Manage security policies directly from the cloud without co-management

Introduction

When you use the Configuration Manager tenant attach scenario, you can deploy endpoint security policies from Intune to devices you manage with Configuration Manager.


Prerequisites

  • Tenant attach
  • CMG (only if you need it to apply policies to internet based devices)
  • Configuration Manager current branch version 2006 or later, with the in-console update Configuration Manager 2006 Hotfix (KB4578605)
  • Windows 10 and later (x86, x64, ARM64)
  • Microsoft Defender ATP tenant integrated with your Microsoft Endpoint Manager tenant (required for Endpoint Detection and Response)


Tenant attach and CMG can be configured by following this blog post by Lars Lohmann here

Collection to assign policies

First, we need to create a collection and enable it for policy assignment from the cloud.

Assets and Compliance – right click

Create Device Collection

Give it a proper name – next

Let the collection be empty for starters. Click Next

OK

Next

Close

Go to properties on the newly created collection

Tick "Make this collection available to assign Endpoint security policies from Microsoft Endpoint Manager admin center" – OK


Create and assign policies

Go to MEM Portal https://endpoint.microsoft.com/#home

Endpoint security -> Firewall

Create Policy

Windows 10 and later -> Microsoft Defender Firewall (ConfigMgr) (Preview)

Create

Name the policy in relation to the collection; it will help you later when you need to debug or track your policies.

Next

Set Domain profile to true

Do the same for the Private and Public profiles

Select collections to include

Choose the collection we made available for this from Configuration Manager.

Select

Create

My local firewall on a test machine was turned off for the Domain profile

On the local client, go to the Configuration Manager Configurations tab.

Our policy arrived and has already created a configuration baseline for us.

Configuration baseline says “Compliant”

Going back to the firewall "domain network", it is still turned off, so I guess the "preview" is correct.

To be fair, I have no Defender ATP integrated with my Intune subscription, and it is a requirement.
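To check the gap described above on the client itself, here is an added PowerShell check that is not part of the original post: it compares the local Defender Firewall profile state with what the policy created above is expected to enforce (all three profiles enabled, an assumption taken from the steps in this post) and lists the configuration baselines the Configuration Manager client has received, read from the client's root\ccm\dcm WMI namespace. Run it elevated on a device that has the Configuration Manager client installed.

```powershell
# Added example (not from the original post). Compares the local firewall
# profile state with the policy created in the post and lists the ConfigMgr
# configuration baselines present on this client. Run as administrator.

# Expected state from the policy in the post: Domain, Private and Public enabled
# (constructed for this check; adjust if your policy differs).
$Expected = @{ Domain = $true; Private = $true; Public = $true }

Write-Host "=== Firewall profile state vs. policy ==="
$drift = @()
foreach ($profile in Get-NetFirewallProfile) {
    $actual = [bool]$profile.Enabled
    $wanted = $Expected[$profile.Name]
    if ($actual -ne $wanted) { $drift += $profile.Name }
    '{0,-8} enabled={1,-5} expected={2,-5} {3}' -f $profile.Name, $actual, $wanted,
        $(if ($actual -eq $wanted) { 'OK' } else { 'DRIFT' })
}

Write-Host "`n=== Configuration baselines on this client ==="
# SMS_DesiredConfiguration holds every baseline the client has been assigned,
# including the one the tenant-attach policy generated.
$baselines = Get-CimInstance -Namespace 'root\ccm\dcm' `
    -ClassName 'SMS_DesiredConfiguration' -ErrorAction SilentlyContinue
if (-not $baselines) {
    Write-Host "No baselines found (ConfigMgr client missing or no policy received yet)."
} else {
    foreach ($b in $baselines) {
        # LastComplianceStatus: 1 = compliant, 0 = non-compliant; other values
        # mean the baseline has not been evaluated yet.
        $state = switch ($b.LastComplianceStatus) {
            1       { 'Compliant' }
            0       { 'Non-compliant' }
            default { "Status $($b.LastComplianceStatus)" }
        }
        '{0}  version={1}  state={2}  lastEval={3}' -f `
            $b.DisplayName, $b.Version, $state, $b.LastEvalTime
    }
}

# A baseline reporting Compliant while a profile shows DRIFT is the situation
# observed in the post: trust the local profile state, not the baseline, and
# re-check once the Defender ATP integration prerequisite is in place.
if ($drift) { Write-Warning ("Profiles not matching policy: " + ($drift -join ', ')) }
```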


Summary

As tenant attach evolves, more and more value is added by the product team. I believe that adding policies like this will, over time, make daily support operations much easier. If possible, you should attach your Configuration Manager today. Nothing happens on the clients; it is all backend, and it is safe to add.

I am really thrilled by the road Microsoft has chosen and look forward to seeing what we will get next!

Last minute note:

Currently we can set the settings below through the MEM Portal (remember it is PREVIEW).


Mattias Melkersen is a community driven and passionate modern workplace consultant with 20 years’ experience in automating software, driving adoption and technology change within the Enterprise. He lives in Denmark and works at Mindcore.

He is an Enterprise Mobility Intune MVP, Official Contributor in a LinkedIn group with 41.000 members and Microsoft 365 Enterprise Administrator Expert.

Mattias blogs, gives interviews and creates YouTube content on the channel "MSEndpointMgr", where he creates helpful content in the MEM area and interviews MVPs who showcase a certain technology or topic.

Official Contributor here "Modern Endpoint Management":
https://www.linkedin.com/groups/8761296/
