Two easy methods of onboarding Windows 10 devices to defender for Business

I recently detailed a way to use Endpoint Manager and Intune to onboard Windows 10 devices to Microsoft Defender for Business:

Onboarding Windows 10 devices to Microsoft Defender for Business

I’ve now extended that to include this video:

https://www.youtube.com/watch?v=UM-WZjHgy88

that shows that method plus using a local script. Using a local script is a good backup method to use if you are in a hurry or have issues with a device in your environment not receiving the policy.

Onboarding Windows 10 devices to Microsoft Defender for Business

One of the big benefits of Windows 10 devices when it comes to onboarding them to Microsoft Defender for Business is that they already have the ‘client’ software installed. That being Windows Defender. All the onboarding process needs to do is connect up the ‘backend plumbing’ so that Windows 10 also sends security information to the Microsoft 365 Security portal.

The first step in this onboarding process is to ensure that your Windows 10 devices are already Azure AD joined. You’ll also need to have a license for Intune/Endpoint Manager to enable this process from a centralised location.

Next, visit the Microsoft Endpoint Manager portal at:

https://endpoint.microsoft.com

image

As shown above, here, navigate to Endpoint Security, then Microsoft Defender for Endpoint. Ensure that the option Connection status is enabled. If it isn’t then open a new browser tab and navigate to:

https://security.microsoft.com

image

You should see the screen above. Scroll down this page.

image

Select Settings as shown above and then Endpoints from the options that appear on the right.

image

Scroll through the options presented and select Advanced features as shown. Location the Microsoft Intune connection option and set it to On. You may also want to have a look through the list of all the other available settings and also turn these on if desired.

You may need to wait a little while until connection status back in Endpoint Manager reports as being enabled.

image

You can always use the Refresh button at the top of the page, but be prepared for a short wait while the connection is made.

While you are on this Endpoint Manager page you will also probably want to turn all the settings available here.

image

Still in Endpoint Manager, you’ll now need to select Devices, then Configuration Policies, then Create profile as shown above.

image

Select Windows 10 and later for the Platform and Templates from the Profile type.

image

Scroll through the list of templates and select Microsoft Defender for Endpoint (desktop devices running Windows 10 or later).

image

Give this new policy a meaningful name and select the Next button at the bottom of the page to continue.

image

You don’t have to make any changes on the Configuration settings page but I like to Enable the option for Expedite telemetry reporting frequency. Select the Next button at bottom of the page to continue.

image

On the Assignments page you need to configure which groups this policy will include and exclude. Generally, you want to select All devices as shown above, but you can select whatever suits your configuration needs.

Continue through the remaining policy configuration pages and Create the new policy.

image

If you go back and look at the properties of the policy as shown above, you note an additional Configuration setting that wasn’t displayed when the policy was created – Microsoft Defender for configuration package type is set to Onboard. This is what effectively will onboard the Windows 10 devices for you automatically.

image

You can now use the Device Status option to monitor when this policy is applied to each device. Note that this status may take a while to change and the policy to be applied as it is dependent on when the devices ‘check in’ for policy updates.

image

Once the devices ‘check in’ and receive the policy, their status should be displayed as shown above with the Deployment status field now reporting as Succeeded.

image

You can see which devices have been successfully onboarded to Defender for Endpoint by selecting the Device inventory option in the Microsoft 365 Security Center as shown above. Until machines have their ‘plumbing’ connected back to this console via the onboarding process they will not appear.

image

Once that onboarding process is complete on the device, it should appear in the Device inventory as shown above.

image

If you return to Endpoint Manager and scroll to the bottom of the Microsoft Defender for Endpoint screen, as shown above, you’ll see a summary of the devices onboarded.

The great thing is that you only need to do all this once, because once the Intune connection and Device configuration policy is in place, all Windows 10 machines will automatically be onboarded to Defender for Endpoint and all the options the Microsoft Security Center.

