Practice Lab: Configuring Endpoint security using Intune
Summary
In this lab, you will create a policy to configure Microsoft Defender for managed devices in Intune.
Prerequisites
To following lab(s) must be completed before this lab:
-
0203-Manage Device Enrollment into Intune
-
0204-Enrolling devices into Intune
-
0301-Creating and Deploying Configuration Profiles
Note: You will also need a mobile phone that can receive text messages used to secure Windows Hello sign in authentication to Azure AD.
Scenario
You've been asked to ensure that the Contoso Developers Group have Microsoft Defender correctly configured. It's been requested that:
- Tamper protection be prevented
- Hide the Account protection, App and browser control, Device security, Device performance and health, and Family options areas in the Windows Security app
- Company name and phone number must be added.
- Real-time protection, Remediation, and scan settings are also to be configured.
Settings will be verified by testing on an enrolled device, SEA-WS1 and a non-enrolled device, SEA-CL1.
Task 1: Configure Windows Security Experience in Intune
-
Sign in to SEA-SVR1 as Contoso\Administrator with the password Pa55w.rd.
-
On the taskbar, select Microsoft Edge.
-
In Microsoft Edge, type https://intune.microsoft.com in the address bar, and then press Enter.
-
Sign in as as
[email protected]
with the default tenant password. -
From the navigation pane select Endpoint security, then select Antivirus.
-
On the Endpoint security |Antivirus pane, select Create Policy.
-
In the Create a profile pane, for Platform, select Windows 10, Windows 11, and Windows Server.
-
In the Profile list, select Windows Security experience. Then select Create.
-
On the Basics tab, in the Name field, enter Windows Security Settings. Select Next.
-
On the Configuration settings tab, Under Defender, configure the following settings:
- TamperProtection (Device): On
-
Under Windows Defender Security Center, configure the following settings:
- Disable Account Protection UI: Enable
- Disable App Browser UI: Enable
- Disable Device Security UI: Enable
- Disable Family UI: Enable
- Disable Health UI: Enable
- Enable Customized Toasts: Enable
-
Under Company name, select Configured, and then enter Contoso IT.
-
For Phone, select Configured and then enter 555-1234 and then select Next.
-
On the Scope tags page, select Next.
-
On the Assignments tab, under Included groups select Add groups. Choose the Contoso Developer Devices group, click Select and then select Next.
-
On the Review + create tab, review the information and select Create.
Task 2: Configure Microsoft Defender Antivirus policy in Intune
-
On the Endpoint security |Antivirus pane, select Create Policy.
-
In the Create a profile pane, for Platform, select Windows 10, Windows 11, and Windows Server.
-
In the Profile list, select Microsoft Defender Antivirus, then select Create.
-
On the Basics tab, in the Name field, enter Microsoft Defender Antivirus Settings. Select Next.
-
On the Configuration settings tab, configure the following settings:
- Allow scanning of all downloaded files and attachments: Allowed
- Allow Realtime Monitoring: Allowed
- Check For Signatures Before Running Scan: Enabled
- Days to Retain Cleaned Malware: 60
- Schedule Quick Scan Time: 60 (represents 1:00AM)
- Submit samples consent: Send safe samples automatically
-
On the Configuration settings tab, select Next twice.
-
On the Assignments tab, under Included groups select Add groups.
-
Choose the Contoso Developer Devices group and then choose Select and then select Next.
-
On the Review + create tab, review the information and select Create.
Task 3: Sync the managed devices
-
In the Microsoft Intune admin center, select Devices and then select All devices.
-
On the Devices | All devices pane, select SEA-WS1 and then on the SEA-WS1 blade, select Sync on the toolbar, and then select Yes.
Wait for 3-4 minutes for the sync to complete.
-
Close Microsoft Edge.
Task 4: Verify the configuration
-
Switch to SEA-CL1.
-
If necessary, sign in as Contoso\Administrator with the password of Pa55w.rd.
-
On SEA-CL1, select Start, type Windows Security, and then under the Windows Security icon select Open.
Notice that all security options are displayed. This is because SEA-CL1 is not enrolled to Intune.
-
Close Windows Security and sign out of SEA-CL1.
-
Switch to SEA-WS1, and sign in as as Aaron Nicholls with the PIN: 102938.
-
Select Start, type Windows Security, and then under the Windows Security icon select Open.
Notice that all of the restricted areas as configured in the Intune policy are not displayed. SEA-WS1 is enrolled in Intune, which has applied the security settings.
-
Close Windows Security and sign out of SEA-WS1.
Results: After completing this exercise, you will have successfully created and applied a policy to configure Microsoft Defender for managed devices in Intune.
END OF LAB