Security Management with Defender for Endpoint

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
if you're watching this thinking this guy has absolutely no idea what he's talking about yeah you're right um i've not really looked at this yet and this will be the first time i've already given it any thought because i if i turned all the features on in my environment then i'd have to turn them off in order to show you how it all works from scratch so i thought we'd just learn together and you know be as one as one kind of team we're looking at security management for microsoft defender for endpoint and the idea here is that we can manage the security settings in defender for endpoint on devices that we don't manage the rest of the settings for um this can apply to windows client and windows server the windows server bit is really making me think for the future but i'm really not giving it too much though because i've not looked at it too much just yet um so yeah the idea is that we don't manage the intune piece they're not enrolled into in tune or config manager but we can manage the security side through endpoint manager in tune uh just for defender for endpoint so we're going to give it a go i'll jump over to my defender portal because there's a couple of things we need to do here first to get this up and running this portal for clarity has a defender for endpoint licenses so i've got defender for endpoint licenses in this environment so we'll jump down to settings and then go over to endpoints and then choose configuration management enforcement scope and we get this option here so it says it will apply on devices that are not yet enrolled into endpoint manager or conflict manager and the word yet this this sentence is making me think that there's an intent behind it there's a thought behind how this is going to work so this isn't necessarily something that will will always be the case but the devices are in a transition phase to maybe be enrolled in endpoint manager in the future the word yet there is really making me a little bit cautious of what the idea is behind this so it says you'll need to do some other things but we're going to go through that all later on we need to enable the platforms i'm going to turn on windows client devices i'm not going to turn on service because i might be interested in doing that later on so i'll just save this one final thing before we move on it says for the public preview which is what i mean at the moment you need to tag the devices with mde dash management so in maybe five minutes when i forget that i've read that you can all point and laugh at me about the fact that i should have tagged my devices but hopefully you will remember but that's something you need to do during the preview so don't forget that heading over to endpoint manager so endpoint.microsoft.com into endpoint security i'm going to configure or set up defender for endpoint okay so we've got this one here we've got endpoint security profile settings allow microsoft defender for endpoint to enforce endpoint security configurations preview it's set to on i don't remember setting that to on but i think i might have at some point so it's set to on um which is good but it doesn't need to be set to on for this to work so that's all good no action required here from me but make sure in your environment that it is set to on the next thing we need to do is onboard our devices into defender for endpoint now there's a section in the security portal about how you do that and it always confused me because i've never needed to use it when i've been onboarding my devices in any of the demonstrations i've been doing in the past i've been able to just use my endpoint manager configuration to push that config obviously for these specific devices in this demonstration the devices are not in endpoint manager so pushing a config via endpoint manager obviously isn't possible similarly they're not in config managers so that's not going to work so we're going to need to take a look at this local onboarding concept from the security center so we'll jump over to that now so back over to here and we've got this is the screen that i left i left you one and we're going to look at onboarding so choose onboarding and it's windows 10 so actually it's windows 11 but it's windows 10 and 11 and then we've got a few deployment methods so i'll leave this on the screen while we have a look at it we're going to choose um local script group policy uh config manager config manager in tune or vdi obviously we're not in tune we're not in this case we're not vdi i'm not running config manager at least in this demonstration i'm not so neither of these theoretically i could use group policy but i'm this computer actually is is emulating a personal computer it's just a a local device with a standard user account um rather than a group policy managed a domain managed device so i can't use that so we've got local script for up to 10 devices um it says it's been optimized for usage with a limited number of devices so i don't think that's a hard limit um it'd be odd if it wasn't very difficult for them to limit it to to uh i mean it's possible they could limit it but that'd be very weird so we should use one of the other methods if you're deploying at scale in this case i have the luxury of choosing the easy option i'm running this local script but i appreciate that many of you will want to do a scale roll out of this perhaps i don't know maybe it depends how useful it is so we'll try we'll take a look at group policy and see what it actually gives us so let's download this just out of interest okay so what this has given me is this file here in a very roundabout way it's giving me a command file and uh that's what happens if it's not running as admin it determines the processor architecture runs powershell it's a big old script isn't it this is right so it i mean it's still a command file so interesting let's see how this differs to if i run in the local script okay so a slightly different script it can be used for onboarding machines to defend for endpoint the machine will be available within 30 minutes and needs internet connectivity plugged in etc and i mean it looks like it does very much the same thing clearly i mean it's going to be enrolling on boarding the device into into endpoint manager into defender for endpoint so okay fine let's use i'm going to use this this um this script method local script and i appreciate that's a cop-out but really the idea is that we test it out so apologies for not using root policy but in order to group policy i would need to set up a domain joint device and i don't want to so i'm not gonna but you should that's certainly something you should do if you want to we'll try the local script so i have my local script and i'm going to take it over to my device now i just want to quickly show you it's very bland device isn't it um wow uh i'm going to show you some things about this device very quickly that might be interesting for you so it is not as you're already joined it's not