How to remove a Win32 application using Intune

This video:

https://www.youtube.com/watch?v=Xilp56PVltI

will show you the steps to remove an Win32app from a Windows 10 desktop. It will utilise an existing Intune Application deployment policy to achieve this. It is able to do so because part of creating the initial deployment policy was the requirement to specify how to uninstall that same application. Thus, when you create an Application deployment policy in Intune you can use to add and remove that application from your environment.

Verify Endpoint Manager Service release

image

To verify the release you are on with your Microsoft Endpoint Manager environment, navigate to:

https://endpoint.microsoft.com

1. Select, Tenant administration from the menu on the left.

2. Ensure that Tenant details is selected as shown above.

3. Look for the Service release heading on the right as shown above.

The version number here is also linked to:

What’s new in Microsoft Intune

which provides more granular information about what capabilities have been added to the environment.

Remember, these service updates occur regularly, so ensure you check the updates regularly.

Basics of deploying AppLocker using Intune

One of the great things about deploying Windows AppLocker via Microsoft Intune is that it supports both Windows 10 Enterprise and Professional. It is also quite straight forward to deploy as I hope the video conveys.

Once you have your base policies, you create a custom Windows 10 device Configuration policy with Intune and deploy it to your device fleet. Once that process is complete you’ll have the same application control you had on a single device but now across as many machines as you wish.

Remember, that Windows AppLocker is free with Windows 10 and easily deployed to machined from the cloud using Microsoft Intune.

CIAOPS Need to Know Microsoft 365 Webinar – June

laptop-eyes-technology-computer

I think we should  try something a little different this month for the session. I’m going to attempt to use the new Microsoft Teams Webinars feature. For anyone who has attended a previous session this means the registration process will look a little different, but in the end it should achieve the same result but with less manual work by me. To start with you need to navigate to:

http://bit.ly/n2k2106

and submit your registration details. Shortly after this you should receive an automated email from Microsoft Teams confirming your registration, including all the event details as well as a calendar invite!

How this all works come webinar time I’m still working out, but hopefully I should be across it all before the webinar starts. However, I’m sure there will be things that I’ll learn during the process, so if you want to see what unfolds then you best register to find and be part of the inaugural CIAOPS Teams webinar!

The topic for this month will be Device Management. I’ll dive into how you connect and manage devices in Microsoft 365 including iOS, Android and Windows devices. You’ll see how Microsoft 365 Device Management is a great way to improve the security of your information environment. As always, I’ll also share the latest news and events from Microsoft and as always, there’ll be plenty of time for your questions, so I hope you’ll join me at the event.

You can register for the regular monthly webinar here:

June Webinar Registrations

The details are:

CIAOPS Need to Know Webinar – June 2021
Friday 25th of June 2021
11.00am – 12.00am Sydney Time

All sessions are recorded and posted to the CIAOPS Academy.

The CIAOPS Need to Know Webinars are free to attend but if you want to receive the recording of the session you need to sign up as a CIAOPS patron which you can do here:

http://www.ciaopspatron.com

or purchase them individually at:

http://www.ciaopsacademy.com/

Also feel free at any stage to email me directly via director@ciaops.com with your webinar topic suggestions.

I’d also appreciate you sharing information about this webinar with anyone you feel may benefit from the session and I look forward to seeing you there.

Another Defender for Endpoint integration

image

If you visit Microsoft Endpoint Manager | Endpoint Security | Microsoft Defender for Endpoint and scroll down the page on the right you see the new section App Policy Protection Settings as shown above. Turning this ON will basically allow the state of Microsoft Defender on both Android and iOS to feed into your compliance policies.

image

Once you have enabled these settings visit Apps | App Protection policies and edit or create an policy. During this process you will find a Conditional launch section. If you then scroll down to the bottom of tat page you will the screen shown above where  you can add the setting for Max allowed device threat option. This basically is the threat level you would allow on your device. If the threat level on a device goes above this then the selected action will take place. That action can either be Wipe or Block. Wipe is rather drastic, especially to start with, so Block is probably the best starting point.

You can read more about this new capability here:

Microsoft Defender for Endpoint risk signals available for your App protection policies (preview)

It is a nice integration we are beginning to see more of between device management and Defender for Endpoints.