Last Update: Sep 04, 2024 | Published: Dec 20, 2021
Security Management with Microsoft Defender for Endpoint is a new feature that can be used to apply security configuration to devices that do not enroll into Microsoft Endpoint Manager. In this scenario, Microsoft Defender for Endpoint retrieves, enforces, and reports on policies deployed via Microsoft Endpoint Manager. The devices are joined to your Azure Active Directory (Azure AD) and are also visible in the Microsoft Endpoint Manager admin center alongside other devices you manage with Intune and Configuration Manager.
Just released into Public Preview, Security Management with Microsoft Defender for Endpoint has a number of prerequisites and steps that must be taken in order to get started. This post will go through each of these in detail so that you can get up and running right away.
Security Management with Microsoft Defender for Endpoint is available to all tenants that are licensed for Microsoft Defender for Endpoint. Whilst Microsoft currently suggest that all Microsoft 365 licenses will grant access to this feature, our testing has shown that only tenants that are licensed for Microsoft Defender for Endpoint (P2) are able to leverage the automated Azure AD Join feature that allows policies to be targeted.
Within the Microsoft Security Portal > Settings > Endpoints > Configuration Management > Enforcement scope, it is possible to “Enable security setting management” on selected OS platforms.
In the example below, Security setting management has been enabled for Windows Client devices, but not Windows Server devices. In this post, we’ll focus on Windows client devices.
At the Endpoint Security Settings within Microsoft Endpoint Manager admin center, we are presented with the option to Enable Security Profile Settings. This feature will allow Microsoft Defender for Endpoint to enforce Endpoint Security Configurations independently of the device being managed by Mobile Device Management (MDM) or Configuration Manager (ConfigMgr).
Enabling this setting allows supported agents to report the status of applied profiles to Microsoft Endpoint Manager, and agents will appear in device views and reports relevant to Endpoint Security profile management.
Complete the following steps to enable endpoint security profile settings:
In order for devices to be able to receive Security Settings policy from Microsoft Endpoint Manager, devices must be onboarded to Microsoft Defender for Endpoint. It is not required for devices to be Azure AD Joined before onboarding, but devices will be Azure AD joined (or Hybrid Azure AD Joined) as part of the configuration process for Security Management with Microsoft Defender for Endpoint. There are multiple ways to onboard devices into Microsoft Defender for Endpoint:
Not all methods are appropriate in the scenario we’re describing here. In fact, in an environment that is completely unmanaged, only Local Script onboarding is viable. Microsoft advise that the Local Script method is only to be used for less than 10 devices and that another method should be leveraged for rollouts of a larger scale. This is due to the increased overhead when using the Local Script method.
During public preview, only onboarded devices that are tagged (in Defender for Endpoint) with the MDE-Management tag will be joined to Azure AD and enrolled in the Security Management for Microsoft Defender for Endpoint configuration management channel. This is important, as an Azure AD computer object is required to target Security Configurations from Microsoft Endpoint Manager.
In order to target Security Policy to onboarded devices, they must be a member of an Azure AD Group. To reduce administrative overhead, it is recommended to create an Azure AD Group with Dynamic Device Membership, so that newly onboarded devices automatically receive policy.
Now let’s assign policies for security configuration.
Devices that are onboarded into Security Management for Microsoft Defender for Endpoint can be viewed and interacted with in multiple ways. For example, in the Microsoft Endpoint Manager admin center portal, devices are listed as being Managed by “MDE”, as below.
In the Microsoft Security Center, onboarded devices provide a rich set of information that would normally only be available from devices managed by Microsoft Endpoint Manager.
Insights such as Security Recommendations, Alert timelines and Software Inventory are made available.
Security Management for Microsoft Defender for Endpoint extends the Microsoft Endpoint Manager Endpoint Security surface to devices that aren’t capable of enrolling into Microsoft Endpoint Manager. With this capability, devices that aren’t managed by Microsoft Intune or ConfigMgr can receive security configurations for Microsoft Defender directly from Endpoint Manager.
Whilst this overview focused on unmanaged Windows 10 and 11 devices, devices that are part of a Windows Server Active Directory Domain Services domain are able to leverage this capability, as are Windows Server devices.
Related articles: