12.0 Defender for Endpoint(MDE): Security Settings Management
For the Intune-managed device, we deploy the policy from Intune but what if we have a device that is not Intune-managed and also not domain-joined then how to push security policies centrally? The answer is to use Defender for Endpoint's new feature 'Security Settings Management'. Below is the official word about these features.
With Microsoft Defender for Endpoint (MDE), you can now deploy security configurations from Microsoft Intune directly to your onboarded devices without requiring a full Microsoft Intune device enrollment. This capability is known as Security Management for Microsoft Defender for Endpoint. With this capability, devices that aren’t managed by a Microsoft Intune service can receive security configurations for Microsoft Defender for Endpoint directly from Endpoint Manager.
We need to make communication between Intune and MDE.
Enable Security Settings Management
On the MDE portal(security.microsoft.com), navigate to Settings->Endpoints->Enforcement scope and turn the switch.
Once it is turned on then we can choose the device type and scope. Here, we have enabled both windows client and server for all devices. It means, if any windows client or server will be onboarded to the MDE then we can push the policy from Intune. These are the only tasks we need to do on the MDE portal.
We also have to turn the settings on Intune portal. Navigate to Endpoint security->Microsoft Defender for Endpoint->Allow Microsoft Defender for Endpoint to enforce Endpoint Security COnfigurations(switch on).
Onboard workgroup windows server to MDE
Now Security Management for Microsoft Defender for Endpoint has been enabled on both sides. For this lab, we have a workgroup windows server. Let's onboard it manually. Refer to this on how to onboard unmanaged devices to MDE.
The onboarding has been completed and the windows server has appeared in the MDE portal. We can see the server is being managed by MDE.
Create AAD Group
In the background, the server automatically got registered to Azure Active Directory. We don't have to do a registered server for AAD. We can see the server in Intune portal as well. Once the device appears in Intune then we can push whatever policy we want to.
To deploy the policy for such devices, create a group and put the device there. We have created a group named MDE_Managed.
Create AV policy
For example, we are creating an AV policy. In the platform we can see, it also supports the windows servers so this policy will be deployed to the windows server without any issues.
Assigned the policy to the newly created group and policy will be applied to the server.
We can see the policy has been deployed successfully.
Security Management for Microsoft Defender for Endpoint is a great feature to deploy policies for unmanaged devices.
Hope this was helpful, contact me on Twitter @sakaldeep for any queries.