Defender for Endpoint
26 Topics

Intune Security baseline - Defender settings
Hello All, We're configuring the Security Baselines policy for Windows in Intune and noticed a section for Defender settings. We have an Intune Plan 1 license, don't have a Defender for Endpoint license, and are using the default Windows Defender on Windows 10/11. After we enroll the device in Intune and configure the Security baseline policy, can someone confirm whether settings like ASR, Network Protection, Cloud Protection, Local Admin Merge, etc., under the Defender section will apply to our devices if configured? Thanks,

End-to-End automation of Onboarding a Virtual Machine to Defender for Servers

Overview: The Defender for Servers plan in Microsoft Defender for Cloud reduces security risk and exposure for machines in your organization by providing actionable recommendations to improve and remediate security posture. Defender for Servers also helps protect machines against real-time security threats and attacks. Defender for Servers Plan 1 focuses on the EDR capabilities provided by the Defender for Endpoint integration. Microsoft Defender for Endpoint (MDE) is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. For more information about MDE, refer to Microsoft Defender for Endpoint - Microsoft Defender for Endpoint | Microsoft Learn.

This article focuses on the end-to-end automation of onboarding a virtual machine to Defender for Servers, deploying the MDE extension, and adding the machine to a dynamic group so that it receives the desired MDE policy. The high-level steps are:

1. Deploy a virtual machine (example name: MDE) in an Azure subscription.
2. Create a dynamic group (example name: MDE-Dynamic Group) in Intune (endpoint.microsoft.com) with a rule that adds devices whose display name starts with "MDE" to "MDE-Dynamic Group".
3. Enable Microsoft Defender for Endpoint (MDE) security settings management.
4. Create an AV policy (example name: MDE-AV) in Intune and assign it to "MDE-Dynamic Group".
5. Enable the Defender for Servers plan on a subscription.
6. Configure Endpoint protection auto provisioning in Settings & Monitoring.
7. The device gets onboarded to MDE (security.microsoft.com) automatically.
8. The device gets automatically added to MDE-Dynamic Group.
9. The device receives the MDE-AV policy because it is a member of MDE-Dynamic Group.

Let us go through the detailed steps of this Defender for Servers onboarding and policy configuration.

1. Deploy a virtual machine (example name: MDE) in an Azure subscription.

The picture below shows the virtual machine deployed in the Azure subscription. For instructions, see the following link:
Quickstart - Create a Windows VM in the Azure portal - Azure Virtual Machines | Microsoft Learn

2. Create a dynamic group (example name: MDE-Dynamic Group) in Intune.

To create a dynamic group in Intune:
a) Sign in to the Microsoft Intune admin center.
b) Go to Groups, then select New group.
c) Set the following in the New Group pane:
   o Group type: Security
   o Group name: e.g., MDE-Dynamic Group
   o Group description: Optional
   o Membership type: Dynamic Device or Dynamic User
d) Click Add dynamic query to define membership rules.
e) In the Dynamic membership rules pane, use the rule builder or enter a custom query to specify the criteria, e.g., (device.deviceOSType -eq "Windows") -and (device.displayName -startsWith "MDE").
f) Save the query and Create the group.

This will create a dynamic group that automatically includes devices or users based on your criteria.

3. Enable Microsoft Defender for Endpoint (MDE) security settings management.

When you integrate Microsoft Intune with Microsoft Defender for Endpoint, you can use Intune endpoint security policies to manage the Defender security settings on devices that are not enrolled with Intune. This capability is known as Defender for Endpoint security settings management. To support security settings management through the Microsoft Intune admin center, you must enable communication between them from within each console. The following sections guide you through that process.

Configure Microsoft Defender for Endpoint
In the Microsoft Defender portal, as a security administrator:
a) Sign in to the Microsoft Defender portal and go to Settings > Endpoints > Configuration Management > Enforcement Scope and enable the platforms for security settings management.
b) Initially, we recommend testing the feature for each platform by selecting the platform's option for On tagged devices and then tagging the devices with the MDE-Management tag.
c) Configure the feature for Microsoft Defender for Cloud onboarded devices and Configuration Manager authority settings to fit your organization's needs.

Configure Intune
a) In the Microsoft Intune admin center, your account needs permissions equal to the Endpoint Security Manager built-in role-based access control (RBAC) role.
b) Sign in to the Microsoft Intune admin center.
c) Select Endpoint security > Microsoft Defender for Endpoint, and set Allow Microsoft Defender for Endpoint to enforce Endpoint Security Configurations to On.
d) When you set this option to On, all devices in the platform scope for Microsoft Defender for Endpoint that are not managed by Microsoft Intune qualify to onboard to Microsoft Defender for Endpoint.

For detailed information, see Learn about using Intune to manage Microsoft Defender settings on devices that aren't enrolled with Intune | Microsoft Learn.

