{"id":7573,"date":"2021-12-16T06:07:20","date_gmt":"2021-12-16T06:07:20","guid":{"rendered":"https:\/\/www.insentragroup.com\/gb\/?p=7573"},"modified":"2022-03-30T08:25:53","modified_gmt":"2022-03-30T08:25:53","slug":"defend-at-all-cost-your-endpoints-need-you","status":"publish","type":"post","link":"https:\/\/www.insentragroup.com\/gb\/insights\/geek-speak\/secure-workplace\/defend-at-all-cost-your-endpoints-need-you\/","title":{"rendered":"Defend At All cost \u2013 Your Endpoints Need You"},"content":{"rendered":"\n<p>Hey folks! Pure Awesomeness here and I know what you\u2019re thinking\u2026 \u201cwhere on earth have you been with your updates? We\u2019ve been waiting impatiently for the next release!\u201d Well, to tell you the truth, things have been absolute mayhem from trying to keep the kids entertained to working from home to finally sitting down and watching Season 5 of Money Heist. However, I\u2019m back now with all of my energy focused on releasing a new kick a** blog.<\/p>\n\n\n\n<p>For this blog, given the huge focus around all things security and combined with a recent deployment opportunity with a client, I\u2019ve decided to share my wisdom and knowledge on the deployment of Microsoft Defender for Endpoint (let\u2019s be honest, you probably already figured it out from the title of the blog, however, occasionally I like to build up the suspense).<\/p>\n\n\n\n<p>Now before we kick things into gear, you know what you must do:<\/p>\n\n\n\n<ol class=\"wp-block-list\" type=\"1\"><li>Grab a cup of that world-famous Arabica infused liquid gold<\/li><li><a href=\"https:\/\/www.insentragroup.com\/gb\/insights\/geek-speak\/fasttrack\/microsoft-fasttrack-zero-trust-and-identity-shifting-the-security-controls\/\" target=\"_blank\" rel=\"noreferrer noopener\">Watch my FastTrack Updates<\/a> and don\u2019t forget to Like\/Share them because social media is now king<\/li><li><a href=\"https:\/\/www.youtube.com\/channel\/UCGN1xKBnZ_p_l-FhWJd6y4A\" 
target=\"_blank\" rel=\"noreferrer noopener nofollow\">Subscribe to Insentra<\/a> on YouTube<\/li><\/ol>\n\n\n\n<p>Now buckle up and enjoy the ride as I take you through the wonder which is Microsoft Defender for Endpoint. Here we go!<\/p>\n\n\n\n<h3 style=\"padding-bottom: 15px;margin-bottom: 30px;margin-top: 40px;border-bottom: 1px solid #F37237;color: #F37237\"><span>WHAT IS DEFENDER FOR ENDPOINT?<\/span><\/h3>\n\n\n\n<p>Microsoft couldn\u2019t just stop at Windows Defender. The wizards behind the scenes who have been responsible for building the Microsoft 365 cloud from the infant days of fog or mist to the cumulonimbus it is today (yep, I\u2019m also a Nephrologist \u2013 had to refer to Google on this one), have introduced another portal into the ecosystem. &nbsp;With this portal, you can onboard your devices and it will provide you with a whole bunch of security threat detection insights and remediation tasks to apply. This is Pure Awesomeness\u2019s definition. Microsoft\u2019s definition goes like this &#8211; Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate and respond to advanced threats.<\/p>\n\n\n\n<p>Pretty close if you ask me. Moving on!<\/p>\n\n\n\n<p>So how do I onboard devices into the Defender portal (aka the new security.microsoft.com portal) I hear you ask? Keep reading my loyal apprentice for the answer to said question.<\/p>\n\n\n\n<h3 style=\"padding-bottom: 15px;margin-bottom: 30px;margin-top: 40px;border-bottom: 1px solid #F37237;color: #F37237\"><span>DEVICE ONBOARDING<\/span><\/h3>\n\n\n\n<p>Ok, so you have a fleet of Windows 10 devices (hopefully running 21H2\u2026if not, <a href=\"mailto:hambik.matsovian@insentragroup.com\">email me separately and let\u2019s talk<\/a>) with Windows Defender preloaded and running as the active AV (of course it is right?). 
