Onboard Windows 10 Devices from MDM | Microsoft Defender for Endpoint

Captions
Hi guys, hope you're all doing well. Welcome back to our channel. In this video I'm going to talk about Microsoft Defender for Endpoint, and I'm going to show you how the onboarding process works for Windows 10 devices when you are using MDM servers or you're trying to do the configuration from the Endpoint Manager portal. If you're watching the series from the beginning, in the last video we discussed the onboarding process with Group Policy Object, whereas the core agenda of this video will be knowing how to enable the Microsoft Defender for Endpoint connector from the Endpoint Manager portal. Then we'll see how to create a configuration policy that will get the device onboarded to Microsoft Defender for Endpoint, and lastly we'll see what logs or events can be monitored on the device that you're trying to onboard and which is not getting onboarded for some reason.

So let's start from the first prerequisite which must exist, and that is the license. Since Intune and Microsoft Defender for Endpoint are two different services getting used, you have to make sure both licenses are assigned. To know more details about the basic prerequisites, network requirements, roles and other things as well, please watch the "Getting started with Microsoft Defender for Endpoint" video, because in that video I have covered the network requirements in a lot more detail. So these two things you have to make sure are in place, and then proceed with this video.

Now let's say you want to use the MDM capability to onboard devices. In this case there will be three different scenarios. The first one is the user or your admin is Azure AD joining the device; from there it gets onboarded to Intune, and from there, since the configuration policy is getting pushed, the device gets onboarded to Microsoft Defender for Endpoint. The second one is MDM enrollment: that means instead of Azure AD joining the device, I am directly enrolling my device to MDM, and from there it is getting onboarded to Microsoft Defender for Endpoint. And the last one is hybrid Azure AD joined. Now this third category is slightly tricky, because when we talk about hybrid Azure AD joined it means that you already have AD and you can use Group Policy Object to onboard the devices. Similarly, there is an MDM policy in the Group Policy section itself which can be created to get the device onboarded to Intune, and from there it gets directly onboarded to MDE depending upon the configuration policy that you have.

OK, so let's talk about our first use case, wherein as a user or admin the device is getting Azure AD joined. Now in this case what will happen: a device object will get created in Azure AD as well, and from there the device gets onboarded to Microsoft Intune because you have enabled automatic enrollment, and then there is a configuration policy that exists in Microsoft Intune which will get the device onboarded to Microsoft Defender for Endpoint. This will be the flow if you are going with the first use case, and let's see all this in action. For that I'm going to switch to my browser, where I have signed in as global admin to all three portals: portal.azure.com, endpoint.microsoft.com and securitycenter.windows.com.

Now let's talk about the first setting which is needed for you to enable this feature. For that you have to go to Azure AD, then go to Devices, then go to Device settings. Now this is a very generic setting and I assume it's enabled in your environment; if it is not, you can enable it from here. Now the question comes: what exactly is the setting? The setting is to allow the users to join their devices to Azure AD, and this can be controlled from here. If you want you can scope it for all the users, or if you want you can scope it to some groups or some set of users who have the privilege, or who are admins, who can join their devices to Azure Active Directory. Whatever your requirement is, you can customize it from here.

The second option that has to be enabled, from this portal itself or from the Endpoint Manager portal, is the scoping of MDM. Now what do I mean by this? If I go to this particular section which says Mobility (MDM and MAM), here what I have done is I have scoped Microsoft Intune for all users, or for all the categories to be very precise. This means that when the device gets onboarded to Azure Active Directory, at the same time it will also be onboarded to Microsoft Intune, because here in the Endpoint Manager portal, when I go to Windows and when I go to Windows enrollment, I have enabled automatic enrollment. So if you see this console, which will come, it has the same settings, right? You can choose any of the paths, be it the Endpoint Manager portal, be it portal.azure.com, but you have to make sure that this particular setting is enabled so that once the device is getting Azure AD joined it should get automatically onboarded to Intune.

OK, now the next setting that has to be done is on the same portal, which is the Endpoint Manager portal. Now you have to go to the Endpoint security section and here just click on Microsoft Defender for Endpoint. Now if you are signing in, or if you are logging on to this particular console for the very first time, it may not show as enabled, but if it is not enabled just enable this particular connector; it is required. Second thing: you have to make sure that this particular option is enabled which says Windows 10 devices should get connected to Microsoft Defender for Endpoint. Now since we are talking about Windows 10, that's why I'm talking about this particular option, but if you want you can enable it for other platforms as well. OK, now once you're done with this, just scroll down and see there will be an option of "Create a device configuration profile for Microsoft Defender for Endpoint sensor". That's all; you have to just click on this particular option and then you will be routed to a console from where you can create the configuration policy. The other way to come to the same console is go to the Devices section, then go to Windows, then go to Configuration policy, and then click on Create profile. From here select Windows 10 or later, then select Templates, and you will get this option which is "Microsoft Defender for Endpoint (Windows 10)". OK, so you can choose any of these methods and you will land at the same configuration setting which is required for a device to get onboarded to Microsoft Defender for Endpoint. I'll choose the previous method as it is easier and as it is convenient to land at the same console.

OK, so right now I am in Microsoft Defender for Endpoint and I'm clicking on "Create a device configuration profile". Now let's say I'm just going to name it "onboard", and in the description I have just typed "test". Now I'm going to click on Next. Now if you guys remember, when we were discussing Group Policy Object there were two different files that we copied to a specific folder with the ADML extension, which actually enables a specific setting to be available in Computer Configuration so that we can enable sample collection. Here it is enabled by default, but if you want you can block it, and the same process applies for reporting frequency as well; if you want you can customize this particular setting. OK, now I'll click on Next. When it comes to assignment, you can scope this policy to specific groups, devices, whatever scope you want to define. Since this is a test environment I can say "Add all users" and then I'll click on Next. Likewise, as I have said all users, I can also do all devices, whatever you find feasible you can do that, and as I said before you can have custom groups as well. The same concept applies for the exclusion section as well, where I can exclude some of the groups. OK, and then I'll click on Next. Now this section that you see here is more fine-grained in terms of defining scope. What do I mean by this? I can actually have a rule in place which says assign this profile if a specific edition of OS or a specific version of OS exists on the device which is about to get onboarded, right? So this is a more fine-grained scope in terms of defining the area, or in terms of defining the actual devices which you will allow to get onboarded. OK, I'll click on Next and that's it; the moment I click on Create the policy will get created.

So for this demo I have already created one configuration policy, and for that I'll go to Devices, then I'll go to Windows, then I'll go to Configuration profiles and I'll click on "MDATP". Now if I click on Properties you can see I have not made any change to sample sharing or reporting frequency settings, and this has been scoped to all the devices. OK, now one last thing that you have to verify from the portal perspective is the connection that is enabled between Microsoft Defender for Endpoint and Microsoft Intune. How to check that: for that you have to go to securitycenter.windows.com or security.microsoft.com, then go to Settings, then go to Advanced features, and here make sure "Microsoft Intune connection" is enabled, OK, this particular option is set to On. So this is all about the settings that should exist in terms of making sure the right configuration exists so that your device can get onboarded.

Now what I'm going to do is I'm going to switch to one of my machines which I will onboard now by the method of Azure AD joining. OK, so this is my machine and the hostname is AzureAD-Join-MDM-MDE. So if I come back to my Azure AD and if I try to search for any device with the same name it is not going to exist, but just to be sure about it I'm just going to show you that as of now there is no such device which exists here. So the device which I will be onboarding will get Azure AD joined first; from there it will get onboarded to Microsoft Intune, and from there it will get onboarded to Microsoft Defender for Endpoint. So as of now, if I show you the details of this particular machine, it is not domain joined and not Azure AD joined; as you can see it's a typical workgroup machine. So I'll go to Settings now, then I'll go to the "Access work or school" account settings, then I'll click on Connect, and here I'm going to type in my username and password so that this machine gets Azure AD joined. OK, now as I said before, since we have enabled automatic enrollment, it's obvious that once your machine gets Azure AD joined it will get automatically onboarded to Microsoft Intune as well. Now I'm going to type in my password. The expected behavior is I will get the prompt which says Join, and the moment I click on Join my device will get Azure AD joined. OK, so I have clicked on Sign in; let's wait for a couple of seconds so that we can get that option which says Join. OK, so as you can see now I'm getting this option of Join; I'm just going to click on this. And one more thing that I will do is I will restart this device after waiting for a couple of minutes so that the entire enrollment process gets completed.

OK, now one more thing which I would like to highlight here: based on the several aspects that we have discussed before in terms of verifying whether your device is onboarded to Microsoft Defender for Endpoint or not, the first method is to just type this command which says sc query sense, and as you can see as of now it is showing STOPPED, because still the entire onboarding process is not completed. As of now this machine has already joined; we'll wait for a couple of minutes, we'll wait for the configuration policy to be in place. Likewise the sync should be completed, all the configuration policies should get initiated on this device, then only things will work as expected. So to speed this up what I'll do is I'll restart this machine, I will sign in with one of my Azure AD accounts, and then I will resume the video.

So as you can see my machine has restarted now, and I'm just going to sign in with one of my users, and then I will see whether this device is successfully onboarded or not by running the command, and then we'll also see the same in the portal as well. OK, so now I'm going to open command prompt on this particular machine and I will just verify the hostname; it should be AzureAD-Join-MDM-MDE. And now I'm going to say sc query sense. Perfect, it is showing as of now RUNNING. OK, now I'll come back to my portal and see if the machine is getting listed over here or not, and it should show AzureAD-Join-MDM because there is some limit in terms of characters which are available, so let's see what we get here. OK, so as you can see it is showing me AzureAD-Join-MDM; this is the device which we have just onboarded. My user is also showing here and it is Intune compliant as well, that means the machine also got onboarded to Intune, and as you can see it is showing me here AzureAD-Join-MDM which was onboarded by this particular user, or this user has recently signed in, the primary user UPN. Now I'll come back to securitycenter.windows.com, and as you can see it is showing me here AzureAD-Join-MDM-MDE, OK, and as you can see it is also showing you the status of Azure AD joined, no risk, because still the telemetry is getting captured, it is getting analyzed and then we'll get the respective results or the exposure level, whatever we want to see.

OK, now I'll come back to my device once more, and this time I will go to Event Viewer. There are some logs which we can check just to verify that it was the MDM settings which onboarded the device to Microsoft Defender for Endpoint. Now think about this: depending upon the method that you are using, if you are using Group Policy Object then for sure you're going to see the logs in the Group Policy folder, but when we talk about MDM the folder is different when it comes to the section, or when it comes to the service, which will push the settings. OK, when we talk about the SENSE folder, or when we talk about the folders which are associated with Microsoft Defender for Endpoint, they will remain the same, but when we talk about the folders, or when we talk about the service, which we are using, it may vary. OK, so I think there is some issue with Event Viewer here; I'll just restart this quickly and then I'll show you the respective logs all together. OK, perfect, so this time it has opened. I'll go to the Microsoft folder in Applications and Services Logs, then I'll go to Windows, and here the folder that you have to see is DeviceManagement-Enterprise-Diagnostics-Provider, and I'll click on Admin. As you can see, all the logs that are getting listed over here just show which configuration profile has been pushed. There is a lot more detailed discussion on this that I've already done when I was talking about MDM, so if you want you can go ahead and watch that series as well, and you'll come to know what exactly happens, and why these logs and how these logs are getting generated. But this is the folder which you can refer to if your device is not getting onboarded as expected. OK, now the next folder which you can refer to from a troubleshooting perspective is the SENSE folder itself. You can go to the Operational section and you'll come to know whether the device is successfully onboarded or not, or whether there is any issue. As well as that, there is the Client Analyzer, which I have covered slightly in our getting started video, and there will be a dedicated video for the Client Analyzer as well.

OK, now let's talk about the next use case, which is MDM enrollment. That means the user is not Azure AD joining the device; he or she has simply opened Settings and then clicked on enroll this device to MDM management. In this case the device will get directly onboarded to Microsoft Intune, and from here the configuration profile will be pushed and the device will get onboarded to Microsoft Defender for Endpoint. Now let's see how exactly this setting is going to work. So this is my machine now, another machine, and this machine's hostname is MDM-MDE, OK, hostname MDM-MDE, so that this machine will not be Azure AD joined; basically I will directly enroll this to Microsoft Intune, and from there, as a workgroup machine, it should get onboarded to Microsoft Defender for Endpoint. OK, so now what I'm going to do is I'm going to click on Accounts, and I'm again going to click on "Access work or school" account, and this time instead of clicking on Connect I will click on this option which says "Enroll only in device management". That's exactly what I'm going to do. Now what this will result in on my device: the user will be signing in with his or her account, local account or personal account, but the device can be managed with Microsoft Defender for Endpoint. OK, so now I'm going to enter my username and here I'm going to type in my password as well, and I'll just get this device enrolled. Now this enrollment, that means this kind of request which a user is trying to initiate, does require admin access on the device. OK, so make sure the user with which you're trying to achieve this particular use case has local admin privilege on this particular machine altogether. So now I've clicked on Sign in and in a couple of minutes this device should get enrolled, so I'll pause the video and we'll resume once this device is registered.

Perfect, so as you can see it is showing me that your device is now about to get set up; it's setting up my device, it may take a couple of minutes. That means here I can just click on Info and then I can click on my current status of when the policy was refreshed and when was the last thing that was completed. OK, so I'll wait for a couple of minutes, or to be very precise let's just come back to our portal and see if the device is getting reflected here or not. OK, so I'll just refresh this and see if our device gets listed over here or not, and as you can see it is not getting listed. So what I'll do is I'll restart this particular machine, I will sign in again with my account and I will resume the video.

Perfect, so as you can see my device has restarted now, and I'm not getting any option to sign in with my Azure AD account. The reason behind that is this device is not Azure AD joined; it is just MDM enrolled. OK, so my local account is mdatp and I have just typed in my password, and now I'm trying to sign in. Once I've signed in I'll show you the service status and I'll show you the details of this device on the portal and how it got onboarded. Perfect, so now I'm just going to open command prompt and we'll check again the hostname, OK, it is MDM-MDE, then again sc query sense and then Enter. OK, so this device is still not onboarded. Let's come back and see what is the state that we get on the portal; OK, let's just refresh this. Perfect, so as of now it is showing me that this particular device has onboarded, and for sure there is a compliance state showing us Not evaluated, and in this case what we can do is we can just come back and we can push a sync, and let's see if it shows as syncing or if it shows as onboarded or not. And one more thing, you know, which we can confirm here is, if still this device is not onboarded even after a manual sync, then we'll go ahead and check the logs in Event Viewer just to be sure that the configuration policy is applied. Now the reason why I'm showing all this in real time is because I'm just letting you know the approach that I typically take whenever there is any issue that I'm experiencing. OK, so without any delay let's quickly open Event Viewer and let's directly go to that particular folder in terms of figuring out what exactly is wrong, or why this device was not onboarded in the first go itself. OK, so I've opened Event Viewer, I'll go to Applications and Services Logs, I hope it should not stop this time, it should just open, and perfect, it's there. So I'll open Microsoft now, I'll go to Windows, then I'll go to DeviceManagement and here I'm going to click on Admin, and here it does not give any error for the policy that we have just created. OK, so let's check the SENSE folder now just to verify if the logs are getting generated. Perfect, here also the logs are getting generated. OK, so as you can see the onboarding process is going on but it's not yet completed, and all the settings are in place, so we'll just refresh this once again, and I'll come back here and now we'll check the state. Perfect, you can see it's RUNNING now. OK, so I have not made any change apart from just waiting for a minute or so, and as you can see the device onboarding is completed as expected. OK, so now just refresh this and let's see if you are getting any state. Perfect, you can see now from Unknown this has been changed to Personal, and if I come back to this particular console, let's refresh our endpoints list as well and let's see if there is any device getting listed over here as MDM-MDE. Perfect, you can see that this particular device is getting listed over here, but this device is also a workgroup machine.

So this was all about knowing how the onboarding process works if you're trying to use MDM. First things first, make sure you have the right set of licenses in place. The network requirement is the most important requirement: you have to make sure that both of your endpoints, be it the one which is Azure AD joining or be it the one which is the manual MDM enrollment, both have the right set of connectivity to all the endpoints which are required for Microsoft Defender for Endpoint. OK, now the last use case is the hybrid Azure AD join one, wherein you can have your domain joined PC onboarded to Azure AD with the help of sync, and then you can have a configuration profile created in Microsoft Intune to push that MDM setting. Now once you push the setting the device will get onboarded to MDE. OK, now hybrid Azure AD joined devices, that means how hybrid Azure AD join works, is something that I have covered in a lot more detail; I will share that link in the description. As well, how to onboard hybrid Azure AD joined machines to Intune is also something which I have already covered, so I will share that link as well in the description. The last section, this configuration profile setting, is something that I have covered in this particular video. So now you're already sorted with all the three steps that you have to do, and you can achieve this particular stage as well when you have hybrid Azure AD joined devices but for some reason you don't want to use Group Policy Object and you want to use MDM; then in that case you can just create the configuration profile that I've just shown and scope that to your hybrid Azure AD joined devices.

So this was all about knowing how the onboarding of Windows 10 works when you're trying to use MDM or the Endpoint Manager portal. Let's talk about a quick summary of what all we have discussed in this video. We have discussed the enablement of the connector settings on the Endpoint Manager portal, how we should create the configuration profile, and what logs have to be checked on the device which is not getting onboarded for some reason. In the next video I'm going to talk about onboarding of Windows Servers to Microsoft Defender for Endpoint. So if you think that this channel is helping you to learn anything new, please feel free to subscribe and share this video with your technical community. Thank you so much, thanks for your time.
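The checks the video performs by hand on each test machine (sc query sense, the DeviceManagement-Enterprise-Diagnostics-Provider/Admin log and the SENSE/Operational log in Event Viewer) can be collected in one script, so that a device that is "not getting onboarded for some reason" can be triaged in a single pass. The PowerShell below is an added example written for this page; it is not from the video or from the Concepts Work channel. It assumes the Windows service name Sense, the Microsoft-Windows-SENSE/Operational and Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin log names, and the OnboardingState registry value under HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status as documented by Microsoft; the dsregcmd /status join-state check is an addition the video does not show.

```powershell
# Added example (not from the video): one-pass onboarding triage for a Windows 10
# device being onboarded to Microsoft Defender for Endpoint through Intune/MDM.
# Run from an elevated PowerShell prompt on the device itself.

function Get-MdeOnboardingStatus {
    [CmdletBinding()]
    param(
        # Number of recent events to read from each log
        [int]$MaxEvents = 20
    )

    $result = [ordered]@{}

    # 1. Service state: the PowerShell equivalent of "sc query sense" in the video.
    $sense = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
    $result.SenseService = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }

    # 2. Registry state (Microsoft-documented, not shown in the video):
    #    OnboardingState becomes 1 once the sensor has finished onboarding.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $state = (Get-ItemProperty -Path $statusKey -Name 'OnboardingState' -ErrorAction SilentlyContinue).OnboardingState
    $result.OnboardingState = if ($null -eq $state) { 'NotSet' } else { $state }

    # 3. Join/enrollment state (addition, not in the video): tells you which of the
    #    three scenarios the device is actually in (Azure AD joined, MDM-only, hybrid).
    $result.JoinState = (dsregcmd /status) |
        Select-String -Pattern '^\s*(AzureAdJoined|DomainJoined|MdmUrl)\s*:' |
        ForEach-Object { $_.Line.Trim() }

    # 4. Event logs: the two Event Viewer folders the video opens.
    $logs = [ordered]@{
        MdmAdmin         = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        SenseOperational = 'Microsoft-Windows-SENSE/Operational'
    }
    foreach ($name in $logs.Keys) {
        $events = Get-WinEvent -LogName $logs[$name] -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
        # Keep only the fields a troubleshooter reads; first line of the message is enough.
        $result[$name] = $events | Select-Object TimeCreated, Id, LevelDisplayName,
            @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
        # Level 1-3 = Critical/Error/Warning; a non-zero count here is where to look first.
        $result["${name}Errors"] = @($events | Where-Object { $_.Level -le 3 }).Count
    }

    return [pscustomobject]$result
}

# Usage: print the summary, then the two log tables.
$status = Get-MdeOnboardingStatus
"Sense service   : $($status.SenseService)"
"OnboardingState : $($status.OnboardingState)"
"Join state      : $($status.JoinState -join ' | ')"
"Error/warning events -> MDM admin: $($status.MdmAdminErrors), SENSE: $($status.SenseOperationalErrors)"
$status.MdmAdmin | Format-Table -AutoSize
$status.SenseOperational | Format-Table -AutoSize
```

Reading the output follows the video's own logic: a STOPPED service with OnboardingState unset and no entries in the MDM admin log means the configuration profile has not reached the device yet (sync or restart, as in the demo); MDM admin entries present but SENSE errors means the profile arrived and the sensor itself is failing, which is when the SENSE/Operational messages and the Client Analyzer are the next stop.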
Info
Channel: Concepts Work
Views: 3,526
Keywords: Microsoft, Security, CISO, Microsoft Security, Endpoint Security, Endpoint Detection and Response, Microsoft Endpoint Security, Azure, Microsoft azure, Threat and Vulnerability Management, Microsoft Threat Experts, MITRE, MDATP, Microsoft Defender Advanced Threat Protection
Id: jSgLlLjEu_I
Length: 27min 21sec (1641 seconds)
Published: Sun Jun 13 2021