4. Create an AV policy (example name: MDE-AV) in Intune and assign it to "MDE-Dynamic Group".

Step 1: Create the AV Policy
a) Sign in to the Microsoft Intune admin center.
b) Navigate to Endpoint security and select Antivirus.
c) Click on Create Policy.
d) For the Platform, select Windows 10 and later.
e) For the Profile, select Microsoft Defender Antivirus and then click Create.
f) On the Basics page, provide a Name (e.g., MDE-AV) and an optional Description.
g) On the Configuration settings page, configure the antivirus settings as needed.
h) Click Next to proceed through the remaining pages and then click Create to finalize the policy.

Step 2: Assign the AV Policy to the Dynamic Group
a) After creating the policy, go to Devices > Configuration profiles.
b) Select the MDE-AV policy you created.
c) In the Properties pane, select Assignments > Edit.
d) Under Included groups, click Add groups and select the MDE-Dynamic Group.
e) Click Select and then Review + Save to apply the assignment.

This will ensure that the AV policy is applied to all devices in the "MDE-Dynamic Group".

5. Enable the Defender for Servers plan on a subscription.

To enable the Defender for Servers plan in Microsoft Defender for Cloud:
a) Sign in to the Azure portal.
b) Search for and select "Microsoft Defender for Cloud".
c) Go to Environment settings in the menu.
d) Choose the relevant Azure subscription, AWS account, or GCP project.
e) On the Defender plans page, toggle the Servers switch to On. By default, this activates Defender for Servers Plan 2. You can choose Plan 1 or Plan 2 in the popup window.

6. Configure Endpoint protection auto provisioning in Settings & Monitoring.

To configure Endpoint protection auto-provisioning in Microsoft Defender for Cloud, follow these steps:
a) Sign in to the Azure portal.
b) Navigate to Microsoft Defender for Cloud.
c) In the Defender for Cloud menu, select Environment settings.
d) Select the relevant subscription.
e) Go to the Auto-provisioning page.
f) For the Log Analytics agent / Azure Monitoring Agent, select Edit Configuration.
g) Set the Auto-provisioning switch to On for the desired agents.

7. Device gets onboarded to MDE (security.microsoft.com).

Once the above steps are performed, the machine MDE gets onboarded to the security.microsoft.com portal automatically, along with the MDE extension being deployed.

8. Device gets automatically added to MDE-Dynamic Group.

You will observe that the device "MDE" gets added to the dynamic group named "MDE-Dynamic Group" automatically.

9. Device receives the MDE-AV policy as it is part of MDE-Dynamic Group.

You will also observe that the device gets the AV policy that is configured and assigned to the dynamic group.

Policies are deployed successfully.
Below is the status of the device in the Intune portal.
Below is the status of the device in the MDE portal.

Summary
When the Defender for Servers plan is enabled, the device was successfully onboarded to MDE (security.microsoft.com) and automatically added to the MDE-Dynamic Group. It received the MDE-AV policy as part of this group, with policies deployed successfully. The status of the device can be viewed in both the Intune and MDE portals.

AWS Chime based apps (Slack or 3CX) calls drop-out - Only on Intune enrolled MacOS 15 + MS Defender
Hi Intune_Support_Team, I have recently come across an issue.

Issue: Call dropout, network freeze on AV calls for apps / platforms

Description: I have noticed this issue only on macOS devices enrolled in Intune that are later updated to macOS 15 Sequoia using the Intune Mac Update policy, plus MS Defender for Endpoint enrolled with the MS Defender Network Filter added to the list. It hangs / freezes AV calls for 2-3 seconds, like a network glitch, on Slack Huddles. This also happens on the 3CX telephone app in a slightly different way, as the 3CX agent's audio is not heard by the far-end customer. Both of these only happen on devices upgraded to macOS 15 + Defender + Network Filter, with just Slack and 3CX. Google Meet, Zoom and Teams work well.

NOTE: Compared to a device which is not on Intune / Defender with macOS 15, Slack Huddle and 3CX are a charm.

I also initially tried to look into Apple macOS bugs and didn't find much, then raised a request to Slack Support. In response I got this:

Hi there Swapnil,

Thanks for contacting Slack support. What is happening here is that users are losing media connectivity to the huddles server, causing them to drop and then be reconnected. This can happen for a number of reasons, but if you've recently updated to macOS 15 Sequoia, there is a macOS networking bug which is highly likely to be the cause in this case (https://support.apple.com/en-au/102281). The issue is as follows: Overall the connection may be completely fine. Suddenly the media connection to the huddles server stops completely (even if the rest of the internet connection is fine). After the huddles server detects a period of no data being sent/received, it forces the client to reconnect to the huddle. This can help for some time but it may eventually repeat again through each huddle. Unfortunately, in each case we cannot help explain what the exact underlying cause is, as it occurs on the end of each user's network environment. In your case however, if users are experiencing the issue after upgrading to macOS 15, the aforementioned networking bug is the most likely cause. Normally the causes of these kinds of issues are as follows:
- Firewall or other network configuration closing websockets media connections. The macOS Sequoia bug causes this specific kind of problem.
- Overzealous modem/router throttling media connections.
- ISP throttling media connections.

