Side Quest - Defender For Endpoint #Episode 2

Topics Covered: Setting Up Microsoft Defender for Endpoint

In this Side Quest article we will perform the following activities to configure Defender for Endpoint from scratch and get it up and running.

  • Activity 1: Setup Defender for Endpoint 
  • Activity 2: Configure Roles
  • Activity 3: Configure Device Groups
  • Activity 4: Create Baseline Policies

Pre-Requisites:

  • Valid Plan and Licensing
  • Global Admin or Security Administrator Role

Activity 1: Setup Defender for Endpoint 

In this activity, you will initialize the Microsoft Defender for Endpoint portal.

  • Sign in to Microsoft Defender Portal
  • Navigate to Investigation & Response -> Incidents & alerts -> Email & Collaboration alerts.


Note: If you do not see these options, wait 10-15 minutes for them to appear.

  • In a new tab, open the Microsoft Purview compliance portal.
  • In the Microsoft Purview compliance portal, from the left-navigation menu, select Settings, click Device onboarding to expand it, then click Devices.

  • Under Devices, select Turn on device onboarding.
  • In the Turn on device onboarding dialog, click OK.

If you are told that device monitoring is being turned on, click OK.


Go back to the Microsoft Defender portal and, from the left-navigation menu, select Settings.


  • On the Settings page select Device discovery.

Note: If you do not see the Device discovery option under Settings, sign out by selecting the circle with your account initials at the top right and choosing Sign out. Open the portal in a private (InPrivate) window and sign in again with the tenant email credentials; refreshing the page is another option. It can take 60-70 minutes for the option to appear in the Defender portal, so check again at 10-15 minute intervals.

  • In the Discovery setup make sure Standard discovery (recommended) is selected.

Note: If you do not see the option, refresh the page and wait 10-15 minutes.


Activity 2: Configure Roles 

  • Sign in to Azure Portal.
  • In the Azure portal, in the Search resources, services, and docs text box at the top of the page, type Microsoft Entra ID, and then select Microsoft Entra ID.


  • Under the Manage section, select Groups and then click New group.


  • Create a group with the following settings:
  • Group type: Microsoft 365
  • Group name: Defender Onboarding group
  • Microsoft Entra roles can be assigned to the group: Yes
  • Add a member and create the group.

  • Click Yes to confirm.

  • The group is created.

  • Navigate back to the Microsoft Defender portal tab. In the Microsoft Defender portal select Settings from the left menu bar, then select Endpoints.

  • Select Roles under Permissions.
  • Select the Turn on roles button.


  • Select + Add Role.

In the Add role dialog, enter the following and select Next:

Role name: Onboarding Specialist Group

Permissions: Live Response capabilities > Advanced


On the Add role page, select Defender Onboarding Group and then select Add selected groups. Make sure it appears under Azure AD user groups with this role.

  • Select Submit and Done. If you receive an error while saving the role, refresh the page and try again.
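The group-creation part of this activity can also be scripted. The following is an added example written for this article using the Microsoft Graph PowerShell SDK; it is not code from the original post. It creates the role-assignable Microsoft 365 group from the steps above, adds one member, and returns an object you can use to verify the group before assigning it a role in the Defender portal (the role assignment itself is still done in the portal as described above). The tenant domain contoso.example, the member UPN and the mail nickname are assumed placeholders.

```powershell
# Added example (not from the article): create the role-assignable Microsoft 365 group
# from Activity 2 with the Microsoft Graph PowerShell SDK instead of the Entra ID portal.
# Assumed placeholders: the member UPN admin@contoso.example and the mail nickname.
#Requires -Modules Microsoft.Graph.Groups, Microsoft.Graph.Users

# Creating a role-assignable group needs a privileged role (Global Admin or
# Privileged Role Administrator), matching the pre-requisites of the article.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "User.Read.All"

$groupName = "Defender Onboarding group"   # name used in the article
$memberUpn = "admin@contoso.example"       # assumed placeholder

# The "roles can be assigned" setting can only be chosen at creation time,
# so look for an existing group first instead of creating a duplicate.
$group = Get-MgGroup -Filter "displayName eq '$groupName'" `
                     -Property "id,displayName,isAssignableToRole"

if (-not $group) {
    $group = New-MgGroup -DisplayName $groupName `
        -MailNickname "defenderonboarding" `
        -MailEnabled:$true `
        -SecurityEnabled:$true `
        -GroupTypes @("Unified") `
        -IsAssignableToRole:$true
}
elseif (-not $group.IsAssignableToRole) {
    throw "Group '$groupName' exists but is not role-assignable; this cannot be changed after creation. Create a new group."
}

# Add the member only if not already present, so the script is safe to re-run.
$member   = Get-MgUser -UserId $memberUpn
$existing = Get-MgGroupMember -GroupId $group.Id -All | Where-Object { $_.Id -eq $member.Id }
if (-not $existing) {
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $member.Id
}

# What the Defender portal's Roles page will later pick up: the group, its
# role-assignability and its current membership count.
[pscustomobject]@{
    GroupId            = $group.Id
    DisplayName        = $group.DisplayName
    IsAssignableToRole = $group.IsAssignableToRole
    MemberCount        = (Get-MgGroupMember -GroupId $group.Id -All).Count
}
```

The check on IsAssignableToRole matters because a group that was created without that setting will not show up as eligible for privileged role assignment, and the portal offers no way to switch it on afterwards.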

Activity 3: Configure Device Groups

In this activity, you will configure device groups, which are used for access control and automation configuration.

  • In the Microsoft Defender portal select Settings from the left menu bar, then select Endpoints.
  • Select Device groups under the permissions area.
  • Select + Add device group icon.

Enter the following information on the General tab and select Next.

  General setting      Value
  Device group name    Regular Monitoring
  Remediation level    Full - remediate threats automatically

  • On the Devices tab, for the OS condition select Windows 10 and select Next. If you know more about the devices you want to include, add further conditions to narrow the selection.

  • In the Preview devices tab, select Next.
  • On the User access tab, select IT Group and then select Add selected groups button. Make sure it appears under Assigned Azure AD user groups. Select Submit.

  • Select Done.
  • When the portal reports that the device group configuration has changed, select Apply changes to check matches and recalculate groupings.

  • You now have two device groups: Regular Monitoring, which you just created, and Ungrouped devices (default), which has the same remediation level.

Activity 4: Create Baseline Policies

In this activity, your objective is to apply the Intune security baseline for Windows, a comprehensive set of recommended settings for securely configuring Windows devices. It covers browser settings, PowerShell configuration, and settings for security features such as Microsoft Defender Antivirus.

 

  • Open another tab and browse to the Microsoft Intune admin center. If prompted, sign in with your tenant credentials.
  • From the left navigation pane, select Endpoint security, then under the Overview section select Security baselines.
  • On the Endpoint security | Security baselines page, select Security Baseline for Windows 10 and later.

  • On the Create a profile page, review the default Platform and Profile settings, then select Create.

  • On the Configuration settings tab, review all configurations by expanding each one. If you want to edit any of the configurations, feel free to make your changes. Select Next.

  • Keep the Scope tags tab as default, select Next.
  • On the Assignments tab, under Included groups, select Add groups, on the Select groups to include page, choose IT Group, and click on Select. Select Next.


  • Select Create.
  • After the policy is created, you will be able to view it in the MDM Security Baseline | Profiles section.

In the next article, we will go over onboarding devices to Defender for Endpoint.

#DefenderforEndpoint #Cybersecurity #EndpointSecurity #MicrosoftSecurity #ZeroTrust #ThreatProtection #EndpointManagement #AdvancedThreatProtection #SecureTheEndpoint #SecuritySolutions #SecOps #InfoSec #CyberDefense #DigitalDefense #MicrosoftIntune #azurecloud #cloudcomputingservices #m365 #saas #Modernworkplaceengineer #EnterpriseSecurity #itinfrastructuremanagement #modernworkplace #digitalworkplace #ITSecurity #technologyisawesome #learningandgrowing #linkedinconnections #linkedincommunity #like #share #support



More articles by Richard Rex J
