Friday, November 6, 2020

Manage security policies directly from the cloud without co-management

Introduction

When you use the Configuration Manager tenant attach scenario, you can deploy endpoint security policies from Intune to devices you manage with Configuration Manager.

Prerequisites

  • Tenant attach
  • CMG (only if you need it to apply policies to internet-based devices)
  • Configuration Manager current branch version 2006 or later, with the in-console update Configuration Manager 2006 Hotfix (KB4578605)
  • Windows 10 and later (x86, x64, ARM64)
  • Microsoft Defender ATP tenant must be integrated with your Microsoft Endpoint Manager tenant (for Endpoint Detection and Response)

Tenant attach and the CMG can be configured by following this blog post by Lars Lohmann here

Collection to assign policies

First, we need to create a collection and enable it for policy assignment from the cloud.

[Screenshot]

Assets and Compliance – right click

[Screenshot]

Create Device Collection

[Screenshot]

Give it a proper name – Next

[Screenshot]

Let the collection be empty for starters. Click Next

[Screenshot]

OK

[Screenshot]

Next

[Screenshot]

Close

[Screenshot]

Go to Properties on the newly created collection

[Screenshot]

Tick "Make this collection available to assign Endpoint security policies from Microsoft Endpoint Manager admin center" – OK
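The same empty collection can be created from the Configuration Manager PowerShell module instead of the console. This is an added example, not code from the original post; the collection name, the limiting collection and the test device name are assumptions you will want to change. The "Make this collection available to assign Endpoint security policies..." tick box is still set in the collection properties as shown above.

```powershell
# Added example (not from the original post). Run in a console session on a
# machine with the Configuration Manager console installed.

# Load the ConfigMgr module and switch to the site drive (standard pattern from
# the console's "Connect via Windows PowerShell" action).
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
$SiteCode = '<your site code>'   # placeholder, e.g. the three-letter site code
Set-Location "$SiteCode`:"

# Assumed names; pick ones that make the cloud-assigned policies easy to trace.
$CollectionName = 'Cloud - Endpoint Security Policies'
$LimitingCollection = 'All Systems'

# Create the collection empty, exactly as the console wizard does above.
$collection = Get-CMDeviceCollection -Name $CollectionName
if (-not $collection) {
    $collection = New-CMDeviceCollection -Name $CollectionName `
        -LimitingCollectionName $LimitingCollection
}

# Later, add a single test device by direct membership before widening scope.
$TestDevice = '<test device name>'   # placeholder
$device = Get-CMDevice -Name $TestDevice
if ($device) {
    Add-CMDeviceCollectionDirectMembershipRule -CollectionName $CollectionName `
        -ResourceId $device.ResourceID
}

# Review the result (member count updates after the next collection evaluation).
Get-CMDeviceCollection -Name $CollectionName |
    Select-Object Name, CollectionID, MemberCount, LimitToCollectionName
```

Keeping the collection limited to a test device first mirrors the post's "empty for starters" advice: a firewall policy pushed from the cloud applies to every member, so widen the collection only after verifying the effect on a client.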

Create and assign policies

Go to the MEM Portal https://endpoint.microsoft.com/#home

Endpoint security -> Firewall

[Screenshot]

Create Policy

[Screenshot]

Windows 10 and later -> Microsoft Defender Firewall (ConfigMgr) (Preview)

Create

[Screenshot]

Name the policy in relation to the collection; it will help you later when you need to debug or track your policies.

Next

[Screenshot]

Set Domain profile to true

[Screenshot]

Do the same for the Private and Public profiles

[Screenshot]

Select collections to include

[Screenshot]

Choose the collection we enabled for cloud assignment in Configuration Manager.

Select

[Screenshot]

Create

[Screenshot]

My local firewall on a test machine was turned off for the Domain profile.

[Screenshot]

On the local client, open the Configuration Manager control panel applet and go to the Configurations tab.

Our policy arrived and has already created a configuration baseline for us.

[Screenshot]

The configuration baseline says "Compliant".

[Screenshot]

Going back to the firewall "Domain network" profile, it is still turned off, so I guess the "preview" is correct.

To be fair, I have no Defender ATP integrated with my Intune subscription, and it is a requirement.
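The observation above, a baseline reporting "Compliant" while the Domain profile is still off, is why it is worth checking the effective state on the client rather than only the baseline status. This is an added example, not code from the original post; it reads the client's configuration baseline store in the root\ccm\dcm namespace and the live firewall profile state, and the baseline name used for re-evaluation is a placeholder.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the test client.

# 1. Baselines the ConfigMgr client knows about, with the last evaluated
#    compliance status. LastComplianceStatus is numeric (1 = Compliant).
$baselines = Get-CimInstance -Namespace 'root\ccm\dcm' -ClassName 'SMS_DesiredConfiguration'
$baselines |
    Select-Object DisplayName, Version, LastComplianceStatus, LastEvalTime |
    Format-Table -AutoSize

# 2. The effective Windows Defender Firewall state for the three profiles the
#    policy set to "true".
$profiles = Get-NetFirewallProfile -Profile Domain, Private, Public
$profiles |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
    Format-Table -AutoSize

# 3. Flag the mismatch seen in the post: a compliant baseline next to a profile
#    that is still disabled.
$disabled = $profiles | Where-Object { -not $_.Enabled }
if ($disabled) {
    Write-Warning ("Firewall still disabled for profile(s): " + ($disabled.Name -join ', '))
} else {
    Write-Output 'All three firewall profiles are enabled.'
}

# 4. Optionally force a re-evaluation of one baseline, then run steps 1-3 again.
#    Take Name and Version from the output of step 1 (placeholder below).
$BaselineName = '<baseline name from step 1>'
$target = $baselines | Where-Object { $_.Name -eq $BaselineName }
if ($target) {
    Invoke-CimMethod -Namespace 'root\ccm\dcm' -ClassName 'SMS_DesiredConfiguration' `
        -MethodName 'TriggerEvaluation' `
        -Arguments @{ Name = $target.Name; Version = $target.Version; IsEnforced = $true }
}
```

Comparing the baseline status with Get-NetFirewallProfile is the check that matters for the preview: compliance reporting tells you the policy was received and evaluated, while the profile state tells you whether the firewall is actually on.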

Summary

As tenant attach evolves, more and more value is added by the product team. I believe that adding policies like this will, over time, make daily support operations much easier. If possible, you should attach your Configuration Manager today. Nothing happens on the clients; it is all backend, and it is safe to add.

I am really thrilled by the road Microsoft has chosen and look forward to seeing what we will get next!

Last minute note:

Currently we can set the settings below through the MEM Portal (remember it is PREVIEW).

[Screenshot of the available firewall settings]