The business has procured M365 E5 licenses and now you want to take advantage of Microsoft Defender for Endpoint. Actually, let\u2019s just call it MDE because let\u2019s face it, we live by acronyms. How do you now onboard the devices? Well, you\u2019ve got a few options available, depending on how you\u2019re managing these Windows 10 devices today.<\/p>\n\n\n\n<p><strong>ConfigMgr<\/strong><\/p>\n\n\n\n<p>If you currently manage your Windows 10 fleet using ConfigMgr and have no intent to move management capabilities into Microsoft Endpoint Manager (or MEM, because acronyms), firstly, <a href=\"mailto:hambik.matsovian@insentragroup.com\" target=\"_blank\" rel=\"noreferrer noopener\">contact me<\/a> and let\u2019s dive into why you don\u2019t want to use MEM and then only if I\u2019m convinced, you can proceed with step two, which is to create the Endpoint Protection policy directly through ConfigMgr and upload the MDE onboarding package. Don\u2019t stress\u2026I\u2019m about to tell you how to get access to the onboarding package.<\/p>\n\n\n\n<p>Log into the Defender Portal (security.microsoft.com) and then click on Settings \u2013 Endpoints \u2013 Onboarding. Select Windows 10 as the operating system and select System Centre Configuration Manager or Microsoft Endpoint Configuration Manager (depending on the version of ConfigMgr you are running) as the deployment method and then click on download.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img fetchpriority=\"high\" decoding=\"async\" width=\"1024\" height=\"466\" src=\"https:\/\/www.insentragroup.com\/gb\/wp-content\/uploads\/sites\/20\/2021\/12\/Hambik-Matsovian-insentra-blog-1-12162021-img1-1024x466.jpg\" alt=\"\" class=\"wp-image-7575\" srcset=\"https:\/\/www.insentragroup.com\/gb\/wp-content\/uploads\/sites\/20\/2021\/12\/Hambik-Matsovian-insentra-blog-1-12162021-img1-1024x466.jpg 1024w, 
https:\/\/www.insentragroup.com\/gb\/wp-content\/uploads\/sites\/20\/2021\/12\/Hambik-Matsovian-insentra-blog-1-12162021-img1-300x137.jpg 300w, https:\/\/www.insentragroup.com\/gb\/wp-content\/uploads\/sites\/20\/2021\/12\/Hambik-Matsovian-insentra-blog-1-12162021-img1-768x350.jpg 768w, https:\/\/www.insentragroup.com\/gb\/wp-content\/uploads\/sites\/20\/2021\/12\/Hambik-Matsovian-insentra-blog-1-12162021-img1.jpg 1146w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Next, in ConfigMgr, navigate to Asset and Compliance \u2013 Overview \u2013 Endpoint Protection \u2013 Microsoft Defender ATP Policies, create a new policy, upload the package file, assign it to your device collection and bingo\u2026devices onboarded! Well not instantly, it\u2019s the public cloud\u2026since when is any change ever instant?<\/p>\n\n\n\n<p>Then, log back into the Defender portal and under Device Inventory, you should see your onboarded devices!<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"381\" src=\"https:\/\/www.insentragroup.com\/gb\/wp-content\/uploads\/sites\/20\/2021\/12\/Hambik-Matsovian-insentra-blog-1-12162021-img2-1024x381.jpg\" alt=\"\" class=\"wp-image-7576\" srcset=\"https:\/\/www.insentragroup.com\/gb\/wp-content\/uploads\/sites\/20\/2021\/12\/Hambik-Matsovian-insentra-blog-1-12162021-img2-1024x381.jpg 1024w, https:\/\/www.insentragroup.com\/gb\/wp-content\/uploads\/sites\/20\/2021\/12\/Hambik-Matsovian-insentra-blog-1-12162021-img2-300x112.jpg 300w, https:\/\/www.insentragroup.com\/gb\/wp-content\/uploads\/sites\/20\/2021\/12\/Hambik-Matsovian-insentra-blog-1-12162021-img2-768x286.jpg 768w, https:\/\/www.insentragroup.com\/gb\/wp-content\/uploads\/sites\/20\/2021\/12\/Hambik-Matsovian-insentra-blog-1-12162021-img2.jpg 1253w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>I\u2019d usually refer to the Carlton dance for a celebration like this but this time, it\u2019s time 
for the <a href=\"https:\/\/www.youtube.com\/watch?v=s4sLZOmrvEs\" rel=\"nofollow noopener\" target=\"_blank\">Gru dance<\/a>!<\/p>\n\n\n\n<p>So, that\u2019s onboarding through ConfigMgr. Next up, Intune!<\/p>\n\n\n\n<h3 style=\"padding-bottom: 15px;margin-bottom: 30px;margin-top: 40px;border-bottom: 1px solid #F37237;color: #F37237\"><span>INTUNE<\/span><\/h3>\n\n\n\n<p>OK, now I draw your attention to door number two, where your onboarding tasks are completed using Intune. The process is a little different than the ConfigMgr approach and requires the integration between Intune and Defender to be enabled as a prerequisite.