
||||
### Next-generation protection
|
||||
|
||||
1. Before applying the policy on a test device, you should be able to manually
|
||||
manage the settings as per below.
|
||||
manage the settings as shown below.
|
||||
|
||||

|
||||

|
||||
|
||||
1. After the policy has been applied, you should not be able to manually manage
|
||||
the settings as per below.
|
||||
2. After the policy has been applied, you should not be able to manually manage
|
||||
the settings.
|
||||
|
||||
NOTE: In the below image “**Turn on cloud-delivered protection”** and
|
||||
**“Turn on real-time protection”** are being shown as managed.
|
||||
>[!NOTE]
|
||||
> In the following image **Turn on cloud-delivered protection** and
|
||||
**Turn on real-time protection** are being shown as managed.
|
||||
|
||||

|
||||

|
||||
|
||||
Attack Surface Reduction – Attack surface reduction rules
|
||||
---------------------------------------------------------
|
||||
### Attack Surface Reduction – Attack surface reduction rules
|
||||
|
||||
1. Before applying the policy on A test device
|
||||
|
||||
2. Open a PowerShell Window and type “Get-MpPreference”
|
||||
1. Before applying the policy on a test device, pen a PowerShell Window and type `Get-MpPreference`.
|
||||
|
||||
3. This should respond with the following lines with no content
|
||||
2. This should respond with the following lines with no content
|
||||
|
||||
1. AttackSurfaceReductionOnlyExclusions :
|
||||
|
||||
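Review bot: the bold markers in step 3 of both the "Endpoint detection and response" and "Next-generation protection" sections are misplaced ("3. Under** Platform, select Windows 10 and Later, Profile - Endpoint detection and response > Create**." and "3. Select** Platform - Windows 10 and Later - Windows and Profile – Microsoft Defender Antivirus > Create**."): the opening `**` is glued to the preceding word and followed by a space, so Markdown will not open emphasis there and the asterisks render literally. Suggest "3. Under **Platform**, select **Windows 10 and Later**, and under **Profile**, select **Endpoint detection and response**, then click **Create**." and the equivalent for the antivirus profile. The Web Protection step 6 replacement line "** Web Protection > Next**." has the same defect and now starts a line with a stray `**`; suggest "6. In the **Configuration settings** page, set the configurations you require for Web Protection, then click **Next**." Text errors introduced in this hunk: the note ">In this instance, this has been auto populated Microsoft Defender ATP has already been integrated with Intune." is missing "because" before "Microsoft Defender ATP"; "If you have not integrated Microsoft Defender ATP h and Intune" has a stray "h"; "pen a PowerShell Window and type `Get-MpPreference`" should read "open a PowerShell window"; and "the Microsoft Defender ATP Protection service should not be started" keeps "Protection" from the old "Windows Defender Advanced Threat Protection Service" name, so both validation steps should say "the Microsoft Defender ATP service" (step 2 also still has the old capitalisation "Protection Service"). Style consistency: the Web Protection steps 7 to 9 bold whole phrases ("Add **Scope Tags as required > Next**.", "Select **Assign to test group > Next**.") while the ASR section uses "..., then click **Next**."; the unchanged antivirus steps 5, 7 and 9 still use the old "> Next" / "as per below" wording; and the validation headings "### Endpoint Detection and Response" and "### Confirm Policies have applied" should use the sentence case adopted elsewhere in the commit ("### Endpoint detection and response", "### Confirm policies have applied").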
@ -355,33 +348,26 @@ Attack Surface Reduction – Attack surface reduction rules
|
||||
|
||||
3. AttackSurfaceReductionRules_Ids :
|
||||
|
||||

|
||||

|
||||
|
||||
1. After applying the policy on A test device
|
||||
3. After applying the policy on a test device, open a PowerShell Windows and type `Get-MpPreference`.
|
||||
|
||||
2. Open a PowerShell Windows and type “Get-MpPreference”
|
||||
4. This should respond with the following lines with content as shown below:
|
||||
|
||||
3. This should respond with the following lines with content as shown below
|
||||

|
||||
|
||||

|
||||
### Attack Surface Reduction – Web Protection
|
||||
|
||||
Attack Surface Reduction – Web Protection
|
||||
-----------------------------------------
|
||||
1. On the test device, open a PowerShell Windows and type
|
||||
`(Get-MpPreference).EnableNetworkProtection`.
|
||||
|
||||
1. On the test device
|
||||
2. This should respond with a 0 as shown below.
|
||||
|
||||
2. Open a PowerShell Windows and type
|
||||
“(Get-MpPreference).EnableNetworkProtection”
|
||||

|
||||
|
||||
3. This should respond with a “0” as shown below
|
||||
3. After applying the policy, open a PowerShell Windows and type
|
||||
`(Get-MpPreference).EnableNetworkProtection`.
|
||||
|
||||

|
||||
4. This should respond with a 1 as shown below.
|
||||
|
||||
4. After Applying the Policy
|
||||
|
||||
5. Open a PowerShell Windows and type
|
||||
“(Get-MpPreference).EnableNetworkProtection”
|
||||
|
||||
6. This should respond with a “1” as shown below
|
||||
|
||||

|
||||

|
||||
|
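Review bot: "open a PowerShell Windows and type `Get-MpPreference`" (ASR step 3) and both "open a PowerShell Windows and type `(Get-MpPreference).EnableNetworkProtection`" lines in the Web Protection section should read "PowerShell window". The expected `Get-MpPreference` output is still written as a nested ordered list ("1. AttackSurfaceReductionOnlyExclusions :" through "3. AttackSurfaceReductionRules_Ids :"), which renders as a fresh numbered list and reads like additional steps; suggest putting those three property lines in a fenced code block under step 2 and step 4 instead. Minor: step 4 ends "with content as shown below:" while step 2 ends "with no content" without terminal punctuation, so the two should match.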