Introduction
When you use the Configuration Manager tenant attach scenario, you can deploy endpoint security policies from Intune to devices you manage with Configuration Manager.
Prerequisites
- Tenant attach
- CMG (only needed if you want policies to reach internet-based devices)
- Configuration Manager current branch version 2006 or later, with the in-console update Configuration Manager 2006 Hotfix (KB4578605)
- Windows 10 and later (x86, x64, ARM64)
- A Microsoft Defender ATP tenant integrated with your Microsoft Endpoint Manager tenant (required for Endpoint Detection and Response policies)
Tenant attach and CMG can be configured by following the blog post by Lars Lohmann linked here.
Collection to assign policies
First, we need a device collection that is made available to the cloud, so the MEM admin center can target it.
- In Assets and Compliance, right-click Device Collections and choose Create Device Collection
- Give it a descriptive name and click Next
- Leave the collection empty for now (no membership rules) and click Next
- Click OK on the warning about the empty collection, then Next and Close
- Open the properties of the newly created collection
- Tick "Make this collection available to assign Endpoint security policies from Microsoft Endpoint Manager admin center" and click OK
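The same collection setup in the ConfigMgr console's PowerShell module, as an added example that is not part of the original post. It assumes the console module path from the SMS_ADMIN_UI_PATH environment variable, a placeholder site code (PS1), a placeholder pilot device name (PILOT-PC01), and the Set-CMCollectionCloudSync cmdlet with its -EnableAssignEndpointSecurityPolicy parameter, which is the scripted equivalent of the tick box above and ships with version 2006 and later.

```powershell
# Added example (not from the original post): create the device collection and
# flag it for endpoint security policy assignment from the MEM admin center.
# Assumptions: ConfigMgr console module installed, site code 'PS1' (placeholder),
# pilot device 'PILOT-PC01' (placeholder), Set-CMCollectionCloudSync available (2006+).

# Load the ConfigMgr cmdlets from the console install and switch to the site drive
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
$SiteCode = 'PS1'   # placeholder: replace with your site code
Set-Location "$($SiteCode):\"

# Name ties back to the Intune policy you will create later, which makes tracking easier
$CollectionName = 'EndpointSecurity - Firewall - Pilot'

# Create the collection empty (no membership rules), limited to All Systems, as in the walkthrough
$Collection = Get-CMDeviceCollection -Name $CollectionName
if (-not $Collection) {
    $Collection = New-CMDeviceCollection -Name $CollectionName `
        -LimitingCollectionName 'All Systems' `
        -Comment 'Target collection for Intune endpoint security policies via tenant attach'
}

# Equivalent of ticking "Make this collection available to assign Endpoint security
# policies from Microsoft Endpoint Manager admin center" in the collection properties
Set-CMCollectionCloudSync -InputObject $Collection -EnableAssignEndpointSecurityPolicy $true

# Add one pilot device by direct membership so the policy has a device to land on.
# Keep the pilot small: the firewall policy turns on all three profiles.
$Device = Get-CMDevice -Name 'PILOT-PC01'   # placeholder device name
if ($Device) {
    Add-CMDeviceCollectionDirectMembershipRule -CollectionId $Collection.CollectionID `
        -ResourceId $Device.ResourceID
}

# Show what was created; the collection should now appear when you pick
# collections for a ConfigMgr endpoint security policy in the MEM admin center
Get-CMDeviceCollection -Name $CollectionName | Select-Object Name, CollectionID, MemberCount
```

Run this on a machine with the Configuration Manager console installed, as an account that has rights to create collections. If the collection does not show up in the MEM admin center afterwards, check that tenant attach (device upload) is enabled for the site and that the collection is within the upload scope.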
Create and assign policies
Go to the MEM portal: https://endpoint.microsoft.com/#home
- Endpoint security -> Firewall
- Create Policy
- Platform: Windows 10 and later, Profile: Microsoft Defender Firewall (ConfigMgr) (Preview)
- Create
Name the policy after the collection it targets; it will help later when you need to debug or track your policies.
- Next
- Set the Domain profile firewall setting to true
- Do the same for the Private and Public profiles
- Select collections to include
- Choose the collection we made available from Configuration Manager
- Select
- Create
My local firewall on a test machine was turned off for the Domain profile.
On the client, open the Configuration Manager control panel applet and go to the Configurations tab.
Our policy arrived and has already created a configuration baseline for us.
The configuration baseline says "Compliant".
Going back to the firewall "Domain network", it is still turned off, so I guess the "preview" label is correct.
To be fair, I have no Defender ATP integrated with my Intune subscription, and it is a requirement.
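A client-side check for the situation just described, as an added example that is not part of the original post: it reads the configuration baseline status the ConfigMgr client reports, then compares it with the actual Windows Defender Firewall profile state, so a baseline that reports "Compliant" while a profile is still off is flagged rather than trusted. It assumes the baseline's display name contains the word Firewall (adjust the filter to match your policy name) and that a LastComplianceStatus of 1 means compliant; any other value is treated as not compliant here.

```powershell
# Added example (not from the original post): verify on the managed client that the
# tenant-attach firewall policy took effect, rather than trusting the baseline status.
# Run in an elevated PowerShell on the device. Assumptions: baseline display name
# contains 'Firewall'; LastComplianceStatus 1 = compliant, anything else = not compliant.

# 1. Configuration baselines known to the ConfigMgr client live in root\ccm\dcm
$Baselines = Get-CimInstance -Namespace 'root\ccm\dcm' -ClassName 'SMS_DesiredConfiguration' |
    Where-Object { $_.DisplayName -like '*Firewall*' }

if (-not $Baselines) {
    Write-Warning "No firewall baseline found on this client yet; trigger a machine policy refresh and retry."
}

foreach ($b in $Baselines) {
    $state = if ($b.LastComplianceStatus -eq 1) { 'Compliant' } else { "Not compliant (status $($b.LastComplianceStatus))" }
    Write-Host ("Baseline '{0}' v{1}: {2}, last evaluated {3}" -f $b.DisplayName, $b.Version, $state, $b.LastEvalTime)
}

# 2. Actual firewall state per profile. ActiveStore is the effective (merged) policy,
#    so this reflects whatever the policy actually set, not just the local persistent store.
$Profiles = Get-NetFirewallProfile -Profile Domain, Private, Public -PolicyStore ActiveStore
$Profiles | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction | Format-Table -AutoSize

# 3. Flag the mismatch seen in the post: baseline says compliant but a profile is still off
$Disabled  = $Profiles  | Where-Object { -not $_.Enabled }
$Compliant = $Baselines | Where-Object { $_.LastComplianceStatus -eq 1 }
if ($Disabled -and $Compliant) {
    Write-Warning ("Baseline reports compliant, but these profiles are disabled: {0}" -f ($Disabled.Name -join ', '))
} elseif (-not $Disabled) {
    Write-Host "All three firewall profiles are enabled."
}
```

Running this before and after the policy arrives gives you a simple before/after record for a pilot, and the mismatch warning is the condition to look for when deciding whether the preview policy can be trusted on your clients.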
Summary
As tenant attach evolves, more and more value is added by the product team. I believe that adding policies like this will, over time, make daily support operations much easier. If possible, you should attach your Configuration Manager site today. Nothing changes on the clients; the attach itself is all backend, and it is safe to add.
I am really thrilled by the road Microsoft has chosen and look forward to seeing what we get next!
Last-minute note:
Currently, the settings listed below are the ones that can be set through the MEM portal (remember, it is a preview).
Mattias Melkersen is a community-driven and passionate modern workplace consultant with 20 years' experience in automating software, driving adoption and technology change within the enterprise. He lives in Denmark and works at Mindcore.
He is an Enterprise Mobility Intune MVP, Official Contributor in a LinkedIn group with 41,000 members and a Microsoft 365 Enterprise Administrator Expert.
Mattias blogs, gives interviews and creates YouTube content on the channel "MSEndpointMgr", where he produces helpful content in the MEM area and interviews MVPs who showcase a certain technology or topic.
Official Contributor here "Modern Endpoint Management":
https://www.linkedin.com/groups/8761296/