domain joined or enterprise joined and the device name is windows 11 dev so it's just a computer that i log into and back into there if i type who am i clearly dean but this is a local computer nothing special going on here i'm going to try and copy this file over to it just there hopefully i'm i'm local admin so i'll be able to run this so what i'm going to do is enroll this device into defender for endpoint and to make that more clear let's run this as admin from terminal as admin and then go into the desktop and run that command ah nice little bit of information there is quite cute so it's going to take 30 minutes and [Music] it's on boarding a single machine optimized for onboarding a single machine and shouldn't be used for a large scale deployment don't do that don't do that i'm going to choose y for yes and then you're going to crack on and do the onboarding so it's successfully onboarded my machine into microsoft defender for endpoint so i'm chuffed what i need to do next is uh this thing about where is it this thing about tagging the machine i remembered it look at me go tagging the machine or device with this tag now i'm not going to be able to do that on a device that is not yet in my azure id or anywhere so what i'm interested to see is how do i tag that machine does it what does it do to make it visible in a place where i can add a tag it's not in azure already maybe it should be an issue already maybe this video is all going to go to pot when i realized that i've missed a step that isn't mentioned in the docs what i'm going to do is give it 30 minutes and it's guaranteed to work within 30 minutes isn't it 5 to 30. so we'll come back in 30 minutes and see how we get on okay it's been a little while now maybe not half an hour but i thought i'd just check in and see how we're getting on so if we take a look here um in this section here in endpoint manager i don't have any additional devices i've got these two but certainly not one called windows 11 and then in portal.azure.com refresh that still no no additional devices these were enrolled earlier in the year so just jumping back into onboarding you can see it now says that first on first device on border is completed which sounds wonderful and then down here we've got this option to run a detection test and the first device detection test is incomplete so just refresh that page so i ran the detection test earlier on and it was this so you know i i'll show you the command i ran it was uh crucially you can't so if i go into uh windows terminal and try and run that command you can see it says the term continue equals is not recognized so it's not it doesn't work so the thing you've actually got to do is run command as admin and then as promised the detection test closes i pressed enter there with my thumb and it it disappeared um there's any other way for me to show you that so it disappeared um so this obviously has runs it's got the first detection test completed so now i've got my device in this portal somewhere apparently device inventory uh look windows 11 dev and onboarded um its domain is work group let's take a look what we can see in here got the ip address info any additional things i can do no okay let's just check in my endpoint manager portal again see if he's there i mean he's not but i didn't expect him to be there because he's not a endpoint manager managed device but i did think he might appear in in the azure ad portal maybe not in all devices though um maybe where would he appear all devices seems right all devices seem to be the place you would you would have all your devices yeah i would i would hope he was there give it a little while longer ah thinking about it what was that tag thing i needed to do if we go back to onboarding and over to enforcement scope we've got this tag thing let's take a look at that so these tags are specific to defender for endpoint not endpoint manager or rad so i need to tag a device in defender for endpoint with this tag we're getting somewhere so it must be the defend the mde dash management tag and i've got my device up here so somehow i need to tag it got my device inventory choose it manage tags we're getting somewhere find or create tags i'm going to create new and choose save okay that did it uh tags tag tags well i've got a tag let's start so we have done the thing it asked us to do which was to tag devices i can't imagine it would be that quick to put things any of the other portals because i think the next thing i need to do is really target this specific device with some policy from endpoint manager or in tune from the endpoint security config and i'm only going to do that if i can see it in endpoint manager so i need to i need to have that uh device in there in order to be able to target it so i'm hoping it will pop in there at some point i'm going to give it a little while longer because i don't like to rush these things to the global global scale service right so it's not going to be instant i'm not expecting that but i'm gonna give it a little while longer and then come back okay if you've liked this video if it's been helpful up to this point please hit the like button hit subscribe that'd be wonderful you're probably not going to want to do that after this bit though um it's been over an hour and nothing has appeared in the portal let me show you what i mean i've got this device inventory here that i mentioned earlier on where i've got the win11 dev machine with the status of them boarded so all good and then you head into devices and you choose refresh and you look wherever else it might be uh and it doesn't appear to be in your endpoint manager portal for you to assign this for you to sign this thing and then you go into the user id portal which is this one here and you choose all devices and again it's not there i can't find it it's not there yet it's been over an hour well over an hour i'm tired i want to finish up for the day um but i tried right the documentation says it will take 30 or so minutes in order to get into the portal it's not there i don't want you to be in the same position where you try this out with an hour or so to spare and get frustrated by the fact that it doesn't work this is a very short video i failed fine we'll try again maybe it'll just appear in the morning when i wake up it'll all be there and we'll all be we'll all be happy if it isn't there then i can start troubleshooting it and we can understand how this this whole process works but either way we're learning that's the idea thanks for joining in please subscribe i'll see you next time [Music]
Info
Channel: CloudManagement.Community
Views: 277
Rating: undefined out of 5
Keywords: intune, windows 10, windows 11, Training, MEMIntune, Intune, Support, MSIntune, Microsoft Endpoint Management, Azure, MEM, Microsoft, Windows Defender for Endpoint, Microsoft Defender, For Endpoint, Endpoint Defender, Security
Id: k3R6961JuXM
Channel Id: undefined
Length: 17min 38sec (1058 seconds)
Published: Tue Dec 14 2021
Related Videos
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.