Security Settings Management in Microsoft Defender for Endpoint is now generally available. Security Management for Microsoft Defender for Endpoint is the new method to manage security settings for devices and servers that are not yet enrolled in Microsoft Endpoint Manager/Intune. The new feature makes it possible to manage security settings from one single portal. The feature has been in public preview since late 2021 and is now generally available.

Update: The article has been completely rewritten based on the GA release.

The new feature in Microsoft Defender for Endpoint makes it possible to deploy configurations directly from Microsoft Endpoint Manager (MEM) to MDE-onboarded devices, without the need to fully onboard those devices into MEM/Intune. The feature is named Security Management for Microsoft Defender for Endpoint. It is useful for “standalone” devices that aren’t managed by Microsoft Endpoint Manager, Intune, or Microsoft Endpoint Configuration Manager. Currently, most devices that are not part of MEM are managed with GPO, PowerShell, or other management options. It is ideal for servers in a network segment without a management presence, or where local teams are not allowed to manage security settings. The new way of managing devices also makes it possible to centrally manage exclusions.

Currently, the following management methods are available for MDE.

  • Cloud-only (Intune)
  • Co-management (Intune/ MECM)
  • On-premises Windows 10 (MECM, GPO or PowerShell)
  • On-premises Windows Server (MECM Tenant Attach, GPO or PowerShell)

The new Unified Endpoint Security experience brings Endpoint Manager directly to MDE-joined devices. With the new management solution, devices receive their policies from Microsoft Endpoint Manager. Devices get the policies based on their Azure Active Directory device object and the MDE SENSE service. A device that isn’t already visible in Azure Active Directory joins the main tenant where Defender for Endpoint (MDE) is activated, as part of the new solution. For domain-joined devices, the Azure AD join process via AD Connect or federation (Hybrid Azure AD Join) is needed before devices can be onboarded.

Source: Microsoft documentation

This blog focuses only on the new management method. MDE onboarding is not part of this blog. For Server 2012 R2 and 2016 onboarding see: Install the new unified Microsoft Defender for Endpoint agent on Server 2012R2 and 2016


Prerequisites

For the new management solution, some prerequisites are needed.

Connectivity:

Devices must have access to the following URLs:

  • enterpriseregistration.windows.net – For Azure AD registration.
  • login.microsoftonline.com – For Azure AD registration.
  • *.dm.microsoft.com – The use of a wildcard supports the cloud-service endpoints that are used for enrollment, check-in, and reporting, and which can change as the service scales.

Operating system (KBs installed):

The following platforms are supported. Some of them require a specific KB or higher for enabling the new management option.

Operating systems not supported:

The following operating systems are currently not supported:

  • Domain controllers (reason: an Azure Active Directory trust is required)
  • Server Core installations

Source: Microsoft Frequently asked questions and considerations

Active Directory joined devices:

  • Authentication with a domain controller
  • Azure AD connect configured to sync computer objects which are in scope
  • Sync rule enabled for 2012 R2 (only if 2012 R2 is needed)
  • Azure Active Directory Tenant ID from Microsoft Defender for Endpoint Tenant matching SCP entry of a domain

License:

Any subscription that grants Microsoft Defender for Endpoint licenses also grants your tenant access to the Endpoint security node of the Microsoft Endpoint Manager admin center. There is no need to buy separate licenses for the Microsoft Endpoint Manager admin center. Included is the Endpoint security node for configuring policies.

Notice: If you have access to Microsoft Defender for Endpoint as part of a Microsoft Defender for Cloud only license (formerly Azure Security Center), the Security Management for Microsoft Defender for Endpoint functionality isn’t available. Source: Microsoft


How does it work?

Let’s first explain how it works before we go to the technical configuration part. There are two situations:

Situation 1: Device without a local domain (workgroup)

  1. Onboard device to MDE
  2. Trust is established between the device and Azure AD. The target Azure AD object is located in the configured MDE tenant. If it is not already available, the process creates a new trust.
  3. Devices use their Azure AD Identity to communicate with Endpoint Manager and create objects in MEM/Intune.
  4. Deploy policies to AzureAD Group
  5. Apply and report policy

Situation 2: Device with domain (Active Directory-joined devices, with or without Azure AD connected):

  1. Onboard device to MDE
  2. Trust is established between the device and Azure AD using the existing infrastructure to complete Hybrid Azure Active Directory Join (AAD Connect or a federation provider)
    1. The device is part of the Azure AD Connect sync OUs
    2. Sync rule enabled for 2012R2
    3. Device synced to MDE tenant
  3. Devices use their Azure AD Identity to communicate with Endpoint Manager and create objects in MEM/Intune.
  4. Apply and report policy

Notice: For servers/workstations that are domain-joined and not connected with Azure AD, the Active Directory requirements must be met to use the new feature. Read more: Troubleshoot security configuration management onboarding issues

Notice: Azure Active Directory Connect (AAD Connect) must be synchronized with the main tenant that is used for Microsoft Defender for Endpoint. The Azure Active Directory Tenant ID (MDE tenant) needs to match the Service Connection Point (SCP) Tenant ID. Tip: to check the SCP Tenant ID and the Azure AD Device ID, use the MDE Client Analyzer; the file MDE Client Analyzer Results.htm provides the information.

Technical overview:

Source: Microsoft

Domain onboarding flow:

Current device state -> new device state with MDE management enabled:

  • Already AADJ or HAADJ -> Remains as is
  • Not AADJ or Hybrid Azure Active Directory Join (HAADJ) + Domain joined -> Device is HAADJ’d
  • Not AADJ or HAADJ + Not domain joined -> Device is AADJ’d

Enable Security Configuration Management in MDE

First, we need to enable the feature in Microsoft 365 Defender. Use the steps below to enable it. It is important to configure pilot mode when testing on a small subset of devices.

  • Sign in to Microsoft 365 Defender portal
  • Go to Settings -> Endpoints -> Enforcement Scope
  • Configure the checkbox Use MDE to enforce security configuration settings from MEM
  • Configure the checkbox for which OS platform (Server/ Client) the settings will be applied

Use pilot mode (1) for testing and validating the rollout on a small number of devices. Without pilot mode, all devices that are part of the scope will be configured and onboarded. Pilot mode works directly with the device tag MDE-Management to define the enforcement scope.

In some environments it might be desired to manage devices with Configuration Manager tenant attach. When both are enabled, this creates the opportunity for conflicts and undesired results or health issues. When using Security Management for Microsoft Defender for Endpoint alongside Configuration Manager, settings should be managed from one single channel only, in that case Configuration Manager.


Enable MDE Security Configuration Management in Endpoint Manager

For the first-time set-up, the new checkbox must be enabled in Endpoint Manager. To enable the new modern management method:

  • Sign in to the Microsoft Endpoint Manager portal
  • Go to Endpoint Security -> Microsoft Defender for Endpoint
  • Enable the setting: Allow Microsoft Defender for Endpoint to enforce Endpoint Security Configurations

MDE Permissions

For the relevant users, there is a new role available in Microsoft 365 Defender for security settings management. For configuring the new role:

Go to Settings > Roles and use the following permission: Manage endpoint security settings in Microsoft Endpoint Manager. Users with the new permission can create and change Endpoint security settings in Microsoft Endpoint Manager without needing the complete Endpoint Manager roles.


Create Azure AD Groups

Before creating policies, it is recommended to create a couple of Azure AD groups for deploying the new policies. Two methods are available:

  • Assigned group
  • Dynamic group

As a best practice, it is recommended to use dynamic device groups. Dynamic membership has the advantage that devices are automatically added to the correct group, and thereby receive the policies, as soon as they are managed by the new management method.

For the membership rules, use the systemLabels property of the Azure AD device object. The following values are available:

  • MDEJoined – Devices that are joined to the directory
  • MDEManaged – Devices that are actively using the security management for Microsoft Defender for Endpoint

SystemLabels object view (Microsoft Graph Explorer):
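As an added example (not from the original post), the dynamic membership rule on systemLabels and a Microsoft Graph PowerShell check of which devices carry the MDEJoined and MDEManaged labels; the group display name and mail nickname are placeholders.

```powershell
# Added example (not from the original post): create the dynamic device group
# described above and inspect the systemLabels values with Microsoft Graph.
# Requires the Microsoft.Graph PowerShell module; group name and nickname are placeholders.
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Identity.DirectoryManagement

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Device.Read.All'

# Dynamic membership rule. Azure AD evaluates it against the device object, so a
# device joins the group as soon as the MDE flow sets the MDEManaged label.
$rule = '(device.systemLabels -contains "MDEManaged")'

$groupParams = @{
    DisplayName                   = 'SG-MDE-Managed-Devices'     # placeholder
    MailNickname                  = 'sg-mde-managed-devices'     # placeholder
    MailEnabled                   = $false
    SecurityEnabled               = $true
    GroupTypes                    = @('DynamicMembership')
    MembershipRule                = $rule
    MembershipRuleProcessingState = 'On'
}
$group = New-MgGroup @groupParams
Write-Host "Created dynamic group $($group.DisplayName) ($($group.Id))"

# Review which devices carry each label. trustType shows how the device joined:
# AzureAd = AADJ, ServerAd = hybrid joined (HAADJ), Workplace = Azure AD registered.
$devices = Get-MgDevice -All -Property 'id,displayName,operatingSystem,trustType,systemLabels'

$devices |
    Where-Object { $_.SystemLabels -contains 'MDEJoined' -or $_.SystemLabels -contains 'MDEManaged' } |
    Select-Object DisplayName, OperatingSystem, TrustType,
        @{ Name = 'SystemLabels'; Expression = { $_.SystemLabels -join ',' } } |
    Sort-Object DisplayName |
    Format-Table -AutoSize

# Devices joined by the MDE flow but not yet managed: these are the ones to check
# on the MDE device page (MDE enrollment status) and in the SenseCM registry key.
$devices |
    Where-Object { $_.SystemLabels -contains 'MDEJoined' -and $_.SystemLabels -notcontains 'MDEManaged' } |
    Select-Object DisplayName, OperatingSystem, TrustType
```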


Create first profile

For the new MDE feature, we use the Endpoint security node in the Microsoft Endpoint Manager admin center directly. Only this blade works for configuring and deploying settings.

Currently, not all security settings are supported for the new feature. The following are included:

  • Antivirus policies
  • Firewall policies
  • Firewall rule policies
  • Endpoint detection and response policies

Duplicate policies and duplicated exclusions

Avoid deploying multiple policies that manage the same setting to a device. Currently there is no support for deploying different configurations of the same setting to one device.

Microsoft gives the following advice:

Microsoft Endpoint Manager supports deploying multiple instances of each endpoint security policy type to the same device, with each policy instance being received by the device separately. Therefore, a device might receive separate configurations for the same setting from different policies, which results in a conflict. Some settings (like Antivirus Exclusions) will merge on the client and apply successfully.

For exclusions, the items are merged, which gives the following option for more exclusion control. Important: always limit the use of exclusions where possible.

  • Profile A: Global exclusions (deployed to all systems)
  • Profile B: Citrix exclusions (deployed to a specific set of systems hosting Citrix)
  • Result: items from A are merged with the items from B.

Create Security profiles

For creating the first profiles, follow the steps below:

  • Sign in to the Microsoft Endpoint Manager portal
  • Go to Endpoint Security and select the type of policies. For each policy select the platform: Windows 10, Windows 11, and Windows Server
  • Configure the settings

Antivirus

Firewall / Firewall Rules

Endpoint Detection and Response

Configuring Antivirus profile

On the Configuration settings page, select the settings you want to manage with this profile.

On the Assignments page, select the Azure AD groups that will receive this profile. Only Device Objects are applicable for Microsoft Defender for Endpoint management. Targeting users is not supported.

A new policy is created with the target scope mdm,MicrosoftSense.


MDE Device tag / Pilot group

When scoping the initial rollout using pilot mode, the MDE device tag is used to limit the scope. To enable management for a device, apply the tag MDE-Management to it. After the tag is applied, the device is available to join the new management process. When pilot mode is removed, all supported devices automatically become part of the new management service.

Configuring device tags is possible from the portal or directly from the registry. Read more: Create and manage device tags.


Result

After enabling the configuration in MEM and MDE, we onboard two new devices to Defender for Endpoint with the latest onboarding files.

  • 1x Windows 10 (workplace joined)
  • 1x Server 2016 (workplace joined)

This gives the following result:

AzureAD

Device Azure AD joined with the MDM status: Microsoft Intune

MEM

Visible in MEM and managed by MDE. Managed by MDE means the device is managed by Defender for Endpoint using the new configuration feature.

MEM Policy:

Policy applied and check-in status: success

Settings correctly applied and reporting with the status: Succeeded

MDE portal

Device visible in Defender for Endpoint with the status: Managed by MDE


Troubleshooting onboarding

Troubleshooting is possible with multiple portals and tools. Through the Microsoft Defender for Endpoint portal, security administrators can use the Managed By entry to check the onboarding state.

To see a list of all devices that have failed the Security Management for Microsoft Defender for Endpoint onboarding process, filter the device inventory page on the Managed By – MDE error item.

Defender for Endpoint Device page

The Microsoft Defender for Endpoint device page shows more information. The Device management section shows the Managed by state (1) and the MDE enrollment status (2). Failures are directly visible in the MDE enrollment status field.

The screenshot below shows device vm-pc-win05, which is correctly managed by MDE and shows the status success.

Defender for Endpoint Device page – Enforcement errors

Enforcement errors are visible directly on the MDE device page. When there is an issue, the title shows: This device has a configuration enforcement error.

Other examples of enforcement errors:

  • The error indicates that the OS failed to perform hybrid join. Use Troubleshoot hybrid Azure Active Directory-joined devices as a guide for troubleshooting OS-level hybrid join failures.
  • Invalid DNS settings on the workstation side. Active Directory requires the use of domain DNS to work properly.

Client Analyzer

For more advanced details use the MDE Client Analyzer or MDE Client Analyzer Beta.

Find troubleshooting error code

Check the registry value EnrollmentStatus to find the enrollment status and more information:

Registry location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SenseCM

View the Microsoft docs for the complete error-code list.
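As an added example (not from the original post), a PowerShell function that gathers the local facts this article relies on for troubleshooting: the EnrollmentStatus value under the SenseCM key named above, the device tag, and the join state and tenant ID from dsregcmd, which can then be compared with the MDE tenant ID. The DeviceTagging registry path and the MDE tenant ID are assumptions (the tenant ID is a placeholder).

```powershell
# Added example (not from the original post): gather the local facts used for
# troubleshooting in one object. Run in an elevated PowerShell on the device itself.
function Get-MdeManagementState {
    # 1. Enrollment state written under the SenseCM key named in the article.
    #    EnrollmentStatus is a numeric code; look it up in the Microsoft error-code list.
    $senseCm = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\SenseCM' -ErrorAction SilentlyContinue

    # 2. Device tag used for pilot-mode scoping. This is the documented MDE DeviceTagging
    #    key (assumed here, not given in the article; verify against the linked Microsoft page).
    $tagPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging'
    $tag = (Get-ItemProperty -Path $tagPath -Name 'Group' -ErrorAction SilentlyContinue).Group

    # 3. Join state, tenant and device ID from dsregcmd, parsed from its "Key : Value" lines.
    $dsreg = @{}
    dsregcmd.exe /status | ForEach-Object {
        if ($_ -match '^\s*([^:]+?)\s*:\s*(.+?)\s*$') { $dsreg[$Matches[1]] = $Matches[2] }
    }

    [pscustomobject]@{
        EnrollmentStatus = $senseCm.EnrollmentStatus
        DeviceTag        = $tag
        AzureAdJoined    = $dsreg['AzureAdJoined']
        DomainJoined     = $dsreg['DomainJoined']
        TenantId         = $dsreg['TenantId']
        DeviceId         = $dsreg['DeviceId']
    }
}

$state = Get-MdeManagementState
$state | Format-List

# Placeholder: the tenant ID of the tenant where Defender for Endpoint is activated.
$mdeTenantId = '00000000-0000-0000-0000-000000000000'

if ($state.AzureAdJoined -ne 'YES') {
    Write-Warning 'Device is not (hybrid) Azure AD joined; no policy is delivered until the join completes.'
}
if ($state.TenantId -and $state.TenantId -ne $mdeTenantId) {
    Write-Warning "Device is registered in tenant $($state.TenantId), not the MDE tenant; check the SCP and the AAD Connect target."
}
if (-not $state.DeviceTag) {
    Write-Warning 'No device tag set; in pilot mode the device needs the MDE-Management tag to be in scope.'
}
```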

Reporting configuration management

Part of Defender for Endpoint is the Device configuration management blade, which shows the following MDE management information.

Part of the reporting:

  • Configuration method
  • Onboarded via MDE security management (including failures)

Sources

Microsoft: Announcing Preview of New Security Management Capabilities for Microsoft Defender for Endpoint

Microsoft: Security Settings Management in Microsoft Defender for Endpoint is now generally available

Microsoft: Security Management documentation

Microsoft: Troubleshoot onboarding issues with MDE management