<\/p>\n\n\n\n<p>How does the integration get established you say? What kind of blog would this be if I didn\u2019t tell you?<\/p>\n\n\n\n<p>Log into the Defender portal and then click on Settings \u2013 Endpoints \u2013 Advanced Features. Scroll down until you see Microsoft Intune Connection and turn it on. It\u2019s that simple!<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"137\" src=\"https:\/\/www.insentragroup.com\/gb\/wp-content\/uploads\/sites\/20\/2021\/12\/Hambik-Matsovian-insentra-blog-1-12162021-img3-1024x137.jpg\" alt=\"\" class=\"wp-image-7577\" srcset=\"https:\/\/www.insentragroup.com\/gb\/wp-content\/uploads\/sites\/20\/2021\/12\/Hambik-Matsovian-insentra-blog-1-12162021-img3-1024x137.jpg 1024w, https:\/\/www.insentragroup.com\/gb\/wp-content\/uploads\/sites\/20\/2021\/12\/Hambik-Matsovian-insentra-blog-1-12162021-img3-300x40.jpg 300w, https:\/\/www.insentragroup.com\/gb\/wp-content\/uploads\/sites\/20\/2021\/12\/Hambik-Matsovian-insentra-blog-1-12162021-img3-768x103.jpg 768w, https:\/\/www.insentragroup.com\/gb\/wp-content\/uploads\/sites\/20\/2021\/12\/Hambik-Matsovian-insentra-blog-1-12162021-img3.jpg 1253w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Once it\u2019s turned on, log into the Intune portal and click Endpoint Security \u2013 Microsoft 
Defender for Endpoint and confirm the connection status shows Available. Once the connection is established, Intune and Defender will synchronise with each other at least once every 24 hours.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"137\" src=\"https:\/\/www.insentragroup.com\/gb\/wp-content\/uploads\/sites\/20\/2021\/12\/Hambik-Matsovian-insentra-blog-1-12162021-img4-1024x137.jpg\" alt=\"\" class=\"wp-image-7578\" srcset=\"https:\/\/www.insentragroup.com\/gb\/wp-content\/uploads\/sites\/20\/2021\/12\/Hambik-Matsovian-insentra-blog-1-12162021-img4-1024x137.jpg 1024w, https:\/\/www.insentragroup.com\/gb\/wp-content\/uploads\/sites\/20\/2021\/12\/Hambik-Matsovian-insentra-blog-1-12162021-img4-300x40.jpg 300w, https:\/\/www.insentragroup.com\/gb\/wp-content\/uploads\/sites\/20\/2021\/12\/Hambik-Matsovian-insentra-blog-1-12162021-img4-768x103.jpg 768w, https:\/\/www.insentragroup.com\/gb\/wp-content\/uploads\/sites\/20\/2021\/12\/Hambik-Matsovian-insentra-blog-1-12162021-img4.jpg 1253w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>The one thing to note and this is where the onboarding process is different compared to ConfigMgr is once the integration is established between Intune and Defender, Intune receives an onboarding configuration package from MDE, so there\u2019s nothing to download. However, you will need to configure a Configuration Profile for MDE to deploy the package to your Windows devices.<\/p>\n\n\n\n<p>So, since this is a purely awesome blog written by Pure Awesomeness, I\u2019m going to let you know how to configure the profile. 
To create the Configuration Profile, follow these steps:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Click on Devices \u2013 Windows \u2013 Configuration Profiles<\/li><li>Click Create Profile and select the following:<ul><li>Platform: Windows 10 and later<\/li><\/ul><ul><li>Profile Type: Microsoft Defender for Endpoint (desktop devices running Windows 10 or later)<\/li><\/ul><ul><li>Click Create<\/li><\/ul><\/li><li>Give the profile an easily identifiable name and click Next<\/li><\/ul>\n\n\n\n<p>Configure the Endpoint Detection and Response (EDR) settings and click Next<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"299\" src=\"https:\/\/www.insentragroup.com\/gb\/wp-content\/uploads\/sites\/20\/2021\/12\/Hambik-Matsovian-insentra-blog-1-12162021-img5-1024x299.jpg\" alt=\"\" class=\"wp-image-7579\" srcset=\"https:\/\/www.insentragroup.com\/gb\/wp-content\/uploads\/sites\/20\/2021\/12\/Hambik-Matsovian-insentra-blog-1-12162021-img5-1024x299.jpg 1024w, https:\/\/www.insentragroup.com\/gb\/wp-content\/uploads\/sites\/20\/2021\/12\/Hambik-Matsovian-insentra-blog-1-12162021-img5-300x88.jpg 300w, https:\/\/www.insentragroup.com\/gb\/wp-content\/uploads\/sites\/20\/2021\/12\/Hambik-Matsovian-insentra-blog-1-12162021-img5-768x224.jpg 768w, https:\/\/www.insentragroup.com\/gb\/wp-content\/uploads\/sites\/20\/2021\/12\/Hambik-Matsovian-insentra-blog-1-12162021-img5.jpg 1253w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\"><li>Assign the profile to a group of devices \u2013 start with a test\/pilot group<\/li><li>Set the Applicability Rules if need be<ul><li>Intune will only apply the profile to devices which meet the combined criteria of these rules<\/li><\/ul><\/li><li>Review the profile settings and click Create<\/li><\/ul>\n\n\n\n<p>Once the profile has been created, you can check the properties to confirm the package type:<\/p>\n\n\n\n<figure 