In another response they also mentioned that something is probably not right with the MS Defender Network Filter blocking out traffic for the AWS Chime server.

Hi Swapnil,

Thanks for your reply. Because there are so many variables we aren't going to be tracking this on our side. One thing I would say is that you should just be sure that there are no third party dependencies in your macOS environment which might be in need of an update. I'll give you a random example: Organisations using the Zscaler client connector would have encountered a variation of this issue (https://help.zscaler.com/client-connector/firewall-posture-check-failure-macos-sequoia). The macOS updates alone would not have addressed it; Zscaler needed to issue an update to their client connector software. Until users were running the Zscaler client with the relevant fix, no amount of system updates would have prevented them from running into the compatibility issue. So all I am saying is that you should be keeping an eye out for updates to both macOS and any relevant 3rd party dependencies; it's possible you will need to take manual action in some way first. The public facing macOS updates tend to be quite vague, so it is probably best to start with MS Defender and any other relevant 3rd party configurations before waiting on a macOS update to ultimately fix the issue. You may also prefer to pre-emptively seek confirmation from their respective support services so you know exactly what your next steps are. I hope this gives you a better idea of how to approach the issue and plan for updates, Swapnil, and apologies I couldn't provide more guidance.

After reading this I tried to dig a little more and understood that 3CX is also using AWS Chime A/V servers. My users are stuck and losing their Slack Huddles, which is their day-to-day quick AV. Any insightful info on this one will be helpful.

Thanks
Swapnil

MacOS Defender and Full Disk Access
Working on deploying Defender on macOS via Intune. Most of it is solid; however, I noticed "Microsoft Defender Endpoint Security Extension" doesn't have full disk access and needs it. The native "Microsoft Defender" has it OK. It's deployed as the option for Defender under macOS and not as a LOB. Anyone else run into this?

Defender for Endpoint AMA: The next evolution of automatic attack disruption
Defenders need every edge they can get in the fight against ransomware. We're excited to share that Microsoft Defender for Endpoint customers will now be able to automatically disrupt human-operated attacks like ransomware early in the kill chain without needing to deploy any other capabilities. Join our AMA to ask questions on how you can use automatic attack disruption to stop a sophisticated attack early in the kill chain and how your organization can leverage unique protective capabilities offered exclusively by Microsoft 365 Defender. An AMA is a live text-based online event similar to an "Ask Me Anything" on Reddit. This AMA gives you the opportunity to connect with members of the Defender for Endpoint product group, who will be on hand to answer your questions and listen to feedback. Feel free to post your questions about Defender for Endpoint anytime in the comments before the event starts, although the team will only be answering questions during the live hour.

Defender Antivirus and Microsoft Defender for Endpoint (ATP) for Servers
Hi All, Our company is looking into migrating our antivirus solution for our server estate from Sophos to Microsoft Defender Antivirus and Microsoft Defender for Endpoint (ATP). I was hoping to get some advice on the best way to approach this. I have listed some points below which I was hoping to get some clarity on.
- Servers that are considered "down-level devices" that do not have MS Defender preinstalled by default, i.e. 2008R2, 2012 and 2012R2: what would be the best Microsoft solution to provide security? I have been looking at Microsoft's System Center Endpoint Protection (SCEP) as a solution. Are there any services that can be used from Azure to protect on-prem servers?
- We have a Hybrid Azure AD setup. None of our on-premise servers are HAADJ. Do we need to have the server as an Azure resource for us to manage Defender AV and ATP (Server 2016+)? We currently manage our W10 workstations using the MEM - Microsoft Defender for Endpoint Baseline.
- The majority of our servers do not have any internet access. To tighten the firewall rules, is there a list of IPs and URLs that are associated with Defender ATP so the servers can only communicate with these IPs etc.?
- Is there any pre-req work needed for servers such as 2008R2, 2012 and 2012R2 before onboarding to ATP? Install updates, telemetry service updates, etc.
- Anyone that is using Defender ATP for servers that are on-prem: what type of setup do you have, and any recommendations?
Thank you
Mo

Intune Android Enterprise Fully Managed Defender for Endpoint activation
Hi All, Scenario: Intune > Android > Fully Managed profile > Defender for Endpoint deployment. Is there any way to reach a zero-touch / silent method for activating Defender for Endpoint on Android devices? Users currently need to run through a series of questions to activate it, and until they do it does not show up in the Security portal inventory. We are using a compliance policy based on machine risk score to identify devices which haven't activated Defender; this marks them non-compliant until they do. I'd rather use a deployment/policy to activate Defender silently without any user intervention. As it is a security product on Android Enterprise Fully Managed devices, it seems I must be missing a trick here to manage them without user involvement, and blocking the user via a non-compliant conditional access policy seems an inefficient way to resolve the issue for everyone. Is it possible? Many thanks
Jas.