class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"485\" src=\"https:\/\/www.insentragroup.com\/gb\/wp-content\/uploads\/sites\/20\/2021\/12\/Hambik-Matsovian-insentra-blog-1-12162021-img6-1024x485.jpg\" alt=\"\" class=\"wp-image-7580\" srcset=\"https:\/\/www.insentragroup.com\/gb\/wp-content\/uploads\/sites\/20\/2021\/12\/Hambik-Matsovian-insentra-blog-1-12162021-img6-1024x485.jpg 1024w, https:\/\/www.insentragroup.com\/gb\/wp-content\/uploads\/sites\/20\/2021\/12\/Hambik-Matsovian-insentra-blog-1-12162021-img6-300x142.jpg 300w, https:\/\/www.insentragroup.com\/gb\/wp-content\/uploads\/sites\/20\/2021\/12\/Hambik-Matsovian-insentra-blog-1-12162021-img6-768x363.jpg 768w, https:\/\/www.insentragroup.com\/gb\/wp-content\/uploads\/sites\/20\/2021\/12\/Hambik-Matsovian-insentra-blog-1-12162021-img6.jpg 1253w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 style=\"padding-bottom: 15px;margin-bottom: 30px;margin-top: 40px;border-bottom: 1px solid #F37237;color: #F37237\"><span>DETECTION TEST<\/span><\/h3>\n\n\n\n<p>Finally, once your devices are onboarded, how do you know they\u2019ve been onboarded successfully? Well, Microsoft has kindly provided a detection script which can be run from each onboarded device. 
So, no more \u201cI\u2019ve onboarded my devices into MDE and given nothing is instant with the public cloud, I need to wait 8 hours for the devices to show up\u201d.<\/p>\n\n\n\n<p>Simply log into the devices you just onboarded and follow the below steps:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Create a folder: C:\\test-MDATP-test<\/li><li>Open an elevated command-line prompt on the device and run the below script (use straight single quotes exactly as shown; curly quotes will break the command):<ul><li><strong><em>powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference = 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http:\/\/127.0.0.1\/1.exe', 'C:\\test-MDATP-test\\invoice.exe');Start-Process 'C:\\test-MDATP-test\\invoice.exe'<\/em><\/strong><\/li><\/ul><\/li><\/ul>\n\n\n\n<p>The command prompt window will close automatically. If successful, the detection test will be marked as completed and a new alert will appear in the portal for the onboarded device in about 10 minutes.<\/p>\n\n\n\n<p>There you have it, folks! A brand new blog by yours truly on a topic I\u2019ve started to dive into more. Stay tuned for additional releases on the beast which is MDE.<\/p>\n\n\n\n<p>Until next time, Pure Awesomeness signing off!<\/p>\n\n\n\n<p><em><strong>\u201cMany of life&#8217;s failures are people who did not realise how close they were to success when they gave up\u201d &#8211; Thomas A. Edison<\/strong><\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hey folks! Pure Awesomeness here and I know what you\u2019re thinking\u2026 \u201cwhere on earth have you been with your updates? 
We\u2019ve been waiting impatiently for the next release!\u201d<\/p>\n","protected":false},"author":52,"featured_media":7574,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[20],"tags":[233,232,231,58,132,59,60,107,134,96],"class_list":["post-7573","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-secure-workplace","tag-config-manager","tag-configmgr","tag-endpoint-security","tag-it-security","tag-m365","tag-microsoft","tag-microsoft-365","tag-microsoft-defender","tag-microsoft-fast-track","tag-windows-10","entry"],"_links":{"self":[{"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/posts\/7573","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/users\/52"}],"replies":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/comments?post=7573"}],"version-history":[{"count":2,"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/posts\/7573\/revisions"}],"predecessor-version":[{"id":8903,"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/posts\/7573\/revisions\/8903"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/media\/7574"}],"wp:attachment":[{"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/media?parent=7573"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/categories?post=7573"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/tags?post=7573"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}